Protecting the Digital Achilles Heel of Defence Capability & Operations

Capabilities with competitive advantage also bring new vulnerabilities

In general, any new capability that has given us a competitive edge has also introduced new vulnerabilities. A recent example is the introduction of GPS and other navigation systems. When it became widespread in the 90's, the risk of getting "geographically embarrassed" was reduced. Colleagues in the army bought consumer GPS receivers for personal use on exercise and operations, with the capability proving a significant advance. The joke that "the most dangerous thing in the combat zone is an officer with a map" became less relevant. However, skills like map reading need to be learned and practised. The more we rely on aids, the more we atrophy muscle memoryⁱ. How many of us follow phone directions only to realize we haven't learned the route and have no feel for the environment we’ve travelled throughⁱⁱ?

The effect is organisational as well as individual. The drive for efficiency with digital transformation has led to fragility, with the loss of capacity and capability when digital services are disrupted. The global IT failure caused by CrowdStrike overnight 18/19 July 2024ⁱⁱⁱ demonstrates this clearly. In just a few hours, a software update crashed 8.5 million computers around the world, severely disrupting banks, airlines, rail services, healthcare and other critical services. Maintaining full capacity in a reversionary mode is not economically viable once core business processes have been digitally optimised. But reducing the likelihood and impact of a systemic incident like this requires systems to be designed with resilience from the outset.

[It] has led to fragility, with the loss of capacity and capability when digital services are disrupted.

Good cyber and data security is about much more than preventing data leaks

It is natural to think data security is primarily about preventing someone from stealing secrets. Granted, this has been an important consideration since spies first operated. It is why we classify and compartmentalise information.

However, confidentiality is only part of the problem. If we look at trends over the last decade, many of the most damaging attacks have been ransomware with the attackers denying their victims the ability to access their information until they pay the fee.  

It is also vital to ensure information isn't covertly modified. I have always found it a fascinating aspect of human nature that people frequently assume the information presented on a computer is totally accurate when they would not have similar trust in information given to them by a human^iv. When serving, I saw staff officers assume a unit's location displayed on a digital map was accurate to within metres and always up to date. They knew, though, that the underlying information had been reported by a human to another human, over the radio, from time to time, and as an approximate six-figure grid reference. That belief contrasts with the physical map table, where the information was recognised as inherently vague and out of date.

People frequently assume the information presented on a computer is totally accurate when they would not have similar trust in information given to them by a human.

Protecting the availability of information and preventing its modification is just as important as preventing it from falling into the wrong hands.

Why do we need to care; what is the threat?

What must we protect to preserve our fighting power and freedom of manoeuvre on military operations? We first need to step above the world of bits and bytes and decide what malign intents might target us. How could malicious actors undermine military capability? The following are just a few examples, but they illustrate that the systemic nature of our digital landscape makes the risks far more complex and nuanced than they may first appear.

Espionage

Espionage is as old as human conflict. Two and a half thousand years ago, Sun Tzu wrote a whole chapter on the importance of espionage and the use of spies. It is practiced across all contexts from the grand strategic and political levels^v down to the compromise of tactical communications and devices^vi. Espionage is also rife across the defence industrial base to gain insight and intellectual property about future weapon systems so that they can be countered and copied^vii.  

Capability Denial

‍Even with Mission Command to empower and delegate, any operation relies on the efficient flow of information and commands to exploit opportunities and achieve the desired effects. This makes Command and Control capabilities a ripe target. One hour before Russia launched its full-scale invasion, it attempted to disrupt Ukraine's C2 capabilities by executing a cyber-attack on the communications company Viasat^viii. Disruption of communications bearers is an obvious approach, but a widespread attack on networked computers would be more complicated to recover from. And as we realise the vision of an "Internet of Military Things" described recently by the UK Chief of General Staff^ix by networking all elements of battlefield equipment, digital denial could extend across those platforms, disrupting intelligence, logistics, mobility and fires.

Subversion & Deception

‍Subversion and deception are already directed at our personal lives. Phishing attacks, spoofed websites, fake news, trolls and bots all attempt to manipulate the way we think and act. A notable case involved an AI-generated deep-fake of a company CFO on a video conference call, leading to criminals defrauding UK Engineering firm Arup by HK$200m (US$25m)^x. It may be a while before we see Microsoft Teams in the trenches, but reachback from formation headquarters to the home-base is nothing new. Are we prepared for remote support into theatre provided by partners and suppliers, being used as a vector to conduct highly realistic live deception and socially engineered attacks like the one Arup experienced?

An AI-generated deep-fake synthesis of the company CFO on a video conference call led to the criminals defrauding UK Engineering firm Arup by HK$200m.

Degradation of the Moral Component

‍The moral component – the ability to get people to fight – is the pre-eminent of the three essential elements that make up fighting power according to UK defence doctrine^xi. Many things would influence it, but a sense of confidence in the security and well-being of a soldier's family at home is a key one. What if the family at home couldn't access money because the military payroll system had been attacked? How quickly would force motivation and cohesion on operations deteriorate?

What is being done, and what more should we do?

The UK government has recognised the threats and risks for some time and has done a lot to reduce them. Cyber security has been recognised as a fundamental part of national security for over a decade^xii, with the Defence Industrial Sector identified as critical national infrastructure^xiii. The MOD's recent shift in governance policy to demand that systems are Secure by Design^{xiv xv}, and that a programme's Senior Responsible Officer takes ownership and responsibility for risk, is significant progress.

