26 February 2023

PARALYZED AT THE PIER: SCHRÖDINGER’S FLEET AND SYSTEMIC NAVAL CYBER COMPROMISE

Tyson Meadors

In the spring of 2019, then-Navy Secretary Richard Spencer publicly released the “Navy Cybersecurity Readiness Review.”1 Conducted in the tradition of earlier reviews commissioned by Navy Secretaries such as the Chambers Board and the General Board Studies of 1929-1933, this report, led by the now-Under Secretary for Intelligence Ronald Moultrie, concluded that the Navy’s cybersecurity shortfalls were “an existential threat.”

Following its release, Secretary Spencer summarized the review’s findings during Congressional testimony: “…[O]ne of our battles is going to be just getting off the pier because [of] cyber…” After over two years in the position, the civilian leader of the Navy and Marine Corps had become convinced that the cyber-related reforms and force structure changes outlined in the Review were required to remain a viable naval power.

Due to his untimely dismissal in November of that same year, however, Secretary Spencer was never afforded the opportunity to see his proposed cyber reforms through. In his wake, the “existential” cyber matters described in the report have been largely left unaddressed. Three years later, Congress started to demand significant reforms to Navy cyber force structure in the 2023 National Defense Authorization Act (NDAA). These NDAA mandates suggest that Congressional defense committee leadership has concurred with Spencer’s conclusions—so much so, in fact, that they are willing to force the matter on Navy leadership.

While the 2019 report, prompted by over a decade of cyber incidents resulting in the “loss of significant amounts of Department of the Navy data,” makes it clear that the Navy is “losing the current global, counter-force, counter-value cyber war,” it never describes the strategic or operational naval implications of losing this “war.” The report notes that “[cyber] war is manifested in ways few appreciate, fewer understand, and even fewer know what to do about it.” But it leaves translating such proclamations into tangible guidance to the imagination of the (presumably “few”) readers capable of doing so. High-profile cyber warfare events over the last five years, however, have made understanding the strategic implications of the Navy’s cybersecurity readiness shortfalls far more apparent. The “how” and “why” of Spencer’s “battle to get off the pier”—and what it means for the Navy’s strategic reality—demands the attention of more than just Congress.

Introducing Schrödinger’s Fleet

The strategic reality described by the 2019 Cybersecurity Readiness Review is best analogized by Erwin Schrödinger’s “cat” thought experiment, which describes a situation where it is impossible to know whether a cat—imperiled by the superposition aspect of quantum dynamics—is either alive or dead until someone goes to observe the state of the cat. In this way, the cat is effectively both alive and dead prior to direct observation.

In the case of Schrödinger’s Fleet, the uncertainty is the unclear combat readiness of a naval fleet whose supply chains have suffered a thorough and prolonged period of cyber exploitation by sophisticated adversary actors. Given an indefinite period of access to the key portions of the defense industrial base responsible for the provisioning of all U.S. Navy platform and weapon systems, these actors are afforded countless opportunities to insert malicious code into software and firmware that eventually is built into one or myriad platforms, systems, and networks. The added code then lies effectively dormant until such a time or condition that it is activated to disrupt the availability of a weapon system, network, and/or platform. From a readiness perspective, the naval fleet appears operationally ready in peacetime, but the adversary knows that at the intended moment of action, the imperiled fleet will struggle to “just get off the pier.”

Had the 2019 Review been written 18 months later, it would have benefitted from the ready example of the SolarWinds cyber breach that made the term “software supply chain compromise” common parlance. The SolarWinds2 event was revealed by the cybersecurity firm FireEye, which discovered malicious cyber activity on its own network in December 2020.3 Further analysis revealed that beginning in the spring of 2020, this Russian cyber campaign had first compromised the software development environments of a prominent vendor of IT management tools, SolarWinds. They then modified code in its products to allow themselves access to its customers, leveraging SolarWinds’ otherwise legitimate software update processes to spread ‘poisoned’ updates across the networks of approximately 18,000 entities. Amongst the victims were the Departments of Defense, Homeland Security, Energy, and State, as well as defense-linked Fortune 500 companies such as Microsoft, Cisco, Deloitte, and Intel.4

