It has become relatively commonplace in policy and military circles for the term ‘cyber’ to be attached to lists of both threats to and enablers for traditional airpower capabilities. Cyberweapons are without doubt an important tool in warfare, espionage, and deterrence. The potential attack surface against which they can be employed is increasing rapidly as ever more of the fabric of society becomes digitized and network-enabled. However, the tempo and nature of the processes by which military-grade cyber capabilities can be developed and deployed are regularly misunderstood in non-specialist circles. Confusion over where the boundaries lie between offensive electronic warfare and cyber capabilities can further distort public discussions of how these important capabilities fit into conventional military operations, and the application of airpower, in particular.
Broadly, the fundamental dividing line between electronic warfare (EW) and cyber is that where offensive EW capabilities are designed to interact with hostile systems using electromagnetic energy emissions, offensive cyber capabilities are designed to interact with hostile systems using data in the form of code. In practice, the boundaries between the two spheres of operations are often somewhat blurred. This is especially true as an increasing number of platforms such as the US Navy’s EA-18G Growler and the F-35 Lightning II are fielded with systems and sensors which can potentially interact with enemy systems using both EW and cyber techniques, and in some cases transition quickly from one to the other in flight.
There are also similarities in that designing effective military EW and cyber capabilities requires a detailed understanding of the target systems or networks, which must be refreshed frequently in order to remain relevant. However, the timescales involved in developing electronic attack capabilities and offensive cyber capabilities against military systems are very different. This is because of how cyberattacks work.
A military cyberattack functions, in essence, by the accessing, alteration, or deletion of data held within a hostile network. This is done in the virtual domain so as to achieve an effect in the real world. As such, a cyberattack can serve a wide range of purposes depending on what data is being accessed and what its intended function is within its host network and/or system. Effects of a successful attack range from gaining detailed intelligence on how threat systems work, preventing a target system from performing its function correctly, temporarily disabling key functions, or even causing it to malfunction in such a way as to cause physical damage.
However, before any desired effects can be designed into a cyber payload, an attacker must work out what data is held in which adversary networks, and what coding languages and programming logic are being used in those networks. Many civilian networks use commercially available and, therefore, easily understood coding languages and logic. This makes penetrating and subsequently exploiting such systems significantly easier than penetrating sensitive military systems, which are purpose-built and regularly monitored. In either case, a cyber attacker must gain an initial access point to discover and then extract data to reveal what is stored on a given network and how it is coded.
This vital first step in planning any cyberattack must be done without the data breach being identified as a hostile presence. In the case of bespoke military systems, this task is made more difficult by the fact that the attackers will not be initially familiar with the coding language and rules of the network, and thus will struggle to mimic legitimate network traffic well enough to avoid rapid detection.
If an attacker is detected, then they will not only be rapidly isolated from the network, but may also be counter-attacked using the gateway connection they have created. The most sensitive military systems are also generally air-gapped, which means that they have no interfaces, either wired or wireless, to outside networks or the wider internet. As such, in order to conduct initial network reconnaissance, attackers will need to bypass physical isolation measures and then set up a remote access connection for data exfiltration and future penetration attempts.
Once a network has been identified as containing useful target data for theft, modification, or deletion, an attacker must attempt to bypass security measures and gain control over administrator accounts which will then grant the necessary permissions. Since almost all military and sensitive civilian systems are protected by multifactor authentication security measures, this either requires human intelligence assets to willingly or unwillingly give up passwords, keys, and biometrics, or hacking to bypass those security measures.
Hacking involves finding ambiguities or errors in the coding of a network that can be exploited to bypass the need to enter authentication information. Most complex systems have potential vulnerabilities, but sensitive networks will also be checked and patched regularly to remove any that are discovered by chance or exposed by a detected attack attempt.
Once access to the required administrator nodes is gained by an attacker, they can leverage them to alter and insert data, including cyber weapons. A cyber weapon is a package of code, typically carefully calibrated to perform a specific function within a specific networked system while making attribution and detection as difficult as possible for defenders. Once inserted successfully, a cyber payload may be triggered immediately. However, if it is intended to be used in the future, it must either be coded to trigger automatically when certain conditions are met, or access must be re-established to trigger it at the desired point in time.
Many military systems operate under an emission control posture for extended periods when operating against modern opposing forces, and in the case of ships, mobile surface-to-air missile (SAM) systems, and aircraft in flight, they are also physically isolated from most potential access methods. Software is also regularly updated and patched, which can result in the vulnerability used for access being closed, deliberately or inadvertently, before a cyber weapon’s payload can be triggered.
Software updates can also change the internal logic of a system such that a previously emplaced cyber capability no longer functions as intended when triggered. Furthermore, military networks tend to be protected by real-time monitoring of all traffic across the limited number of known access points. Therefore, each access attempt to either trigger, assure or update an emplaced cyber weapon capability risks detection and subsequent purging or counterattack by the network defenders.
The practical upshot is that developing a cyber capability against a sensitive hostile military asset such as air defense early warning networks, aircraft avionics, or intelligence processing systems takes years of concentrated effort and carries significant risks of discovery and attribution. Furthermore, once established, there is no guarantee that the capability can be triggered on-demand in support of a future kinetic operation, nor that it will not be discovered or patched into irrelevance by enemy cyber defenses before it can be used.
