Editor’s note: This article is part of a series, “Full-Spectrum: Capabilities and Authorities in Cyber and the Information Environment.” The series endeavors to present expert commentary on diverse issues surrounding US competition with peer and near-peer competitors in the cyber and information spaces. Read all articles in the series here.
Special thanks to series editors Capt. Maggie Smith, PhD of the Army Cyber Institute and MWI fellow Dr. Barnett S. Koven.
Setting the Board
In the Pacific Ocean, a submarine mast quietly broke the surface of the warm water just before midnight. Its hatch cracked open, and its crew quickly went to work opening dry storage containers and inspecting their contents on the fore and aft decks. The submarine’s captain was thankful for the low winds, calm seas, and dark blanket provided by the new moon. Although off the coast by more than twelve miles, the submarine could not afford to be identified. Capt. Zhao hoped his fellow captains farther up the coast were laboring under equally favorable conditions.
Almost three hundred miles away, Capt. Matt Chandler had just gotten his children to sleep; they were fighting off colds, and bedtime had taken longer than anyone preferred. Being that Matt was a spouse in a dual-military marriage, the kids were his to care for this evening while his wife was flying unmanned aerial vehicles (UAVs) from a small control building at Creech Air Force Base. Out of habit, he checked his phone, though knowing there would not be a text message from her. As a UAV pilot himself, he knew that her phone would be turned off and locked in a box at the entrance of the secure facility while she was flying. Matt sent text messages to his mom and his sister, both to check in with them and to confirm that the upcoming family gathering on Labor Day was still on.
In a nondescript concrete building on the other side of the globe, Bi was sitting at his computer observing the operation and interaction of chosen International Mobility Equipment Identity (IMEI) numbers. The handset he affectionately called “Cai” sent messages to two other handsets. He noted that tonight’s message was a little later than usual. He wondered what must be happening. He also observed that the other handset, most commonly observed with Cai’s phone, had turned off at the expected time and location.
Bi was just one of hundreds of computer operators monitoring selected networks of individuals. These network diagrams had been surprisingly effortless to build. The intelligence apparatus of the People’s Republic of China had combined security clearance forms stolen from the United States Office of Personnel Management with pilfered medical information and all too readily available open-source details provided by Facebook, Twitter, Instagram, and other platforms to create a massive system diagram of large portions of United States security and federal and state political apparatuses.
People’s Liberation Army Navy (PLAN) Capt. Zhao’s crew had finished checking and arming seventy-five drones. These ungainly looking UAVs were not driven by whirling blades, but mimicked the flight of birds, which would confuse radars and other detection systems. This “flock” and others like it would be taking flight shortly, and if all went well, a significant change in the global order would follow.
With all the UAVs off the deck, the captain breathed an enormous sigh of relief; his submarine quietly slipped below the water, heading home. His flock would move northeast, crossing the Baja coast and into the United States. Flying below four hundred feet, it would take the flock almost eleven hours to reach Creech Air Force Base in Nevada.
Just as the PLAN flock passed into the United States, Matt was waking up. He reached to check his phone for any overnight messages. Bi and the other operators watched as various handsets started interacting with the digital world. Bi spoofed Matt’s mother’s phone number and sent a link that would perform a quick redirect before ending at a news article—Matt clicked the link, his phone downloaded some code, and he read the news article that he thought was sent by his mother. The virus activated the phone’s near-field communication capability; this action would drain the battery quickly, but by the time Matt recognized it, the virus would have done its damage. Hundreds of other operators mimicked this action, each with individually crafted messages and targets. Some targets succumbed and clicked the links, while others ignored them.
As the flock passed into Nevada, Matt packed his bag for the day, tossing his phone in the front pocket, where it came to rest next to his keys, wallet, military common access card (CAC), and security access badges. While Matt prepped his children’s lunches, his backpack sat on the kitchen counter. His phone’s near-field communication passed a small packet of information to the radio-frequency identifications (RFIDs) embedded in his gym fob, military CAC, and security access badges. An identical action occurred on some of the other phones whose users had clicked the links. Some of the infected phones were able to pass their packets; others had not been located close enough to RFID-equipped items.