SolarWinds was nowhere near the first supply-chain compromise used by adversary cyber actors. The NotPetya cyberattack by Russian military cyber units in 2017, for example, used a similar supply-chain infiltration tactic to infect Ukrainian accounting software updates to pre-position the virus across Ukraine before activating its worming and data destruction capabilities on the eve of Ukrainian Constitution Day. Once activated, its global spread and effects were the results of automatic spreading and attack processes in pre-positioned malicious code causing at least $10 billion of damage—the most financially destructive cyberattack ever.5,6

China is also a prolific software supply chain compromiser. In 2017, Chinese cyber actors compromised the development environments of the company responsible for the CCleaner software utility, subsequently inserting malicious code into software updates for that product, eventually spreading to over 2.3 million computers worldwide.7 This campaign lasted about six months, and subsequent analysis revealed that the Chinese ultimately only leveraged access to 40 organizations in the pursuit of further targeted activities against dissident groups and other Chinese security priorities.

Taken in totality, SolarWinds, NotPetya, and CCleaner represent the wavetops of what has now become a go-to tactic for nation-state and criminal actors alike—subvert the software supply chain to get to higher value targets with latent, malicious code. Then, at a time and place of the adversary’s choosing, activate the malicious code.

Adversary actors need two things to leverage such capabilities: First, they need ready access to a target’s supporting supply chains—the type of prolonged access to the Navy’s supporting vendors that prompted the commissioning of the 2019 Cyber Readiness Review. Second, the adversary needs to have some advanced idea of what type of outcomes it wishes to achieve with such operations. Adversaries with focused strategic or operational objectives—an invasion of a nearby island, for example—for which they control the notional timing and tempo, can engage in prolonged supply chain subversion campaigns to ensure that opposing forces are disadvantaged at the outset of a conflict. In the opening hours of Russia’s invasion of Ukraine, for example, (presumably Russian) hackers brought down satellite communications run by Viasat, upon which the Ukrainians were operationally reliant.8 While not decisive due to Russia’s conventional military failings, this type of cyberattack demonstrates that peer competitors can use pre-positioned cyber capabilities as part of a combined arms assault.

The 2019 Cybersecurity Readiness Review suggests—but did not state outright—that at least some of the Navy’s myriad acquisition programs may have been victim to this class of long-term compromise. The risk to an unknown number of Navy platforms and weapon systems remains critical. As recently as this year, “nearly nine out of ten US defense contractors fail to meet basic cybersecurity minimums,” as defined by the Defense Federal Acquisition Regulation Supplement (DFARS).9 Even generously assuming perfect contractor cyber defense thereafter, when the updated DFARS cybersecurity requirements finally are enforced (via the oft-delayed implementation of the Cybersecurity Maturity Model Certification [CMMC]), whatever latent compromises that Spencer alluded to in his Congressional testimony—as well as at least four additional years of continued near-peer cyber activity against Navy supply chains will remain. And the U.S. Navy will be left operating Schrödinger’s Fleet through the duration of the so-called Davidson Window and beyond.10

Cousin Cats: “Schrödinger’s Infrastructure” and “Schrödinger’s ICS”

The Navy is not the only entity faced with strategic cyber uncertainty. In a recent speech at NATCON 3, Joshua M. Steinman, the senior-most cybersecurity official in the Trump administration, described what he called “Schrödinger’s Infrastructure”: “…[A]n industrial base that is simultaneously compromised and not compromised… We find out which it is once the [People’s Liberation Army (PLA)] departs for Taipei.”11

Steinman’s description is significant to the U.S. Navy for two reasons. First, it identifies that the threat of latent Chinese cyber capabilities embedded in U.S. industrial infrastructure may only be fully realized when it is leveraged in support of a major PLA operation such as invading Taiwan. Perhaps less obvious—but just as significant—is that Steinman identifies an issue with a class of technologies that are just as critical to naval operations as they are to U.S. critical infrastructure. Namely, Steinman’s comments specifically addressed the cybersecurity vulnerability of “Operational Technologies” (OT), which describes the class of computers, controllers, networks, and embedded systems associated with the control of physical things such as power grids, factories, ship propulsion plants, and weapon systems.

