Exceptional Release Presents:
Logistics Under Attack
By Capt Alex Pagano


A future conflict between the US and our adversaries will be overt and violent.  But perhaps more often, our interaction with competitors will include attempts to deter and deny us our strategic objectives by ambiguous and less attributable means while our adversaries aggressively maintain a coercive pursuit of strategic political goals.

No matter the environment, maintaining a responsive connection between the forward edge of the battle area and the supporting industrial base while under attack in a high-end fight will be the Air Force logistician’s greatest challenge.  We must collectively begin to address sustaining operations while our advanced adversaries specifically target our logistics operations.  However, before we can address it, we must first understand it.  This article aims to share my personal journey, which began at I-WEPTAC (Installation-Weapons and Tactics Conference) and took me through the future operating environment, our strategy, and emerging warfighting domains.  I hope you find some of our team’s lessons learned valuable in your own preparation.

Future Operating Environment

When General David L. Goldfein describes the Air Force we need, he describes an Air Force that is survivable and lethal.  He articulates the need for an Air Force that seamlessly combines weapons, sensors, data, and people from the air, land, sea, space, and cyber domains.  The way we will employ multi-domain operations is through an interconnected network of weapons systems.  This will enable unprecedented levels of agility, tempo, and command and control of our operational forces and requires the same of the joint logistics enterprise.

In addition, this force will require much support to sustain it.  A technologically advanced force needs a substantial amount of maintenance and has a high demand for expensive equipment; an interconnected force is one that is susceptible to widespread catastrophe if the network is compromised.  Our future force will be both advanced and interconnected.

Unlike peacetime military operations and exercises, logistics is under attack now—competitors are attempting to shift the strategic advantage in their favor.  Everything is being targeted, from the engineering designs of weapons systems to our supply chain and sustainment activities, maintenance equipment, and the networks and systems we rely on.

Victory during armed conflict, which may only be a few hours to a few days in duration, will be determined by our ability to move the right assets into the highest priority theatre of operation as rapidly as possible, while shifting our posture from various combatant commands, then moving those assets within the theatre…penetrating the same Anti-Access/Area Denial (A2AD) environment that our operators will.  And we must prepare to do this in a world that is chaotic and unpredictable.  In this fight, we will not have the benefit of knowing where significant events will occur, and when they do, we will have a short timeline to get there—and what I have come to realize is that this makes us unique.  This is what sets our challenge apart from other private organizations and NGOs.

Logistics Under Attack

We can begin understanding the effects of these attacks by discussing the scenarios through each domain individually.  By air, our adversaries will target airports and seaports within weapons engagement zones with an increasingly higher number of advanced ballistic missiles that can travel faster and farther.  By land, they will attempt to interdict physical lines of communication to include rail, roads, and bridges using highly trained special operations forces.  They will also interdict our sea-lanes of operation to prevent the ability to move the bulk of our assets by ship.  In space, they will attempt to interrupt early warning, and position, navigation, and timing to limit our ability to survive and navigate.  Finally, in the cyber domain, they will attempt to deny, degrade, and manipulate information to weaken situational awareness, which we rely on to move limited resources among and within theatres of operation.

Understanding that we are under attack now, and that this is the environment we must be prepared to operate in, we must ask ourselves: are we ready?

How do we begin to prepare with the significant demands we have now taking up much of our attention and time?

I-WEPTAC hosted by Air Force Installation and Mission Support Center (AFIMSC) provided me an opportunity to be removed from the daily challenges and slow down, research, learn, integrate, and gain an understanding of what our senior leaders were seeing at the strategic level.

I-WEPTAC provides tactical level CGOs the opportunity to immerse themselves in an Air Force problem provided by senior leaders.  The lead officer, or Chair, will develop a Mission Area Working Group (MAWG) of cross-functional experts from across the Air Force, Joint, Coalition, and industry partners with the time and funding to travel to conduct in-depth research and analysis.  The MAWG Chair out-briefs the Chief of Staff of the Air Force (CSAF) directly to provide their view and recommendations as they see it from the tactical level in order to quickly change Air Force policy.

