Quick Tanks: The Best of Long-Form Defense Analysis, Briefly
A weekly review of the long-form content from the national security policy, defense policy, and related technology analysis community.
Good afternoon and welcome back, defense bookworms.
This week, I have two incisive reports to share with you. The topics include:
Quantifying the uncertainty of software vulnerabilities in order to inform the US Marine Corps Joint Cyber Weapons program
How Australia can support and reinforce US naval posture in the Indo-Pacific region
Quick Tanks is a weekly collection and summary of the latest long-form analytic content on the topics of US defense, force structure, innovation, and policy considerations. We strive to aggregate all of the key sources of analysis and present brief, neutral summaries to help keep you informed. Should you feel inclined to learn more about any study, please reference the full report via the links provided.
The sponsor of the newsletter is the Hudson Institute’s Center for Defense Concepts + Technology.
Tank you for sharing and subscribing, and happy reading.
Quantifying Vulnerability Lifespans for U.S. Marine Corps Joint Cyber Weapons
by Devin Tierney, Bradley Wilson, Hansell Perez, Augustine Bravo, Megan McKernan, and Thomas Goughnour
RAND Corporation
Link to PDF; Link to Report Page
Focus: In order to inform acquisition planning for the US Marine Corps Joint Cyber Weapons (JCW) program, the report quantifies uncertainties related to the cost and operational time of software vulnerabilities.
Analysis: The report leverages novel datasets of real-world vulnerabilities and software update cadence data to simulate JCW program costs over 5 years, accounting for varying assumptions of weapon complexity and operational lifespan.
Argument: Quantifying the lifespan of cyber vulnerabilities remains an immense challenge with profound implications, as illustrated by the widely varying estimates for JCW program expenses over a 5-year term. Depending on assumptions about vulnerability duration, assessed costs range from $125 million to $375 million to keep just 5 offensive cyber capabilities continuously operational.
Insights: Information Technology (IT) infrastructure-impacting vulnerabilities markedly outlast other vulnerability varieties, exhibiting lifespans exceeding 1,000 days versus averages of 200 days — suggesting JCW exploitation of these enduring gaps could require lower expenditures with prolonged viability. However, accelerated patch release cadences could vastly constrain cyclical usage opportunities, particularly with minor updates every couple of months.
Recommendations: Further research should continue collecting Common Vulnerabilities and Exposures data to uncover further lifespan patterns. Moreover, IT infrastructure vulnerabilities should be distinguished from other categories in future analysis.
As the battlefield becomes increasingly digital, cyber warfare capabilities are more vital than ever to national security. This timely RAND report provides an in-depth analysis of acquisition costs and operational timelines for cyber weapons leveraging software vulnerabilities. Quantifying these uncertainties will prove critical as the US Marine Corps scales its Joint Cyber Weapons (JCW) program to bolster cyber arsenals.
A core facet of the report is the assembly of two novel data sets on publicly cataloged cyber vulnerabilities, together representing nearly 1,000 data points. The first data set (CVE DS 1) contained 233 verified exploited vulnerabilities from Google Project Zero and other industry sources. By estimating the time elapsed between software updates, the authors calculated the “operational times” when vulnerabilities could be leveraged, shedding light on real-world timelines. The second data set (CVE DS 2) utilized Trend Micro data on 746 additional vulnerabilities to identify patch development timelines. With the data points categorized by vendor and product types, the authors observed several noteworthy trends.
For one, vulnerabilities in enterprise and non-enterprise IT infrastructure systems averaged exceptionally long lifespans — 1,175 and 1,078 days respectively. This suggests that exploits attacking infrastructure may have higher cyber weapon value compared to targets such as consumer devices and desktop software. On the other hand, minor software update frequencies (every 20-178 days) indicate there can be very short timeframes for vulnerabilities to be exploited.
By parameterizing an exploratory model of JCW investments with the vulnerability lifespan data gathered, the authors estimated five-year costs to maintain operational cyber capabilities under various conditions. Assuming low-medium complexity and medium-long lifespans, costs ranged from $125 million to $375 million to sustain at least five cyber weapons. However, under worst-case assumptions of high development complexity and rapid update cadences, cyber weapon expenses ballooned up to $625 million given the volume of procurement required.
As research continues, the report suggests collecting expanded Common Vulnerabilities and Exposures datasets could reveal additional lifespan patterns across software families. Additionally, the authors argue future examinations should isolate IT infrastructure exposures as a separate category given their markedly longer active durations. In closing, this report’s novel vulnerability data sets and parameterized cost model provide useful guidance for navigating JCW resourcing decisions amidst swirling uncertainty. To engage with the analysis and data more closely, I highly recommend reading the full report.
Enduring presence
How Australia can support a more resilient US maritime posture in the Indo-Pacific
By Blake Herzinger
United States Studies Centre
Link to PDF; Link to Report Page
Focus: The report discusses how Australia can support and reinforce US naval presence and access in the Indo-Pacific region, given rising threats and vulnerabilities in US posture.
Analysis: The report employs a qualitative examination of naval capabilities and infrastructure drawing extensively on US and Australian government data, announcements, agreements, testimony, and exercises.
Argument: The US Navy faces acute vulnerabilities in the Indo-Pacific due to its concentration of forces in Japan, aging ships/infrastructure, and declining shipbuilding/maintenance capacity. However, Australia is well-positioned to offset these challenges through expanded combined cooperation on shipbuilding, basing, logistics, sustainment, prepositioning and maintenance.
