Reconsidering military ICT security

Executive summary

Gulf Cooperation Council (GCC)¹ armed forces face an information security conundrum. On the one hand, they need to develop “information superiority” — the ability to meet the information requirements of supported forces with greater timeliness, relevance, accuracy, and comprehensiveness than an adversary. This involves investing in technology (such as networked assets) and processes that provide commanders greater situational awareness, enabling them to make better and faster decisions and disseminate orders with alacrity. On the other hand, the danger that such information could be breached by an adversary encourages the overprotection of information, rather than its sharing and exploitation.

Thus far, most GCC commanders have erred on the side of caution, relying on isolated systems that are not interoperable. Consequently, they are inefficient in peacetime. Worse, during military operations commanders have to function with partial information — possibly ceding information superiority to adversaries.

The best way to resolve the conundrum is through a risk-based approach that allows commanders to acquire and exploit the right information at the right time, while managing the information security based on the likelihood or impact of its loss. This approach involves four steps:

1. Develop the right strategies and translate them into specific policies and processes.
2. Generate buy-in among senior leaders to drive the change in culture and practices throughout the organisation.
3. Put the right organisational elements in place, including a chief information officer (CIO), a design and procurement function, and a systems operating authority, among others.
4. Keep pace with ongoing technological developments.

Initially, militaries can perform pilot tests on support functions such as procurement or maintenance. They can thereby build up their information security capabilities over time, while minimizing the potential damage from compromised data.

Click here for the full report

¹ The GCC countries are Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and United Arab Emirates.

The information security conundrum

Modern military operations have been transformed by the use of technology to gather information and give commanders greater situational awareness. As a result, they can make better and faster decisions and disseminate orders more effectively, both in peacetime and during active operations. Even as most governments around the world have reduced overall military spending, they have invested more in technology to give themselves an edge through information superiority. According to ICD Research, global military spending on command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) is estimated at US$18.5 billion in 2017, with the total likely to grow to approximately $22 billion by 2021.² Although the GCC countries today represent a small percentage of this (between 2 to 3 percent), their spending is likely to increase exponentially as they seek to catch up with other countries.

We define information superiority as the ability to meet the information requirements of supported forces with superior timeliness, relevance, accuracy, and comprehensiveness than can be achieved by an adversary.³ The need to access and share accurate and timely information is particularly critical for GCC forces, which often operate as part of coalitions in which militaries operate side by side.

However, networking assets to share information brings a significant risk that information could be vulnerable to security breaches. For many commanders in the GCC, the potential for this kind of breach stops them from investing in, or effectively using, integrated systems. Instead, they have developed workarounds, typically running multiple isolated systems. Although this approach can protect information, it makes militaries far less capable. It is both manpower- and time-intensive, as the data gathering, analysis, and presentation tends to be manual. Armed forces that function this way struggle to produce the accurate intelligence needed to give commanders greater situational awareness. Collaboration is nearly impossible, and additional systems are required in order to provide common direction to all. These issues are compounded during military operations, where available support personnel are limited and there is a far greater emphasis on timely decision making.

The problem will only grow. Already, military equipment such as engines and aircraft frames are being designed with embedded sensors that can capture and relay information back to headquarters or to forces in the field (see “The F-35: An aircraft and an information platform”). That will give an even larger advantage to forces that have the capabilities in place to collect, analyse, and disseminate information of such greater detail and volume. Conversely, militaries that do not have such capabilities in place will fall further behind, ceding information superiority to the adversary. Putting security considerations ahead of information superiority is akin to never driving a car because one fears a traffic accident.

The F-35: An aircraft and an information platform

The F-35 is an aircraft and an information platform. As an aircraft it is the fifth generation of fighters able to conduct aerial combat missions. At the same time, it is a platform for information capabilities that are described as “information rich,” according to the Australian government (one of the partners in the F-35 project). To achieve this capability, the F-35 has two features. First, it is tied into the armed forces’ information, communications, and technology (ICT) infrastructure. Second, it can interact and interoperate with other platforms, systems, and sensors. Whenever the F-35 flies, it acquires significant amounts of mission-relevant data that needs to be stored, processed, and communicated — which demands considerable connectivity. Another burden on bandwidth is the F-35’s Autonomic Logistics Information System (ALIS). To provide the necessary maintenance support to the F-35, ALIS is integrated with military and external contractor systems through multiple ICT networks and systems. ALIS is protected by multiple layers of cybersecurity, and it would be impossible to operate the F-35 without sophisticated and secure ICT networks.

Source: Australian Government, Department of Defence, “Defence ICT Strategic Direction 2016–2020”.

² ICD Research, “Command, control and intelligence to 2021: the global C2/C4ISR market”.

³ Hugo Trépant, Mark Jansen, Abdulkader Lamaa, and Andrew Suddards, “Achieving information superiority: Five imperatives for military transformation,” Strategy&, 2014.

Conclusion

Thus far, the approach among many GCC militaries regarding information — in which data is something to be protected at all costs, rather than exploited — has been a hindrance. This will worsen as technology advances. Military operations have changed significantly in the past several years, and the coming decade will see even greater changes, as the ability to share, analyse, and distribute information becomes the key determinant of military success. As GCC militaries acquire new, network-enabled platforms and systems, they will be forced to reconsider their approach to ICT security. Forces that begin adjusting to that new reality will build the capabilities to capitalize. Those that do not may pay the cost of that overly cautious approach on the battlefield.