Over forty Iraqi aircraft were downed by the U.S.-led coalition in the course of air-to-air engagements during Operation Desert Storm (ODS); I have a “kill table” here.  The table draws upon various official and unofficial historical records that have emerged in the two decades since ODS, and in most cases includes the parent unit and radio callsign of the coalition aircraft that scored the victory.  You will see that the overwhelming number of victories were scored by F-15Cs of the USAF (and indeed, a disproportionate number of kills went to one particular squadron, the 58th Tactical Fighter Squadron of the 33rd Tactical Fighter Wing).  The reasons for this are complicated, involving joint command-and-control arrangements and inter-service politics, and remain controversial even two decades later.

In any event, two air-to-air engagements resulted in kills for the Navy.  The first encounter occurred on the first night of the war (Jan. 17), when two F/A-18C Hornets from VFA-81 “Sunliners” shot down a pair of Chinese knock-off MiG-21s while on the inbound leg to their ground target.  The second encounter occurred on Feb. 6, when an F-14A Tomcat from VF-1 “Wolfpack” shot down an Mi-8 helicopter while on a combat air patrol.

My puzzle related to the question of callsigns.  If you look at the litany of callsigns in the kill table, you will notice that almost all of the callsigns take the form of a call name followed by two digits.  The call name usually follows a theme, such as oil brands (QUAKER, CHEVRON, CITGO) or firearms (PISTOL, SPRINGFIELD), and the two digits indicate the position of an aircraft in an element or flight.  So, for example, the pair of F-15s from the 36th TFW that got four kills on Jan. 27 took the callsigns OPEC 01 (the leader) and OPEC 02 (his wingman).  This uniform system was dictated by the Air Tasking Order (ATO), the theater-wide air plan used to organize and control the very large numbers of armed aircraft crossing the skies over Iraq and Kuwait, the majority of which were ostensibly on the same side and should not be colliding into or employing weapons against one another.

So, let’s look at our Navy flights on Jan. 17 and Feb. 6.  We see that our MiG-killing F/A-18s took the callsigns QUICKSAND 64 and QUICKSAND 62, which appears to be consistent with the ATO system.  But our helo-busting F-14 was using a strange callsign that is not like the others:  WICHITA 103.  This is not an ATO-compliant callsign.  Rather, this is a “tactical callsign” used by Navy carrier air wings, comprised of a squadron-specific call name combined with the three-digit modex number painted on the side of the airplane.  ”WICHITA” was the unique call name used by VF-1 “Wolfpack”, and the jet in question was #103.  (The Navy tactical callsigns for our Hornets from Jan. 17 would have been SUNLINER 401 and SUNLINER 410.)

Why did the Tomcat on Feb. 6 not use an ATO callsign?  It couldn’t have been an Air Force/Navy thing, since the Navy F/A-18s on Jan. 6 were using ATO callsigns.  It couldn’t have been a Tomcat/Hornet thing, since we know that when an F-14B from VF-103 was shot down on Jan. 21, it had the ATO callsign SLATE 46.

For years I assumed that this was simply a question of incomplete recordkeeping, and that there had to have been an ATO callsign somewhere that simply hadn’t made it into the public sources.  But when I inquired with the pilot of that F-14 last year, he told me that to the best of his recollection, his callsign on that day was in fact WICHITA 103.  So it seems there was a discrepancy, but still no indication as to why.

There the matter lay, until last night.  I was reading the transcript of an interview of Maj. Gen. ‘Alwan Hassoun ‘Alwan al-Abousi, formerly of the Iraqi Air Force, conducted by a team of American scholars and analysts after the fall of Saddam’s regime (Kevin Woods et al., Saddam’s Generals:  Perspectives of the Iran-Iraq War, Institute for Defense Analyses 2011).  They were discussing a Jan. 24 incident where a pair of Iraqi Mirage F-1s had made an attack run against a Saudi refinery (the coalition had interpreted this as a move against the fleet in the Gulf).  Gen. al-Abousi expressed surprise that the Mirages had not been intercepted by American fighters immediately upon takeoff, which had been the case in the previous two days.  The American interviewer, Williamson Murray, responded with the following:

We discovered after the war that the combat air patrol (CAP) was being flown by F-14s based in the Pacific. The Pacific carrier air wings (US Navy) did not work with the US Air Force often. They did not have the call-sign and codes for getting the [Air Force] AWACS transmissions. AWACS called them regarding the two Iraqi aircraft, but the CAP was not listening to the transmission. The aircraft went right past the CAPs. A Saudi F-15 pilot, who heard the AWACS transmission, shot down the Iraqi aircraft.