Insights: Existing agreements provide a framework for expanded at-sea logistics cooperation between the US Navy and the Royal Australian Navy (RAN). Moreover, prepositioning ships and supplies in Australia would reduce dependency on vulnerable Diego Garcia/Guam hubs, and transferring maintenance work to underutilized Australian shipyards would increase regional US Navy readiness.
Recommendations: Australia should pursue a combined approach to US naval fleet support in 5 key areas: shipbuilding, basing/infrastructure, sustainment, prepositioning, and maintenance. Some specific recommendations include establishing a formal planning process for transfers of ship maintenance and repair, setting specific capability targets for initiatives like combined sustainment exercises, and embedding officers in the other’s navy to identify cooperative logistics opportunities.
This United States Studies Centre report examines how the US-Australia alliance can address acute vulnerabilities in America’s overstretched naval posture across the Indo-Pacific. As China rapidly expands its own naval fleet and anti-access/area denial capabilities, the US Navy struggles with concentrated bases, strained logistics, aging support ships, and decaying shipyards that jeopardize its regional presence. Australia, meanwhile, possesses significant excess capacity to mitigate US concerns on shipbuilding, basing, sustainment, prepositioning, and maintenance.
The report first highlights how US shipbuilding is unreliable due to monopsonistic dynamics and inconsistent government demand, hindering naval expansion. Conversely, Australia maintains advanced shipyards and skilled labor that could offset US shortfalls. The report’s recommendations include assessing supply chain integration, boosting RAN mine countermeasures to backfill a key US deficiency, and developing a shared submarine tender design to support the future AUKUS nuclear fleet.
As for basing, the US depends on vulnerable Japanese locations within the range of Chinese missiles. From a geographical standpoint, Australia could prove essential to distributing US forces. The report advocates establishing a combined headquarters in northern Australia to enable complex joint operations, laying the groundwork for permanent US basing structures, and incorporating Exmouth’s Gascoyne Gateway port to support Indo-Pacific contingencies.
“The dilemma facing the United States is a paucity of access in its most consequential area of operations, combined with the fact that its existing access is well within the range of a suite of weapons designed by its primary adversary to target those facilities and its forward-deployed forces. Even in a peacetime contingency, this concentration of military basing in Northeast Asia will lengthen response times to emergencies like natural disasters or other humanitarian crises. Dispersing US forces will not only lessen the likelihood of a surprise attack catching a majority of the US Seventh Fleet in one place but also amplify US ability to project naval power in peacetime to respond to regional needs.”
Regarding sustainment, the report highlights several critical issues limiting the US Navy's operational effectiveness in the Indo-Pacific, including overstretched sealift capacity, an aging maritime workforce, and scarce supply vessels which would be prime targets in a major conflict. Australia has replenishment capabilities in HMAS Supply and HMAS Stalwart which could provide support, and its new Maritime Strategic Fleet initiative mirrors the US Maritime Security Program. Consequently, the report recommends expanded cooperation on sharing fuel and supplies, logistics staff exchanges, combined logistics exercises, and linking Australia's new fleet to the US Maritime Security Program. It should be noted that the US Navy already has extensive resupply integration with Japan on the basis of key bilateral agreements, presenting a feasible framework for Australia to enhance interoperability with US logistics forces.
With respect to prepositioning, worries mount over the age- and labor shortage-related vulnerabilities of America's Maritime Prepositioning Squadrons, especially as forward-positioned equipment and supplies will be vital for any US contingency response. The report advocates offering Australian pier space to these ships, shifting their materiel to more distributed Australian storage facilities, and ensuring Australian production and stockpiling of critical munitions like Tomahawks and Mk-48 torpedoes.
“For a force that would expect to move around 90 percent of its equipment by sea in the event of a major conflict, present trends are distinctly unfavourable. In 2020, the Administrator of the US Maritime Administration (MARAD) testified that the civilian mariner workforce needed to operate the US sealift force was 1,800 personnel short of its minimum wartime requirements. These issues are recognized at the upper echelons of US military command, with the head of US Transportation Command, General Steve Lyons, naming sealift as the command’s “number one priority” in 2019. In 2020 written testimony delivered to the Senate Armed Services Committee, General Lyons cited a 59 percent readiness level across the US sealift fleet, compared to a target of 85 percent. At that time, Lyons indicated that over half of the US sealift fleet would be unusable by the mid-2030s. Efforts to reverse these trends, including divesting the fleet of obsolete ships and acquiring used ships to fill capacity gaps, are making limited progress but have yet to completely resolve the issue. Thus, for the coming decade, US forces are likely to require as much equipment as possible situated as near as possible to potential areas of contingency, because the sealift to move required supplies will simply not be available barring change at a speed and scale that are unlikely.”
The US also faces a critical shortfall in ship maintenance capacity at its overburdened domestic shipyards, with extensive delays impacting readiness. Australia has maintenance facilities like Captain Cook Graving Dock able to accommodate US Navy vessels, plus a new Regional Maintenance Centre network under development. The report's recommendations include advancing plans for a Western Australia drydock, creating a combined US-Australia maintenance plan for combatants/auxiliaries, and working together on floating drydock technology development.
In sum, the report comprehensively audits intersecting pressure points and opportunities for Australia to reinforce strained aspects of American sea power through substantive policy steps and joint projects. I urge interested readers to examine the full report, as its wide range of tangible steps merits attention.