JHU/APL Rethinking Seminar Series
Rethinking Global Security Constructs,
Threats and Potential Responses
www.jhuapl.edu/rethinking
18 February 2016
Colonel Michael Brown (USMC, ret)
Johns Hopkins University Applied Physics Laboratory
Rethinking Cyber Warfare
Notes:
1. The opinions expressed by the speaker are solely his own and do not necessarily represent the
opinions of the Johns Hopkins University Applied Physics Laboratory.
2. Below are informal notes taken by a JHU/APL staff member at the Seminar.
3. Links to the video, audio, bulletized notes, and any presentation files for this and past seminars
can be found on www.jhuapl.edu/rethinking and the JHU/APL YouTube Playlist.
Introduction
Colonel Brown began his discussion of the growing convergence of cyber espionage, cyber crime, and
cyber warfare by noting how much cyber has become part of our lives. iPhones weighing only ounces
and costing a couple hundred dollars can now be used for running GPS applications, tracking stocks,
providing various forms of communications including email, and much more. Only 46 years ago Apollo
11 took a 75-pound computer to the moon that cost about $3.5M and had about 1300% less computing
power than today’s average iPhone. Given that we can expect major technological leaps forward every
18 months, cyber problems are likely to increase.
Cyber Case Studies
The Maroochy Shire Incident (Australia, 2000)
 A computer expert, Vitek Boden, who was turned down for a government job near Brisbane,
decided to take revenge using only a notebook PC and a radio transmitter
 Boden had been working for a company that installed SCADA (supervisory control and data
acquisition) systems for a local wastewater facility
 In a 2-month time frame Boden was able to take control of the wastewater facility 46 times and
spilled over 250,000 gallons of liquid human waste into nearby river, causing $1M in damage
Stuxnet – The Gold Standard in Cyber Attacks (Iran, 2010)
 What made Stuxnet so effective and so dangerous was that it was designed like nesting dolls with
several key components having probably been introduced from a thumb drive
 Basically, a worm that was capable of propagating itself, entered into the SCADA system which
controlled about 19,000 centrifuges involved in uranium enrichment
 Two rootkits were also installed – one to hide the malicious code which was put into the
operating system and one so that operators could not see what was happening with the centrifuges
o Operators believed that the equipment was working correctly but the centrifuges were
made to spin at a much higher rate than normal
 As a result, thousands of centrifuges were ruined
Saudi Aramco (Saudi Arabia, 2012)
 Believed by some to be Iran’s response to Stuxnet
 The oil conglomerate’s computer network was struck by a self-replicating virus that
infected and ruined up to 30,000 of its 50,000 computers
 A month later Wall Street firms started seeing similar denial of service attacks
o The situation got so bad that the US military offered to help
o Little came out publicly since the firms didn’t want to scare investors and depress
the market
Other Threats
 Edward Snowden in 2013 took vast amounts of NSA material to Hong Kong, provided it
publicly, and is now living in Russia to avoid his indictment under the 1917 Espionage
Act
 Russia has apparently launched cyber attacks against Ukraine and other foreign entities
 A young hacker used social engineering to get into the private email accounts of CIA
Director, John Brennan
 Bottom line: This is the new norm and will be getting worse as our world and our
electronic devices become more interconnected, giving adversaries more opportunities
Cyber History
1930s: Alan Turing proposed concepts that would lead to computers and the internet
1946: The US Ballistics Research Lab built the first operational computer to help with artillery
calculations
1960s: ARPA, UCLA, and Stanford found a way for early computers to talk to each other
1970s: Personal computer modems, Apple II with a color interface, and a keyboard and mouse were
introduced
1979: NORAD accidentally loaded exercise tapes into their computers making it appear to operators as if
thousands of Soviet missiles were on the way
1983: The movie WarGames came out
o Then: no one knew what a hacker was and the lead actor in WarGames was told his
character was to be bright but unmotivated
o Now: We must deal with hackers who are extremely bright and extremely motivated
1984: Tim Berners-Lee invented the world wide web
1991: First web page was written – now there are over 30 billion webpages
2000: Internet had 360 million users with the number growing to 2 billion by 2010
2008: Malicious worms appeared but the game changer was the 2010 Stuxnet – a weapon that no one has
yet claimed, showing that we can no longer be sure who the adversary is because all of it was happening in code
2009: US Cyber Command was established
2013: Joint Staff agreed to a Cyber Mission Force of about 6,300 cyber warriors probably in response to
Saudi Aramco and Wall Street cyber attacks—at a time when the overall forces are being drawn down
Cyber Adversaries
 Most sophisticated: Russia
o Big problem is that those attacked may not even know the Russians are in their systems
o Russian hackers have created a variety of problems in Estonia, Ukraine, Georgia, etc.