The possibility of a difference in operating practices between Atlantic Fleet units and Pacific Fleet units had not occurred to me before.  The F/A-18s on Jan. 17 were assigned to VFA-81 aboard USS Saratoga (CV 60), which was an Atlantic Fleet carrier with an east coast air wing.  The F-14B lost on Jan. 21 was from VF-103, also from Saratoga.  But the Tomcat that shot down the helo on Feb. 6 was from VF-1 aboard USS Ranger (CV 61) —  a Pacific Fleet carrier with a west coast air wing.  All of the Atlantic Fleet aircraft were using ATO callsigns, but the Pacific Fleet F-14 was using a tactical callsign on Feb. 6.

A footnote in Saddam’s Generals led me to a naval history of ODS conducted by another D.C. thinktank (Marvin Pokrant, Desert Storm at Sea:  What the Navy Really Did, Center for Naval Analyses 1999), which contains the following passage:

NavCent [U.S. Navy Central Command] fighters . . . strained interservice command and control.  Sometimes it worked very well.  For example . . . on 6 February a NavCent F-14 Tomcat in the [southern] BarCAP station shot down an Iraqi helicopter only because of the vectors from the AWACS controlling the Tomcat.  At other times, command and control was not so smooth.  Conflicting call signs resulted in endless confusion.  Generally, NavCent aircraft would be controlled first by their parent carrier, then by the control ship in the northern Persian Gulf.  Crossing the coast, they would transfer control to the AWACS; this series of handoffs reversed on the return trip.  NavCent and CentAF [U.S. Air Force Central Command] used two different systems of call signs.  NavCent controllers used call signs based on the squadron call sign and the side number of the aircraft — for example, “Fast Eagle 101.”  CentAF controllers wanted to use the call signs listed in the ATO, such as “Factory 40″ for a section of two aircraft.  Typically, neither control agent kept track of the other’s call signs.

Pokrant confirms the difference between Navy tactical callsigns and USAF-style ATO callsigns, but he doesn’t make the Atlantic/Pacific distinction that Murray did during the interview with the Iraqi general.  Instead, Pokrant simply refers to “NavCent” aircraft — that is, all U.S. Navy aircraft operating under the control of U.S. CENTCOM, which was running the war.  During ODS, the Navy operated aircraft carriers both in the Persian Gulf and in the Red Sea; Ranger was in the Gulf, while Saratoga was in the Red Sea.  It is interesting that the passage above refers to air control arrangements over the Persian Gulf, but omits mention of naval air activities in the southwest originating from the Red Sea carriers.

This suggests an explanation for why the F-14 that shot down the Mi-8 on Feb. 6 used a Navy-style tactical callsign, while its sister fighter and strike-fighter squadrons on the east coast adopted ATO callsigns consistent with USAF standards.  There were procedural inconsistencies between the methods applied by the Air Force and the Navy in controlling fighters, exemplified by two separate callsign systems.  The Atlantic Fleet squadrons (perhaps more familiar with the USAF way of doing business because of joint training opportunities in the Mediterranean) were able to overcome this friction and adapt to the USAF-run ATO process, including using ATO callsigns.  But Pacific Fleet squadrons, whose usual operating area was the vast western Pacific Ocean, did not “speak Air Force” as fluently, and tended to retain their usual operating methods (including Navy tactical callsigns).

It’s also possible that it was not strictly an Atlantic/Pacific Fleet issue, but differences between the Red Sea and Persian Gulf operating environments, such as the amount of time Red Sea-based Navy aircraft spent under USAF AWACS control as compared to their Gulf-based counterparts.  Navy aircraft originating from the Red Sea had to fly a considerable distance over Saudi territory to reach targets in Iraq.  If the Air Force’s AWACS crews, rather than the Navy’s own E-2 controllers, had primary responsibility for overland control (as Pokrant suggests was true), then the Red Sea Navy may simply have been forced to deal more closely with the Air Force as a matter of geography.

In the end, of course, the details of a particular radio call sign used on a particular day over twenty years ago are unimportant.  But all of this highlights the teething problems that the USN and the USAF faced in developing the processes necessary to conduct truly joint air operations.  We see that two Iraqi Mirages were able to slip through a gap in the counterair screen as a result (at least until they ran into a Saudi F-15).  And although this merits a much longer discussion, these command and control problems may have also contributed to the uneven distribution of air-to-air victories between the USAF and the USN.

In the two decades of extended joint air operations conducted by the U.S. that have since elapsed, most of these problems have since been addressed.  It will be interesting to see how new rising air powers, looking to develop similar operational synergies between their land-based and naval air arms, will fare at the same task.

