The networked battlefield emphasises the importance of cyber protection. What steps can militaries take to enhance their cyber protection at the tactical level and what steps is NATO taking to this end?

The Lightning Press, a defence and security publisher based in Florida, produces a fine line of manuals explaining an array of military concepts. One of its recent volumes, entitled Cyberspace Operations and Electronic Warfare, is penned by Norman M. Wade, its proprietor. The book contains excellent discussions and definitions of military cyber operations, including cyber security. This will be a deepening concern as bases, platforms, sensors, weapons and personnel on and above the battlefield, and on and below the high seas, are increasingly networked.

The Lightning Press’ Cyberspace Operations and Electronic Warfare book provides an excellent overview of how these two disciplines converge and diverge. Credit: The Lightning Press

Cyber security is preventative in nature. It exists to prevent “unauthorised access to, exploitation of, or damage to computers, electronic communications systems and other (IT/Information Technology systems) as well as the information contained therein,” writes Wade. Cyber security is vital at the tactical level to reduce or eliminate “vulnerabilities that may be exploited by an adversary and/or implementing measures to detect malicious cyberspace activities.” Such steps can include everything from strengthening individual passwords and patching software to remove known vulnerabilities, to encrypting data.

Processes are also vital. Personnel must be aware of cyber security best practices. Access to suspicious websites must be restricted. Nicolas Razy, head of French cyber programmes for Airbus’ defence and space division, says that cyber security risks at the tactical level are like those found at strategic and operational levels: “Weapons systems and IT networks are subject to cyber threats.”

The problem for militaries is that battlespace Internet Protocol (IP) communications are vital. Videos, images, written information and even voice traffic are encoded into IP traffic. This traffic is sent across communications networks. These networks can be Line-of-Sight (LoS) conventional very/ultra-high frequency (V/UHF) radio links between personnel, platforms, bases, sensors and weapons systems. Networks can also be hosted by beyond LoS satellite communications (SATCOM) and high frequency (HF) radio links. Even conventional and fibre optic telephone lines are used, along with cellular communications. At the tactical level, IP traffic carries orders, situation reports and intelligence. Command and Control (C2) systems, regardless of where they are and at what echelon they are deployed, depend on this. To exacerbate matters, soldiers may bring battlefield devices that have been compromised at some point in the supply chain, says Razy: “This means you could have intrusions into tactical networks.” Furthermore, tactical networks do not exist in isolation. “These are often connected to other networks at operational and strategic levels,” he continues.

The digital battlefield’s reliance on IP traffic creates a vulnerability. The enemy can use malicious code to infect these networks. Cyberattacks may be delivered conventionally through IP networks, as they are in the civilian world. They could also be delivered via electronic attack: rather than a radio signal carrying a jamming payload, as it would in conventional electronic attack against hostile radios and communications, it carries a cyberattack as the payload. The malicious code could infect C2 systems or computers equipping weapons systems, sensors, platforms and even individual soldiers. The attack may be intended to wreck these systems for a finite time or permanently. It may work to prevent IP networks functioning. Likewise, the attack could be used to steal data, and hence intelligence, from these computers or networks. Cyberattacks at the tactical level may be immediately apparent. Equally, they may be highly covert, with the damage taking some time to appear. These risks underscore the importance of tactical cyber security on the battlefield.

Cyber security is only part of the answer. Electronic protection against electronic attack is equally paramount for any equipment that depends on a radio connection to the outside world. Fortunately, radar and radio engineers already make strenuous efforts in this regard. As Wade succinctly summarises, “cyberspace risks affect mission accomplishment.”

Cyber Security Fundamentals

“The emergence of IP technology and the need for near-real time information exchange have led modern tactical NATO systems to communicate with higher-level IT systems to satisfy cross-domain and interoperability requirements at all command levels,” a NATO official told the author: “This presents a unique cyber security challenge as tactical networks need to be protected against a variety of both virtual and physical threats,” they continued: “Implementation of static and deployed protective measures helps enhance the resilience of these networks.”

Cybersecurity, tactical or otherwise, rests on the pillars of confidentiality, integrity, availability, authentication and nonrepudiation, writes Wade. Confidentiality safeguards sensitive information from disclosure to unauthorised people, processes or devices. Integrity is the reliability of the hardware, software and processes of a specific information system, such as a computer, and the assurance that its data has not been altered without authorisation. Availability refers to users’ ability to access data in a timely manner. Authentication measures protect communications systems against nefarious or damaging transmissions by establishing the validity and integrity of a transmission and its sender. Finally, nonrepudiation assures the sender of proof of delivery and the recipient of proof of the sender’s identity, so that neither party can later deny having sent or received the message.

As a continuous process, cybersecurity depends on a layered, defence-in-depth approach. All systems at risk from cyberattack, no matter how small, must be safeguarded. This could stretch from the soldier’s individual ruggedised tablet or smartphone to complex systems handling battlefield logistics. Another prerequisite is redundancy – which parts of a network or which systems can a deployed force afford to lose for a short time? If the logistics computer system mentioned above suffers an attack, how quickly and easily can logistical tasks be performed using other tools, even reverting to pen and paper? Integration is vital. Tactical cybersecurity does not exist in a vacuum. Some of the deployed forces’ computer networks will be connected to operational and strategic systems, or they may connect in some way to local, civilian networks. Are there required levels of cybersecurity in these associated networks? If not, what steps will ensure the tactical networks are kept safe from potential threats affecting these third parties?

Internet of Military Things

Tactical cybersecurity is already essential, but its importance will only grow in the coming years. Most technologically savvy militaries are taking steps to deepen networking within and between their forces. Militaries want to outpace potential adversaries in their Observe, Orient, Decide, Act (OODA) cycles. US strategist John Boyd asserted that whichever individual or force navigated the OODA loop quickest would prevail in any engagement. Outpacing hostile OODA loops largely depends on moving information in the most practical, secure and efficient way possible. Protecting this information, the networks it travels on, and the systems depending on it, is vital.

The dependence of militaries on IP moving around the battlespace at the tactical level will only increase in the future, particularly as concepts like the Internet of Military Things make their presence felt.
Credit: US Army

The coming decade will see the advent of the Internet of Military Things (IoMT). At the tactical level, the IoMT will network computers used by all deployed personnel, sensors, weapons, platforms and bases. The goal is to ease the organisation and sharing of all information collected by all these assets. Let us suppose a platoon’s unattended radar detects a vehicle moving towards an army checkpoint. This information is immediately shared to the ‘combat cloud’. This is a cloud computing environment where intelligence, surveillance and reconnaissance data are deposited and retrieved. Other users of the combat cloud include deployed artillery and the company command post. The latter’s Battle Management System (BMS) is alerted that new data is available on the cloud, sent from the unattended radar. The commander sees the information being collected by this sensor in real-time. Automatic number plate recognition software embedded in the commander’s C2 system confirms the vehicle is hostile. Data provided by the sensor includes the vehicle’s coordinates as it approaches the checkpoint. These coordinates are sent to the cloud by the C2 system in the form of a call for fires. The artillery command post, also connected to the cloud, is alerted to the call for fires and downloads the information. The command post confirms the target and tasks the howitzer best placed to attack the vehicle. The shell is fired, fused to explode at a specific point of aim based on the vehicle’s speed and direction. The vehicle is destroyed, and the mission accomplished in the time it took you to read this paragraph.

Following the fire mission, the howitzer’s own computer automatically sends information up to the combat cloud that one of its shells has just been expended. Logisticians connected to the cloud receive an alert on their C2 system that this howitzer will need at least one shell to be replenished. This will either be delivered to the howitzer or replenished after the mission. The howitzer’s computer has also uploaded health and usage monitoring data to the cloud. It says oil levels will need to be topped up and two suspension springs will need replacing within the next 24 hours. Once again, logisticians will either deliver these and perform the necessary repairs, or do so when the mission is complete, whichever is more pressing. Both these scenarios are dependent on IP data moving around the battlefield across a plethora of communications networks used by the manoeuvre force. However, this can create vulnerabilities: “The use of cloud computing introduces new information threats,” warns Razy: “This is a major consideration as concepts like multi-domain operations emerge.”
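The call for fires in the scenario above is exactly the kind of IP message that the authentication, integrity and nonrepudiation pillars described under Cyber Security Fundamentals are meant to protect. The following is an added example, not code from the article, from Wade's book or from any of the vendors quoted: it seals a constructed call-for-fires message with an HMAC-SHA256 tag and a sequence number, and shows the artillery command post side rejecting a message whose grid was altered on the link and a replayed copy of a genuine message. It also shows the caveat a practitioner should know: because the receiver holds the same shared key, it can mint an equally valid message, so an HMAC provides integrity and authentication but not nonrepudiation; that needs a digital signature under a key only the sender holds. The message fields, unit names, grid and key are all invented for the example.

```python
"""Authenticated, replay-resistant tactical message: added example, not code from the article."""
import hashlib
import hmac
import json

# Constructed demo key. In service the key comes from key management, never from source.
SHARED_KEY = b"constructed-demo-key-not-for-use"

# Constructed call for fires, modelled on the checkpoint scenario in the text.
CALL_FOR_FIRES = {
    "type": "call_for_fires",
    "origin": "coy-cp-1",          # hypothetical company command post identity
    "sensor": "radar-plt-3",       # hypothetical unattended radar
    "target_mgrs": "35UMQ 12345 67890",   # constructed grid
    "heading_deg": 270,
    "speed_kph": 40,
}


def canonical(body: dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(msg: dict, key: bytes, seq: int) -> dict:
    """Attach a sequence number (replay protection) and an HMAC-SHA256 tag
    (integrity + authentication) to a message."""
    body = dict(msg, seq=seq)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Artillery command post side: verify the tag first, then enforce freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, envelope: dict) -> str:
        body, tag = envelope["body"], envelope["tag"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        if body["seq"] <= self.last_seq:
            return "reject: replay"
        self.last_seq = body["seq"]
        return "accept"


def run_demo() -> dict:
    cp = Receiver(SHARED_KEY)
    genuine = seal(CALL_FOR_FIRES, SHARED_KEY, seq=1)
    # An attacker on the link edits the target grid but cannot recompute the tag.
    tampered = {"body": dict(genuine["body"], target_mgrs="35UMQ 11111 66666"),
                "tag": genuine["tag"]}
    # Any holder of the shared key, the receiver included, can mint a valid tag:
    # an HMAC gives integrity and authentication, not nonrepudiation.
    forged_by_receiver = seal(dict(CALL_FOR_FIRES, origin="coy-cp-1"), cp.key, seq=2)
    return {
        "genuine": cp.accept(genuine),
        "tampered": cp.accept(tampered),
        "replayed": cp.accept(genuine),
        "forged_by_receiver": cp.accept(forged_by_receiver),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

The sequence number is checked only after the tag verifies, so an attacker cannot advance the receiver's replay window by sending unauthenticated messages with high sequence numbers. The last result in the demo is the point of the nonrepudiation caveat: the receiver's own forgery is accepted, because a shared key cannot prove to a third party which side produced a message.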

Fancy Bear

The cyber threat, and the need to protect against it at the tactical level, is not hypothetical. Ukrainian troops have already experienced the damage such attacks can cause. Following Russia’s 2014 invasion of Ukraine, Russian cyber warriors devised malware to infect Ukrainian Army artillery C2 systems. X-Agent malware targeted computers running the Android operating system used by Ukrainian artillery. CrowdStrike, a cyber security company, identified that X-Agent was developed by a Russian cyber warfare group dubbed ‘Fancy Bear’ (Note: not the outfit’s real name; the codename comes from a designation system developed by Dmitri Alperovitch, formerly of CrowdStrike). Open sources state that Fancy Bear is strongly suspected of close links with Russia’s GRU military intelligence service.

Russia’s X-Agent malware developed by its ‘Fancy Bear’ cyberwarfare group was thought to be highly effective in locating Ukrainian artillery for targeting by counterbattery fire. Credit: CrowdStrike

X-Agent specifically targeted ‘Correction D-30’ Ukrainian Army fire control software. Developed to provide fire control for the army’s PJSC 2A18/D-30 122mm howitzers, the software could provide artillery targeting times of circa 15 seconds. However, any artillery unit using the software had to input its own location to obtain correct gun laying instructions. X-Agent is thought to have stolen this artillery unit location data from the Correction D-30 software. Stealing this information gave Russian Army gunners detailed information on where their Ukrainian adversaries were. From a counter-battery perspective this was invaluable. Experts have told the author that the malware was almost certainly wirelessly inserted into Ukrainian Android devices running Correction D-30.

Ukrainian Army sources have told the author the malware may have been delivered from Russian Army electronic warfare platforms. The latter’s RB-341V Leer-3 Communications Intelligence/Jamming (COMINT/COMJAM) system could have been used for this task. Leer-3 employs three Orlan-10 Uninhabited Aerial Vehicles (UAVs). These are equipped with a COMINT/COMJAM payload to locate hostile troops based on their radio emissions. This can include mobile phone signals on frequencies of 900 MHz to 1.9 GHz. Given their service ceiling of 5,000 m (16,000 ft), the Orlan-10 UAVs could have delivered this code via a jamming attack from ranges of 380 km (205 NM). X-Agent almost certainly helped Russian artillery target Ukrainian guns. Analysis written by Henry Boyd, research fellow for defence and military analysis at the International Institute for Strategic Studies (IISS), a London-based think tank, estimates that up to 20% of Ukraine’s pre-invasion D-30 inventory was wiped out by Russian attacks.

“At the tactical level, the majority of cyberwarfare risks are not really different from classical threats,” says a written statement provided by Hensoldt. “It is just the way the attackers try to achieve their objective … Instead of jamming communications networks in the classical way, the attacker aims to reduce this via an attack on the operating system of the equipment.” X-Agent was primarily confined to the Correction D-30 software used by Ukrainian artillery. Nonetheless, once a threat has entered one battlefield network, there is no telling where it might end up.

Moreover, a tactical cyberattack could be indirect. Perhaps battlefield networks and systems are left alone, but personnel are instead targeted to weaken their morale. This arguably crosses into the information warfare domain. Given how much information is now delivered via the world wide web this is not surprising. Hensoldt says that online disinformation campaigns can target the morale of individual soldiers. These campaigns could extend to soldiers’ families with the intention of weakening their morale or spreading lies about their relatives or the wars they are involved in. The latter has arguably more of an operational or strategic impact and is more likely to be effective over a prolonged timescale. Open source intelligence providers can often detect when disinformation campaigns may be underway. This helps provide early warning that personnel, their families or populations at large are being targeted.

Hensoldt is taking a holistic approach to the tactical cyberwarfare risk. The company says it “addresses cyber risks early on in the development process of our products and systems independent of the level at which they are going to be used. This includes a detailed cyber risk analysis of individual components, overall system architecture and its interaction with third-party equipment.” It also helps that materiel specifications now routinely include cyber resilience as standard.

Likewise, Airbus provides tactical cyber security solutions: “We use commercial off-the-shelf technology tailored to meet the military requirements of our customers ensuring necessary levels of security and resilience,” says Razy: “The concept of operations is to be as simple to operate and fully effective for the client.” The company has delivered its Tactical SOC product to the French armed forces. It is operated by the Armée de Terre (French Army) Commandement des Systèmes d’Information et de Communication (COMSIC; ENG: Information Systems and Communication Command).

Airbus’ Tactical SOC is a cybersecurity system for use at this level of war. It has been procured by the French armed forces and is operated by the French Army’s Information Systems and Communication Command.
Credit: Airbus Defence and Space

NATO’s Outlook

At the NATO level, individual members are responsible for their national cyber defence, an alliance official told the author. This is the case at the strategic, operational and tactical levels. NATO does have a Standardisation Agreement or ‘STANAG’ pertinent to tactical cyber protection. This provides guidelines that can be shared among the allies, the official continued, “for use in deployments as they see fit.”

As the X-Agent attacks underscored, staying abreast of the threat is half the battle. “NATO and allies exchange information about cyber threats in real time, including through a dedicated Malware Information Sharing Platform,” the official continued. “We also share information on cyber threats with the European Union.” Forewarned is forearmed and this helps improve national and supranational cyber resilience and defence, whatever the level of war. Individual awareness is front and centre of this approach: “NATO attaches great importance to cyber security awareness among all its personnel. (The alliance) regularly releases cyber-related information to its staff, and provides regular security briefings and mandatory training that takes into account threats at local level.”
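Shared threat information is only useful once it is turned into detections on the deployed network. As an added example, not code from the article or from NATO, the following takes a constructed event laid out like a MISP JSON export (an Event with a list of Attribute records carrying type, value and the to_ids flag that marks an attribute as intended for detection) and matches the flagged indicators against constructed log lines of the kind a tactical network might produce (DNS queries, connections, an app install). All indicator values are invented: the domain uses a reserved test suffix, the IP address is from the documentation range and the hash is of a made-up string. The log format, field names and host addresses are assumptions for the example.

```python
"""Match MISP-style shared indicators against tactical network logs: added example."""
import hashlib
import re

# Constructed sample: the hash of a made-up string stands in for a real malware hash.
SAMPLE_APK_SHA256 = hashlib.sha256(b"constructed trojanised apk bytes").hexdigest()

# Constructed event in the MISP JSON layout (Event -> Attribute list with
# type / value / to_ids). Values are invented; none is a real indicator.
MISP_EVENT = {
    "Event": {
        "info": "constructed example: trojanised artillery app",
        "Attribute": [
            {"type": "domain", "category": "Network activity",
             "value": "update.example.invalid", "to_ids": True},
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.23", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": SAMPLE_APK_SHA256, "to_ids": True},
            {"type": "comment", "category": "Other",
             "value": "analyst note, not an indicator", "to_ids": False},
        ],
    }
}

# Constructed log lines from a deployed network; the format is an assumption.
LOG_LINES = [
    "2023-03-01T10:00:01Z dns src=10.20.0.7 qname=update.example.invalid",
    "2023-03-01T10:00:03Z conn src=10.20.0.7 dst=198.51.100.23:443 proto=tcp",
    "2023-03-01T10:00:09Z dns src=10.20.0.9 qname=maps.example.net",
    "2023-03-01T10:00:10Z conn src=10.20.0.9 dst=198.51.100.2:443 proto=tcp",
    f"2023-03-01T10:01:12Z install src=10.20.0.7 file=fc.apk sha256={SAMPLE_APK_SHA256}",
]


def load_indicators(event: dict) -> list:
    """Keep only attributes flagged to_ids; comments and context attributes are not matched."""
    return [(a["type"], a["value"]) for a in event["Event"]["Attribute"] if a.get("to_ids")]


def matches(value: str, line: str) -> bool:
    """Whole-token match, so 198.51.100.2 does not fire on 198.51.100.23
    and a domain indicator does not fire inside a longer name."""
    pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
    return re.search(pattern, line, re.IGNORECASE) is not None


def scan(lines, indicators) -> list:
    """Return (line number, indicator type, value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for itype, value in indicators:
            if matches(value, line):
                hits.append((n, itype, value))
    return hits


if __name__ == "__main__":
    for n, itype, value in scan(LOG_LINES, load_indicators(MISP_EVENT)):
        print(f"line {n}: {itype} {value}")
```

Only three of the four attributes are loaded, because the analyst comment is not flagged with to_ids, and the near-miss address on line 4 does not fire. On a real deployment the host that resolved the domain, connected to the address and then installed the matching file would be the first device to isolate and image.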

The cyber threat on and off the battlefield is unlikely to diminish in the coming years, instead it will most likely increase. This is driven by the relentless march of technology in the civilian and military worlds alike. “The security environment is becoming increasingly complex, and as technology advances, the cyber threat to NATO and NATO allies increases.” To this end, it is important to be realistic, the official adds: “Cyber threats will never be fully ameliorated or eliminated. The alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including in the context of hybrid campaigns.”

NATO’s Cyber Coalition exercise in Tallinn saw alliance officials detail a new messaging standard under development which will greatly assist the movement of cyberwarfare information around the battlespace.
Credit: Estonian Ministry of Defence

Recognising and engaging these threats is not just about technology. Having the right people and processes is crucially important. “NATO and its allies respond to these threats by strengthening our ability to detect, prevent and respond to malicious cyber activities while continuously adapting to advancing/emerging technologies, tactics, techniques and procedures.” During a visit to NATO’s Cyber Coalition exercise in Tallinn, Estonia in late November 2022, the author was told about a new tactical messaging standard NATO is developing. Like the J-Series messages exchanging tactical information across NATO tactical datalinks, a similar messaging protocol will assist cyber operations. This will help move cyber threat information easily between allies. NATO experts expect the cyber messaging standard to undergo tests during alliance exercises this year. The messaging protocol may then be formally adopted as a NATO STANAG. Such developments are important. They will improve the speed and efficacy with which the alliance can manoeuvre in cyberspace at the tactical level and beyond: “All of these steps help make NATO as strong in cyberspace as we are on land, in the air, in space, and at sea.”

Thomas Withington