o Putin just added $500M to the military budget to increase cyber capabilities
o Russian hackers are using these denial-of-service attacks to test what they could
do against the West
 China has the next best capabilities but has been concentrating on stealing intellectual property
o Best example is the very close resemblance between China’s newest fighter jet, the J-31,
and the US Joint Strike Fighter
 Iran has carried out attacks mostly in the financial and utilities sectors
 North Korea is best known for the attack against Sony Pictures and has recently added 6,000
more people to its cyber attack efforts
 Lesser tier
o Syrian Electronic Army since 2013 has attacked the Associated Press, the White House,
Facebook, and others
o Non-state hacktivists have caused a growing number of problems, especially the group
Anonymous
 Lowest tier
o Problem: Distinctions between hacktivists and state-sponsored actors have been blurring
 Russia in particular has used hacktivists as cut-outs for their actions
 Likely to see more of this
o ISIS was effectively using Facebook and Instagram for comms and C2 of operations
 Then moved to PlayStation once they knew they were targeted on Facebook
 Their success in drawing young people to their views is aided by the fact that
young people are so completely tied into using these social media systems
The Operating Environment: Crime vs. Espionage vs. War – Blurred Lines and Motivations
 The Obama Administration defined cyber warfare as activities that would have a significant
consequence
o However, the attack on Sony Pictures allegedly by N. Korea was not considered war
while it did cause significant consequences to a large multi-national organization
 Complicated by the difficulty of proving that the culprits were N. Korean
o For retaliation, we normally use proportionality and discrimination – a concept that
works in the laws of war but can’t really be used in the cyber domain
o Adversaries may also use cut-outs, which may be operating across the globe from where
the attack was perpetrated
 US response capabilities
o The first slide below identifies government entities and their roles in the cyber domain
o The second slide details DOD entities in the cyber domain and their relationship to one
another
o FBI has world-class cyber capability for cyber forensics when conducting criminal
investigations, especially in their NCIJTF and the cyber unit of the New York Field Office
o Department of Homeland Security is also doing good work and has been given
permission to establish 48 cyber protection teams under the new Cyber Security National
Action Plan
 Expect to see DHS take a more proactive role in cyber
 Principal role is to protect the .gov entities and work with .com and other public
and private partners
o DoD established Cyber Command and its commander is also the Director of the National
Security Agency
 Also, moving cyber efforts from the Title 50 domain to the Title 10 domain
 National Mission Forces work under Cyber Command
 Each of the service’s cyber components have Cyber Mission Teams (CMT) for
offensive operations and Cyber Protection Teams (CPT) for defensive operations
 Already have 133 cyber teams – including some in the Coast Guard
 For their 15,000 networks the Services already had Computer Network Defense
Service Providers (CNDSP)
 Now the CPTs are permitted to do interior patrolling and to take actions
to find and root out adversaries within networks – game changer
 CPTs now will also support cyber requirements of the Combatant
Commanders
 Protecting the Combatant Commanders (COCOMs) involves combining cyber with all of the
traditional domains (air, sea, land, SOF, etc.)
o Concept has only been exercised once
o Exercises once involved specific locations (latitudes and longitudes) to identify areas of
concern
 Now must worry about areas of interest and influence which could be worldwide
and cross COCOM boundaries
 Will often find the source server far from where the action is taking place
o Exercise Cyber Flag 2014 was designed to build new ways of working jointly to face
cyber threats
The Way Ahead – What DoD Needs
 DoD needs a permanent cyber exercise environment
o DoD has specific exercise areas for the various domains (land, sea, air) but has nothing
similar for cyber
o Cyber Flag 2014 established a network to work cyber problems but it was disestablished
once the exercise was over
 Although a decision to establish such a training environment was made in 2014,
it has not yet been implemented
 Portsmouth, VA, appears to be the most likely location
 In the cyber fight the US lacks operational level art and design
o At the strategic level there are already established policies, guidelines, and most of the
needed authorities
o At the tactical level DoD already has very good cyber operatives especially on the
defensive side
o US lacks that middle operational art level and so needs:
 A better understanding of adversaries’ command and control: Would allow the
Combatant Commander to fight against the adversary’s forces more directly
 Must figure out how to make own force connections that are necessary
 Better planning: Determine how to bring cyber into the joint operating planning
process
 Effects based operations was at one time a central concept and then
discarded but now must consider what effects cyber actions can create
 Sometimes it is too difficult to explain to non-technical leaders what will
be done with some binary code so need to look at the effects
o Instead must describe the tactical effect such as degrade the
adversary’s systems in certain ways
 Must avoid getting too bogged down in technical jargon
 DoD must fight as it trains – learn to be resilient
o Need to be able to fight in a degraded electronic environment
 Too often take perfect comms capabilities for granted
 In wartime should expect to lose GPS and have limited C2
 Need again to train to use old HF nets, paper and pen, celestial navigation, etc.
