UNITED STATES

01.27.2023

Audio by Kristen Taylor 

U.S. Army War College Public Affairs

✔ ✗ Subscribe

7

Communications form the critical backbone of the modern world, connecting more people and more devices more completely than ever before. The benefits of this hyper-connected society drive ever-increasing reliance on secure, reliable, and resilient communications. Potential adversaries to the North Atlantic Treaty Organization certainly understand the importance of communications—those they seek to target and those they use themselves—so it is critical to fully understand the sector, the risks it faces, and the best ways to mitigate those risks.

This podcast based on Chapter 9 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1) provides a foundation from which to better understand the criticality of communications for national security and emergency preparedness and common important characteristics of the sector and their implications for security and resilience.

Click here to read the book.

Click here to watch the webinar.


Episode transcript “Communications Resilience” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)
Stephanie Crider (Host)

You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. Conversations on Strategy welcomes Chris Anderson, author of “Communications Resilience.” Anderson’s, an incident management and infrastructure protection expert with three decades of government, military, and private-sector experience. He’s currently the principal advisor for national security and emergency preparedness at Lumen.

Welcome to Conversations on Strategy, Chris. I’m glad you’re here.

Chris Anderson

Thanks for having me.

Host

You recently contributed a chapter to Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. Your chapter talks about communications resilience, the backbone of the modern world, in your words. Give us an overview of the communication sector, please.

Anderson

It’s really hard to overstate how important commercial communications is to government and military communications of all kinds. So, sort of the traditional national security kinds of things—command-and-control networks, intelligence sharing. Even highly classified information typically travels over commercial networks for a big part of its lifespan. But then as you start thinking even in more detail, things like civil preparedness, police, fire, EMS discussions, how you issue civil defense alerts to the civilian population, et cetera. On top of all that, communications is critical to economies and the citizenry in general.

In the US, we’ve started this concept called national critical functions, which sort of distinguishes the inherently governmental functions from the other things the nation needs to be able to do in order to have a vibrant economy and support the government and keep citizens safe, et cetera. And comms is really central to a lot of those national critical functions.

The sector itself is incredibly diverse. So when we talk about communications, and in the book chapter I talk about sort of the breadth of communications as encompassing sort of the traditional wireline services. You know, twisted pair copper and fiber optic cables that make up the old, you know, Bell telephone kind of networks that have now become the broadband connections that we all use in homes and businesses throughout the world. It also includes wireless communications. So wireless, you know, everyone thinks of 4G point-to-point5G cellular communications, but wireless also includes things like point-to-point, microwave and other uses of the radio frequency spectrum.

There’s the cable business, which is in some ways very similar to wireline. I like to stress cable in particular because I think there used to be a civil defense perspective of like, well, that’s not really critical infrastructure. You know, if somebody can’t watch Game of Thrones for a day or two, that’s not a big deal. But increasingly, the cable companies provide the same sort of broadband backhaul, for example, that enables wireless communications. So they’re really critical too.

Similarly, with broadcast. Broadcast TV and radio, not just about entertainment, but in some ways that is the most survivable, giving you that one-to-many communications capability to reach a large number of people. One of the things I like to say is, you know, “you can hand crank a radio. And so a citizen on their own, with nothing more than a radio with a hand—crank you can communicate with that person in a pinch.”

And then, of course, satellite networks which are themselves undergoing a massive transformation right now.

Across all five of those segments, though, there are a couple of things that I think are important to keep in mind as we think about communication resilience. Probably the biggest one is really over the last 20 years, the massive transition of communications technology from primarily analog to primarily digital. So the transition to Internet Protocol packets for voice, for video. Almost everything that’s pumped over radio frequency is now packetized, digitized, and then reassembled on the other end. That meshed and packetized network is, by its nature, resilient. The packets can travel multiple paths, and, in fact, that’s the whole design of the Internet. It was designed to be resilient, and if that path is no longer available, now I’ll go this path, and I’ll still get the packets there in time.

The market itself is highly competitive the different carriers and cross modes and within modes are fiercely competitive with each other. But at the same time, the nature of the business requires that we work closely together as well. So it’s this strange sort of coopertition (cooperation + competition) model that makes it all work.

You know, for example in interconnection, the whole point of communication networks are to be able to communicate with whomever you want. And so that means we have to exchange traffic with each other from carrier to carrier, from mode to mode, in order to get those packets where they need to go. And that interconnection implies a couple of really critical things. One is the importance of international standards so that things will work across these vast and disparate networks, (for example) the need for very big companies to work seamlessly with very small companies who have very different perspectives on how to operate their networks. And it also means that we’re generally interconnected with potential adversaries. So the network of networks that is the Internet has a lot of players on there and not all of them have our best interests at heart.