USAF F-22A from 1st FW, in formation with USN F/A-18E from VFA-27. USAF photo.

The sheer diversity of Soviet submarine platforms has always given me a headache.  Take the 1950s-era “Project 613″ conventional fleet submarine, known to NATO as the Whiskey-class, for example.  The Whiskey quickly spawned many variants.  In 1955, a Whiskey was adapted to carry the P-5/NATO SS-N-3c cruise missile, with the testbed being called “Project P-613″ and the six operational missile-carrying units called “Project 644″ (NATO Whiskey Twin-Cylinder).  In 1961, a series of new-build Whiskeys were commissioned with quad-tube P-5 missile mounts (Project 665/NATO Whiskey Long Bin).  Project 640 (NATO Whiskey Canvas Bag) was a radar picket variant launched in 1957, and Project 613S and Project 666 were dedicated rescue submarines.  As late as 1974, the Whiskey design was being used as a propulsion testbed (Project 613Eh).  And, of course, it wasn’t until 1981 that a Baltic Fleet Whiskey (S-363) ran aground off the Swedish coast in the infamous “Whiskey on the Rocks” incident.  All told, there were over two hundred Whiskeys built for the Soviet Navy.

And there was even more diversity among classes.  In the jargon of the western navies, we have Echo I/II/IIIs, Foxtrots, Hotels, Romeos, Victor I/II/IIIs, Charlie I/IIs, Yankees of many stripes, Alfas, Sierra I/IIs, Oscars, Kilos, Typhoons, an unfortunate Mike, and an endless procession of Golfs and Deltas–not to mention many ships of lesser celebrity, to which NATO never assigned code names.  With all of these ship designs floating around, it is often difficult to discern the relationships between classes.  Indeed, the common NATO code names are sometimes misleading, as the Soviet admiralty usually saw no reason to be transparent on these subjects to the intelligence services of their class enemies.

Over the New Year’s weekend a few years ago, I was reading Norman Polmar’s and K.J. Moore’s excellent submarine design history, and, feeling lost as usual, thought that I’d chart out the basic Soviet class lineages for myself.  The result is this very large timeline map of Soviet submarine classes since 1945.  In addition to class and sub-class lineages by timeline (flowing left to right), I’ve added (a) indicators for the total number of hulls in the class (green circles); (b) boundary markers for the “four generations” into which Soviet nuclear submarine designs are commonly divided (shaded boxes toward the bottom); and (c) concurrent timeline tracks for major known Soviet submarine incidents for each class (white dotted lines and triangles).

This chart is a first draft, and may be incomplete or erroneous in a number of ways. After that weekend, I had intended to go back and refine its contents, but haven’t yet found the time to do it.  With that caveat, I thought I’d share it with others who might find it interesting and/or useful.

[Download high-resolution JPG image, 6394x3648, 1.2MB]

Most people think of Stuxnet’s exploits as some complex, but structured hacker stuff on the operating system level, plus some mushy, arcane 70s-style controller code that cracked centrifuge rotors. In reality, the automation side of Stuxnet is as modular, structured and complex as the coding that can be found at the operating system level.  So let’s try to break down Stuxnet’s exploits in categories:

1. Operating system exploits (generic)
1.1 Two stolen digital certificates
1.2 Four zero-day vulnerabilities plus at least one known vulnerability
1.3 Peer-to-peer update logic

2. Windows application exploits (generic)
2.1 Default database password for SCADA application, plus SQL injection, plus forced SQL execution
2.2 Hijacking the legitimate driver DLL (s7otbxdx.dll)
2.3 Executing arbitrary code in project folders of the engineering software

3. Controller exploits (generic)
3.1 Code injection to any operation block, taking priority over legitimate code
3.2 Hooking system functions
3.3 I/O Filter & faker

4. Physical process exploits (mostly target specific)

From all the exploits listed, only exploit category four is tied to a specific target configuration.

In short, Langner believes that a lot of this stuff is more reusable than people appreciate, and worries about the proliferation risk.  In the worst case, he thinks that we may soon see the free availability of pre-packaged, fully configurable cyberweapons to “immoral idiots and geniuses alike,” much like the arming of the “script kiddies” in the prior decade.

I personally suspect that he may place too much weight on weapon engineering (and underestimates the intelligence and targeting activity that presumably preceded it), but read his whole argument.

Of course, there is a good reason for such evasiveness:  trying to be too precise about whether a certain form of cyberwar is “strategic” rather than “operational” or “tactical” leads us straight into a definitional swamp.  I won’t try to drain the swamp here; however, it strikes me that it might be useful to spend some time getting a little more resolution on what we mean by “strategic” (and, correspondingly, what will be directly addressed in our model, and what will be abstracted away).

