Sunday, October 25, 2015

We're making our military leaders stupid or WTF is "tactical making?"

I was pretty openly critical on social media about the silly "cyber rifle" publicity stunt at the AUSA convention a few weeks ago.  CPT Brent Chapman, spoke with Popular Mechanics and described the build of the cyber rifle as an idea we call tactical making, or expeditionary making."  Additionally, Chapman goes on to say:
In the future, when targets are guarded by drones and bunkers are vulnerable to exploits, soldiers could easily cobble together practical cyberweapons that cater to their specific needs on the spot, without having to radio back to home base for equipment. " If the Army supports and funds the ability for that infantry platoon leader on the ground to rapidly fabricate a solution with his organic elements (in this case, the "cyber capability rifle"), then we can save lots of time and money," 
The site adafruit.com, which provides maker tools and supplies, was understandably complimentary of the Army's stunt, saying:
All of the tech was placed onto the rifle frame, making it easier for senior military leaders to appreciate.
Of course, having a maker site claim that supplying the Army with maker equipment (on a wide scale no less) is no more surprising than Boeing lobbying for continued support of the KC-135 and KC-X projects.  While I'm happy AdaFruit supports the ideas of Army makers, you can hardly call this endorsement unbiased.
Pretending to "shoot down" a drone with the "cyber rifle"
I'm all about enabling technology in military operations.  And I think we all know that if you include the word "cyber" in the name of your project, you automatically get funding.  But when you "place the tech onto a rifle frame" you don't "make it easier for senior military leaders to appreciate" - you make your leaders stupid.  They equate the capability with the rifle.  At the range the drone was "shot down" from, the same could have been done from the soldier's iPhone.  Yeah, the antenna does provide some extra range, but having it mounted on the rifle frame didn't do anyone any favors.

Also, it took some digging to determine that the original capability didn't use jamming and instead took advantage of a known vulnerability in the Parrot Drone.  This is where the rifle analogy really breaks down.  When you build a rifle that shoots a bullet, it inflicts damage against all targets equally.  But cyber capabilities (or God help me, "cyber bullets") are only effective against a particular technology.  While the "cyber rifle" ground an unpatched AR Parrot, an entire battalion of soldiers with cyber rifles are completely ineffective against my Husban X4.

I'm not sure what agenda CPT Chapman has going in trying to convince the Army that "expeditionary making" is feasible.  My company, Rendition Infosec, does what he is talking about.  We research vulnerabilities to create new 0-days for attacking software in the customer environment, and we regularly use Raspberry Pi hardware with customized software to get the job done.  We even own a 3D printer for building device enclosures.  But there's a pretty significant difference Rendition and CPT Chapman's proposed "expeditionary makers."  I could hire maybe one in 1000 infantry platoon commanders that have the skills to build field expedient cyber weapons for exploiting known vulnerabilities.  But even then, are we to believe that forward operating bases will have the equipment available to build tactical cyber devices?  I think this is a pipe dream that is more than a decade away in the best case.

I've had a number of disconcerting in-person exchanges with military leaders concerning cyber operations (these two were from unclassified environments).  In one exchange, a one star general asked if we could make the DVD drives of enemy computers explode since "I saw that on Mythbusters."  In another exchange, a two star general talking to CND operators demonstrated his mastery of the cyber domain by explaining that "data packets are like bullets and your walls of fire are like the armor that repels them."

I'll assume that by "walls of fire" he meant firewalls, but that's not the point.  His understanding of that which he was commanding was laughable.  It's on par with an Air Force commander who thinks his squadron pilots flying dragons.  And he's making decisions about something he has no clue about. I don't need to know how to fly a bomber to understand its capabilities, but I should understand some key points like crew rest, flight ranges, station time, etc. if I'm making decisions about its use.  Cyber should be no different.

We need to be educating our leaders, not trying to explain things in terms they already understand - especially if those are inappropriate analogies.  Military officers, especially those at the field grade and general level are not stupid (well most of them).  Tell them the truth so they can make good decisions.  The alternative is that leaders become increasingly confused about their own capabilities.  And let's be fair, we don't want leaders confused about the capabilities of their tanks or bombers. Why should they be confused about their cyber capabilities?

1 comment:

Note: Only a member of this blog may post a comment.