Feedback Loops and Fundamental Flaws in Autonomous Warships

0


This month, IBM’s Mayflower Autonomous Ship successfully completed a 3,500-mile transatlantic journey, collecting ocean data for research on pollution and climate change. The voyage was a success: Mayflower‘s sensors and machine-learning systems performed flawlessly. The ship did, however, suffer a problem with electrical power. This was also Mayflower’s second attempt at a crossing. The first was scuttled by a failed metal coupling on the ship’s generator. Fortunately, constant monitoring and communications with a shoreside team identified these failures before they became catastrophic.

As the U.S. Navy pivots to autonomous technologies for its future hybrid fleet of crewed and uncrewed ships, defense professionals and military officers (inspired in no small part by the novels Ghost Fleet and 2034) are keenly aware that every automated system is at risk of intrusion. The focus on cyber attacks, however, obscures a more fundamental cyber reliability problem. When computers replace people in the role of monitoring engineering systems, identifying equipment failures becomes more difficult. Leaving those problems unfixed makes vessels fail earlier, and fixing them puts ships and people at risk. In short, automated systems can introduce system-wide vulnerability even if nobody hacks them.

 

 

Uncrewed vessels will require computers and internal networks to control and monitor hull, mechanical, and electrical systems. Critically, these systems — especially those managing the electrical power generation and cooling — will themselves power the computers and networks monitoring them. Without human operators to identify or fix potential points of failure early, small problems may compound, triggering negative feedback loops. Moreover, uncrewed systems will require near-real-time off-ship communications for command and control, and for monitoring how equipment failures impact the overall force’s readiness. Combined with uncrewed vessels’ expected role as forward sensors, this will make them persistent radiofrequency emitters, exposing them and nearby units to enemy surveillance and targeting.

Integrating hull, mechanical, and electrical systems with computerized controls is therefore an inherent obstacle to achieving a high-endurance, hybrid fleet resilient to cyber attacks, one that will affect force structure, crisis stability, and force employment. Since uncrewed vessels will most likely support forward sensing, mine countermeasures, and anti-submarine warfare, these may be among the first capabilities that a future fleet loses, even before a battle begins. In addition, since situational awareness will degrade faster than the capacity to launch missiles for air defense, anti-surface warfare, and land attack, human decision-makers may face pressure to expend missiles before they lose the ability to use them. During crises, this could increase the risk of conflict. When war has started, it could limit a commander’s flexibility.

Future Roles for Uncrewed Vessels

Recognizing the vulnerability of concentrated capital ship formations to China’s anti-access, area-denial capabilities, the Navy aims to disperse forces during future campaigns, a concept it calls “distributed maritime operations.” The planned fleet will consist of smaller, cheaper, and more numerous ships and submarines, alongside upgunned legacy platforms, networked to coordinate targeting and fires. Uncrewed vessels are integral to this plan.

The Navy’s long-range shipbuilding plan focuses on three categories of uncrewed vessels: large and medium unmanned surface vessels and extra-large unmanned undersea vehicles. The medium vessel’s primary roles will be forward sensing and command and control, and its large counterpart will serve as a missile magazine. The extra-large unmanned undersea vehicle — the only one whose procurement has been funded to date — will carry anti-submarine payloads. The Navy is also considering small expendable platforms.

Depending on testing outcomes, industrial base capacity, and budget growth, the Navy expects to field anywhere from 81 to 153 unmanned surface vessels and 18 to 50 unmanned subsurface vessels by 2045 (out of a total force of 440 to 540 ships). Despite a congressional mandate to consider alternatives to the large unmanned surface vessel, uncrewed vessels feature heavily in the Navy’s plan to meet its force target. The steady retirement of air defense, strike, and anti-submarine platforms such as cruisers, guided missile submarines, and the Littoral Combat Ship (with the Constellation-class frigate not entering service until 2026), leaves few other options.

Engineering Reliability in Automated Systems

The Navy’s 2023 long-range naval construction plan prioritizes developing reliable hull, mechanical, and electrical systems for uncrewed vessels. These systems provide the basic enabling capabilities (e.g., electricity or cooling) for combat systems like a ship’s radar or internal network. On crewed warships, sailors monitor and fine-tune hull, mechanical, and electrical systems around the clock. On ships without people onboard, computers and networks will be expected to do the same.

Given the added layer of computers and networking, some observers have warned that uncrewed vessels face an elevated risk of cyber attacks. Malicious actors could compromise vessel hardware via supply chain vulnerabilities, or by tunneling into satellite terminals for off-ship communications. Once in, hackers can move laterally within the ship’s network, potentially disrupting navigation and engineering systems.