We spent months traveling to units and organizations across the Air Force and Joint Partners.  We either went to your unit or had a chance to talk to your higher headquarters.  We had conversations with the Joint and HAF Staff, COCOM and MAJCOM Staffs, and significant integration across warfighting domains with intelligence and cyber operators.  At each organization across our mission sets, you told us that you:

  • understood the strategic environment,
  • articulated your unique challenges, and
  • described solutions which you were working towards.

It turned into a frustratingly repetitive cycle where we would return to our hotel rooms, discuss a new problem we thought existed, develop potential solutions, go to bed ready to discuss those ideas with the people in the unit we were visiting only to be told that “we tried that, we are doing that, or that won’t work because…”

With each organization and each person, it seemed these challenges were being addressed in some capacity.  But a problem still existed; we needed to take a step back and better define how we could contribute.  Therefore, we decided to focus on a mission set that is most common to the LRSs across the Air Force—the distribution process, and more simply to understand its vulnerabilities across the domains.

The MAWG broke down the distribution process into five key functions.  First, the ability to communicate that a requirement for support exists.  Then to have the physical inventory of that asset, the ability to source the asset, transport it, and deliver it with the verification that it was the right part delivered to the right place.  Throughout this process, what may be most important is that all these functions were predicated on having logistics situational awareness, which is currently accomplished through our logistics IT systems.  In other words—although our Air Force logistics functions rely on capabilities within each domain, the one domain that has touch points across all our core competencies is the cyber domain.

Armed with this new end-to-end framework, and the recognition that the cyber domain is our lynchpin, we decided that we needed to begin to focus on the effects of how a cyber-attack would disrupt our operations and whether we were prepared for it.

We started to learn that not only will a cyber effect have a significant impact on logistics operations, but it is also becoming a preferred method for adversaries to utilize.  It’s preferred because it:

  • can be exploited prior to armed conflict,
  • has a low political cost of employment,
  • and creates effects on centers of gravity deep within the enemy’s territory.

We must also acknowledge that our dependence on networked systems and foreign suppliers will continue, and the volume of cyberspace vulnerabilities will only increase.  China, Russia, and various other bad actors are taking advantage of that by targeting key terrain in cyberspace and seeking to deny, disrupt, or manipulate Air Force core missions to break the seamless connection that I previously described.

We assessed that an attack through the cyber domain is the most likely to occur, has a significant impact, and, based on conversations we have had around the Air Force over the last year, is least understood by our logistics community.  Therefore, we sought to continue to focus on this domain.

There are already many examples of adversaries using the cyber-domain to deliver outcomes, and we can study the effects cyber incidents have had in areas like Ukraine being targeted by Russian actors.  One of the most notable case studies is a malware attack known as NotPetya.

Case Study: NotPetya

NotPetya was designed as a precise cyber munition with a blast radius set to not go beyond organizations that conduct business in Ukraine.  But it turns out there are enough global organizations who do business in Ukraine that within a few hours, it had infected organizations around the world and caused effects in ways the Russians had not originally intended.

Maersk, the world’s largest shipping company that conducts business in Ukraine, was one of its victims.  When the NotPetya malware propagated through its systems, it immediately began to destroy logistics data.  As a result, Maersk was forced to close off all its 76 ports and replace 45,000 of its computers.  It took Maersk 10 days just to start the recovery process and resume operations, but the company didn’t fully recover until over three months later.  Even when they recovered, their shipping capacity had decreased by over 20%.  Overall, the cost to operations was well over $300 million.  What’s interesting is that Maersk was only able to recover in this time frame because of a stand-alone computer they had in Ghana, which was only off the network because a typhoon knocked out power during the spread of the malware.  Pure luck and happenstance saved them.

Effects to Logistics Operations

We will not have the convenience of time.  It is possible a cyber disruption to our network will immediately be followed by a kinetic event.  The success of our response will be determined by our ability to withstand the cyber event.  To understand the potential impact, we must first understand our reliance on, and the vulnerabilities of, our IT systems.