After dropping his kids off at daycare, Matt headed to the gym, where he used his access fob to gain entrance. The fob left a little code behind in the door reader. After the gym, he headed to Creech, where he would have coffee with his wife for a few precious minutes.
As the sun hit the West Coast of the United States, a different group of Chinese operators and hired cyber mercenaries from a former Eastern Bloc country began a series of denial-of-service and ransomware attacks against infrastructure and communication networks. Facebook connections slowed, as did links to Outlook and other email services and education learning management platforms. The list of issues and targets was wide and varied.
As the birds came within twenty miles of Creech Air Force Base, Matt was walking into his UAV “cockpit” to begin his work day. He met his sensor operator at the door. Both had used their military CACs to move through the various levels of security and control. Of the two, only Matt’s CAC carried the digital hitchhiker. Every time he scanned his CAC, the package multiplied; everyone who scanned after him gained an extra bit of code on their CACs. Spreading like the mark in the handshake game, quickly, almost every door scanner at Creech Air Force Base was infected, and nearly every military CAC became a carrier. Out in Las Vegas, anyone who had entered the gym after Matt had also picked up a traveler, which quickly spread across town in a similar manner. This same pattern was propagating across RFID-enabled entrances across the United States.
Flipping the Table
The UAV flock split into three elements, with over half continuing toward Creech Air Force Base. One formation migrated toward Las Vegas, and the other dispersed, heading toward the city’s surrounding desert.
The autonomous UAVs, having flown hundreds of miles using ground-following radar, began their terminal approaches. The targets for the flock going to Creech were not people or buildings, but cooling coils for air conditioner units and electrical transformers. The group that had dispersed into the desert began to destroy the large step-down transformers critical to electric power transmission. At the same time, the flock in Las Vegas started to target smaller step-down transformers. The city’s lights went out.
The power fluctuation forced a quick reboot of the systems, and the hitchhiker that had infected the security doors turned on, scrambling the firmware and permanently locking the doors. In response to the loss of power, backup generators kicked on across Creech Air Force Base. As the generators heated up, their heat signatures rapidly rose. Using their forward-looking infrared cameras, a contingent of drones that had been held back began targeting and destroying the backup generators. And with that, the United States military UAV capability collapsed.
In Las Vegas and the surrounding areas, the power fluctuation had similar outcomes, with secure doors locking tight, hindering access in hotels, banks, schools, and businesses of all sorts.
Even with the disruption to the internet, messages, photos, and links began to appear in social media feeds, and reports of explosions across the United States started to spike. Most messages were posted by the cyber mercenaries in Eastern Europe. Infrastructural disruptions using a global botnet of unsecured and poorly secured internet-of-things devices targeting various SCADA (supervisory control and data acquisitions) and internet systems stirred across the United States; water pumps ceased, rolling brownouts occurred as power grids became unstable, internet service slowed, and multiple Domain Name System servers were disrupted.
The flocks from the other submarines damaged the infrastructure at numerous ports on the West Coast of the United States. At Creech, building interiors began to become unbearable from the Nevada sun. The heat only became worse after forcing and holding open the layers of security doors. The rising temperature caused the servers operating on battery backup to shut down. The United States drone fleet around the world was blind.
Matt’s mom and sister and thousands of other friends and family members listed on the stolen security clearance forms began receiving pictures via text message of destruction of bases that had not occurred. Immediately, those thousands of family members and friends started calling and texting military members stationed in the Pacific Ocean and in the western United States—further straining an already disrupted internet and telecommunications network.
It would take weeks for the actual limited and targeted amount of destruction to become known. But the immediate response of the American population was to panic. Similar to the population’s reaction to the supply chain disruptions brought on by COVID-19, the Colonial Pipeline attack, and the JBS attack, hoarding of and runs on commercial goods followed.
This behavior of the American populace and the need for a domestic recovery response caused the United States government to blink. Politicians were divided between rapidly responding to the Chinese aggression in the Pacific and the needed domestic recovery. Americans rapidly rallied around the flag, but the disruption of the ports on the West Coast interfered with and delayed the mobilization and transportation of the heavy military equipment needed for a rapid response.