There is also no way to predict with certainty the various potential second and third-order effects if the payload escapes beyond the confines of the system it was designed to attack. Therefore, such capabilities are viewed in most nations as strategic level military tools, and knowledge of their existence, capabilities, and limitations is held at a very high level of classification. Release authorization is also typically held at a much more senior level of the military and political command structure than conventional military assets.
The length of time required to establish capabilities in sensitive, hostile networks, and the difficulties of assurance and triggering for emplaced payloads significantly affect how cyber capabilities interact with the air domain. One of the most important uses of cyber capabilities over the medium to long term is to gather sensitive information about critical enemy systems such as radars, missile guidance logic, or seeker performance. Such data is critical for programming effective aircraft countermeasure systems, electronic warfare suites, optimizing tactics for terminal missile evasion, and far more.
Publicly acknowledged cyber breaches aimed at obtaining this sort of information on American air systems suggest that most state attacks target the industrial supply chain rather than bespoke military systems. This would make sense since the supply chain in many modern aerial combat and air weapons programs is multinational and diverse, which makes finding vulnerabilities and networks with lax security measures easier for attackers. It also has implications for the potential areas of vulnerability for combat air capabilities to more direct cyberattacks in a future conflict.
The closed and heavily monitored nature of most avionics and mission systems makes direct cyberattacks on aircraft and command systems difficult (although perhaps not impossible) for adversaries to accomplish in practice. However, it would not be surprising if less heavily defended ancillary logistics and industrial supply networks suddenly started to malfunction or fail during critical phases of a future state-on-state conflict as a result of previously embedded hostile cyber payloads.
If spare parts are not delivered reliably, then even the simplest combat aircraft will rapidly lose effectiveness, as fleets are cannibalized to maintain a steadily decreasing number of jets ready to fly and fight. If munitions and fuel cannot be supplied, then effectiveness and sortie rates will drop even more rapidly. As the extent of digitization of the supply and maintenance chain on which western air forces depend becomes ever greater, the potential attack surface also expands.
It is impossible to assure every aspect of the enterprise against sophisticated and dedicated state attackers all the time. Therefore, the best defense against a potentially crippling cyberattack targeting key air assets in wartime might well be to increase the level of redundancy and extra capacity in the maintenance and spares system to reduce the impact of attacks when they inevitably occur. This would also have significant potential benefits in terms of improving overall availability but as always, the limiting factor that constrains such ‘inefficiency’ in peacetime is cost.
In terms of real-time cyber enablers for conventional operations, the first key question for air forces is: which enemy systems have been infiltrated and implanted with relevant cyber payloads capable of causing operationally useful effects? If the conflict in question is against an adversary nation or in an area that was not a major focus for defense planners prior to the outbreak of hostilities, then it is unlikely that cyber payloads are already in place. Given the time scales required to develop and successfully install them, cyber professionals cannot simply create operationally relevant effects from scratch at short notice. However, critical assets such as the air defense networks of well-established adversary nations are likely to have been the target of longer-term efforts, and there may be useful payloads in place either in the main systems themselves or within ancillary systems upon which they depend.
The second question at that point is whether the officers planning an airstrike at the operational level are aware that a potentially useful cyber capability exists. Offensive cyber capabilities are some of the most highly classified national security tools. Even if planners are aware of the existence of a potentially useful cyber capability, they may well lack the authority to authorize its use in support of conventional strike operations. High-end cyber payloads embedded within important components of a state adversary’s defenses take years to develop and emplace, and once used will be rapidly discovered, patched out, and potentially attributed. The adversary will also gain detailed knowledge about the techniques employed as they examine the code within the payload, which could help them improve their own offensive cyber capabilities over time. Therefore, the authority to use them will be vested at a very senior level, most likely head of state or at least Joint Chiefs level.
If the capability is known and can be authorized in sufficient time to be incorporated into the planning process for a conventional air operation, the third vital question is whether it can be coordinated sufficiently closely with the precise timings of aircraft movements and weapons releases.
The emergence of Active Electronically Scanned Array (AESA) radars as a primary sensor and emitter on modern combat air platforms does offer a potential way to remotely trigger previously emplaced cyber payloads in enemy systems. Since any radar must be, by its very nature, a receiver that transmits an interpretation of electronic signals as encoded data into a network, AESA radars can be used to interact with enemy air defenses in a more sophisticated manner than traditional EW.
With a sufficiently detailed understanding of an enemy radar system and the way it interacts with the wider defense network, airborne AESA radars could be used to either transmit coded activation signals for a previously emplaced cyber payload, or electromagnetic energy patterns designed to be recognized as a trigger signal by the payload when they are picked up by the hostile radar.
However, bearing in mind the difficulties in assuring remote triggering access and proper functioning of a previously installed cyber payload in an enemy system, any air operation which includes cyber enablers must accept a significant risk that the cyber capability does not work as expected. Furthermore, once used, an adversary will quickly dig out and identify the code in question, so cyber payloads – while potentially capable of causing significant disruption at key moments – tend to be single-shot weapons with temporary effects.
In the air domain, cyber weapons are best thought of as tools that can help open a temporary window of vulnerability for a major strike force, given sufficient preparation time, permissions, and understanding across multiple command levels. The challenge they pose to air forces is primarily a persistent disruptive threat to information security, ancillary systems, and logistics chains. For rapid, on-demand degradation of key enemy sensors and weapons systems, however, kinetic strikes and digitally-enabled electronic warfare remain far more important.
Justin Bronk is a Research Fellow for Airpower at RUSI