Prepared by the CyberWire (Friday, April 7, 2017) ”The month's news in space and cybersecurity turned on North Korean development of long-range missiles, recommendations for US cyber deterrence policies that would affect space-based capabilities and involve a full range of potential kinetic response, and a look at some start-ups who see opportunities for space-based information storage and transmission that would address security concerns.
Remotely Inducing Launch Failure
The US is reported to have an on-going program of cyber attacks designed to interfere with North Korean ballistic missile flight tests. The campaign, said to cause missiles to fail within seconds of launch, began under President Obama and seems likely to continue under President Trump. It's unclear from early reports how effective the campaign has been--failed DPRK launches may have been caused by design flaws or operational errors. As North Korean launch tests over the course of the month, however, and as the DPRK appeared to move closer to a realistic long-range nuclear strike capability, observers in South Korea publicly wish for some effective cyber attack tool that could cripple the North's missiles. (Japan is clearly within range; some reports suggest even Australia and Hawaii soon might be, although that seems a stretch.)
In any case, North Korea successfully launched a series of ballistic missiles this month. The tests were obviously not impeded by any cyber attacks. so either the US elected not to interfere with the flights, or US ability to do so was exaggerated in early reports.
The Defense Science Board's Task Force on Cyber Deterrence made its final report publicly available at the beginning of March. The report offers a standard definition of deterrence and notes the hesitant and incremental way in which US deterrence has so far evolved.
"...cyber deterrence is the use of both deterrence by denial and deterrence by cost imposition to convince adversaries not to conduct cyber attacks or costly cyber intrusions against the United States, and in at least some instances, to extend this deterrence to protect allies and partners. Just as cyber is a relatively new domain, cyber deterrence is a relatively new endeavor. For the most part, to date the United States has been establishing its cyber deterrence posture step-by-step, in response to attacks. Although the United States responded with diplomatic moves and economic sanctions to North Korea's Sony hack, China's IP theft, and Russia's meddling in U.S. elections, it is far from clear that such responses have established effective deterrence of future cyber attacks and costly cyber intrusions" (DSB TF on Cyber Deterrence, 3).
Part of the difficulty of developing an effective deterrent lies in different adversaries' very different sensibilities and susceptibilities: major powers, minor powers, and non-state actors make distinctive risk calculations. The principles the Task Force argues should inform cyber policy are familiar from other, earlier forms of deterrence: a mix of denial (that is, defenses that would reduce vulnerabilities and dissuade attacks by convincing adversaries of their futility) and cost-imposition (the credible, assured prospect of retaliation that would impose unacceptable costs on an attacker).
Effectively implementing such deterrence depends upon success at two intelligence tasks: first, understanding what adversaries value, and second, high-confidence attribution of cyber attacks to specific actors. Deterrence must be highly tailored to specific adversaries. While retaliatory measures ("rungs" of escalation) need not, and should not, be exclusively cyber, including a range of diplomatic, legal, and kinetic responses, the Task Force strongly recommended development of "scalable strategic cyber offensive capabilities.
The US should achieve an assured retaliatory capability in the form of a second-strike cyber-resilient military capability. That capability should extend to "cyber, nuclear, and non-nuclear long-range strike." This would require cyber-hardening of key combat and C4ISR systems. The Task Force recommends that priority be given to hardening strategic strike capabilities. They envision an extensive technology scouting program to find new, more capable ways of achieving cyber resilience. They also advocate establishing technology accelerators to prompt development along such lines.
One conclusion is surprisingly blunt: a wintry statement to the effect that, while norms of conduct in cyberspace ("rules of the road") may be valuable, cyber arms control agreements are in practice "not viable." Another key recommendation is easy to say, but hard to implement: develop effective, reliable means of attribution. They see three areas in which work could improve attribution (DSB TF on Cyber Deterrence, 25):
- "Improving identification and authentication of the users of our systems;
- "Sharing situational awareness between adjacent systems; and
- "Conducting behavioral analysis (tying actions to actors), rather than just depending upon transaction analysis (looking principally at tripwire events)"
These at least suggest the lines along which future work might proceed (and a great deal of that work remains to be done).