The last thing I think is important to understand about communications is just how tightly integrated we are with other critical infrastructures. Pretty much every other critical infrastructure relies on comms for it to be able to function in its normal capacity. And comms is itself reliant on other critical infrastructures—in particular, heavily reliant on commercial electric power. And where commercial electric power is either out because of a temporary disturbance or is simply not available, then the continued availability of liquid fuels for on-site generation becomes really, really important.

Host

Let’s talk about threats to communications. What are the ways in which the integrity, availability, or confidentiality of communication systems might be degraded or compromised?

Anderson

In the book, I talked through the “Big Three” set of things that can impact communications infrastructure. The first one is natural disaster and there’s physical attack. And I’ll lump in there industrial mishap kinds of accidental damages. And then same thing on the cyber front. There is cyberattack and cyber misconfiguration mistake kind of issues. There are some similarities across those three and some differences to tease out among them.

So in terms of natural disaster, you know, sort of the gamut of bad things Mother Nature can throw at us also damage information systems and communication networks. So that’s storms, hurricanes and tornadoes, and derechos and you name it. Those can variously cause different types of physical damage either to key facilities (central offices, Internet exchange points, or to conduits, either underground cabling or aerial fiber. Stuff that’s not aerial, tends to be more susceptible to things like flooding or even to things like train derailments, or things that can damage the conduits—earthquakes for example). The other thing that natural disasters tend to do is impact the availability of commercial electricity. So if commercial electricity isn’t available then access to alternate fuel sources becomes really important.

There’s also Mother Earth’s environment. So there’s geomagnetic storms and space weather that can impact satellites and can impact, depending on the frequency bands, radio frequency spectrum to varying degrees.

Transitioning more to sort of the man-made attacks. Physical attacks. Either attacks or mishaps. As I mentioned, that sort of meshed packetized network makes these harder to be impactful, but there are still areas of concern around, for example, choke points. So things like undersea cable routes often have either one viable path (the cheapest shortest path where you’ll see a lot of cable stacked up) or they’ll be natural choke points. You know, for example, in the eastern Mediterranean Sea, there is a pretty tight choke point just off the coast of Egypt. A bunch of undersea cables run through there and then run down through the Red Sea on their way to wherever they are. They also have other concentration points like Internet exchange points and sort of massive data centers, which all by themselves can be huge and massive and important assets, but they often cluster together. Thinking about physical attacks, bombs and cutting of the cables, there’s also the less-nefarious accidents that can accomplish the same thing. Whether that’s, you know, construction facilities and a backhoe tearing through your fiber optic cable. And then finally, there’s, in the radio frequency world, spectrum-based attacks, so spoofing and jamming are also ways that you can physically, I’m doing air quotes here that you can’t see because it’s a podcast, but it’s a similar kind of attack vector.

And then finally there’s cyberattack vector. So comms is an interesting character in this realm because we’re both a conduit for those attacks. But we’re also a target. And so those targets, in turn, target exactly as you teed up the confidentiality, the integrity, the availability of networks and data through a range of methods.

I mean from an availability perspective, there are distributed denial-of-service attacks, where you flood the target system with so many requests for service that the system just can’t answer all those requests and it becomes unavailable to legitimate use. There’s ransomware where you’re able to, you know, get the ransomware on a system (and) shut it down so now it’s unavailable for its normal uses.

Or disruptive malware. In terms of confidentiality, you have, you know some of those same players . . . ransomware, destructive malware, also routing attacks that target the ability to how packets determine where they move and the path that they take to get from the originating server to the destination server. If you can hijack that route, you can put a man in the middle and either listen in on those packets as they transit or potentially reroute them to somewhere else.

And then finally, there’s integrity attacks on communications. Again, ransomware, advanced persistent threats. And I think integrity, in particular, with the book’s focus on critical infrastructure with respect to terrorist attacks, thinking through the potential complex attack scenarios where adversaries may seek to harm the integrity of communications so that they can control messaging. So that’s attacks on broadcast networks, on social media, on the places people will go for “reliable” sources of news that if the adversaries are able to track the integrity of those, they can amplify the effects of, say, a physical attack that’s coupled with, you know, social media and misinformation/disinformation.

Host

What are your suggestions for improving communications resilience against terrorist attacks or other threats?

