The document discusses how the Revolution in Military Affairs and the push for network-centric warfare have left military networks vulnerable to cyber attacks. It outlines several past failures in securing military IT systems and networks that have allowed data theft and malware infections. The document warns that without improved security, future conflicts could involve crippling cyber attacks that undermine military communications, intelligence, and weapon systems like drones and the F-35 fighter. It defines cyberwar as using cyber attacks to support military force and outlines how a "Cyber Pearl Harbor" could involve defeating US forces through gaining information dominance in a conflict.
The Revolution in Military Affairs has Set the Stage for Cyberwar
1. The Revolution in Military Affairs has Set the Stage for Cyberwar
Richard Stiennon
Chief Research Analyst
IT-Harvest
Executive Editor
securitycurrent.com
twitter.com/cyberwar
securitycurrent
3. 1996 Taiwan Straits Crisis
"Admiral Clemens was able to use e-mail, a very graphic-rich environment, and video teleconferencing to achieve the effect he wanted", which was to deploy the carrier battle groups in a matter of hours instead of days.” -Arthur Cebrowski
USS Nimitz and USS Independence deploy to Taiwan.
4. The Revolution in Military Affairs
• Roman centuries
• Long bow and battle of Crecy
• Napoleon’s staff command
• Machine guns
• Mechanized armor, blitzkrieg
5. The Modern RMA
• Operation Desert Storm leads to:
• Russian assessment of precision weapons
ISR
C&C
7. Arthur Cebrowski: Evangelist
“Network Centric Warfare should be the cornerstone of transformation. If you are not interoperable you are not on the net. You are not benefiting from the information age”.
8. The Dream
Total Situational Awareness eliminates “the fog of war”
Red Team - Blue Team identification
Central Command and Control. Distributed battle command.
Networked Intelligence, Surveillance, Reconnaissance (ISR)
10. IT-Harvest Confidential
Deja vu all over again
We’ve seen this story played out before in the enterprise.
First: network everything. Take advantage of connectivity and ubiquity to re-invent commerce, social interactions, and communications.
Second: succumb to attacks from hackers, cyber criminals, hacktivists, and nation states.
Finally: layer in security.
11. How the Military Failed in Security
April 1, 2001 a Navy EP-3E was forced down and captured by China. Top secret OS compromised.
In 2008 China blatantly flooded communication channels known to be monitored by the NSA with decrypted US intercepts, kicking off a major re-deployment. SEVEN years too late.
12. How the Military Failed in Security
Pentagon email servers p0wned 2007
Terabytes of data exfiltrated to China from the Defense Industrial Base. The target? Joint Strike Fighter design data.
13. Military IT Security Failures
The Wake Up Call
BUCKSHOT YANKEE
Agent.btz introduced via thumb drive in a forward operations command (Afghanistan?)
EVERY Windows machine re-imaged in the entire military (3 million +) at a cost of $1 Billion.
17. SATCOM Vulns
• “We uncovered what would appear to be multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms.” - IOActive
18. Software Assurance maturity came after most new weapons platforms were sourced.
One Air Force study of 3 million lines of code revealed:
One software vulnerability per 8 lines of code
One high vulnerability per 31 lines of code
One critical vulnerability for 70 lines of code
19. The F-35 Joint Strike Fighter
“JSF software development is one of the largest and most complex projects in DOD history.”
-Michael J. Sullivan, Director Acquisition and Sourcing Management for the DoD
20. The F-35 Joint Strike Fighter
• Nine million lines of onboard code could mean 128,000 critical vulns
• 15 million lines of logistics code could mean another 214,000 critical vulns
• What could possibly go wrong?