To use an example, suppose I am an Aircraft Maintenance Unit’s OIC at Spangdahlem AB, and I need a DMT for one of my unit’s F-16s.  In order to request it, assuming it’s not on base, I’m going to requisition the part.  That demand signal is then sent to the 635th Supply Chain Operations Wing at Scott AFB, where they utilize ILS-S to begin processing the MICAP request.  After it is processed and pulled from the shelf of the sourced warehouse, it travels to the port of debarkation where the data is entered into CMOS, GATES, SMS, IGC, or potentially a commercial shipper’s system, each providing in-transit visibility information.  The part then makes it to the port of embarkation, and finally to the point of need.  The physical movement of the part is happening while the IT systems are simultaneously being updated to track the asset.  In order to move this single part, it took six primary systems to accomplish this request.  Moreover, these primary systems are supported by 323 other wholesale and retail systems with hundreds of interfaces between them that drive the entire logistics enterprise—each one a vulnerability.

Our reliance on these systems is revealed through the changes in logistics response times when we begin to operate in a degraded environment.  Continuing to use the European theater as an example—under normal day-to-day operations, it takes approximately twenty minutes to issue a part if it currently resides in one of the kits or in the warehouse on base.  To transport that part, it takes, on average, 5.4 days to move it from the homeland into the European theater.  Now consider data corruption in a supply system—corruption so severe that it shuts down the primary logistics IT systems we use.  The issue, sourcing, and delivery time now more than triple when our Airmen begin to utilize degraded operations procedures to process transactions.  With even further system degradation, they are relegated to using non-traditional communication means, and the sourcing time triples again.

This scenario begins to describe what is happening at a single location on just Day-One of the fight.  Logistics response times in these conditions only compound and worsen as degraded operations continue and assets are moved from various sources—any semblance of accurate and timely asset visibility is lost.

As we begin to move towards recovery and the network begins to come back online, we now must begin entering the manually tracked data back into the system.  Not only does this take time, but operations also don’t slow down to focus on just this task.  Once all previous entries are entered, the unit begins to return to normal operations with all systems back up and running.

Security experts within the DoD consistently find mission-critical vulnerabilities in each of these systems and in nearly all weapon systems that have been developed or are under development.  Do you think we are doing enough to address the cyber risk to the logistics mission properly?

Way Forward

From a strategic perspective, our senior logistics leaders are focusing on establishing a Combined Joint Logistics Enterprise (CJLE) that is better postured for a rapid transition to conflict operations, increasing the ability to sense significant events by creating actionable logistics intelligence, and responding to threats below and above the threshold of armed conflict.  But how can leaders at the tactical levels begin to address the risk to logistics missions?

The first step is understanding that we own the risk that warfare across each of the domains poses to providing a seamless connection between the forward edge of the battle area and the supporting industrial base.  We can no longer only view risk from the standpoint of Operational Risk Management (ORM), where risk is only viewed from a safety perspective.  If a critical system that mission processes rely on goes down, we are still responsible for continuing to operate.  If space assets critical to communication are jammed, the logistician is still responsible for communicating.  We must build resiliency into our processes the same way we have for more traditional warfighting domains, like attacks from the air.

If you suddenly heard an ALARM RED FPCON DELTA—would you instinctively know what to do?  I bet most of us would.

Our Airmen at all levels know exactly how to react to an air attack and CBRNE scenario.  Upon identification that a missile is inbound, our Airmen take protection by taking cover and donning MOPP gear, then detecting damage and additional hazards, restoring operations even through the attack, and recovering from damage after a strike.  When a cyber incident propagates through your organization, will your Airmen be able to respond with the same instincts?

About the Author

Capt Alex Pagano is a US Air Force Aircraft Maintenance Officer currently assigned to Kadena AB, Japan, as the 44th AMU OIC. He is a graduate of Advanced Maintenance and Munitions Operations School (AMMOS) and former Logistics Career Broadening (LCBP) Officer. His previous maintenance experience includes providing executive airlift to the POTUS, VPOTUS, and senior government and military officials as well as experience as an F-16 AMU OIC at Shaw AFB, SC, and Osan AB, ROK, and deployed to SW Asia.