The traditional rule of thumb about the levels of war (drawn from the world of kinetic violence) is that tactics are about battles, operational art is about campaigns, and strategy is about wars. Unfortunately, this amounts to more marble-mouthed garble when it comes to the gray zone that cyberwar inhabits.  None of the traditional military intuitions of time, scale, or geography really apply here:  is a sustained DDoS attack conducted over several days against the servers of a dozen companies a battle, a campaign, or a war?

To try to address this, we can adapt the old aphorism to the technical particulars, which would produce something like this:  If tactical cyberwar is about attacks on a particular network, and operational cyberwar is about attacks on a system of related networks, then strategic cyberwar is about attacking the adversary’s system of systems.

But that does not seem any more helpful.  Depending on how one chooses to define “network” and “system,” that proposition could mean anything (or nothing) at all.  Part of the problem is that there is no particular relationship implied between the scale of the “network” or “system” and the size of the strategic actor.  Indeed, taken literally, nothing prevents any operator of a “system of systems” from becoming a strategic actor.  Intuitively, this is not what we mean.  An iPhone is a complex device with many different component systems.  But we do not generally view the teenager who has “jailbroken” her iPhone as having committed an act of strategic cyberwar.

Where do these intuitions come from?  I think that the answer is found not in “strategic,” but in “cyberwar.”  In the end, cyberwar is still war. There may be plenty of strategic behavior in cyberspace, just as there is plenty of strategic behavior in the kinetic world, but only a subset of that strategic behavior pertains to a prosecution of a war.

That declaration, of course, does not wholly solve the problem; questions of exactly what constitutes a war in our age of global terrorism, insurgency, international sanctions, etc., continue to vex academics and lawyers.  But we need not decide the precise boundaries of war and peace; our purpose is only to set up a scale for our model.

So, to put it all together:

• In the levels-of-war hierarchy, the strategic layer sits atop the operational layer, which in turn rests on the tactical layer.
• At that top level, the applicable scope of concern is attacks upon a “system of systems.”  This implies high complexity and subspecialization near the top level of organization  — in effect, the “macroinfrastructure” of the affected strategic actor.
• Cyberwar is still war.  War implies violence.
• Nation-states continue to enjoy a monopoly on legal violence.  The entities that purport to wage war are either nation-states or those who aspire to the sovereign status of nation-states.
• Therefore, “strategic cyberwar” relates to attacks upon the macroinfrastructure of either (a) nation-states; or (b) entities that aspire to the sovereign status of nation-states.

This is not to say that other actors will not have important roles; in fact, I expect to see nation-states employ “tactical delegates” to a much greater extent than is the case in the kinetic world.  And there will be no shortage of “non-aligned” marauders roaming through the substrategic (operational and tactical) levels of cyberspace; most crime, for instance, is an essentially tactical endeavor.  But I believe the nation-states and their aspiring peers will set the strategic agenda.

Admittedly, there is a circular feel to some of this reasoning:  cyberwar is war; by definition, only nation-states can wage war; ergo it must be that nation-states constitute the important level of analysis.  Part of this may also be the result of the Westphalian bias that afflicts students of modern military history.

But I think that there is at least one other reason to believe that nation-states, rather than private subnational entities or even public transnational entities, will continue to occupy the seat of decision when it comes to cyberstrategic warfare.  I believe that the nature of cyberweapons — or at least the kind we can reasonably call “strategic” — will be such that they will effectively require the sovereign authority of a nation-state to develop and maintain.  This is not so much because national governments have abundant financial and technological resources (wealth and genius are not the sole province of national governments).  Rather, it is because the intelligence requirements to design, construct, test, and maintain a strategic cyberweapon may be so extensive (and require such intrusive and likely illegal measures to collect) that only a sovereign entity will be capable of doing it on a competitive scale.  We will consider this issue in a future post on the nature of strategic cyberweapons.

