Cyberattack is a versatile option for air defence suppression. It is being taken seriously in NATO and allied nations. The UK’s National Cyber Force (NCF) is a joint Ministry of Defence (MoD) and Government Communications Headquarters (GCHQ) organisation. GCHQ is the UK government’s Signals Intelligence (SIGINT) collection agency. The NCF is responsible for offensive cyber warfare operations. Established in 2020, it operates alongside the National Cyber Security Centre (NCSC). The latter protects the UK government and its departments, alongside critical national infrastructure, from cyber warfare.
Announcing its creation in November 2020, GCHQ’s press release said the NCF would perform “cyber operations to disrupt hostile state activities, terrorists and criminals threatening the UK’s national security.” These ‘operations’ include “countering terror plots to supporting military operations.” One of the mooted latter missions was “keeping UK military aircraft safe from targeting by weapons systems.” This was reiterated in the UK government’s Global Britain in a Competitive Age paper published in April. The paper outlined the British government’s post-Brexit strategic and foreign policy commitments.
Global Britain may have articulated the words, but the UK MoD’s Command Paper articulated the actions. Published shortly after the former, it details the capabilities the country will acquire and sustain in the coming years. The paper reveals that the UK has developed offensive cyber capabilities. These will be wielded by the NCF. They will be made available to NATO as and when required. The Command Paper says the NCF will provide “capabilities that will be used to deceive, degrade, deny, disrupt, or destroy targets in and through cyberspace in pursuit of our national security objectives.”
The commitment to keeping British military aircraft “safe from targeting by weapons systems” is interesting. It is an outgrowth of the UK’s airpower posture detailed in the MoD’s 2018 Combat Air Strategy. This merged industrial and military trajectories to ensure the country possesses cutting-edge airpower. The strategy gave clues on the place of cyber warfare in this wider posture: “Cyber domains will also become increasingly important as we seek to maintain information advantage.” Neither the Combat Air Strategy, the Command Paper nor Global Britain explains how the NCF will help safeguard UK military aircraft. Nonetheless, it seems likely that the NCF could perform cyberattacks against hostile air defences threatening British aircraft. What might this mean in principle?
Cyberattack
In theory, the NCF could attack hostile air defence systems like Surface-to-Air Missile (SAM) batteries. It could also engage hostile radars. This is alongside battle management, command and control systems and communications integral to air defence. Any component of an Integrated Air Defence System (IADS) or deployed Ground-Based Air Defences (GBAD) accompanying the manoeuvre force relying on computers would be at risk.
Cyberattacks against hostile air defence could take many forms. Primarily they fall into two categories, disruptive and destructive. Disruptive cyberattacks could focus on denying certain computer functions or networks to an adversary. Destructive cyberattacks take things further. These aim to destroy hostile computers or computer networks. Both disruptive and destructive cyberattacks are performed with malicious code. This could be inserted into an IADS/GBAD through communications networks linking their constituent elements. These networks will use standard military radios, satellite communications or civilian/dual-use conventional telecommunications. Code could also be delivered via electronic attack. A standard RF (radio frequency) jamming attack against a hostile radar or IADS/GBAD communications system could be the ‘syringe’ through which the code is ‘injected’ into a specific weapons system, sensor or other targets in the IADS/GBAD network. Official US documents say the US Air Force’s Lockheed Martin EC-130H COMPASS CALL communications intelligence/jamming aircraft has used its electronic attack payloads to deliver cyberattacks into hostile IADS.
Hacking IADS/GBAD computer systems may allow data theft. This data could be converted into useful intelligence. This may betray valuable information on the working of the IADS/GBAD and accompanying weapons. It may also indicate comparatively weakly defended segments of airspace. Such areas might be exploited for ingress or egress routes to and from targets.
