It’s time for the U.S. military to add cyber activities to combatant commands’ regular security cooperation efforts with partner nations.
This would bolster our partners’ capabilities, reduce U.S. vulnerabilities, and provide a forward posture for future operations. Certainly, many of the U.S. military’s cyber capabilities are classified, but there are areas where more cooperation is possible. Moreover, such efforts would likely be welcomed by U.S. partners who are aware of their vulnerabilities but are having difficulty coming to grips with the complexities of cyber defense. Such efforts would be far from altruism; in the cyber domain, perhaps more than in any other, our partners’ vulnerabilities are often our own.
The stronger we build our virtual walls, the more our opponents will seek indirect ways to access U.S. information, and there is plenty of it on foreign servers. For example, much is shared to support the execution of a geographic combatant commander’s Theater Campaign Plan. During the coordination and execution of Joint Chiefs of Staff exercises, Joint Combined Exchange Training, and Foreign Military Sales, the U.S. reveals data about weapons and even individual personnel. As the U.S. seeks to help allies improve their military operations, it often shares and exchanges sensitive tactics, techniques, and procedures. Even innocuous-seeming information (unclassified, or For Official Use Only) can be stolen and exploited by adversaries, who aggregate it into a picture no single document reveals. And the threat extends beyond government and military secrets to U.S. corporations’ business information and trade secrets.
Few partner nations have adequate cyber security measures to protect this U.S. data, even those with the budgets and expertise to mount advanced defenses. Longtime U.S. partner Saudi Arabia saw large-scale destruction of data across Saudi Aramco’s networks and systems in attacks attributed to Iran. In South Korea, where the U.S. exchanges extensive data as part of its shared defense of the Korean peninsula, North Korea and China are suspected of having gained access to portions of the defense plan through a compromised USB thumb drive in 2009. In Japan, which hosts forward-based U.S. forces, exercises, and FMS efforts, U.S. information is exposed to attack by China, Russia and North Korea.
The situation is even worse in developing nations. Many do not have dedicated military or government networks; instead, they conduct official military and government business using commercial email providers such as Yahoo!, Gmail, and Hotmail. This use of common commercial addresses facilitates phishing: an adversary can create a plausible-looking Gmail account in minutes, and mail sent from it passes the provider’s own sender authentication, whereas spoofing a .mil or .gov address means defeating the sender authentication those domains can enforce. When legitimate orders already arrive from Gmail, a lookalike account is indistinguishable to the recipient without some out-of-band check. Similarly, a significant number of military leaders in developing nations use computers they have personally purchased for their own use. Such machines are very likely to be running unpatched or already-compromised software.
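The two halves of that phishing point, as an added example that is not part of the article: a forged official-domain address has to survive the domain’s own sender authentication, so a mail gateway can catch it from the Authentication-Results header, while a lookalike freemail account authenticates perfectly and is only caught by comparing the sender against who the person actually is. The official domain (example.mil), the roster, and the sample messages below are all constructed for illustration.

```python
"""Triage heuristic for official business conducted over commercial email.

Added example, not code from the article. Check 1 catches a forged
official-domain sender via the gateway's DMARC verdict; check 2 catches a
lookalike freemail account by comparing the display name against a roster
of the addresses officers are actually known to use.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the partner's official mail domain, and the
# commercial providers its officers are known to use for official business.
OFFICIAL_DOMAINS = {"example.mil"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed roster: display name -> the address that officer actually uses.
# One officer genuinely works from Gmail, as the article describes.
ROSTER = {
    "col. a. mensah": "a.mensah@example.mil",
    "maj. r. okafor": "r.okafor.ops@gmail.com",
}


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the gateway's Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def assess(raw_message):
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # Check 1: a message claiming the official domain must carry a DMARC pass;
    # a spoofed .mil From: normally fails this at the receiving gateway.
    if domain in OFFICIAL_DOMAINS and auth_results(msg).get("dmarc") != "pass":
        findings.append("official domain in From: but DMARC did not pass (likely spoofed)")

    # Check 2: compare the display name with the roster. A lookalike Gmail
    # account passes every authentication check, so this is the only check
    # that catches it.
    known = ROSTER.get(name.strip().lower())
    if known and known != addr:
        findings.append(f"display name belongs to {known} but message is from {addr} (lookalike)")
    elif known is None and domain in FREEMAIL_DOMAINS:
        findings.append("freemail sender not on roster; verify out of band before acting")
    return findings


# Constructed sample messages, one per case.
SAMPLES = {
    "spoofed_official": (
        "From: Col. A. Mensah <a.mensah@example.mil>\n"
        "Authentication-Results: mx.example; spf=fail smtp.mailfrom=example.mil;"
        " dkim=none; dmarc=fail header.from=example.mil\n"
        "Subject: Movement order\n\nMove at 0400.\n"),
    "lookalike_freemail": (
        "From: Col. A. Mensah <a.mensah.mil@gmail.com>\n"
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=gmail.com;"
        " dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com\n"
        "Subject: Movement order\n\nMove at 0400.\n"),
    "legit_freemail": (
        "From: Maj. R. Okafor <r.okafor.ops@gmail.com>\n"
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=gmail.com;"
        " dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com\n"
        "Subject: Roster\n\nAttached.\n"),
    "legit_official": (
        "From: Col. A. Mensah <a.mensah@example.mil>\n"
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=example.mil;"
        " dkim=pass header.d=example.mil; dmarc=pass header.from=example.mil\n"
        "Subject: Roster\n\nAttached.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", assess(raw) or ["clean"])
```

The lookalike case is the one the article is warning about: every authentication verdict on that message is a pass, because the mail really did come from Gmail. Only the roster comparison distinguishes it from the officer who legitimately uses a Gmail address, which is why a partner force that works over commercial email needs a maintained roster and an out-of-band verification habit, not just a mail filter.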
Moreover, many of these nations have leapt from little connectivity to ubiquitous mobile telephony and computing in the past decade or so. The authors have personally witnessed senior foreign military officers using commercial mobile phones to send text messages containing orders for forces conducting combat operations. In many cases, the infrastructure that facilitates this was built by U.S. competitors. In Africa, wrote Foreign Policy’s John Reed, Chinese IT firm Huawei “isn’t just providing cell phones, towers and fiber-optic cable and then turning them over to local businesses. The telecom giant ... is often running these networks for the local communications providers and the government.”
So U.S. security cooperation and cyber planners must begin looking at ways to decrease these vulnerabilities through engagement, training, and equipment provision. The sharing of basic passive defensive measures, network “hardening” procedures, some forensic detection techniques, and intelligence on cyber threats should all be written into country-specific security cooperation engagements.
Initial emphasis should be on improving partner capabilities in passive (procedural) and defensive countermeasures. Training in the DoD Information Assurance Certification and Accreditation Process (DIACAP) can be tailored for the host and partner nations and would provide a common set of standards. Pre-deployment training for U.S. military personnel should also address mitigating cyber security risks. User training is usually a very cost-effective method for improving network security. Many of the same passive techniques used to protect personally identifiable information could be modeled during training engagements with partner forces.
Next, U.S. military forces could establish agreements to share information about cyber threats and responses, along the lines of the ones that currently exist for technical intelligence. These could facilitate the sharing of information that is not available to civilian organizations. (Obviously, the sharing of offensive cyber capability and knowledge by the U.S. will be done with only the most trusted allies and partners.)
These agreements could lead to the expansion of Subject Matter Expert Exchange and Mobile Training Team programs to provide training in cyber operations and defense. Given the nature of cyberspace, there is opportunity for remote training, which also provides a substantial cost savings by reducing requirements for personnel to travel. Through the sharing of approved TTPs and lessons learned, the U.S. can help partners build a trained cadre of military cyber personnel.
In particular, it would be productive for U.S. military forces to help establish Computer Incident Response Teams (CIRTs) within partners’ militaries and intelligence services. Many U.S. government agencies, and even commercial enterprises, have such teams, which share threat data and coordinate incident response internally and even with like organizations in some partner nations. But aside from a few allies, U.S. and partner militaries currently have no similar arrangements. Indeed, many partners do not possess even the most basic ability to respond to a cyber attack. We spoke with a U.S. government contractor who discovered during a combined counterterrorism activity with one developing partner that its intelligence and police services had no such capacity at all. The lead investigator did not know how to retrieve deleted files or how to open a forensic image.
In addition, the military services each have specialized computer crime organizations, such as the Air Force Office of Special Investigations, the Army Criminal Investigation Division (CID), and the Naval Criminal Investigative Service. U.S. Cyber Command, for its part, brings together the disparate cyber functions from throughout the services. All of these organizations provide excellent opportunities for engagement with partner nations.
Such cyber engagements would also give the U.S. the opportunity to showcase the capabilities of U.S.-manufactured equipment and software, thereby providing additional venues for FMS and commercial sale of U.S. products. This modern equipment would not only assist in hardening and improving a partner nation’s cyber infrastructure, but would also provide the U.S. with forward platforms that could support its own operations. This would provide a countercapability to match competitors, like China, who provide cyber infrastructure and operations via parastatal companies that have murky relationships with their own nations’ intelligence services.
To sum up, cyber operations must be part of the overall U.S. strategy of building partner relationships and capabilities — not just for their sake, but for ours.