Until I stopped work due to other real-life priorities, I had articulated a crude set of general principles which addressed, among other things:

• A basic model of a strategic cyberattack weapon (what I’m tentatively calling a “logic attack weapon” or “LAW”)
• The minimum intelligence requirements for a strategic LAW
• The essential need to reliably predict a LAW’s effects on a complex target system
• The notion of a “shelf-life” of a given LAW against a given target system
• The need for a wide array of supporting “live” interactions with the enemy in cyberspace (for intelligence, testing, and strategic pre-positioning purposes)

I also sketched out a physical map concept intended to describe the strategic geography of the battlespace, with discrete “terrain” elements denoting civilian non-critical infrastructure, civilian critical infrastructure, and military infrastructure.  Naturally, the map wasn’t intended to portray physical distance, but rather an “attack distance” determined by weapon effectiveness, network architecture, defensive arrangements, and so on.  I borrowed from the safecrackers’ view of the world and decided that the appropriate metric of attack distance for these purposes was time.  Predictably, the mechanics get a little bit complex with a two-dimensional paper map since the attack distances between different elements might change at different rates — and, after getting a headache, that’s about where I left things.

In any event, I had all but forgotten about this shelved work until I recently ran into Bruce Costello (designer of the First Strike and Dropshot I/II/III strategic nuclear wargames) on the consimworld forums.  Bruce also has been thinking about cyberwar concepts for a number of years (and in fact is working on a new game design).  This inspired a conversation about these topics, and I’ve been inspired to pick this effort up again.  Strategy is a timely subject, with the U.S. DoD taking its first baby-steps toward articulating a doctrine of cyber-retaliation.

My objective over the next few months is to think about and articulate a complete set of principles for this strategic model of cyberwar.  I don’t know that this will result in a playable “game,” per se (I have no game design experience and really am only a fledgling wargamer).  However, if it provides some useful vocabulary and concepts to the broader discussion, I think it will have been a worthwhile exercise.  Let’s see where this all goes.

So, the lunacy continues: I am now learning MySQL/PHP.  Hope to have a test database up this weekend.

In more substantive news, the Chinese appear to have flown the J-20.  More interesting is the manner of the reveal:

Ma Xing and Zhang Jun may believe their obsession with all things military is just a hobby. That may be true but earlier this week, they saw something that made headlines across the world, and turned them into celebrities.

They got some of the earliest glimpses of China’s first stealth fighter plane.

In December, after word about a possible radar-evading plane circulated on the Internet, both men began monitoring a local airport widely considered the home base of such planes.

This is the PRC, mind you, where traditional attitudes toward “state secrets” are not ordinarily conducive to amateurs watching “local airports” where unannounced fifth-generation stealth fighters happen to be based.  Especially amateurs with websites:

Each time he saw something worthy of sharing, he told his friend, who passed it on to Zhang, 32, another military fan in Jiangsu Province. Zhang posted the information on fyjs.cn, a military forum he established in 2004.

On Tuesday, after Ma saw the J-20, he immediately called his friend, and Zhang did not wasted a moment before he posted the news on his website.

Domestic newspapers, such as Shanghai-based Oriental Morning Post, referred to Zhang’s website. Zhang was surprised that even the Wall Street Journal quoted his website.

“I thought the website was just a platform for interaction between military enthusiasts. I did not think that both the domestic and foreign media will be concerned about it,” Zhang said. “The military strength of China is enhancing, which enables the country to have an impact on the international stage.”

Official, unofficial, or “unofficial,” the proliferation of open sources on Chinese military modernization makes for an interesting picture.  The times, they do change.

In any event, with the new information on the Desert Storm air war available, I’ve applied several different “filters” to the original kill matrix, which reveal some interesting facts about those engagements.  For example, a surprising number of engagements using the AIM-7 Sparrow (a medium-range missile most associated with beyond-visual-range (BVR) fights) were actually made within visual range.  There were also quite a few kills made by wingmen (in some cases where their flight/element leads did not also score), underscoring a tactical fluidity that was very different from the rigid fighter doctrine prevalent in Vietnam, at least in the USAF.

Ultimately I would like to collect and chart more data on these engagements, including geographic locations, precise range of shots, day/night, etc.  But unfortunately I think this may have to wait—while some of the necessary information can be gleaned from pilot accounts, I imagine that the complete dataset is probably still classified, even after twenty years.  Might be worth considering a FOIA request, as both the AIM-7M and AIM-9M have been superseded by newer weapons in the U.S. inventory.  We’ll see.

I will probably convert the other two Desert Storm air campaign tables this week, and begin implementing some updates based on more recent sources.  The original trio of air campaign tables was based on the statistical annex to the USAF’s official 1993 five-volume survey.  But Desert Storm began twenty years ago this month, and since then, more detailed accounts of the air campaign have emerged, in some cases correcting errors that appeared in the earlier sources.  Two especially useful works are Craig Brown’s Debrief: A Complete History of U.S. Aerial Engagements 1981 to the Present, and Steve Davies’/Doug Dildy’s F-15 Eagle Engaged — I plan to use both of them to update, validate, and expand my Coalition air-to-air victories table.