Just as relevant to understanding contemporary U.S. Navy cyber risk is a description of what Robert M. Lee, the founder of the OT cybersecurity company Dragos, calls “Schrödinger’s Industrial Control System (ICS).” In a 2019 blog post discussing the circumstances of a rumored cyberattack that had caused a fire at the Abadan Oil Refinery in Iran, Lee explains that “Schrödinger’s ICS” is a situation that exists when operators of operational technology are unable to do “root cause analysis of the event to include a cyber component.”12 Otherwise stated, another aspect of the cyber-Schrödinger condition is that any OT-controlled machinery or weaponry casualty may be a cyberattack unless an entity has the cyber forensic capabilities to “observe” otherwise.

Responding to a question in 2017 about the possibility of a cyberattack causing a ship collision involving the USS McCain, the then Deputy-Chief of Naval Operations for Information Warfare, VADM Jan Tighe, stated that “…what if we detect a cyber intrusion into one of those machinery systems, et cetera? We need to have expertise that can respond to that… and can look for any signs of cyber intrusion or cyber malicious – malware… we will… learn from the results of the McCain investigation and just make [cyber forensics] part of the normal process of how we do mishap investigations moving forward.”13 As other observers noted,14 however, in 2017 the Navy did not have the capabilities required to do a proper forensics investigation on the McCain’s OT. VADM Tighe’s remarks suggested, at least, that a Fleet cyber forensic capability was an identified naval requirement and was to soon come online.

A recent letter from Congress to CNO Gilday sent in the fall of 2022,15 however, expressed concern that “the Navy’s cyber resiliency budget [for fiscal year 2023] equated to less than 0.1 percent of service-requested funds,” and pointedly asked, “What unit(s) will respond to cyberattacks against shipboard systems and are those units sufficient to meet wartime need?” It appears that Congress is skeptical as to whether the Navy has sufficiently developed the expertise that VADM Tighe stated was necessary two years prior to the 2019 Cybersecurity Readiness Study—the type of expertise required to resolve whether the Fleet is “cyber alive” or “cyber dead.”

Schrödinger Fleet Strategy

From a naval strategy perspective, Schrödinger’s Fleet is effectively the opposite of Mahan’s “fleet in being.” Rather than an immobile fleet limiting an adversary’s maneuvers because of the risks of such a fleet mobilizing, an otherwise mobile Schrödinger’s Fleet no longer has to be respected in an adversary’s calculations. At the initiation of conflict, the antagonist can assume that an otherwise mobile fleet will be rendered moot via cyber effects, and the antagonist can maneuver their forces accordingly.

That said, because the actual efficacy of latent malicious cyber capabilities cannot be known for certain until time of activation, it cannot be expected that an adversary advantaged by such capabilities will necessarily conduct its ante bellum activity noticeably different than they would if they did not possess such advantages. It is worth considering, however, that having such cyber capabilities may incline adversarial leadership to perceive a decisive strategic advantage, further easing their path towards initiating hostile actions.

This risk—that cyber effects at the outset of conflict used to undermine the military capabilities of the opposite side will ultimately be destabilizing and make conflict more likely—is described by another former Navy Secretary, Dr. Richard Danzig, as “mutually unassured destruction” (“MUD”). In a 2014 essay, Danzig specifically points out that should nuclear command, control, and warning be degraded by cyberattack, this could lead to a situation where the strategic deterrence inherent to mutually assured destruction deteriorates, leading to strategic instability.16 Danzig’s point might be extended, however, to consider the advantages conveyed if only the conventional defense capabilities of an adversary are disrupted.