However, threats and risks are not static. Foreign state hacks, both covert and overt, have risen with geopolitical instability^xvi. In the most recent National Cyber Security Centre's annual review, they specifically described the intensity and pervasive nature of the cyber threat from Russia^viii. Cyber-attacks against our information, digital services and infrastructure will be a core component of any hybrid war, not least because of their deniability. We can see this today with attacks that closely correlate with the Kremlin's interests and motivations, such as the recent attack by Russian hackers on NHS partners in London^xvii.

Cyber-attacks against our information, digital services and infrastructure will be a core component of any hybrid war, not least because of their deniability.

Fragile networks are only as strong as their weakest link. For some time, the defence "network" has spanned the wider defence enterprise, which extends deep into the supply chain. Our need to maintain technological advantage and agility means we will need to source innovation far beyond the traditional Defence OEMs. And we will need to get updates into theatre quickly and frequently. This makes the supplier of a digital "widget" part of the operational network, even if they’re not connected to it.

This makes the supplier of a digital "widget" part of the operational network, even if they aren’t connected to it.

So, the extended network is expanding and becoming increasingly operationally critical. And the capabilities and motivations of the geopolitical threats we face are evolving. What was adequate five years ago is unlikely sufficient for the next five. There are many steps that can be taken to respond to this change, and the following three focus on resilience in the extended defence network:

Threat Escalation Contingency Planning

‍All networks have non-critical capabilities that deliver softer benefits and efficiency. But every piece of software, network segment, or service presents a part of the surface that can be attacked. When the threat escalates, we can reduce our attack service by pre-emptively switching off non-core services, and further segmenting critical capabilities, all at the expense of efficiency^xviii. There is evidence that Ukraine's resilience in the face of Russian cyber-attacks in 2022 benefited from this preparation^xix. Preparing and testing these measures takes time and imposing it on suppliers will also have commercial consequences.

Enhance Continuous Supplier Assurance

‍Supplier assurance for cyber risk has been an element of MOD risk management for some time, albeit the tools to facilitate it have been limited since the Octavian Supplier Cyber Protection Service was retired without replacement in 2021^xx. However, when the scope of the networks at risk increases and the threats evolve, we need to change our posture. This will affect the suppliers to focus on, the questions we ask, and the standards we expect. Assurance needs to be flexible and dynamic. Threat changes may require targeted or widespread reviews at short notice, with commercial as well as practical implications.

Cyber Stress Testing

‍The Bank of England introduced its Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST^xxi) in 2014 to assure operational resilience in the UK financial sector. Implementing the Defence equivalent of CBEST would take some significant time and effort to deliver results. Without this type of activity though, there is insufficient objective evidence that risk and resilience are tolerable.

Conclusion

Our demographics and the moral value we place on life as a society mean our military's ability to deter and, if necessary, defeat a belligerent nation-state will rely on it exploiting technological advantage. The evolution of conflict in Ukraine also demonstrates that industry will need to be able to deliver digital enhancements to that technology rapidly into theatre to maintain an advantage. But this introduces vulnerabilities well beyond the boundaries of Government departments and their Tier 1 suppliers. If the enemy can exploit these vulnerabilities, the impact would be significantly greater than the equivalent just a few decades ago.  

The increased dependence on agile, reachback support from suppliers makes the supply chain an extended part of the networked battlespace, and their security and resilience are critical components of the risk calculus. A lot of progress has been made over the last ten years, but that period has also demonstrated what we should expect a cyber-capable adversarial state to do against us. To prevent and, if necessary, prosecute a war in the future, we need to not just maintain, but significantly enhance our management of risk in the Defence supply chain.  

References

^[i] Journal of Pragmatics, Apr 2021, Naomi S Baron “Know what? How digital technologies undermine learning and remembering”

^[ii] Nature, Mar 2016, Roger McKinlay “Technology: Use or lose our navigation skills”

^[iii] Financial Times, Jul 2024, “The global IT outage: As it happened”

^[iv] ScienceDaily, Apr 2021, University of Georgia “People may trust computers more than humans”

^[v] BBC News, Mar 2024, “Russia publishes German army meeting on Ukraine”

^[vi] Royal United Services Institute, July 2024, “Russia’s Cyber Campaign Shifts to Ukraine’s Frontlines”

^[vii] Wall Street Journal, Apr 2009, “Computer Spies Breach Fighter-Jet Project”

^[viii] UK National Cyber Security Centre, 2023, “NCSC Annual Review 2023”

^[ix] Financial Times, Jul 2024, “UK has 3 years to prepare for war, says army chief”

^[x] Financial Times, 17 May 2024, “Arup lost $25mn in Hong Kong deepfake video conference scam”

^[xi] UK Ministry of Defence, Nov 2022, “UK Defence Doctrine (JDP 0-01)”

^[xii] UK Cabinet Office, Jan 2022, “Government Cyber Security Strategy 2022-2030”

^[xiii] UK Cabinet Office, Feb 2019, “Public Summary of Sector Security and Resilience Plans 2018”

^[xiv] UK Ministry of Defence, May 2022, “Cyber Resilience Strategy for Defence”

^[xv] UK Ministry of Defence, Jul 2023, “Industry Security Notice: Secure by Design Requirements”

^[xvi] Microsoft, Nov 2022, “Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression”

^[xvii] BBC News, Jun 2024, “Cyber attack on hospitals impacts 1,130 operations”

^[xviii] Justin Bronk & Jack Watling, Dec 2021, “The Slow and Imprecise Art of Cyber Warfare”

^[xix] The Wavell Room, Jan 2023, “Ukrainian observations on combat and command”

^[xx] UK Ministry of Defence, May 2024, “Defence Cyber Protection Partnership”

^[xxi] Bank of England, “CBEST Threat Intelligence-Led Assessments”