Military Review English Edition May-June 2014 | Page 10

reviewed during the plan review cycle. No further resources are expended on maintaining access to the target until the plan is executed. By contrast, designating a target to be engaged with OCO starts the immediate allocation and expenditure of additional resources. Maintaining and developing a target requires a significant amount of time. During Operation Odyssey Dawn in 2011, U.S. officials debated the use of OCO against Libya but decided against it for several reasons—mainly because of time. Analysts at the New York Times reported that “in reality it takes significant digital snooping to identify potential entry points and susceptible nodes in a linked network of communications systems, radars and missiles like that operated by the Libyan government, and then to write and insert the proper poisonous codes.”15

How the joint targeting cycle applies to OCO. The first step to engage a target with OCO is to gain access to it. Without physical or electronic access to the target, it is impossible to proceed with OCO. A system linked to the Internet is, in general, more accessible, though getting into its targeted portions may be challenging due to its own network security environment. A closed system, such as the Iranian nuclear program, would require insider access to gain firsthand knowledge of the computing environment in the target facility.16

Once forces gain access to a target system, they need to maintain it as long as they might wish to strike the target. Network upgrades or system changes made in the regular maintenance of the target could make it difficult to maintain or regain access. The risk from gaining access to a system is that an adversary might detect the hacking well before the attack. The adversary would discover which systems were being targeted. Moreover, discovery would assuredly result in access being lost—and the possibility of the adversary studying the attack to understand U.S.
cyberspace operations and develop better defenses or even counterattacks.

Once access is gained, the next step is to learn the unique internal attributes of the targeted system. Cyber attackers may need to acquire the software being targeted so they can determine its nature and vulnerabilities. For commercially available systems, this is relatively easy to do—a copy can be purchased. For rare systems or those whose development and use are limited to a given country or region, forces might need to obtain insider knowledge of the network environment (as may have occurred with Stuxnet).17 Depending on the system to be attacked, the code might be commented in a language other than English. For whatever reason, if USCYBERCOM is unable to gain technical insight into the targeted software, then OCO cannot proceed; coordinating the proper effect is impossible. The JTF commander must consider these attributes of OCO when setting target priorities during deliberate planning.

Once USCYBERCOM has coordinated a means for continuous access and learned the targeted system, they must then coordinate acquisition or development of the weapon with which to attack it. Some weapons designed to attack common operating systems such as Windows are commercially available. However, systems produced and used only in certain countries typically require forces to develop weapons from scratch. This becomes a software acquisition project, in both the technical and legal sense. For purposes of defense acquisition, software development projects are more complex than physical engineering projects.18 Developing a cyber weapon is a complex challenge for this reason and many others. Once a weapon has been developed, the attackers must constantly maintain access to and monitor the target. They must ensure routine system maintenance does not nullify their labors until the weapon is employed, or until the target is removed from the joint integrated prioritized target list (JIPTL).
OCO force assignment challenges. All of these actions require a significant amount of time, perhaps months, before anything besides a rudimentary attack can be launched with a presumption of success. Furthermore, depending on the target and its accessibility, a weapon may need to navigate through several networks to its intended target. According to cyber forensics analysts, Stuxnet may have infected its target environment through a removable device inserted by a willing or unwitting third party or insider.19 Stuxnet would have needed numerous developers working up to six months to infect target computers in the Iranian nuclear program’s closed network. Currently, USCYBERCOM coordinates all OCO, with the concurrence of the appropriate combatant command. This further complicates the challenge