Using cyber warfare to support Suppression of Enemy Air Defence (SEAD) missions is not new. Dr. James A. Lewis, a leading cyber security expert, observed in his 2015 paper entitled “The Role of Offensive Cyber Operations in NATO’s Collective Defence” that “as cyber and EW merge into a single activity, air operations will require cyber support.” This can translate into attacks “against command and control systems … and against the software that runs advanced weapons such as surface-to-air missiles.” Cyber and electronic warfare have much in common. It is no accident that NATO increasingly groups these two missions together under the Cyber and Electromagnetic Activities (CEMA) umbrella. A 2019 US Congressional Research Service publication entitled Convergence of Cyberspace Operations and Electronic Warfare said that both constitute “efforts to dominate aspects of the electromagnetic spectrum that transmit packets of information.”
Using cyber warfare as a SEAD component has several attractions. It can help keep some aircraft out of harm’s way. Planners may decide that certain IADS/GBAD targets are too dangerous to hit kinetically. Consider a Sector Operations Centre (SOC) controlling a swathe of hostile airspace. The SOC may be deep in enemy territory. Aircraft might need to travel hundreds of miles through heavily defended airspace to reach this target. Stand-off air-to-surface or surface-to-surface weapons may face similar threats. Attacking the computers controlling the SOCs may have a similar impact to a kinetic attack sans the cost in blood and treasure. The cyberattack might have little risk of causing collateral damage, reducing the danger to civilians. Although the SOC’s computer networks will be damaged, if not destroyed, the SOC may still be usable after the conflict. This is particularly important if the military action is intended to be limited, or as a warning.
SUTER
Cyber warfare is increasingly part of the SEAD toolkit. Details are scant, but it is known that cyber effects have been used to attack IADS/GBAD over the past two decades: On 6th September 2007, the Israeli Air Force (IAF) was believed to have used cyber weapons during an IAF attack on a nuclear reactor in Deir ez-Zor governorate, eastern Syria. The attack took place on a Thursday evening. Intelligence sources have shared with the author that computers controlling the Syrian IADS were hacked shortly before. This involved blocking the feeds from radars funnelling data into the IADS to produce the national Recognised Air Picture (RAP). Instead, a fake RAP was produced. This showed the usual Thursday pattern of air traffic over and around Syria for when the strike was to take place. Syrian Air Defence Force cadres staffing the IADS would have been none the wiser that their systems were hacked as the national RAP would have looked unremarkable.
The sources continued that the malicious code was not transmitted into the IADS via electronic attack. Operatives working covertly in Syria are thought to have physically loaded the malicious code into the computers. This may have been done to overcome efforts the Syrians had taken to ‘air gap’ their IADS computers. Air gaps exploit the physical separation of computers from the internet to prevent their infection with malicious code via this route. Other physical security measures can include the omission of Universal Serial Bus (USB) sockets or other apertures through which malicious code could be inserted. In practice, though, all air gapping can do is reduce the risk of code finding its way into computers rather than eliminating it.
Fast forward to 20 June 2019, when US Cyber Command (USCYBCOM) attacked Iran’s IADS. This occurred after Islamic Republic of Iran Air Defence Force SAMs downed a US Navy Northrop Grumman RQ-4A GLOBAL HAWK uninhabited aerial vehicle. Tehran claimed that the RQ-4B had violated Iranian airspace near the Strait of Hormuz. USCYBCOM reportedly targeted fire control systems used by IRIADF SAM batteries. The exact scope of the attacks is in the realm of conjecture. That said, it may have prevented SAMs being launched, prevented batteries sharing their data with other parts of the IADS, or both. This was the first offensive action by USCYBCOM following its activation as a full combatant command in May 2018.
The attack may have employed Northrop Grumman’s Unified Platform. This is what its manufacturer calls “an integrated full-spectrum cyber warfighting capability.” USCYBCOM employs the Unified Platform for offensive and defensive cyber operations. Alternatively, the US might have employed BAE Systems’ SUTER cyberattack apparatus. Like the Unified Protector, precise details on the workings of SUTER are sparse.
