Istanbul '09 Workshop
New Cyber Strategies for Military Operations
Mr. Tim Bloechl
Managing Director, Worldwide Public Safety & National Security, Microsoft
The first time I participated in this workshop, which was in 2004 in Berlin, I was still with the U.S. Department of Defense and I remember that the group participating in the cyber defense panel was much smaller. There was interest but not major interest. It is quite telling of the importance placed on cyber security that, five years later, almost everyone attending this year’s event is here for this discussion. The cyber security problem has continued to grow; the circumstances we have seen over the past couple of years, particularly the cyber-attacks against Estonia and Georgia, show this is an issue area almost everybody cares about today. What is also telling, from a U.S. perspective, is the creation of a four-star-level command this year to manage cyber defense.
I tend to look at the cyber security problem from several different angles: as a military officer, as a former cyber defender, and now from an industry perspective. From an industry perspective, at Microsoft where I come from, we are not a defense company so we don’t reside within the traditional defense system integrator community. We have to work with everybody around the world (many countries, many industries) and yet security for us has become an extremely important part of what we do as we develop software for customers. Our main focus when we build software is not the military or defense; it is the consumer market. As a result, we are very focused on finding new and exciting ways to use technology so that people can connect with other people in better ways and so that technology becomes an enabler for all kinds of possible activities in life. Despite a down economy, we will spend even more money on Research and Development, over $9 billion, and some of this funding supports advances in security. How one can use Information Technology in a military and intelligence environment, and also how Information Technology can improve or change military and public safety operations, is what I would like to talk about.
I would like to focus first on where we are and where we are going. There is a lot of forward movement into the areas of Cloud Computing and Virtualization which, to some extent, is very important for the defense community to consider. It is a way in which we can save money; it is a way in which we can reduce hardware costs and, if we can ever figure out a multi-level security solution which allows us to move information back and forth seamlessly between top secret, secret, and unclassified levels, we will have a significant impact on reducing budget requirements for our networks. Additionally, there is a focus on mobile data centers which we are developing today. There are new data handling capabilities which you can plop into the middle of a crisis zone, quickly stand up a system to support military operations and, when the crisis is over, throw the data center away.
COMPELLING NEW TECHNOLOGIES FOR MILITARY OPERATIONS
There are other very compelling technologies that we are deploying which have implications for military operations:
Geographic Information Systems. I am amazed at some of the mapping and imagery systems in use today and there are even more coming out on the market in the near term. These technologies include capabilities to merge commercial and military-grade imagery into single, low cost servers which provide exciting ways to manipulate and see the data. In some cases, one can produce virtual 3-D worlds of the target area to enhance planning, war gaming, pre-combat exercises, and post-combat after action reporting. These geographic systems greatly improve command and control operations, enhance our ability to provide a common operating picture, and make it easier for us to share imagery across units, across organizations, and across different types of operations.
Presence Information. Using a new type of software on the cell phone I am holding, or when using my laptop or desktop computer, I can see if the people I care about are online or not, whether they are available or in a meeting or call, and I have multiple ways to get hold of them, either through an instant message, a web call, or by using my phone or computer to call one of their listed numbers. Furthermore, this same software allows me to talk to a number of people through these means simultaneously, all through the click of a button using the power of the Internet. The presence capability we can deliver today in the commercial and consumer world can provide much improved communications for military or public safety operations.
We are also seeing an explosive growth in social networking software, such as Facebook, LinkedIn, or Twitter. The people serving in our military units, or in our businesses, are using this technology at home for many different reasons. Given this capability and the apparent usage of it to some degree of success or advantage, what are the implications for our operations? Is this a technology we should use to improve collaboration and interoperability? I do not know the answer to this question but the younger people in our organizations are going to push us to use this technology and we should experiment with it to see what can be done to yet again improve operational capabilities.
I want to mention a couple collaboration examples using this new technology because these cases directly impact NATO at this point in time. One is the Civil-Military Cooperation Portal which was established at NATO Headquarters and is being used today round-the-clock to support the movement of information between non-governmental organizations, local, regional, and national-level political leaders, as well as the military, in Afghanistan. This portal uses the power of the Internet and our collaboration software called SharePoint. There are some who consider SharePoint to be the military C2 system of today as it is used in so many ways by today’s military organizations which deploy this technology.
Another current system example is called KNIFE (Knowledge Information Fusion Exchange). This is a joint Microsoft-U.S. Joint Forces Command (USJFCOM) project, which allows for the sharing of counter Improvised Explosive Device (IED) related information in the Iraqi and Afghanistan theaters of operation. Using KNIFE, again a SharePoint application backed by several other Microsoft products, U.S., NATO and Coalition forces share information across a number of classified networks. KNIFE is designed to support current operations and military planning, fusing together all known information on IEDs. Using KNIFE, friendly units call into the KNIFE command center, or contact the organization via a variety of networks and check the latest information on IED locations, types of munitions used, or other related information to consider before going out on patrol. We believe this capability is saving lives on the battlefield.
