2018-03-31

Military Interoperability part I

This is the first part of an article on Military Interoperability. This part introduces the interoperability measure and explores why militaries have been seeking it. The second part will focus on building interoperability and benefiting from it in operations.

1. Introduction

Interoperability is, simply put, “a measure of the degree to which various organisations or individuals can operate together to achieve a common goal.” Let’s explore this from a general systems viewpoint:

  • There are two or more entities A and B functioning purposefully
  • There is an environment E where both entities are executing their functions
  • There is a common goal G that both entities aspire to achieve
  • If the common aspiration to achieve G is strong enough there are two ways to cooperate:

1. The entities A and B may coordinate their separate efforts to create an effect that attains G, i.e., a hierarchical hub ensures the synchronisation of independent efforts, as depicted in Figure 1.

Figure 1: a simple need for interoperability

2. The entities A and B may choose to channel their combined effort through a shared delivery chain to achieve the common G, i.e., a shared value chain, as in Figure 2.

Figure 2: a value chain need for interoperability

Applying the above from a military systems thinking viewpoint, the definition of interoperability looks like the one in Figure 3:

  • There are two or more value chains GENERATE, SUPPLY and UTILISE consuming resources from SOCIETY to create an effect on ADVERSARY that is considered valuable to GOVERNANCE (combining Clausewitz’s triangle model with the value chain).
  • The value chains take place in an ENVIRONMENT that affects the open systems, which adjust their functions to adapt to environmental changes or co-evolve with the environment E.
  • The military system of systems value chain prefers the following definition of interoperability: “The ability of systems, units, or forces to provide services to and accept services from other systems, units, or forces, and to use the services so exchanged to enable them to operate effectively together.”


Figure 3: a military system of systems need for interoperability

For this work, interoperability is defined as the ability of systems to provide services to and accept services from other systems, and to use the exchanged value to attain higher goals effectively. In this context, a system is considered a socio-technical structure with defined functions and processes for purposeful action. A system can be a military unit that has been given a mission to accomplish.

There is a need to retrofit the components of the military system of systems to improve their ability to interoperate when they are not integrated. Parts of the system of systems can be designed from the beginning and generated together, creating a fully integrated entity.
Whether through interoperability or integration, the intention is to exchange services across system boundaries. In a socio-technical system, this requires interoperability at least at three levels of the boundary structure, as illustrated in Figure 4:

  • People are competent (i.e., possess understanding, skills and the right attitude), share a language, are culturally understanding and socially open to cooperation
  • The processes of the cooperating units can exchange transactions at both the logical and the physical level (i.e., they can exchange information and goods among themselves)
  • The technical means of exchanging services and information are compatible enough to support the transactions across organisational boundaries. Focusing only on information and communications technology boundaries, interoperability may be defined as “the ability of distinct systems to share semantically compatible information and to process and manage that information in semantically compatible ways, to enable their users to perform desired tasks.”

Figure 4: levels of interoperability in the boundary of two units

There is also a categorisation according to the levels of military hierarchy, which can be used in defining interoperability:

  • Strategic level seeks to harmonise worldviews, strategies, doctrines, force structures and efforts within coalitions and alliances. “Interoperability is an element of coalition willingness to work together over the long term to achieve and maintain shared interests against common threats.” 
  • Operational level seeks to minimise inefficiencies between multinational command and control, force elements, and ways to prepare, project and sustain the forces in theatre. 
  • Tactical level seeks alignment in engagement and protection. “The benefits of interoperability at the tactical level derive from the fungibility or interchangeability of force elements and units.” 
  • Technical level seeks integration at service and data exchange and compatibility by means of transport and communications. “Technical level interoperability reflects the interfaces between organisations and systems. Benefits of interoperability come primarily from their impacts at the operational and tactical levels regarding enhancing fungibility and flexibility.” 


2. Why do militaries seek interoperability?

The military enterprise seeks interoperability for three main reasons:

  1. To achieve better efficiency within the force: command coordination between separate units does not provide sufficient performance, so the units need to synchronise their efforts directly.
  2. To achieve better efficiency in a multinational coalition or cooperation: the political level requires a shared contribution, which directs the military to create multinational units at the operational level.
  3. To achieve better efficiency within national defence: homeland defence requires closer cooperation and integration between different governmental agencies.

The above three interoperability drivers are studied in the following sections.

2.1. Efficiency within the force

In seeking to understand the military enterprise’s inner interoperability requirements, one may use Beer’s Viable System Model in Figure 5. A simple enterprise is composed of one or many operational units (L and A) that provide their effect in their specific areas of operation (AOO L and AOO A). These functional units are commanded by the Command element (JC), which balances the use of resources between current and future operations. Militaries have, for example, kept the Land Force separate from the Air Force, as they operate differently in their specific areas of operation. Both Services have been commanded by a Joint Command that delegates mission command to Service level but may guide the development of future capabilities more closely (or the other way around, as in the U.S. Armed Forces).

Figure 5: Traditional Armed Forces described with Viable System Model

As units specialise and coordination becomes too detailed and slow, there is a tendency to create value chains through units that support each other in the quest to achieve the same goal set by the Joint Command, as in Figure 6. For example, Joint Logistics (JL) supports both the Land and Air Services in the same Area of Operation (JA). The value chain arrangement requires direct interoperability between the supporter and the supported, as the exchange of services becomes too detailed and too high-paced for the Command to coordinate.

Figure 6: Armed Forces organised as value chain

The Ross et al. model for enterprise business architecture, pictured in Figure 7, explains the movement from diversification towards coordination and further to unification. Armed Forces tend to build their new capabilities in diversified units, but once they meet a joint adversary, they prefer a unified order of battle, since Joint Command coordination is too slow and lacks the necessary detail. In a unified joint force, interoperability becomes a force enabler. All specialised force components share the same situational awareness of current and planned operations, can synchronise their manoeuvre, engagement and protection between themselves, and exchange their dedicated services to achieve the common goal.

Figure 7: Business Architecture model for military affairs

2.2. Efficiency in coalition or cooperative

The political level has recently required a multinational contribution in military operations (except for the Russian operations in Georgia, Ukraine and Syria). In multinational, combined operations, either the force units are coordinated in detail under one command, or they are part of a force group in which one host nation provides joint Command and Control, as in Figure 8.

Figure 8: A case for multinational interoperability 

The 1991 coalition against Iraq was a typical U.S.-led operation where all units were under U.S. control, but only the most compatible coalition units could participate in the main operations.

Ackoff’s (1972) model for purposeful systems provides a framework for understanding the types of multinational relationships, as pictured in Figure 8. A coalition is formed when the nations’ ends are compatible, but their means may not be interoperable. Cooperation is possible when both ends and means are compatible, as presented in Figure 9.

Figure 9: Types of multinational relationships by Ackoff

The more cost-effective and better-performing the allied military force, the more compatible their means of waging war need to be. There may even be an aim to unify all troops, as the Warsaw Pact was manoeuvring with multinational units that mainly used aligned tactics and standard technology. NATO is currently seeking a similar kind of status among its 26 members and several partners. Its mission statement is that “Interoperability allows forces, units or systems to operate together. It requires them to share common doctrine and procedures, each others’ infrastructure and bases, and to be able to communicate with each other. It reduces duplication in an Alliance of 26 members, allows pooling of resources, and even produces synergies among members.”

2.3. Efficiency within national defence

There are two dimensions in interoperability concerning national defence: cooperation between governmental agencies in homeland defence and Armed Forces integration with the society itself.

The USA woke up on 9/11, realising that its homeland was not the sanctuary it had assumed. At the same time, it appeared that US government organisations were not cooperating within the homeland. Thus, the Department of Homeland Security was established in 2002 to coordinate the functions of about 22 different federal departments and agencies. By establishing this cabinet agency, the USA stepped from diversification to coordination on the business architecture map in Figure 10.

Figure 10: Ross et al. quadrant for business architecture models

Other nations like Finland had exercised homeland defence since WW II and were further towards unification, as they were sharing weapons, vehicles, C2 systems, etc.
The other dimension of national defence is the military’s need to be integrated into the society that provides for it. There are two primary functions, force generation and supply, that cannot be performed separately from society, as illustrated in Figure 11.

Figure 11: Interoperability between the military and the society that provides for it

Force generation requires draftees or conscripts. Armament needs to be acquired. Logistics need a feed of supplies, services and consumables to sustain the forces in both generation and utilisation.

2018-03-19

Slingshot: Sophisticated Cyber Espionage Platform

Definition

Slingshot is an advanced cyber-espionage threat actor that has been persistently infiltrating and collecting data since 2012 while avoiding detection until February 2018. Some research organisations have lately detected some hundred infected cases, mainly in Africa and the Middle East.

The attack routes for Slingshot remain mainly unidentified, but there is evidence that it may infect its targets through 0-day vulnerabilities in routers. Once on board, Slingshot collects information from the target and sends it to the C2 server, invisibly to the user. The code seems to be unique, pointing to a nation-level manufacturer with English as its mother tongue.

Attack vector

The one known attack vector for Slingshot is through a type of router. The attackers use a faulty feature of the router to take it over and download their application. Then they start distributing ipv4.dll files to targets, have them loaded into memory and executed. The DLL connects back to the router, downloads other malicious components and runs them. Slingshot avoids detection by two mechanisms: one is an encrypted virtual file system located in an unused part of the hard disk, and the other is the encryption of all text strings, which defeats virus detection based on searching for text strings.

As Slingshot is a collection of separate modules, each module is also downloaded in a different way. During the download and while gaining kernel rights, Slingshot tampers with the system logs, leaving no tracks.

Slingshot operates in the kernel, so it has access to all data stored on drives or in internal memory. It has reportedly been logging screenshots, keyboard input, network traffic, passwords and USB connections. There is no hard-coded C2 address; instead, it listens for the address in each incoming IP packet to the kernel.


Protection

The following general advice may apply to protection against this kind of espionage:

  • The military should build depth into their cyber environment, which makes it harder to reach the valuable targets.
  • Keep the ICT infrastructure as up to date as possible.
  • Have several layers of detection: not only fingerprints but also traffic patterns in and out of the system.
  • Have access to the newest threat intelligence data through the cyber defence coalition network.
  • Exercise your cyber defence crews by having red teams attack them, also using persistent methods.
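The post notes that Slingshot encrypts its strings to defeat string-based scanning and that its DLL calls back to the compromised router, and the protection list asks for detection layers beyond fingerprints. The following Python example, added here and not part of the original post or of any vendor's tooling, shows the two layers side by side over constructed telemetry: a fingerprint check on module loads (the module name ipv4.dll comes from the post; the trusted directory list is an assumption), and a traffic-pattern check that flags near-periodic outbound connections to a destination regardless of payload content. The hostnames, addresses, process names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Layer 1: fingerprint watchlist. The module name comes from the post's
# description of Slingshot; the trusted directory list is an assumption.
WATCHLIST_MODULES = {"ipv4.dll"}
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def fingerprint_hits(module_loads):
    """Return module-load events whose file name is watchlisted and whose
    path lies outside the trusted directories.
    module_loads: iterable of (host, process, module_path)."""
    hits = []
    for host, process, path in module_loads:
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name in WATCHLIST_MODULES and not lower.startswith(TRUSTED_MODULE_DIRS):
            hits.append((host, process, path))
    return hits


def beacon_candidates(connections, min_events=6, max_cv=0.1):
    """Layer 2: flag (host, dst) pairs whose outbound connection intervals
    are near-constant (low coefficient of variation). A periodic call-back
    shows this shape whatever the payload looks like, so it catches what an
    encrypted-string binary hides from a signature scan.
    connections: iterable of (host, dst, timestamp_seconds).
    Returns {(host, dst): mean_gap_seconds}."""
    times = defaultdict(list)
    for host, dst, ts in connections:
        times[(host, dst)].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue  # too few samples to call the traffic periodic
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a beacon
        if pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg, 1)
    return flagged


# Constructed sample telemetry (not real data). 192.0.2.1 plays the role of
# the site router; 198.51.100.7 is an ordinary web host.
SAMPLE_MODULE_LOADS = [
    ("ws-04", "svchost.exe", "C:\\Windows\\System32\\kernel32.dll"),
    ("ws-17", "updater.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\ipv4.dll"),
]
SAMPLE_CONNECTIONS = (
    # ws-17 contacts the router every ~300 s with a few seconds of jitter
    [("ws-17", "192.0.2.1", t) for t in (0, 300, 602, 900, 1199, 1501, 1800)]
    # ws-04 browses a web host at irregular intervals
    + [("ws-04", "198.51.100.7", t) for t in (0, 40, 500, 530, 1300, 1310)]
    # too few events to judge periodicity
    + [("ws-17", "198.51.100.7", t) for t in (10, 700, 2200)]
)


def run_report(module_loads=SAMPLE_MODULE_LOADS, connections=SAMPLE_CONNECTIONS):
    """Combine both layers into one report keyed by host."""
    report = defaultdict(list)
    for host, process, path in fingerprint_hits(module_loads):
        report[host].append(f"watchlisted module {path} loaded by {process}")
    for (host, dst), gap in beacon_candidates(connections).items():
        report[host].append(f"periodic connections to {dst} every ~{gap}s")
    return dict(report)


if __name__ == "__main__":
    for host, findings in run_report().items():
        print(host)
        for line in findings:
            print("  -", line)
```

On the constructed data only ws-17 is reported, once by each layer; the point of keeping both is that either alone can be evaded (renaming the module defeats layer 1, adding heavy jitter to the beacon defeats layer 2), while evading both at once costs the intruder more.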



References


  • https://thehackernews.com/2018/03/slingshot-router-hacking.html
  • https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
  • https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/
  • https://www.businesswire.com/news/home/20180309005046/en/Kaspersky-Lab-Uncovers-Slingshot-Spy-Router



2018-03-05

False Flag Attack Against Winter Olympics in South Korea

Incident

The opening ceremony of the Winter Olympics in South Korea on February 9 was hacked, according to the games’ organisers. The hacking disrupted the Internet and broadcasting services related to the Olympic Games. Many attendees were unable to print their tickets for the ceremony, resulting in empty seats.

According to US sources, the attack was carried out by Russian organisations as retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping violations.

The Russian hackers were trying to provide a false flag, i.e., trying to convince observers that the attack originated from North Korea. The mask-swapping included injecting fingerprints of other known attackers into the malware that was used to take down several hundred computers just in time for the opening ceremony.

Details

The hackers attacked the Olympic organisation with different tools:
  • The Olympic Destroyer malware tore down the computer networks just ahead of the opening ceremonies, paralysing display monitors, shutting down Wi-Fi networks and denying access to the Olympics’ website. The malware used the password-stealing tool Mimikatz and spread via Windows PsExec and WMI before encrypting or destroying data. It destroyed precisely the same amount of data as the North Korean Lazarus hacking team’s malware. The attackers proxied their avenue of approach through North Korean IP addresses. The code of Olympic Destroyer was almost 20% similar to that of the known Chinese team APT 3, and it created encryption keys in a manner similar to another Chinese team, APT 10.
  • The known Russian hacking team Fancy Bear had been attacking Olympics-related organisations for months before the opening, stealing documents and leaking them.
  • The Russian military intelligence organisation GRU had gained access to as many as 300 Olympics-related computers in early February.
  • In January, the GRU hackers were infiltrating South Korean routers to capture more intelligence data. During the opening ceremony, they rerouted the traffic, thereby preventing access to web pages.
It is claimed that the GRU was working through the Main Center for Special Technology (GTsST), which allegedly was behind the NotPetya attack against Ukraine last year. This is not the first time that Russia has tried to masquerade its attack vectors, since it has previously used fronts like the Russian CyberBerkut, the ISIS Cyber Caliphate and the Romanian Guccifer 2.0.
Mask-swapping is easy in the cyber environment: use similar open source code, use the same filenames, copy some functions from elsewhere, use attack vectors typical of others, and reroute the command and control connections elsewhere.
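Whoever wrote Olympic Destroyer, the post's description of how it spread (Mimikatz for credentials, then PsExec and WMI for lateral movement) points at telemetry a defender can correlate without caring about attribution at all. The Python example below is added here and is not code from the original post or from any incident report; it classifies constructed Windows event records using three well-known telemetry signatures (PsExec installs a service named PSEXESVC, logged as System event 7045; WMI remote execution spawns a shell under WmiPrvSE.exe, visible in Security event 4688; credential theft reads lsass.exe, visible in Sysmon event 10) and alerts only when two or more distinct indicators co-occur on one host within a time window. The hostnames, event stream, allow-list of legitimate LSASS readers and the window length are assumptions made for the example.

```python
from collections import defaultdict

# Processes that legitimately open lsass.exe on the sample hosts (assumption
# for this example; a real allow-list comes from the environment's baseline).
ALLOWED_LSASS_READERS = ("\\csrss.exe", "\\wininit.exe", "\\msmpeng.exe")


def classify(event):
    """Map one event record to an indicator kind, or None if it matches nothing.
    event: (timestamp_s, host, channel, event_id, fields)."""
    _, _, channel, eid, f = event
    # PsExec default service install (System 7045, ServiceName PSEXESVC).
    if channel == "System" and eid == 7045:
        if f.get("ServiceName", "").upper().startswith("PSEXESVC"):
            return "psexec_service"
    # Shell spawned by the WMI provider host (Security 4688).
    if channel == "Security" and eid == 4688:
        parent = f.get("ParentProcessName", "").lower()
        child = f.get("NewProcessName", "").lower()
        if parent.endswith("\\wmiprvse.exe") and child.endswith(("\\cmd.exe", "\\powershell.exe")):
            return "wmi_spawn"
    # Unexpected process opening LSASS (Sysmon 10, ProcessAccess).
    if channel == "Sysmon" and eid == 10:
        target = f.get("TargetImage", "").lower()
        source = f.get("SourceImage", "").lower()
        if target.endswith("\\lsass.exe") and not source.endswith(ALLOWED_LSASS_READERS):
            return "lsass_access"
    return None


def correlate(events, window_s=600, min_kinds=2):
    """Alert per host when at least min_kinds distinct indicator kinds occur
    within window_s seconds of each other. A lone PsExec service (an admin
    may use it) does not alert; PsExec plus an LSASS read does.
    Returns {host: sorted list of indicator kinds}."""
    per_host = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind is not None:
            per_host[ev[1]].append((ev[0], kind))
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        for t0, _ in items:
            kinds = {k for t, k in items if t0 <= t <= t0 + window_s}
            if len(kinds) >= min_kinds:
                alerts[host] = sorted(kinds)
                break
    return alerts


# Constructed event stream (not real logs). OLY-PC1 shows the full chain;
# OLY-PC2 shows benign admin PsExec use; OLY-PC3 shows two indicators too far
# apart in time; OLY-PC4 shows an ordinary cmd.exe launch.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    (100, "OLY-PC1", "Sysmon", 10, {"SourceImage": "C:\\Temp\\m.exe", "TargetImage": SYS32 + "lsass.exe"}),
    (250, "OLY-PC1", "System", 7045, {"ServiceName": "PSEXESVC"}),
    (400, "OLY-PC1", "Security", 4688, {"ParentProcessName": SYS32 + "wbem\\WmiPrvSE.exe", "NewProcessName": SYS32 + "cmd.exe"}),
    (120, "OLY-PC2", "System", 7045, {"ServiceName": "PSEXESVC"}),
    (500, "OLY-PC2", "Sysmon", 10, {"SourceImage": SYS32 + "csrss.exe", "TargetImage": SYS32 + "lsass.exe"}),
    (50, "OLY-PC3", "Security", 4688, {"ParentProcessName": SYS32 + "wbem\\WmiPrvSE.exe", "NewProcessName": SYS32 + "cmd.exe"}),
    (5000, "OLY-PC3", "Sysmon", 10, {"SourceImage": "C:\\Temp\\x.exe", "TargetImage": SYS32 + "lsass.exe"}),
    (60, "OLY-PC4", "Security", 4688, {"ParentProcessName": "C:\\Windows\\explorer.exe", "NewProcessName": SYS32 + "cmd.exe"}),
]


if __name__ == "__main__":
    for host, kinds in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(kinds)}")
```

Correlating behaviour this way is deliberately indifferent to the planted fingerprints the post describes: renamed files, borrowed code fragments or proxied source addresses change nothing about a service install followed by an LSASS read on the same host.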

References

1. https://www.wired.com/story/russia-false-flag-hacks/
2. https://www.digitaltrends.com/computing/olympics-2018-hack/
3. https://www.msn.com/en-us/sports/winter-olympics/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/ar-BBJxnxv

2018-03-04

Using military and civilian technology to banish the troops of Islamic State from Raqqa, Syria

The Syrian Democratic Forces (SDF) were fighting against Islamic State in Raqqa and retook the town in October 2017. During the Raqqa campaign, the Kurdish-dominated SDF was supported by US Special Forces and the US Air Force.

Interoperability Through a Simple, Shared Application

One of the main means of interoperability was a US-produced smartphone application that provided SDF land troops with services for navigation in the city, coordination of their strikes and ordering of air strikes. The simple app was available to all SDF fighters; they were able to orient themselves around the city, and when engaging the enemy, even untrained men were able to define target coordinates and order close air support.

Demolished Raqqa © Delil Souleiman / AFP / Getty

As the urban area of Raqqa was modified by the defenders and destroyed by the attackers, it became challenging to navigate or locate oneself. The map used in the application was partially captured from the enemy, then patched and updated with aerial photographs. The situational awareness provided through the app enabled SDF troops to know where other friendly troops were located and where the enemy had been sighted, to define safe places to manoeuvre through, and to identify routes by which enemy suicide vehicles might approach.

Shared Situational Awareness and Air Domination Enabled the Operational Superiority

The taking of Raqqa was enabled by surrounding the city; by sharing their locations, the SDF troops were able to launch coordinated strikes from every direction.

Map of the SDF advances and control situations in Raqqa city, during the battle

The enemy was not able to foresee their manoeuvres, and furthermore, all targeted enemy locations were engaged from the air. There was continuous coverage by drones reconnoitring over the city and F-16 jets circling on call to take down all verified targets. Additionally, a spy network within the city provided confirmation of observed target data. Enemy locations, command and control posts, logistics points and barracks were constantly being hit. The Islamic State troops were denied the ability to move men around and to mount a coherent defence.

Smart Device Intelligence

The Islamic State troops were also using smartphones and laptops to manage information and command their troops. The US has been systematically capturing smartphones and laptops from ISIL and recovering the data from them. Smartphones, for example, hold massive amounts of information critical to intelligence analysts, including photos, telephone numbers, GPS data and Internet searches. Users generally assume the device will not be compromised and do not take precautions to protect the data.

Islamic State uses the app - called Nasher - to catalogue written reports, radio news, and video files. © Mirror 6 August 2015

The data include tens of thousands of personnel records on foreign fighters and their families, with dates of birth, aliases, phone numbers, jobs and other valuable intelligence. Islamic State ran its governance with smartphones and laptops; hence there is information on developing drones, chemical weapons, financing and propaganda operations. Some leaders were also planning to run their organisation from their smartphones after fleeing Syria and establishing cells in other parts of the world.

References

Battle of Raqqa, 2017; Wikipedia. Retrieved from https://en.wikipedia.org/wiki/Battle_of_Raqqa_(2017)

Michaels, Jim (2018): How the US is using terrorists’ smartphones and laptops to defeat them, USA Today, January 31, 2018. Retrieved from https://www.usatoday.com/story/news/world/2018/01/31/smartphones-computers-terrorists-intelligence-agency-united-states/1079982001/

Parsons, Jeff (2015): Hidden ISIS android app lets terrorists spread news and recruit members directly through their smartphones, Mirror, August 6, 2015. Retrieved from: https://www.mirror.co.uk/news/technology-science/technology/hidden-isis-android-app-lets-6203483

Press Association (2017): App used in battle against Islamic State was a game changer. Daily Mail Online, 18 February 2018. Retrieved from: http://www.dailymail.co.uk/wires/pa/article-5405555/App-used-battles-against-Islamic-State-game-changer.html

Taylor, Alan (2017): The Battle of Raqqa, The Atlantic, October 12, 2017. Retrieved from: https://www.theatlantic.com/photo/2017/10/the-battle-for-raqqa/542778/