It is thought that SUTER exploits radar or communications antennas as its point of entry. Once inside the radar or radio, it may remain there, restricting its nefarious activities to that system. Alternatively, it may access the networks linking together an IADS/GBAD. It will get to work disrupting the computers controlling the IADS/GBAD or accompanying sensors and weapons. Information in the public domain says that three variants of SUTER have been developed. Each adds progressively more capability: SUTER-1 lets attackers extract the RAP seen by hostile air defenders. SUTER-2 lets attackers gain control of the IADS/GBAD, accompanying weapons systems and sensors. Finally, SUTER-3 can disrupt communications datalinks controlling ballistic missiles or SAM batteries. Reports say that SUTER has been used by US forces in the Afghan and Iraqi theatres since 2006. The paucity of a serious air defence threat in both countries from 2006 indicates that SUTER may have effectiveness beyond SEAD supporting other tactical or operational missions.
SUTER is thought to be deployable from an aircraft. This would make sense. If code is to be inserted via a radar or radio antenna then the platform performing the attack will need to be in a Line-of-Sight (LOS) range. This does not necessarily place that platform in danger: The RQ-4B has a cruising altitude of 60,000 feet (18,000 metres). This would give on-board communications systems transmitting SUTER a LOS range of over 300 nautical miles (557 kilometres). In practice, SUTER would probably be transmitted into a hostile IADS/GBAD from a closer range, given the transmission power that such a range would require. In fact, transmission power levels are probably kept to a minimum. This would help to avoid alerting the targeted radar or radio that it is being attacked. Nonetheless, an attacking aircraft may remain at a safe stand-off range performing the attack. The EC-130H discussed above is one platform thought to deploy SUTER. The RQ-4B may be another, although it seems unlikely that the RQ-4B shot down over Iran in 2019 was deploying SUTER given the IRIADF’s initial success.
Operational / Tactical
There appears to be a division of labour for SUTER and the Unified Platform. As it can reportedly inject a cyber-attack directly into hostile IADS/GBAD and accompanying weapons and sensors, SUTER may be used at the tactical/operational level. It could be the weapon of choice when a cyberattack must be responsive and render only a part of an IADS/GBAD temporarily unserviceable. It appears that the IAF may have employed its SUTER-style software for exactly this purpose during the Syrian attacks.
Conversely, Unified Platform may have an operational/strategic bent. It might be used to close down the entirety of a hostile IADS/GBAD for a much longer duration. It would not be surprising if the Unified Platform was used for the opening stages of an air campaign where SEAD focuses on a major roll back of hostile air defences. The different yet overlapping focuses of SUTER-style software and the Unified Protector show that these two capabilities can complement each other. This provides cyber SEAD tools commanders can use as and when required.
From a NATO perspective, several issues must be tackled if cyber warfare is to play a meaningful role in SEAD. Representatives from the alliance’s Joint Airpower Competence Centre (JAPCC) told the author that responsibility for performing such tasks must be addressed: “The difficulty NATO faces is the multinational aspect.” Cyber warfare capabilities are owned by partner nations and are not a NATO-wide capability per se. This creates opportunities for the alliance to codify and formalise cyber warfare SEAD doctrines. This could take the form of common tactics, techniques and procedures, the JAPCC representatives continue.
Key to this is ensuring all air personnel are ‘cyber minded’: “Cyber is not well understood by all personnel. We need to make sure that our people understand the concept.” Electronic warfare is familiar to air forces and well understood. An understanding of cyber and electronic warfare synergies, increasingly seen through the CEMA prism, is paramount. This will unlock cyber’s SEAD potential. Air campaign planners will need to understand cyber effects and that these are likely to be localised and time limited: Specific nodes in an IADS may be targeted by a cyberattack, but the enemy may see the attack and take remedial action. An anti-radar missile attack against a radar may take that system out of the fight either permanently or for a prolonged period. A cyberattack might be quicker to recover from. Therefore, cyber effects and their characteristics must be considered not only in battle but during the planning process.
Cyberattack is part and parcel of contemporary SEAD capabilities and its importance is certain to increase. Electronic and kinetic warfare have hitherto been the two capabilities available to commanders when prosecuting SEAD. Cyber offers a host of additional capabilities. The UK has shown it is prepared to exploit these capabilities to the full, as have the US and Israel. Other NATO and allied nations will do the same.
This article originally appeared in the July issue of European Security & Defence.