Preventing the Game
The above scenario is, of course, a fictional description of an opening gambit in a surprise military operation by China. The United States government and population have historically relied on the great defensive walls of the Atlantic and the Pacific Oceans to defend the continental United States. These geographic barriers have enabled the American homeland to suffer only minimal direct impacts from foreign aggression. Yet, the interconnected modern world and its open network structure allow adversaries of the United States, both state and nonstate, to directly impact, influence, and observe the American way of life on a scale previously unimagined.
Recognizing the digital interconnectedness of the world and the resulting vulnerabilities is critical for building resilient and flexible responses to attacks on critical infrastructure and systems. Recent actions by the United States government have begun the process of further securing critical infrastructure. The Biden administration’s executive order on improving US cybersecurity has provided initial guidance on how the federal government should develop an integrated response and incident prevention network. However, the authority of the United States government is limited because the majority of what influences and affects the American population exists in the private sector, outside the government’s direct control.
While the executive order provides a way forward for the federal government, additional steps should be taken to further empower the Cybersecurity and Infrastructure Security Agency to take a more proactive stance on addressing private sector security vulnerabilities. The convoluted bureaucracy governing the various supply chains and digital and physical infrastructures creates the need for better guidance, coordination, and supervision. Additionally, having a conversation on implementing systems that permit more open sharing of information among those who conduct offensive and defensive cyber operations on behalf of the government and the private sector will reinforce and create a cycle that improves both offensive and defensive cyber functions.
Moving from the macro to the individual, in 2020, 85 percent of Americans reported owning a smartphone. These computers in our pockets provide immense value in our daily lives; at the same time, they supply insight and access to individuals that were previously unavailable—insight and access also available to malign actors and marketing firms. Personal data availability, combined with the collection of both open-source information and stolen and purchased data sets, enables the creation of enormous social network diagrams and provides possible connections that can be exploited by nefarious actors. Countering any self-collected human and open-source intelligence will require examining and discussing techniques for mitigating the digital breadcrumbs we all leave behind as we go about our daily lives.
Unfortunately, good digital hygiene and the absence of digital signatures can also betray sensitive information—Matt, in the above scenario, and his wife and colleagues turned off and left their smartphones outside their workspaces, indicating the presence of a secure facility of intelligence value to foreign adversaries. Therefore, organizations need thoughtful and ongoing exposure risk mitigation plans that acknowledge the spectrum of ways that digital signatures can impact operations.
In addition to smartphones providing a window into our pattern of life, connected devices also create digital access points to interact with our environment directly. Touchless payments, near-field communication, and poorly secured or unsecured internet-of-things devices are all access points into our physical world. There are simple ways to isolate the digital world from our physical world—RFID-blocker card sleeves being an example—but the public must be both motivated to adopt security measures and willing to be an active participant. Without an understanding of the vulnerabilities that exist and knowledge of the readily available solutions to mitigate exposure risk, the public remains blissfully unaware of how a simple link-click can open personal records to foreign agents and cybercriminals. Education, starting as early as elementary school, should include technology orientation and the steps to securing digital information to mitigate the risk of exploitation.
As former national security advisor H.R. McMaster noted, “There are two ways to fight the United States military: asymmetrically and stupid.” It is most likely that an adversary will create confusion, turmoil, and strategic and operational dilemmas before conducting aggressive actions—similar to Russia’s actions in Georgia in 2008. Recognizing, reducing, and building resilient physical and digital systems will not prevent all vulnerabilities, but will increase the cost of asymmetric operations—increasing safety, security, and stability for the United States and its population.
Thomas G. Pledger is an infantry officer in the US Army National Guard, currently serving at the Secretary of Defense Strategic Thinkers Program at Johns Hopkins’ School of Advanced International Studies in Washington, DC. His professional and academic research is focused on a holistic approach to counterfacilitation, network targeting, stability operations, and irregular warfare.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, Department of Defense, US government, or any organization with which the authors are affiliated.
Image credit: Staff Sgt. Ryan Callaghan, US Air Force