But another risk resulting from the dependence of uncrewed vessels on computers and networking has received less attention. At the most fundamental level, uncrewed vessels will need propulsion, electrical, and auxiliary systems to conduct sustained operations at sea. Without people watching them, these systems will require computerized monitoring and regulation via an internal network and off-ship communications. At the same time, the network and communications equipment will need the outputs of the same engineering systems they monitor, especially electrical power and cooling. The potential for degradations and failures — equipment “casualties” — to result in negative feedback cycles is serious. Even if some of these casualties can be resolved remotely, others require corrective maintenance performed by human operators, whose availability will be more constrained in crisis or combat than in peacetime.

Graphic by the authors.

First, both internal control networks and secure off-ship communications require reliable, uninterrupted power sources. A 2021 Office of Naval Research solicitation sought a power-generation system that could use current military fuels, survive in rough seas, and require no scheduled maintenance for over 4,000 hours. Experimental power sources like solar and wind have drawn interest, but variable weather conditions and battery capacity present major hurdles. Other traditional power sources, such as steam or gas turbines, are too maintenance-intensive. Based on the requirements and current platforms being tested, diesel engines are the most likely candidate to drive electrical power generation in uncrewed vessels.

Diesel engines require daily monitoring for early signs of life-cycle-limiting casualties or catastrophic failures. On crewed vessels, safe operating parameters are established based on the potential for catastrophic impact. Other parameters, however, are left unmonitored — either completely or for long intervals — and seemingly menial tasks help control risk. For example, listening for abnormal noises, or ensuring quality lubricating and fuel oils, can prevent larger casualties. The presence of particulates or water in lubricating or fuel oil — even at levels within parameters — may still be noted by a human observer as an early warning of degraded mechanical systems.

Second, cooling systems provide either water-based or air-based temperature control to machinery and rooms that house network equipment. On uncrewed vessels, there are fewer opportunities to identify mechanical failures in the vast array of pumps, air handling units, compressors, and other components that make up cooling systems. Opportunities to take action prior to cascading failures are similarly constrained. For instance, operations in the littorals or in warmer waters are more likely to result in clogged sea chests — where water is ingested through the hull — because of higher densities of sea life and plants in these environments. Whereas watchstanders on crewed vessels can identify differential pressure changes, and then clean sea chests or replace filters, they cannot do so on uncrewed vessels.

An array of transducers, cables, and servers enables interactions between these hull, mechanical, and electrical systems, the internal networks that oversee them, and off-ship communications. Disruptions to power and cooling, made more likely by less monitoring and data collection, will degrade these interactions. Unstable power can interrupt communication signal paths, and insufficient cooling can cause data loss or hardware shutdowns. Additionally, the maritime environment imposes the same physical pressures on computers as it does on low-tech hardware. For instance, a cabinet’s cable connection or circuit card may jostle loose in rough seas. Without a watchstander available to re-seat the network connection, control over basic engineering systems or the capacity for off-ship communication will degrade accordingly.

Finally, off-ship communications must take place over secure channels. That requires loading time-limited cryptographic devices: regularly changing electronic keys that encrypt or decrypt transmitted information. Although cryptographic devices that “roll keys” (deactivate the old encryption and replace it with a new one) automatically are under development, if a new key fails verification or loads incorrectly in an uncrewed system, troubleshooting will have to occur remotely. While over-the-air cryptographic updates are viable, the engineering reliability problems identified earlier suggest that interruptions requiring a new cryptographic key load, such as a power shift, are likely to occur more frequently on uncrewed vessels.

Impacts on Force Structure, Crisis Stability, and Force Employment

For both crewed and uncrewed platforms, survivability diminishes the longer a vessel is at sea, as equipment suffers from routine wear-and-tear or damage. If a vessel operates in a degraded state, the likelihood that a casualty will worsen or cascade to other systems increases. Since a fleet operates as a team, warships must periodically notify supervising units of equipment casualties that could affect the overall force’s mission-readiness. Adversaries can exploit these electromagnetic emissions to locate and target a ship.

Because crewed vessels can repair some casualties at sea, they can occasionally forestall both cascading casualties and off-ship reporting. Hence, even if both uncrewed and crewed vessels possess equipment of comparable quality, and suffer the same casualties, the survivability of uncrewed vessels decays more steeply over time. All else held equal, their systems fail or they produce exploitable radiofrequency emissions before crewed vessels do.

Since uncrewed vessels are more suited to some roles than others, these reliability issues will not be evenly distributed across a future fleet’s mission areas. Given the current state of the technology and forward projections, it is likely that uncrewed vessels will ultimately support forward sensing, mine countermeasures, and anti-submarine warfare. If Congress’ skepticism resolves, they may also serve as adjunct missile magazines. Based on the foregoing, we suggest implications for force structure, crisis stability, and force employment.

Structuring the Force

Force planners assume that, even without battle damage, some platforms will fail due to design flaws, poor workmanship, rough seas, collision, and corrosion. Each successive loss of a platform degrades the warfare area to which it is assigned. And because of component uniformity or common architecture across platforms, some failures may affect multiple units assigned to the same area.