Satellites as Cloud Hosts
On March 3 the CyberWire spoke with Cliff Beek, president of Cloud Constellation. His company is an interesting start-up with near-term plans to put cloud infrastructure, "Spacebelt," into low-earth orbit. Beek sees space-based infrastructure as inherently less vulnerable to spoofing than terrestrial systems; he also sees such infrastructure as offering an alternative to locating data within certain terrestrial jurisdiction where it would be accessible to national legal authorities. Cloud Constellation intends to place fifteen small satellites into low-earth orbit (roughly 400 to 800 kilometers, well below the geostationary plane). Their satellites are expected to carry 4 to 8 petabytes of storage, and will lease transponders from geostationary satellites already in place. They claim a breakthrough in antenna technology that will enable them to establish a global transport ring. They have a number of partners and customers lined up (an early customer is a digital currency) with substantial interest from several nations' diplomatic services interested in sovereign data storage and transmission.
Today's edition of the CyberWire reports events affecting China, Japan, the Democratic Peoples Republic of Korea, the Republic of Korea, Russia, and the United States.
Did cyber attacks slow down North Korea's missile progress?(NK PRO) On March 6, 2017, the New York Times published an article arguing that the United States had deployed cyber attacks against North Korea's missile tests. The article implied that these attacks might have succeeded in causing the failure of several North Korean missile tests, stating: "The North's missiles soon began to fail at a remarkable pace.
(3rd LD) N. Korean leader observes new high-performance engine test(Yonhap News Agency) North Korean leader Kim Jong-un observed the ground jet test of a new high-thrust rocket engine, the country's state-run media said Sunday, an indication that Pyongyang may engage in future provocations despite warnings by the international community.
To abort military action(koreatimes) U.S. Secretary of State Rex Tillerson's tough talk on March 17 of possible military action against North Korea's nuclear threats raised concerns about the prospect of a second Korean War.
Final Report of the Defense Science Board (DSB) Task Force on Cyber Deterrence(Office of the Secretary of Defense: Defense Science Board) The United States gains tremendous economic, social, and military advantages from cyberspace. However, our pursuit of these advantages has created extensive dependencies on highly vulnerable information technologies and industrial control systems. As a result, U.S. national security is at unacceptable and growing risk.
Targeted control system cyber attacks - not when, but how much damage(Control Global) Targeted control system cyber attacks have been identified in many countries that include destruction of centrifuges, damage to blast furnace, loss of fuel loading, tilting of an off-shore oil rig, and significant environmental discharges. However, there have been almost no US government or NERC public identification of control system cyber attacks in the US despite the fact that targeted control system cyber attacks have occurred in US critical infrastructures with attendant damage.
Lawmakers sound alarm on space security(TheHill) Retired military officials, a former deputy administrator for FEMA, and the House Committees on Homeland Security and Armed Forces uniformly lamented not doing more to prevent strategic attacks against satellites, despite a full decade of knowing they were increasingly vulnerable.
UAS Symposium: FAA Can't Take On Cybersecurity Alone - Avionics(Avionics) The FAA cannot tackle the issue of cybersecurity without industry, FAA's Wes Ryan told the crowd during a cybersecurity panel at the 2017 FAA UAS (unmanned aerial system) Symposium last week. Audience members voiced concerns regarding both manned and unmanned aircraft, but the basis to any solution is that there is a need for an â€¦
Mars Needs Lawyers(FiveThirtyEight) The Liberian flag is easy to mistake for the U.S. flag. There's the red, white and blue. There's the stripes. The only difference is that the Liberian flag features one star in the upper left corneâ€¦
Compiled and published by the CyberWire editorial staff. Views and assertions in linked articles are those of the authors, not the CyberWire or Cosmic AES