o Expect adversary to attack cyber elements because they are the source of US strength
 DoD needs to step up its recruiting and training of cyber warriors
o The type of recruits the military usually gets is not what it needs for cyber duties
o Will need cyber warriors who are nefarious – not the type to make it through normal
military screening for morality and behavior
 Need defenders who first can think as attackers do
 Must figure out how to get such hackers out of their basements
o DoD must be willing to pay cyber warriors what industry would pay for the same
qualifications
o Must train all recruits to think critically – not just go by the traditional checklists
 Need critical thinkers at the E-4/E-5 level; can’t wait for them to mature
 Now don’t get much critical thinking training until field grade
 The younger these recruits are the better it will be for DoD
 Bottom line: Need improved cyber C2, planning, resiliency, recruiting and training
o DoD is making progress but not enough
Way Ahead Nationally – Protecting the US Center of Gravity, the Economy
 Attacks against systems supporting the economy went up by 1700% between 2011 and 2013
o Adversaries know where they can attack the US so need to shore up the weak spots
 Laws needed to expand functions have been sitting in Congress since 2013 waiting for passage
while adversaries are not waiting to exploit US systems
 Improved integration is needed between DoD, Homeland Defense and the FBI
o Apple’s refusal to crack into the San Bernardino terrorist’s phone had more to do with
stockholders concerns than the government’s or civil liberties
 Problem: How can the government work with industry without sacrificing
individual civil liberties?
 JHU/APL held a 4-day tabletop exercise to help integrate DoD, FBI, and DHS so that they could
work better together
o Such exercises need to be held more often than once a year
o Industry players must also be invited in as partners
Protection of Civil Liberties
 Situations and capabilities are moving very quickly
 Example: High school senior with a cell phone app to disrupt a Bluetooth device repeatedly shut
down the projector in a class he found boring until the unaware teacher ended the class
 Given the tremendous growth of cyber capabilities, how much license will the American people
give to the government to take action?
o Big debate has already been raging at NSA for years
o The current FBI/Apple issue may be the catalyst for the necessary discussion
QUESTION & ANSWER SESSION
Re: FBI & Apple Dispute over Opening a Terrorist iPhone
 FBI sees the situation as a criminal matter
 Phone was owned by terrorist’s government employer making the situation more complicated
 Generally would side with Apple since opening the phone would make everyone more vulnerable
o It’s a good thing that iPhones provide individual users another level of security
o The FBI should find other ways to crack the case
Re: Using Cyber Means in War
 In cyber warfare don’t need to go computer versus computer
o Need to identify adversary’s center of gravity and go against whatever supports it in the
best way possible
o Best way may be the SCADA system, but young cyber operators may not be that familiar
with such systems
 Need to go to very nuanced and skilled training to get that understanding
 SCADA understanding should be in cyber operators immediate vernacular
 Example: Should not go after N. Korea’s missile launch systems but against the SCADA and
other systems which support the missile systems
 Missile would then be useless
 Need to determine how to train cyber operators to work in this area
 Example of a potential asymmetric use of cyber: In 2003 a power line in Ohio caused a problem
that cut power for two days because of a SCADA glitch
o Had an impact on 8 states and part of Canada costing the region $6B in lost revenue
o A carefully designed cyber attack could have an immense asymmetric impact
o Most people aren’t prepared to be without power even for a few days after storms
o Long term degraded utilities could cause anarchy
 Massive transformers are the backbone of the power system and hard to replace
o 75% of these devices are now made overseas mostly in China and take 6 months to build
o May take 22 days to transport across the Pacific and then would need special rail cars to
carry a new transformer that could weigh 400,000 to 600,000 pounds – very slowly
o What would the environment look like while waiting so long for a new transformer?