While failure rates are likely to be higher for uncrewed than crewed vessels during routine operations, they will be even greater during hostilities. Attrition will be highest for the most frequent emitters: uncrewed vessels that are radiating either because their role, or their engineering monitoring and casualty reporting, requires it. The uncrewed mission areas, therefore — forward sensing, mine warfare, and anti-submarine warfare — are therefore more likely to lose capacity before the crewed mission areas do.

This suggests that, in a future hybrid fleet, crewed vessels will need to retain some residual capacity for those roles assigned to uncrewed vessels, especially those integral to defense of the high-value units (such as anti-submarine warfare). In addition, optimal manning on the remaining crewed platforms will depend on whether they operate within or beyond the uncrewed vessels’ line of sight. Concepts of operations for within-line-of-sight missions will have to specify the conditions under which crewed platforms should service failing uncrewed vessels and allow for the additional manning required to do so.

Losing Sensors Before Missiles

Force composition can affect incentives for preemption before conflict begins. Scholarly work based on unmanned aircraft suggests that they can help states avoid escalation, because the loss of a drone is less severe than loss of human life . But uncrewed ships introduce a novel factor into maritime warfare: the disaggregation of capabilities. In the missile era, the trend in naval warfare has been to aggregate capabilities on multi-mission platforms. Large and medium unmanned surface vessels, however, are specifically designed to separate shooting from sensing.

Accordingly, uncrewed vessels’ reliability problems could have a disproportionately greater impact on a hybrid fleet’s sensor capacity (provided by medium unmanned surface vessels) than on its capacity to launch missiles for air defense, anti-surface warfare, and land attack (provided by crewed destroyers or large unmanned surface vessels). Medium unmanned surface vessels will be responsible for finding and fixing targets, and, given the reliability problems identified here, will likely decline in mission-readiness more rapidly than the crewed vessels that will be responsible for launching missiles.

This presents heightened escalation risks. Diminished situational awareness can raise a ship or force’s sense of its own vulnerability, lowering the self-defense threshold in ambiguous scenarios, or increasing incentives for preemption. If the mission-readiness of uncrewed assets declines faster than that of crewed vessels, human decision-makers may face the pressure to “attack effectively first” — or put crewed vessels at greater risk to accomplish the same missions — before situational awareness and defensive capacity reach unacceptably low levels.

Use It or Lose It

Once a conflict has started, the higher attrition rates of uncrewed platforms will also depress the ratio of sensors to shooters. As the volume and quality of incoming sensor data diminishes, human decision-makers may face pressure to expend missiles before the common operational picture degrades further. This could result in firing at less than ideal targets, and prematurely depleting magazines. Fifth-generation aircraft, unmanned aerial vehicles, or space-based assets can replace sensor capacity from failing uncrewed vessels, but the surface fleet will have to compete with other elements of the joint force for these assets.

The disparate effects of uncrewed vessels’ reliability problems across warfare areas also presents a dilemma for force protection. If uncrewed vessels suffer engineering failures, then are physically captured and exploited, adversaries could penetrate fleet networks and threaten multiple units. At the same time, if uncrewed vessels communicate to warn ships in company of impending failure, they can give away the location of nearby units. Hence, uncrewed vessels must be far enough from crewed units to avoid exposing the latter’s location via electromagnetic emissions, but close enough that they can be repaired, recovered, or scuttled to prevent capture and exploitation if and when their hull, mechanical, and electrical systems fail.

Conclusion

The success of distributed maritime operations will depend on robust networks among vessels that maintain stable propulsion, power, and cooling. But current plans to achieve this architecture rest on an aspirational version of uncrewed vessel technology. Even with ongoing — and well-funded — land-based testing requirements aimed at resolving reliability problems in automated systems, some of the drawbacks associated with removing people from ships are likely to remain long-term features of the Navy’s future hybrid fleet.

Crewed warships will thus have to fix uncrewed vessels, step in to fill their roles, or face tough choices to employ weapons systems with incomplete information. The aspirational vision of uncrewed technologies thus makes crewed vessels more important, at the same time that it forces their premature retirement. And this is perhaps the most dangerous feedback loop of all.

 

 

Jonathan Panter is a Ph.D. candidate in the Department of Political Science at Columbia University. His research examines naval organizational practices and crisis management. Prior to attending Columbia, he served as a surface warfare officer in the U.S. Navy.

Johnathan Falcone is an active-duty surface warfare officer in the U.S. Navy, serving as chief engineer aboard a littoral combat ship. He is a graduate of Princeton University’s School of Public and International Affairs and Yale University.

The authors thank Ian Sundstrom, Anand Jantzen, and conference participants at the Cyber and Innovation Policy Institute of the U.S. Naval War College for assistance with earlier drafts of this article. The authors’ opinions do not reflect the official stance of the U.S. Navy.

Image: U.S. Navy





Source link

Leave A Reply

Your email address will not be published.