Anderson

Well, I think in the interest of time, I’m going to limit it to sort of three things that I would talk about in terms of lessons learned. The first one is blue Sky relationship building. If you think back to even the way that I described how communication systems work, comm providers need to work with other comm providers who need to work with first responders who need to work with national security and national defense experts. And those relationships can’t just happen after “Boom” has happened. And now you need to figure out how to work together. It’s really important under blue-sky scenarios. To establish those relationships, work through how are you going to coordinate flow of information? Flow of request? What’s the disaster reporting process so people know in advance here’s what kind of information the government is going to need. And here’s the format I’m going to give it to them. And oh, by the way, what’s the definition for this one esoteric thing that actually means something different and different contexts. It builds those cross-sector relationships. Not just from comm provider to comm provider but making sure that we’re working with other infrastructure providers, especially energy, but not only energy. And then exercising and testing how all that stuff will work. So when the black-sky day comes, you have mechanisms that you’ve built out that you’ve practiced. That you know how to use. With people you’re used to talking to. You just can’t overstate enough how important that is in this public-private partnership.

The second suggestion I would have is, you know, really methodically, look to identify and mitigate risk. So I talked earlier about those sort of choke points and concentration points. Make sure if you have mission-critical communications that you understand what that path diversity is. That it’s not just logical path diversity, but it’s physical path diversity, depending on your resilience needs. It doesn’t maybe necessarily buy you all that much to have two redundant circuits if they both go through the same central office or over the same undersea cable, et cetera. And then using, on the cyber front, you know, whatever baseline practices are most appropriate to your communications network, know them and use them. In the US, we use the NIST cybersecurity framework. The sector itself has done a huge amount of work to tailor what the NIST framework means to the different subsets of communication. But really, those cyber best practices are the really important resilience builders upfront.

And then the third thing is to think through what will be the likely post-incident resilience enablers? How do you get comms back up and on its feet quickly so that the impacts of any disaster or any attack are minimized? And the big three that always come up, whether it’s an attack whether it’s a natural disaster are access, fuel, and security. So access. How are first responders or the military or whomever going to control who gets in and gets out to the disaster area. And making sure that commercial providers understand where they are in that hierarchy (and) what they need to do in order to be properly credentialed to get in at the point at which it’s appropriate and safe for them to do so.

The second one is fuel, so it’s not just, “Hey, how do we prioritize commercial power.” But in a disaster where commercial power has been significantly impacted, suddenly the demand for those alternate fuel sources is going to be huge. And thinking through how that prioritization is going to work, which doesn’t even necessarily mean comms should be at the front of the line because there are going to be hard decisions to make. Does the hospital get that truckload of fuel? Does the state Emergency Operations center get it? Does the central office facility that’s routing everyone’s communications get it? But you need to think through those things in advance because that’s gonna be a critical decision point, a critical resilience enabler for post-disaster preparedness.

And then the last one is security. After a big, particularly a broad (in terms of geography) disaster or attack, security is going to be an issue. So communication providers are going to be very concerned about putting personnel in harm’s way where it may or may not be safe. They’re going to be nervous about putting expensive equipment out in a field somewhere if they can’t secure it. And certainly, in this sort of a post-disaster environment, we’ve unfortunately seen that generators are pretty high-value commodities. And a generator that’s sitting on its own in a field next to a cell tower is a pretty tempting target. So thinking through how our government and industry going to work together to identify what’s safe. What’s appropriately safe for communications providers to put people and equipment out in the field, and then what are the ways that we can work together to make sure those are kept safe over the course of their response?

Those are the big three—blue-sky relationship building, identify and methodically mitigating the risks that you see, and then thinking through what post-incident resilience enablers are and how you’re going to function them. And if you can do those three things, you’ll go a long way towards building communications resilience for your nation.

Host

So much food for thought here. Thank you so much for your time and for spending it with us today.

Anderson

Great, thanks for having me.

Host

Learn more about enabling NATO’s collective defense and communications resilience at press.armywarcollege.edu/monographs/955. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.

Author information: Chris Anderson is an incident management and infrastructure protection expert with three decades of government, military, and private-sector experience. He is currently the principal adviser for national security and emergency preparedness at Lumen, a US-based global network provider and tech company. He previously held various senior leadership positions in emergency management and national security at the US Federal Communications Commission and US Department of Homeland Security. Anderson began his career as a US Navy helicopter pilot, completing 24 years of active and reserve service. He holds master’s degrees in national security strategy from the National War College and in management information systems from Bowie State University, and he received his undergraduate degree from the University of Virginia.