 Former SecDef and former CIA Director Leon Panetta warned that it might take a cyber Pearl
Harbor to push the US to do more to be prepared
Re: Hybrid Warfare
 Russia appears to be writing the blueprints on how to carry out this type of war
 Goes beyond denial of service attacks and social media exploitation to very sophisticated cyber
capabilities
 Russians are better at Operational Art
 The US is hindered because it follows international rules of law and its own laws, while Putin
doesn’t need to follow any
Re: Identifying Cyber Crime vs. Espionage vs. Warfare
 Experience has shown that we generally start out considering cyber incidents as a criminal
activity unless it can be traced to a specific adversary probably determined by FBI forensics
operators
 Edward Snowden’s activity began as a crime that moved into espionage
 Could use the same way of thinking that the Supreme Court did in 1984 on obscenity: I can’t
define it, but I can recognize it when I see it
 Need to identify the motivation behind cyber incidents to determine which entity will handle the
response – FBI if crime; NSA or DoD if determined to be a cyber attack
 What the Administration chooses to consider an incident will have significant consequences
o Loss of life would be considered significant
o Could use monetary consequences as a method to decide when to shift from one to
another but what would the threshold be?
o The attack on Sony was more about a loss of intellectual property
Re: Need for a Cyber Force
 A separate cyber service is not necessary since it is important that each of the services brings its
own culture and way of thinking to the cyber domain
 The concept of Space Command becoming a service was talked about a great deal, but nothing
happened there although some talk still lingers
o Something similar may happen in cyber
 More important is inculcating cyber training throughout the services from the entry level
o The Marine Corps is now only talking a little about cyber at the O-3/O-4 level
o Need to begin teaching cyber understanding starting with recruits
 Cyber Security National Action Plan was just released and contains a call to arms for the country
to get more involved in cyber including building interfaces between government and industry
o Includes incentives for college students to get more involved in cyber security even
funding opportunities for those getting degrees
o Actually need to begin building an understanding of cyber issues in grade school – make
them sexy enough for well-qualified high school students to take an interest in security
Re: Foreign Nationals at Universities and Individual State Threat Intel Fusion Centers
 Foreign nationals pay a great deal more than US students to attend college so we will have to
expect to continue to see foreign nationals in American universities
 More importantly, there should be greater efforts put into the state-supported threat intel fusion
centers that all states were to build after 9/11
 Not all have, but Kansas has the best so far
o Run by the National Guard, it even has SCIF capabilities
o The FBI also is involved as are entities of the state and local governments
o Representatives of the private sector have been invited in
o On occasion, the center has identified foreign national students who were doing nefarious
things, and the universities involved were notified
o Center could also better protect the Kansas corn and livestock from bio-weapons
o Kansas should be a model for all the other states
 States may not have enough money to build such capabilities but they must get started
o The federal government can’t do everything
o However, if an incident causes catastrophic problems, the states will be the ones to react
Re: Big Data Analysis
 Big Data and the analytic schemes to support Big Data are the future
 APL and other research organizations are working on efforts
 The future is already here as is cloud computing and what DoD is trying to do with the Joint
Information Environment.
Re: Cyber Culture vs. Military Culture
 The military is trained to follow all the rules, but that does not work well in the cyber domain
 Cyber warriors need to be trained first as attackers so that they can understand how to defend
o Currently, DoD is training defenders to be defenders, not to think as attackers would
 Now giving them toolkits and rules that say use this tool against that malware
 Instead they should stand back to determine what is the right tool in each case
o Not giving them the critical thinking training to help identify what was the adversary’s
intent behind the attack
o In reconstructing a cyber attack, often find that the adversary has us looking over in one
direction when the real damage was being done elsewhere
 Too much emphasis on patching problems when the real damage is being done with less
noticeable backdoors
o May find that there is an operational gain/loss that we don’t want
o May even be best to let an incident play out a little further while watching everywhere for
a different incursion
Re: Social Media
 The services are already looking at social media as an element of all-source intelligence gathering
 Example #1: Mass shooting at a mall caused great confusion for hours after the shooter was dead
o Tweets and texts were coming from all over the mall from people remaining in voluntary
lockdown
o Responders did not know the shooter was dead for some time even though their
command center was swamped with tweets and texts
o APL afterwards came up with a way to gather and sort these info sources as intel and
provide information back to those inside the mall by asking people in the mall
 Exactly where they were in the mall and what they could see
 To send pictures from their phones
 Example #2: The 2013 Super Typhoon in the Philippines
o Great damage everywhere but phones still worked
o A US Joint Task Force arrived to provide triage for relief needs
o Would have been useful to send images of the damage to get a better idea of what
suppliers were needed and what needed to be done
o Targeting needs would help cut down the amount of time it would take to get relief where
it was needed
 Bottom line: Social media can be used as part of an all-source intel capability
o Some policy elements need to be worked out to figure out what the military can do using
Facebook and other similar systems
 Likely be sorted out so that responders can take advantage of existing capabilities
o Must also look at the way that ISIS is using Facebook, Instagram, Twitter, etc. to run
command and control as well as for its fund raising and recruiting
 Need to know how to get into that system to influence those involved
Re: Recruiting Cyber Warriors with the Proper Ethics and Morality
 May fear that cyber recruits who can think in a nefarious manner about cyber will also be
ethically challenged, but strong non-commissioned officers could keep them straight