Danzig’s explanation of cyber-induced MUD suggests that there may be a fundamental strategic difference in degrading conventional rather than nuclear forces. Namely, whereas there may be destabilizing risks in placing nuclear forces into Schrödinger Fleet conditions, this does not necessarily hold true for conventional forces. Consider two adversaries who have both compromised the software supply chains of the conventional forces of the opposing side. Each is faced with uncertainty regarding what forces will and will not be impacted at the point of initial aggression and therefore face an incalculable risk toward their respective chances of success. This condition—when Schrödinger Fleet-conditions call into question the viability of conventional military success—can prove deterring and thus potentially stabilizing. And this form of cyber deterrence need not be symmetrical or mutual. Should one side be able to demonstrate that they have created Schrödinger Fleet conditions inside of the aggressing force, the aggressor may hesitate to act, especially if the aggressor’s theory of victory requires a full complement of combat-available forces.

Spencer’s Congressional statements suggest that he believed the Navy may be at such a conventional disadvantage—potentially deterring U.S. strategic or operational action at a future moment of crisis or conflict. A Navy composed of a Schrödinger’s Fleet is not merely a force in an “existential” crisis. It is a critical national security liability.

Resiliency and MUD: A Quantum of Solace

Assuming that the strategic implications of the U.S. Navy operating a Schrödinger Fleet are anywhere near as dire as what Spencer’s Review and further analysis suggest, what is to be done?

Commercial OT cybersecurity suggests two partial remedies. First, after the SolarWinds event, public and private sector cybersecurity leadership began calling for the use of “software bills of material” or “SBOMs.” These are lists of software components used to create applications or systems that are provided upon the delivery of a product or service. While not a defensive cyber capability per se, they do allow entities to understand the degree of risk incurred when a subverted IT or OT component is revealed via a breach disclosure or some other sort of reporting.

In 2021, the Biden administration tasked the Department of Commerce to develop government-wide guidance mandating SBOMs for all IT and OT used by the federal government.17 The Senate’s version of the 2023 National Defense Authorization Act also contained an SBOM mandate for the Department of Defense, but this language did not make it into the bill’s final form.18 It remains prudent, however, for the Navy to require SBOMs from all its IT and OT suppliers.

Second, as Rob Lee and VADM Tighe both suggested is required, the Navy needs a rapidly deployable expert forensics capability that it can deploy to its ships and platforms to quickly determine whether or not the root cause of a system failure or casualty is or is not cyber-related. As VADM Tighe noted in her 2017 comments about the USS McCain cyber investigation, one of the most urgent second-order questions the Navy would have had to determine was that, if the McCain collision had been revealed to have a precipitating cyber cause, were other ships – to include the earlier collision of the USS Fitzgerald – also liable to a similar notional cyber effect?

Some of this forensic capability can be provided by additional cybersecurity sensors integrated into platforms. In Congress’ 2022 letter to Admiral Gilday, for example, Congress notes the existence of two Navy programs that address some of this risk. Some of this enhanced forensics capability will also require the types of teams that Congress inquired about in the same letter. As the Navy considers how to implement the reforms mandated in the 2023 NDAA, manning and equipping these sorts of teams should be top of mind.
A notional Navy cyber response team. (Artwork created via Midjourney AI)

While SBOMs and operational forensic capabilities reduce the uncertainties associated with Schrödinger’s Fleet, they do not meaningfully address the waxing strategic risk of systemic platform and weapon system casualties caused by latent malicious code. For this, two further compensatory mechanisms are necessary.

First, the Navy must have the capacity to recover compromised systems to secure baselines in operationally relevant timeframes. Assuming that the advance detection of latent malicious code is nigh impossible given the volume and complexity of the systems-of-systems in a naval platform and each of those systems’ respective supply chains, quickly recovering from the unpredictable impacts of such malicious code becomes a critical “fight through” enabler.

Finally, the Navy should pursue and maintain the ability to hold potential adversaries’ conventional naval capabilities at equivalent cyber risk. Expanding Secretary Danzig’s “MUD,” we should consider how much can be gained from developing an ability to call into doubt the wartime availability and reliability of an adversary’s conventional naval forces. This would create a credible, likely stabilizing deterrent that is not dependent on ensuring the cyber survivability of our own navy. This is a necessary approach when addressing the need to maintain strategic balance—if not outright advantage—over great naval powers.

No comments: