INDUSTRY PERSPECTIVE CYBER
JADC2 Could Introduce Cyber Risks At Unprecedented Scale
Technology has always played a major role in military competition, and military competition has always leaned heavily on industry. The two spheres, the military and industry, overlap so much that “military-industrial complex” is common parlance.
However, the dynamic has historically been mostly one way in the sense that once technology is turned over by industry to the military, industry moves on to developing more technology while the military operates whatever is already on the shelf.
Post 9/11, most people are familiar with the growing role of contractors in supplementing the military, but joint all-domain command and control, better known as JADC2, has the potential to close this loop once and for all by creating a dynamic wherein industry will be both the progenitor and operator of the technology, with the military mostly serving in the role of providing guidance and legal authorization for use cases.
The concept, which is being pursued by the Departments of the Army, Navy and Air Force, calls for linking sensors and shooters through a network — powered by artificial intelligence and cloud computing — that can operate at high speeds.
The Army calls its version Project Convergence, the Navy Project Overmatch and the Air Force the Advanced Battle Management System.
While JADC2 at the conceptual level has clear tactical intents and purposes, as one moves further down toward the underlying technology — such as the nodes, links and platforms that will form its structure — there are clear issues with operations, security and maintenance.
Setting aside the complexity this represents in terms of the mix of hardware, software and ongoing coding and upgrade requirements, it also will mean thousands of personnel will answer to numerous military chains of command and civilian procurement officials across the globe. The current defense contracting and procurement system is simply not equipped to provide this support in a manner befitting joint all-domain command and control’s requirements for agile, tactical capabilities.
How can the services and industry reconcile these requirements with strategic necessities, fiscal constraints and personnel and staffing realities? Addressing these apparent disconnects requires strong public-private partnership, as well as a willingness to do things in newer, faster, more efficient ways that break down stovepipes and challenge orthodoxies when it comes to how we buy and field technology.
This is why joint all-domain command and control presents a new and somewhat unique challenge. At its core it describes an end state that is wholly at odds with current industrial posture. Supply chain security, rapid fielding, continuous testing and evaluation for cyber systems — all these will need to be far more flexible for JADC2 than they are for the current mix of legacy systems.
The network and capabilities necessary to see the concept reach its full operational potential will require computers, connections, sensors and platforms on a scale and distribution that is unprecedented in military history — or history in general for that matter. Because of this, an inherent implied requirement is that the network be not only built and tested by industry, but also probably operated, at least in large part, by industry as well.
The United States and allied militaries are simply not large enough in terms of manpower, or skilled enough in terms of technical specialties, to operate such a vast and complex environment without civilian technical specialists participating in the effort. This means that defense contractors and consultants will become an even larger part of the warfighting footprint of the U.S. military than they already are.
Anyone working in cybersecurity today must have a basic understanding of the ecosystem of manufacturers, developers, service providers, vendors and clients in the industry.
The defense sector also has a rather complicated ecosystem divided mostly along lines of function — missiles or ground vehicles or satellite radios — as well as by size and scope in terms of relationships between prime contractors and customers, such as small businesses that support Air Force maintenance or very large ones that build artillery pieces for the Army, for example.
Joint all-domain command and control promises to ensure that elements of all these organizations, products and functions can share data and coordinate actions across a huge spectrum, thus increasing the attack surface area exponentially. Addressing this aspect alone will require a centralization of monitoring and incident response capabilities that is also capable of supporting a huge variety of platforms in the field.
Imagine the difficulties associated with an incident response on a network hosting weapons platforms that are also actively engaged in real-world combat with an enemy. The United States has not faced a challenge quite like this in history, but the dynamic is akin to operating a factory producing tanks being sent directly to the front while being bombarded by enemy artillery. We know how well that turned out for the German and Japanese industrial base during World War II.
Defense contractors have long had a target on their back because of their critical role in supporting America’s national security. This has continued into the present.
In February, the Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI announced that companies supporting the Defense Department and intelligence community were targeted by Russian state-sponsored actors in a campaign launched before the pandemic. This environment is only likely to intensify during the current period of global tensions with both Russia in Ukraine and China over Taiwan.
In past industrialized wars, it became generally accepted — though not without much agonizing and debate — that civilian industry, transportation and even population nodes were legitimate military targets in the context of prosecuting and shortening the war.
Joint all-domain command and control would put large parts of the private sector back on the front lines in a way they haven’t been since the Japanese navy raided the U.S. West Coast and the British and U.S. air forces sought to level the industrial cities of the Ruhr in Germany.
The primacy of the U.S. nuclear arsenal, air defenses and maritime supremacy means that very few avenues are left open for attacks on the United States. Cyber is perhaps becoming the most likely and dangerous avenue, which incidentally is the central component ensuring joint all-domain command and control is effective and can operate at scale. One of the few ways to overcome it would be to degrade the civilian infrastructure, which would include energy, communications and transportation necessary to maintain and operate it, potentially even by attacking the workforce itself.
This creates many potential complications and will mean that the morale and resilience of a civilian workforce will be much more important factors in future wars than in most of those in more recent U.S. history.
Due to cyber war techniques like disinformation campaigns targeting industry and governments as well as direct attacks like distributed denial of service operations or ransomware, civilian infrastructure and personnel can be attacked from afar with ease. When given the choice between challenging the U.S. militarily or launching cyber attacks on its industrial capabilities, most adversaries of the future will opt for the latter.
A June report from cybersecurity risk assessor Black Kite suggests that upward of 32 percent of the top U.S. defense contractors are vulnerable to ransomware attacks.
Mandiant’s threat intelligence team has found major information operation campaigns by China and Russia that aim to lower confidence in defense priorities and election security, as detailed in the M-Trends 2022 report. While attackers mostly target professional services, finance, healthcare and retail sectors, the defense industry still needs to keep both state and non-state actors top of mind while becoming a greater part of our military operations.
Finally, history is awash in examples of generals or admirals being responsible for failure in physical battles. What we don’t have is much in the way of historical analogy for losing a battle due to an internet outage or a vendor-specific ransomware attack.
Technological failures have played a role in warfare since antiquity, but never have those technologies been operated and maintained in the field by non-military personnel at the scale joint all-domain command and control would require.
Industry will not only build JADC2, but it will also accompany it into battle. The time to prepare for this reality is now.
Jason Atwell is a principal advisor of global intelligence at Mandiant.