In summary, whether it is social networking, geographic, presence, data centers, cloud computing, virtualization, SharePoint, or other Information Technology advances, our ability to integrate these technologies into military operations provides exciting choices for military leaders. At the same time, our ability to acquire and deploy these technologies and the potential risks involved must be considered as we consider these new techniques and capabilities.
Are we agile enough to take this technology and employ it in our organizations? When one considers the procurement processes and the bureaucracies we have to deal with to add technology into our military organizations, one has to question our ability to adopt change. It is a real problem. These kinds of capabilities do not take ten or fifteen years to develop. They are developed almost overnight and they suddenly are used around the world within a matter of weeks or months. Yet, there are some potential good uses for this technology in our operations. How do we change the system to allow for the use of the technology?
Then we have to consider the risk. What do we have to do in our Information Assurance programs, and in our certification processes and procedures, to check these new kinds of capabilities to ensure they are safe to use and can then be placed on our military networks to support our operations? This is a very challenging area. We are trying to integrate off-the-shelf commercial technology into legacy systems which have been around a long time. The impact of government procurement and budget cycles, plus the need for agile Information Assurance, certainly makes for a complicated employment environment. Some of the methods used by NATO, including spiral development and the Coalition Warfighter Interoperability Demonstration (CWID) program, may be part of the answer. The ability to test new technology against current operational considerations, including assessing security risks, is the initial key action required to get these capabilities to our military organizations. How we assess the risk is perhaps the long pole in the tent.
VULNERABILITIES OF THE NEW TECHNOLOGIES
The other concern I have is the ability of threat forces to use the same technology. While we often lack flexibility to acquire and deploy these new technologies, Al-Qaeda does not have this problem. They can use new technology overnight if they want to. I wonder what the risk is to us if the threat is able to use such technology quicker and have the agility to take advantage of these new capabilities before we do in our operations. This really concerns me.
Let us turn now to our current view of cyberspace, the network centric warfare concept, and some of the new operational means and ways we are using on the battlefield, in particular the networks themselves upon which we operate. I wonder if these networks are not our Achilles heel. The greatest threat to these networks is not for a competing nation-state to develop a computer network attack capability; I consider this a given and we must plan for it. The greatest threat is an attack capability in the hands of a terrorist organization not bound by the laws of land warfare. Furthermore, these groups will not limit themselves to our military networks. They will want to do the greatest possible damage to our societies, which indicates to me that they will attack critical infrastructure to maximize the damage to our civilian populations and the psychological impacts of their attack.
Now that we have reviewed the opportunities and risks that new Information Technology poses for us, what are some of the roles for industry and government as we move forward? From an industry perspective, we have to do several things. First, we have to continue to put money into research and development to improve our security posture and reduce our risk. R&D efforts should focus on improving the software development process, thus making it more secure for both civilian and military use. Additionally, industry needs to put programs in place to improve our capability to deliver usable software on our military networks. Methods that we should replicate across the software industry include rigorous software security development life cycles, source code sharing with government, and security cooperation programs where we share information on cyber threats and newly identified vulnerabilities.
Partnerships are also extremely important. Microsoft has a long-standing partnership with NATO. It has been very successful, focused on cyber defense, technology exchange, and R&D futures, enabling both NATO and Microsoft to anticipate the impact and value of change across an evolving, vibrant network. At the same time, we are developing a new partnership with INTERPOL to focus more on cyber crime and other types of Internet-based criminal activities and how our technology can improve police operations. I mention this effort as it has implications for military and intelligence operations as well.
Jointly, there are some things we can do together. We need to develop mechanisms to anticipate and reduce risk. We generally understand the present problem facing our current networks, but we also have to build capabilities to anticipate risks in advance and build improved processes for sharing information between government and industry. Perhaps we need an international military-industrial body which helps guide us in this regard. When I was supporting U.S. DOD international cyber security efforts, we tried bilateral and multilateral approaches and found this did not scale very well. We may need a body which sits above any particular national military interest, perhaps at the international government level, with an initial focus on information-sharing and policy development. As we continue to develop our partnership with INTERPOL and work to help this organization improve its information-sharing mechanisms, this may help us in the military-industrial space as well.
Finally, there are two key areas for government engagement required today. One is to review software certification processes. For example, Common Criteria, which is archaic, too expensive, and largely ineffective in detecting software system risk, needs significant improvement, if not a complete overhaul, to ensure the software we put on our networks is really ready for prime time. The second key area lies in international law. Today there are no international legal standards which reduce the risk from the implied illegal uses of the Internet and software that we have been discussing in this panel. Until the international community takes action to put effective laws in place to enable safe use of the Internet, we will face an uphill battle to effectively defend our networks from the variety of threats we face today, let alone attacks from terrorists or nation-states.