Cyber
The Magazine of the MCPA





Full Text Listing of All Stories


Monitoring the Landscape of Cyberspace

posted Nov 5, 2017, 10:25 AM by James Caroland   [ updated Nov 5, 2017, 10:26 AM ]

By Ray Mollison

My previous article, Building a Cadre of Cyber Intellectuals, introduced Cyber Intelligence (CYBINT) as an intelligence discipline that provides clarity for understanding vulnerabilities, exploits, and threats in cybersecurity. Cyber Intelligence can help build a stronger cybersecurity posture by conceptualizing the cyberspace landscape at three levels: operational, tactical, and strategic. This provides decision-makers with a comprehensive analysis of the capabilities, skill sets, and intentions behind the cyber attacks of state and non-state actors.

This article focuses on Cyber Threat Intelligence (CTI), a platform for sharing, within a community, current and emerging cyber threat trends across businesses, organizations, and government entities. It is uncertain whether an impenetrable cybersecurity posture could ever exist or whether there is a technical solution that stops cyber threats. It is going to take more than firewalls to stop malicious threats and attacks from penetrating computers and systems. To gain the upper hand in combating cyber threats, defenders need to understand the cyberspace landscape of vulnerabilities and exploits. Implementing CTI could be a tangible way to enhance the cybersecurity posture against cyber threats.

Gartner best describes Cyber Threat Intelligence as the “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard”. [1] CTI takes collected raw cyber threat information and evaluates and aggregates it into actionable intelligence. It is performed through the lens of the intelligence lifecycle (plan, collect, process, produce, and disseminate information) and focuses on identifying indicators of cyber threats such as malware, spear-phishing, password attacks, ransomware, and Denial of Service (DoS). [2] These are examples of the threats that a business, organization, or government entity is exposed to within its network daily. This highlights why networks need to be monitored and controlled to ensure that computers and systems are secured against cyber threats.

CTI is the integration of human intelligence with technical intelligence, allowing an organization to concentrate on existing and emerging threats. [3] It is a forward-leaning methodology for detecting possible threat trends in real time. To understand cyber threats, there are three factors to consider when assessing actors’ motives: Intent, Capability, and Opportunity.

Intent is a malicious actor’s desire to target your organization
Capability is their means to do so (such as specific types of malware)
Opportunity is the opening the actor needs (such as vulnerabilities, whether it be in software, hardware, or personnel) [4]

Understanding these three factors adds insight into current cyber threat activities and helps project future outcomes by analyzing the actors’ actions, means, and needs. Defining the actors’ motives helps in understanding their techniques, tactics, and procedures. The methodologies and motives of cyber attacks are the virtual fingerprints of cyber threats; therefore, utilizing a collaborative platform to share real-time threats will add clarity to the composition and characteristics of attacks. Using CTI, a Cyber Threat Analyst examines the actor’s digital fingerprint through aggregated collection sources: technical sources, open sources, and closed sources. [5]

Technical Sources include the Security Information and Event Manager (SIEM), Intrusion Detection Systems (IDS), firewalls, next-generation endpoint security platforms, and logs from any number of devices
Open Sources include published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc.), and media sources
Closed Sources may include community mailing lists, or organizations such as Information Sharing and Analysis Centers (ISACs)

There are many Threat Intelligence Platforms (TIPs) available for threat analysts to aggregate, correlate, and analyze threat data from multiple sources in real time. [6] These platforms give Threat Intelligence Analysts the advantage of corroborating threat data to quantify the strength of indicators of potential cyber threats. A TIP is designed to be shared across small and large businesses, manufacturers, industries, banks, and government and private organizations in order to improve security within a trusted community. An example of a Threat Intelligence Platform is ThreatStream (Anomali), which was pioneered and founded by Greg Martin. [7] ThreatStream is a threat intelligence platform designed to Collect, Optimize, Integrate, and Share. [8]

Collect: portal to access hundreds of threat intelligence feeds.
Optimize: normalizes and optimizes intelligence, making it more actionable.
Integrate: out of the box integrations with SIEMs, firewalls, and other systems.
Share: offers two-way sharing and secure trusted circles for vetted collaboration.

The advantage of TIPs is that most organizations already use threat intelligence as part of their cybersecurity program, where it has become valuable to their security mission, and it has become necessary to maximize the value of intelligence data. [9] TIPs have become critical to organizations that value a collaborative community and exercise innovative solutions to deter and combat cyber threats. However, there are disadvantages to using TIPs. They are overwhelmingly complex, are difficult to integrate with other security technologies, and suffer from a lack of alignment between analyst and operational security events. [10]

The lack of professional expertise is one of the biggest hurdles to overcome in threat intelligence platforms. [11] For example, at the heart of a threat intelligence platform is the Security Operations Center (SOC), where technical information is collected in real time. The SOC is the nucleus of threat intelligence, where technical experts examine and evaluate current threat trends and aggregate data into actionable intelligence. [12] These experts monitor an integration of systems in real time, from SIEMs to firewalls. The SOC needs technical experts with the right education and experience to correctly and accurately identify cyber threats. They must possess technical knowledge, a broad range of capabilities, and a diversity of experiences. [13] Therefore, the pool of talent will be limited to a select few applicants, making it hard to fill the roles and responsibilities of this position.

Figure 1 [14] details the process of threat intelligence as a visual representation. The diagram conceptualizes threat intelligence as an ecosystem, an interactive organism within interconnected communities or systems. The preservation of the Threat Intelligence Ecosystem is positioned in the center, which is governed by other pyramids: a Threat Intelligence Analyst who collects and analyzes information while the Security Operations Center monitors threats in order for the Leadership to make decisions. These pyramids fortify the epicenter of the ecosystem in conserving and preserving a healthy collection of Threat Intelligence for the Leadership to act upon. Most importantly, the Leadership will be able to understand how and what cyber threats impact the cyberspace landscape, so that decision-makers can accurately develop strategic and tactical intelligence frameworks. The maturity of strategic and tactical intelligence frameworks can help an organization focus its energy and resources to effectively and efficiently neutralize or degrade cyber threats while stabilizing the cyberspace ecosystem.

CTI will soon become a greater part of the cybersecurity portfolios of businesses and government and private organizations, where it can help identify the likelihood of future threats. CTI can detect and prevent potential threats, which reinforces a strong cybersecurity posture through the ability to counter threats before they materialize. Threat Intelligence Platforms can strengthen the collection of data gathered in real time with the intent of producing accurate and actionable intelligence reports to prepare and plan for potential cyber threats. This could lead to a stronger defensive security posture by developing Operational, Tactical, and Strategic Cyber Intelligence products that are adaptable and innovative against cyber threats. In addition, these platforms can assist in holistically comprehending the virtual landscape of potential threats deployed within cyberspace. Potential future threats will continue to grow and progressively cultivate new threats.

About the Author

Ray Mollison is a field-grade officer in the Military Intelligence Readiness Command (MIRC) as an Army Reservist. He is pursuing his Master’s degree in Cybersecurity at the University of South Florida. Ray enjoys working out and spending time with family.


--------------------
[1] iSightpartners (2014) What is cyber threat intelligence and why do I need it? [online], http://www.isightpartners.com/ wp-content/uploads/2014/07/iSight_Parterns_What_Is_20-20_Clarity_Brief.pdf
[2] https://www.tripwire.com/state-of-security/security-data-protection/ cyber threat-intelligence/
[3] iSightpartners (2014) What is cyber threat intelligence and why do I need it? [online], http://www.isightpartners.com/ wp-content/uploads/2014/07/iSight_Parterns_What_Is_20-20_Clarity_Brief.pdf
[4] https://www.tripwire.com/state-of-security/security-data-protection/ cyber threat-intelligence/
[5] https://www.darkreading.com/vulnerabilities---threats/how-to-roll-your-own-threat-intelligence-team/a/d-id/1326445?
[6] https://en.wikipedia.org/wiki/Threat_Intelligence_Platform
[7] https://en.wikipedia.org/wiki/Threat_Intelligence_Platform
[8] https://www.anomali.com/platform/threatstream
[9] https://www.infosecurity-magazine.com/news/threat-intelligence-strategies/
[10] https://www.infosecurity-magazine.com/news/threat-intelligence-strategies/
[11] https://www.infosecurity-magazine.com/news/threat-intelligence-strategies/
[12] https://www.recordedfuture.com/security-operations-center-strategy/
[13] http://www.ey.com/Publication/vwLUAssets/EY-security-operations-centers-helping-you-get-ahead-of-cybercrime/$FILE/EY-security-operations-centers-helping-you-get-ahead-of-cybercrime.pdf
[14] https://semiengineering.com/threat-intelligence/

Photo credit:  Tripwire.com  


A Low Likelihood of Cyber Attack on USS MCCAIN

posted Oct 29, 2017, 3:24 PM by James Caroland   [ updated Oct 29, 2017, 3:27 PM ]

By Ian W. Gray


On August 21, 2017, the USS JOHN S. MCCAIN (DDG-56) collided with the merchant vessel Alnic MC [1] while transiting East of the Strait of Malacca, one of the busiest chokepoints in the world. The collision was the second instance of a U.S. warship colliding with a merchant vessel this year [2], and the fourth instance of a Naval incident at sea this year [3]. All of these accidents have occurred in close proximity to Asia, leading analysts to believe that this could be part of a cyber operation [4]. Their hypothesis is seemingly supported by increasing U.S. tensions with China over Freedom of Navigation Operations in the South China Sea [5], and provocations from North Korea amid nuclear tests and U.S. supported war games [6] in proximity of the Hermit Kingdom. Despite increasing geo-political tensions, coincidence (or the absence of it) is believed to be a secondary factor. However, this logic has likely led to a confirmation bias regarding cyber-operations that should be further analyzed.

“Cyber” has become a convenient justification for the loss of availability on infrastructure and equipment where technology plays a predominant role (which encompasses most things these days). This reasoning is further validated by the covert nature of cyber-attacks, and the recent increase of publicized state-sponsored cyber-operations from actors including China, North Korea, Iran, and Russia. However, unlike infrastructure and computer servers, ships are transitory and susceptible to a number of additional environmental factors like weather and natural lighting conditions. Additionally, ships transiting areas of high traffic density contend with a host of other vessels and depend on the efficient performance of their navigation and propulsion systems and on the maintenance and operation of those systems by their crews.

In June 2017, the Baltic and International Maritime Council (BIMCO) updated their “Guidelines on Cybersecurity Onboard Ships” [7] to include further recommendations on network and cyber security. The potential vulnerabilities that BIMCO identified include bridge systems, cargo management, propulsion and power control systems, access control, and ship-to-shore communications. The potential attack vectors, similar to those of shore-based facilities, include brute force, supply chain compromise, phishing, and social engineering. The increasing connectivity and automation of shipboard control systems make them susceptible to these vectors. However, several navigation and communication systems are also vulnerable to a loss of availability and integrity through attacks like jamming and spoofing.

United States warships have a suite of technology designed to complete multiple complex mission areas, though navigation and propulsion remain paramount to crew safety and operational success. Guidelines for the construction and operation of navigation and propulsion equipment for both merchant vessels and warships are promulgated by the International Maritime Organization’s (IMO) Safety of Life at Sea (SOLAS) convention. The convention has been updated to include the mandatory adoption of technology like Global Positioning Systems (GPS), Automatic Identification Systems (AIS), and Electronic Chart Display and Information Systems (ECDIS).

Both warships and merchant vessels could be targeted by GPS spoofing and jamming. These types of attacks have been demonstrated by China to counter U.S. drones in the South China Sea [8], and North Korea to disrupt maritime and air traffic in South Korea [9]. Other recent reports indicated a mass GPS spoofing attack in the Black Sea [10] off the coast of Russia, and as a method by Iran to exert dominance and control over the Persian Gulf [11]. The manipulation would cause shipboard GPS receivers to display a position that is determined by the attacker through broadcasting counterfeit signals. Such attacks could be part of an anti-access/area denial (A2/AD) strategy, though likely not the cause of the MCCAIN collision.

SOLAS requires all ships to carry AIS in order to provide information to surrounding ships and coastal authorities for safety at sea. AIS, which uses GPS coordinates and radio transmissions, is also susceptible to cyber-attacks, as Trend Micro demonstrated in 2014 [12]. These attacks could include denial-of-service, the appearance of a spoofed vessel, the omission of information about a vessel, or other false information including shipboard emergencies. This information, if targeted properly, could cause a ship to alter its course or speed, or take additional actions that could endanger the safety of a ship. AIS is not used as a means of navigation, and any maneuvering decision that a ship takes would likely be verified with alternate means, like radar.

In 2005, the US Navy began a fleet-wide implementation of ECDIS on surface ships and submarines [13], a system that integrates with several navigation sensors and GPS receivers to provide an operational picture for voyage planning and ship movement. The electronic system has the added benefit of downloadable charts and corrections, which eliminates the need for manual pen-and-ink changes on paper charts. Though a cyber-induced error could occur from ECDIS, any error that could cause a collision would likely have to compromise a number of other inputs, including civilian and military radars, and GPS.

While the Navy has developed additional countermeasures to protect their systems from cyber-attacks, the merchant fleet has not uniformly employed similar protections. Though SOLAS has mandated the implementation of GPS, AIS, and ECDIS, merchant ships have been given a timeline of 2021 to integrate their own cyber risk frameworks [14]. Though the likelihood of a cyber-attack against U.S. warships is relatively low, the incident investigation should take into account the cyber risk frameworks of the over 51,000 other merchant vessels transiting the high seas.

The traffic density of the Strait of Malacca lends credence to a more likely scenario, involving the avoidance of multiple merchant vessels through a heavily trafficked area, while possibly also managing an engineering casualty. Current reports indicate that MCCAIN possibly suffered a loss of steering prior to the collision, and there is currently no indication of a cyber-attack. Though there are backup control measures to shift steering from the pilot house to the aft steering control room, it may not have been possible to do so and steer clear of incoming merchant traffic. Though cyber is becoming an increasing attack vector from state actors, we should be careful of prematurely labeling this incident as a cyber-attack.

Though two collisions of similar shipboard platforms (Arleigh Burke Destroyers/Flight 1A), along with other accidents in Asia, may appear to be a coincidence, we need to examine the factors leading up to and contributing to the incident.  Most incidents at sea are the culmination of a number of factors, including environmental, situational and material.  Though current events dictate that cyber could possibly be a factor, we should not let the possibility of a cyber outcome guide the analysis of an investigation. While the two Destroyers that were recently damaged this past summer can be repaired, the loss of the sailors cannot.  

About the Author

Ian W. Gray is a senior intelligence analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime. Ian is also a military reservist with extensive knowledge of the maritime domain and regional expertise of the Middle East, Europe, and South America.


--------------------
[1] H. Beech and M. Haag, “10 Missing After U.S. Navy Ship and Oil Tanker Collide Off Singapore,” Aug. 2017; https://www.nytimes.com/2017/08/20/world/asia/uss-john-mccain-collision-merchant-ship.html.
[2] J. Borger, M. Farrer and O. Holmes. “Pentagon Orders Temporary Halt to US Navy Operations After Second Collision,” Aug. 2017; https://www.theguardian.com/us-news/2017/aug/21/us-destroyer-uss-john-s-mccain-damaged-after-collision-with-oil-tanker.
[3] S. Ferrechio. “John McCain Supports Navy Operations Pause After Fourth Accident,” Aug. 2017; http://www.washingtonexaminer.com/john-mccain-supports-navy-operations-pause-after-fourth-accident/article/2632143.
[4] C. Chang. “Hacking Link To USS McCain Warship Collision? Expert Says ‘I Don’t Believe in Coincidence’,” Aug. 2017; http://www.news.com.au/technology/online/hacking/hacking-link-to-uss-mccain-warship-collision-expert-says-i-dont-believe-in-coincidence/news-story/7bce663e0c93774d2b1f755e22704dcd.
[5] A. Panda. “China Reacts Angrily To Latest US South China Sea Freedom of Navigation Operation,” Jul. 2017; http://thediplomat.com/2017/07/china-reacts-angrily-to-latest-us-south-china-sea-freedom-of-navigation-operation/.
[6] J. McCurry, E. Graham-Harrison, S. Siddiqui. “US Increases Pressure On North Korea After Missile Test,” Jul. 2017; https://www.theguardian.com/world/2017/jul/05/north-korea-missile-test-new-threat-world-says-us-military-force-sanctions-workers.
[7] The Guidelines On Cyber Security Onboard Ships, white paper. BIMCO. Jul. 2017
[8] D. Goward. “GPS Spoofing Incident Points to Fragility of Navigation Satellites,” Aug. 2017; http://www.nationaldefensemagazine.org/articles/2017/8/22/viewpoint-gps-spoofing-incident-points-to-fragility-of-navigation-satellites
[9] K. Mizokami. “North Korea Is Jamming GPS Signals,” Apr. 2016; http://www.popularmechanics.com/military/weapons/a20289/north-korea-jamming-gps-signals/.
[10] S. Goff. “Reports Of Mass GPS Spoofing Attack In The Black Sea Strengthen Calls For PNT Backup,” Jul. 2017. http://www.insidegnss.com/node/5555.
[11] I. Gray. “Cyber Threats To Navy And Merchant Shipping In The Persian Gulf,” May 2016; http://thediplomat.com/2016/05/cyber-threats-to-navy-and-merchant-shipping-in-the-persian-gulf/.
[12] Threats at Sea: A Security Evaluation of AIS, white paper. Trend Micro. Dec. 2014
[13] J. Rhodes and M. Abshire. “U.S. Navy Announces Plans To Convert Fleet to ‘Paperless’ Navigation,” Jul. 2005; http://news.northropgrumman.com/news/releases/u-s-navy-announces-plans-to-convert-fleet-to-paperless-navigation.
[14] I. Gray. “Petya Attack Shows The Need For Cybersecurity Rules,” Jun. 2017; http://maritime-executive.com/editorials/petya-attack-shows-the-need-for-cybersecurity-rules1

Photo credits (in order of appearance): DoD Live, Wikimedia

Building a Cadre of Cyber Intellectuals

posted Sep 4, 2017, 6:43 AM by James Caroland   [ updated Sep 11, 2017, 12:31 PM ]

By Ray Mollison

Cyber-attacks are growing progressively and evolving rapidly each year, which makes it harder to effectively combat cyber threats. One can best understand cyber-attacks through the application of intelligence to learn “about the cyber adversaries and their methods combined with knowledge about an organization’s security posture against those adversaries and their methods”. [1] Cybersecurity has become a central topic of discussion in the government and business sectors, where both sides are looking for solutions in a complex cyber world.

Cyber Intelligence (CYBINT) is a marriage between the two disciplines of information technology and intelligence studies. Information technology is the study of creating, processing, storing, securing, and exchanging electronic data. [2] Intelligence is the study of credible and actionable information through collection, analysis and distribution. [3] Even though CYBINT is still in its infancy as an intelligence discipline in academia and professional industries, Cyber Intelligence provides clarity for understanding cybersecurity vulnerabilities, exploits, and threats. There is a good amount of analysis in information technology or “cyber” type roles using intelligence. [4]

Just as Clausewitz famously identified the three levels of war in his book “On War”, the Cyber Intelligence Task Force from the Intelligence and National Security Alliance identified the same three parallel Levels of Cyber Intelligence: Strategic, Operational, and Tactical. [5] These Levels of Cyber Intelligence can help to acquire key information about U.S. adversaries’ capabilities. The three levels are:

Strategic Cyber Intelligence is to minimize risk to an organization’s critical mission and assets of value by conducting assessments of threats and vulnerabilities. [6]
Operational Cyber Intelligence facilitates analysis to determine the specific threat actors in order to reduce risks to critical information and intellectual property. [7]
Tactical Cyber Intelligence contains the processes of examining priority requirements, collecting data, and developing actionable products. [8]

These Levels of Cyber Intelligence help to deter and neutralize threats through the process of analysis. It is important to note that the Joint Intelligence publication (JP 2-0) is the baseline in providing fundamental principles and guidance to enhance the quality of tradecraft in intelligence to support joint operations. [9] This doctrine parallels the Levels of Cyber Intelligence, which ensures all intelligence disciplines are crafted with the highest level of expertise to minimize mistakes and maximize quality of results for the decision-maker.

The challenges of cyber are constant, and it is vital to continuously gain insight from the past and present in order to improve future cyber operations. The Levels of Cyber Intelligence define and refine how information is collected through the lens of data quantification in information technology. As shown in figure 2, the intelligence collection process in cyber must contain the “cycle of collection, analysis, dissemination, and feedback which must be continuous—not a periodic or intermittent—process.” [10]

Filtering information on networks will strengthen the cybersecurity posture to be more proactive rather than reactive. Unfiltered information on networks will weaken the U.S. cybersecurity posture by making it more reactive than proactive. Cyber Warfare conflicts range from political conflicts to espionage and propaganda, and the types of actors are nation-states, terrorists, and sociopolitical groups. [11] In Cyber Warfare, our adversaries’ intentions are to attack our vulnerabilities, which could degrade, disrupt and deny users’ access, or destroy data, servers and networks, or steal personal identification information. The application of Cyber Intelligence is to gain knowledge of our adversaries by learning and studying their virtual footprint in cyber practices and methodologies.

Therefore, the levels of Cyber Intelligence play a role in filtering information to determine the reason for the attack, the intent of the conflict, and the type of malicious actors. Cyber Intelligence relies on fusing Human Intelligence (HUMINT) with timely and accurate Signal Intelligence (SIGINT) to respond to emerging and reemerging threats. [12] HUMINT, SIGINT, and CYBINT are inseparable disciplines and rely on each other to collect information to achieve actionable and reliable intelligence in Cyber Warfare.

In conclusion, the cyber world will continue to be unstable; however, it can be stabilized by learning about adversaries’ tactics, techniques, and procedures to maintain a superior cybersecurity posture at all three levels of Cyber Warfare – strategic, operational, and tactical. Cyber Intelligence can help build a stronger cybersecurity position by offering insightful knowledge to better defend against an adversarial cyber-attack.


About the Author

Ray Mollison is a field-grade officer in the Military Intelligence Readiness Command (MIRC) as an Army Reservist. He is pursuing his Master’s degree in Cybersecurity at the University of South Florida. Ray enjoys working out and spending time with family.


--------------------
[1] RSA. Getting Ahead of Advanced Threats. Jan. 2012. Web. <http://www.emc.com/collateral/industryoverview/ciso- rpt-2.pdf>
[2] Rouse, Margaret. Information Technology. TechTarget. Apr 2015. Web. <http://searchdatacenter.techtarget.com/definition/IT>
[3] Duverge, Gabe. Intelligence Studies vs Criminal Justice. POINT PARK University. Mar 2015. Web. <http://online.pointpark.edu/intelligence/intelligence-studies-vs-criminal-justice/>
[4] TRIPWIRE. An Introduction to Cyber Intelligence. Jan. 2014. Web. <https://www.tripwire.com/state-of-security/security-data-protection/introduction-cyber-intelligence/>
[5] Bamford, George, John Felker, and Troy Mattern. Operational Levels of Cyber Intelligence. Cyber Intelligence Task Force, Intelligence and National Security Alliance (INSA) White Paper, 2013
[6] Dennesen, Kristen, Felker, John, Feyes, Tonya, and Kern, Sean. Strategic Cyber Intelligence. Cyber Intelligence Task Force, Intelligence and National Security Alliance (INSA) White Paper, 2014.
[7] Hengel, Steven, Kern, Sean, Limbago, Andrea. Operational Cyber Intelligence. Cyber Intelligence Task Force, Intelligence and National Security Alliance (INSA) White Papers. 2014
[8] Hancock, Geoff, Anthony, Christian, and Kaffenberger, Lincoln. Tactical Cyber Intelligence. Cyber Intelligence Task Force, Intelligence and National Security Alliance (INSA) White Papers. 2015 
[9] Joint Publication JP 2-0. Joint Intelligence. Oct. 2013. Web. <http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf>
[10] Randy Borum, John Felker and Sean Kern. "Cyber Intelligence Operations: More than Just 1s & 0s" Proceedings of the Marine Safety and Security Council: The U.S. Coast Guard Journal of Safety and Security at Sea Vol. 71 Iss. 4 (2014)
[11] Sanjay Goel. Communications of the ACM. Cyberwarfare: Connecting the Dots in Cyber Intelligence. VOL 54. No. 8. Aug. 2011. Pg 132.
[12] “What is Cyber Threat Intelligence and why do I need it?”. iSIGHTPARTNERS. 2014.
[13] “62% OF INFORMATION SECURITY PROS EXPECT BREACH IN 2016 – AND THEY MAY BE TOO OPTIMISTIC”. Ikanow Editorial. Feb. 23, 2016. <http://www.ikanow.com/62-percent-information-security-pros-expect-breach-2016/>
[14] Ezendu, Elijah. “Competitive Intelligence”. Slideshare. Jan. 2, 2010. <https://www.slideshare.net/ezendu/competitive-intelligence-2814940>



Cyber Threat Heat-Mapping

posted Aug 25, 2017, 4:49 PM by James Caroland   [ updated Sep 11, 2017, 12:32 PM ]

By MAJ Joe Marty

DISCLAIMER: All content in this article is derived from ideas in the author’s head, based on his experiences and observations. None of the methods or ideas presented describe actual methodologies used by the U.S. Army or any service branch of the Department of Defense. All information disclosed is UNCLASSIFIED.

Most people in the information security field are familiar with the "Cyber Kill Chain," [1] and some are also familiar with its successor in threat-mapping, the more granular MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix. [2] These models allow incident responders, cyber security defenders, and intelligence analysts to chronologically map the activities of intruders. Most threat activities can be categorized under one of the kill-chain stages, and under one of the tactics listed in the MITRE ATT&CK matrix.

Figure 1

    The benefit of modeling threat activities in these frameworks extends into both the past and the future. By identifying what a threat actor has already done, or recognizing what they have been known to do in other incidents/campaigns, incident responders can focus their clean-up and recovery efforts with targeted forensics. By identifying what the threat actor has done in other similar incidents, Cyber Security Service Providers (CSSPs) can focus their hardening efforts towards defense-in-depth strategies that will be effective at preventing the threat actor from succeeding in the next stages of the kill chain that have not yet been executed. 

    Each service branch in the Department of Defense (DoD) has drawn upon the proven methods of its respective domain (land, sea, air) and adapted its operations to apply them in the cyber domain. One classic method of developing intelligence in the tangible domains focused on nation-state threats. This method is sensible for conventional operations because, whether it is an offensive or defensive operation, our military expected to attack or defend against forces of a specific nation, nations, or non-state actors that often operated with similar capabilities and tactics.

    Adapting this classic methodology to the cyber domain is still effective for offensive operations because targeted cyber effects would typically be directed towards a specific entity. However, applying this classic methodology of developing intelligence to defensive cyberspace operations (DCO) provides limited tactical benefit because defenders are expected to defend against all threat actors regardless of their origin. Although the classic methodology can provide strategic context and high-level overviews, it does not enable the tactical activities in DCO because the defenders cannot build comprehensive defense-in-depth from stove-piped information. One method that would develop actionable intelligence for DCO would be to use a "heat-map" of the cyber kill-chain or MITRE ATT&CK matrix.

    Heat-maps traditionally indicate concentration of activity (or whatever is being measured) by a color scale, where a darker color indicates greater concentration. Over time, as more threat activity is mapped, the most common/popular activity will appear darkest on the heat-map. Generating a cyber-threat heat-map will help CSSPs prioritize their defense-in-depth efforts, and enable them to secure their organization by focusing on the most likely attack vectors. Thus, when an intruder encounters the roadblocks built by the CSSP, those seeking easy entry will move on, and the persistent threat actors will be forced to change their behavior to succeed in their campaign. At worst this will delay their activities; at best, it will deter adversaries from continuing their pursuit, encouraging them to move on to “lower-hanging fruit” or another vector with less resistance.

    Using this cyber-threat heat-mapping methodology, an organization could populate a database with documented activities. [3] The events they observe and record could be categorized by kill-chain stage and MITRE ATT&CK method, and then tagged by threat actor. This database would enable analysts to quickly respond to identified threats because, as soon as observed events are queried in the database, the analyst can easily spot what the intruder has most likely done so far, and what they are most likely to do next, based on their documented pattern of behavior.

    To maximize accessibility, the organization could build a simple interface to the database (e.g., web page front-end) that allows defenders to quickly identify the most popular/common attack vectors, enabling them to focus their efforts on where they will be most effective. The threat actor tags for each event allow for simple data correlation of queries with documented activities stored in the database. This enables quick identification of the APT that is most likely responsible for the observed activity based on the matching data points. This threat-hunting heat-map would enable intelligence analysts to provide actionable intelligence to defenders in cyberspace.

Figure 2

    Figure 2 (above) is an illustration of how activities during an observed campaign could be documented and tagged across the cyber kill-chain. Each row below the kill-chain stages indicates a separate (hypothetical) campaign. Each activity tagged for a specific APT indicates attribution of similar behavior based on analysis of past events. [Note: The activities and corresponding APTs are provided only to demonstrate how the interface might be used – the attribution is intentionally inaccurate, and the figure should not be used as a reference.]

    The benefit of using an interface like this should be clear – the more tags that appear across a row, the more likely it is that the corresponding APT is the culprit of the campaign. Depending on which stage of the kill-chain spun up the incident response team (IRT) into action, the analysts would be able to quickly identify what the intruder has already done, and they can advise the CSSP on where to implement the most effective countermeasures further down the kill-chain, both based on expected behavior supported by historical data in the database.

    Figure 3 below is a similar illustration using the MITRE ATT&CK matrix. Optimization of the interface becomes critical for this model because data can become confusing very quickly if not properly presented. This illustration presents another hypothetical example of a single campaign where each observed activity is documented, and the APT tag indicates which threat actor has demonstrated the behavior in past campaigns that have been analyzed. The dotted lines link activities attributed to the same threat actor. [Again, attribution is intentionally wrong.]



Figure 3

    This example visually expresses which threat actor most likely conducted the campaign based on recorded behaviors. In this hypothetical example, the campaign is equally likely to have been prosecuted by APT 1 or APT 29, because for each of them three of the observed activities match tagged entries in the database of recorded APT behaviors.

    The real value of following this methodology is the heat-map. Figure 4 below depicts how the heat map develops over time as more tagged data is recorded in the database. When an analyst displays ALL recorded threat activity, the darkest points indicate the most common tactics and methods used by APTs. 

    Once defensive countermeasures are identified for each tactic listed in the ATT&CK matrix, the ‘hot-spots’ in the heat map can quickly spotlight where a CSSP should prioritize its defense-in-depth efforts. In this example, the ‘hottest’ APT tactics that should be addressed are account enumeration, remote desktop protocol (RDP), and removable media. These observations might lead the CSSP to create fake accounts to detect account enumeration, implement multi-factor authentication for RDP access, and whitelist the removable media they use to prevent usage of unauthorized removable media.

Figure 4
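The database, attribution query and heat-map described above can be sketched as follows. This is an added example, not the author's tool: the table layout, function names, actor labels (ACTOR-A/B/C), campaigns and every record are constructed for illustration, and the placement of each technique in a kill-chain stage is an assumption.

```python
import sqlite3

# Lockheed Martin cyber kill-chain stages, in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed sample records: (campaign, actor tag, kill-chain stage, technique).
# Actor labels are hypothetical and attribute nothing to any real group.
EVENTS = [
    ("C1", "ACTOR-A", "Delivery", "spear-phishing attachment"),
    ("C1", "ACTOR-A", "Installation", "scheduled task"),
    ("C1", "ACTOR-A", "Actions on Objectives", "account enumeration"),
    ("C1", "ACTOR-A", "Actions on Objectives", "remote desktop protocol"),
    ("C2", "ACTOR-A", "Delivery", "spear-phishing attachment"),
    ("C2", "ACTOR-A", "Actions on Objectives", "account enumeration"),
    ("C2", "ACTOR-A", "Actions on Objectives", "remote desktop protocol"),
    ("C3", "ACTOR-B", "Delivery", "removable media"),
    ("C3", "ACTOR-B", "Command and Control", "web protocol beacon"),
    ("C3", "ACTOR-B", "Actions on Objectives", "account enumeration"),
    ("C4", "ACTOR-B", "Delivery", "removable media"),
    ("C4", "ACTOR-B", "Actions on Objectives", "remote desktop protocol"),
    ("C5", "ACTOR-C", "Delivery", "removable media"),
    ("C5", "ACTOR-C", "Command and Control", "web protocol beacon"),
    ("C5", "ACTOR-C", "Actions on Objectives", "account enumeration"),
]


def build_db(events):
    """Load tagged events into an in-memory SQLite database."""
    for event in events:
        if event[2] not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain stage: {event[2]!r}")
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (campaign TEXT, actor TEXT, stage TEXT, technique TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def heat_map(conn):
    """Number of campaigns per (stage, technique), hottest first."""
    return conn.execute(
        "SELECT stage, technique, COUNT(DISTINCT campaign) AS n FROM events "
        "GROUP BY stage, technique ORDER BY n DESC, technique ASC"
    ).fetchall()


def rank_actors(conn, observed):
    """Score each actor by how many observed (stage, technique) pairs
    match behaviour already recorded for that actor."""
    wanted = set(observed)
    scores = {}
    rows = conn.execute("SELECT DISTINCT actor, stage, technique FROM events")
    for actor, stage, technique in rows:
        scores.setdefault(actor, 0)
        if (stage, technique) in wanted:
            scores[actor] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def likely_next(conn, actor, last_stage):
    """Techniques recorded for this actor in stages after last_stage,
    ordered along the kill chain: where to place countermeasures next."""
    later = KILL_CHAIN[KILL_CHAIN.index(last_stage) + 1:]
    rows = conn.execute(
        "SELECT stage, technique, COUNT(DISTINCT campaign) FROM events "
        "WHERE actor = ? GROUP BY stage, technique", (actor,)
    ).fetchall()
    rows = [r for r in rows if r[0] in later]
    return sorted(rows, key=lambda r: (KILL_CHAIN.index(r[0]), -r[2], r[1]))


def render(heat):
    """Text heat-map: bar length is the number of campaigns."""
    return "\n".join(
        f"{stage:<22} {tech:<26} {'#' * n} ({n})" for stage, tech, n in heat
    )


if __name__ == "__main__":
    db = build_db(EVENTS)
    print(render(heat_map(db)))
    seen = [("Delivery", "removable media"),
            ("Actions on Objectives", "account enumeration")]
    print(rank_actors(db, seen))
    print(likely_next(db, "ACTOR-B", "Delivery"))
```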

    The classic, nation-centric development of threat intelligence may provide strategic context in support of DCO, but the usefulness is much more limited down at the tactical level. The use of a heat-map overlay on either the cyber kill-chain or ATT&CK matrix can enable responders to identify, contain, and recover from intruder activities (i.e., forensics). The cyber threat heat-map can also enable defenders to prioritize their efforts where they will be most effective (i.e., build defense-in-depth). Cyber threat heat-mapping provides actionable intelligence for the tactical defensive cyberspace operators, and it helps CSSPs maximize their efficiency and effectiveness in defending their organization.


About the Author

Joe Marty leads a Cyber Protection Team (CPT) as a field-grade officer in the US Army Cyber Protection Brigade. He has experience conducting several incident response and proactive defensive cyberspace operations with his team in both Enterprise and Industrial Control Systems (ICS) environments. When he's not on the road leading his team, Joe enjoys writing, hacking, and traveling with his family.

--------------



What We Can Learn About Cyber Security from the Cold War and the Global War on Terrorism

posted Aug 18, 2017, 6:39 AM by James Caroland   [ updated Sep 11, 2017, 12:32 PM ]

By Dan Cahill, Commander, United States Navy

Cyber Security/Defense is often presented as a complex and expensive problem. However, if viewed through the proper prism, the fundamentals can be distilled down to a few lessons from history like the Cold War and the “Global War on Terrorism.” When considered in this context, the solutions become clearer and more cost effective.

If the Cold War taught the U.S. one thing, it should be that armies don’t win wars, economies do. A corollary to this would be that solid business principles build economies and win wars. While the U.S. was building its overall economy, the Soviet Union was building up its military. Non-military Soviet-manufactured goods could not compete on the world stage and were limited to Warsaw Pact/Soviet Bloc nations. Throughout the Cold War, the U.S. had a manufacturing-based, export-oriented economy. The U.S. supplied the world with high-quality manufactured goods and the U.S. economy grew by leaps and bounds.

During the Korean War, in the early 1950s, the U.S. spent 15% of its Gross Domestic Product (GDP) on military spending, which dropped precipitously to just over 10% at the end of the Vietnam War and stayed below 8% from 1972 onward [1]. In contrast, up until the early 1980s, the Soviet Union contributed 15-17% of its GDP towards military expenditures with increases of 4% to 7% per year since the end of World War II [2]. When considered in the context of the Cold War, this represents highly disparate expenditures.

The Soviet Union attempted to keep up with the U.S. in military spending/power projection. The problem for the Soviet Union was that the U.S. economy, for much of the Cold War, was three times larger than the Soviet economy [3]. The U.S. beat the Soviet Union by drawing it into a fight the Soviet Union could not win and one that was fought by only two parties: the North Atlantic Treaty Organization and the Warsaw Pact.


Fast forward to September 11th, 2001; a terrorist operation that probably cost less than one million dollars prompted a multi-trillion dollar response; this is 1 x 10^6 versus 1 x 10^12 (a million to one). This demonstrates the effectiveness of asymmetrical warfare; the damage far exceeds the cost to produce it.

If we apply these principles to the cyber realm, we see that the U.S. Government, and more specifically the U.S. Department of Defense, is fighting a much larger economic war than what the U.S. fought during the Cold War. Unlike the Cold War, where the U.S. had an economy three times larger than its adversary and was pitted against the Soviet Union in a dollar for dollar war, the cyber-landscape is much different. Virtually every country in the world and most every company in the world which relies upon the Internet to conduct business is in the market for Cyber Security solutions. In 2016, worldwide spending on Cyber Security was nearly 74 billion U.S. Dollars (USD) [4]. The entire U.S. Defense budget for 2016 was approximately 585 billion USD [5]. By 2020, worldwide Cyber Security spending is projected to reach over 100 billion USD, which would be 1/5 of the entire U.S. Defense budget. [6]

The U.S. Department of Defense, or the U.S. government for that matter, cannot and should not attempt to compete simultaneously with the European Union, China, Russia, Microsoft, Apple, Google, Exxon and virtually every other entity in the world that utilizes the Internet to conduct business. If it tried, with the U.S. economy being only approximately 25% of the world economy, it would have to spend 4 to 1 against the rest of the world [7]. If the U.S. wants to compete in the 21st century, it needs to look at Cyber Defense/Security in business terms and not try to compete with what is already a functioning marketplace for cyber-related risk management. The better approach is to spend simultaneously on developing effective offensive cyber weapons, decoupling mission critical national security information from the Internet by placing it on classified networks, and letting the soon to be 100 billion USD Cyber Security market and 2,500 billion (2.5 trillion) USD insurance industry develop solutions to protect non-mission critical national security information and private industry networks and data [8].

----------------

[1] Council on Foreign Relations.  “Trends in U.S. Military Spending”.  Accessed July 15, 2017.  http://www.cfr.org/defense-budget/trends-us-military-spending/p28855
[2] Federation of American Scientists. “Russian Military Budget”. Sept 7, 2000. http://fas.org/nuke/guide/russia/agency/mo-budget.htm
[3] The Maddison-Project, http://www.ggdc.net/maddison/maddison-project/home.htm, 2013 version.
[4] Fortune Magazine. “Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020”.  Accessed Jul 13, 2017.  http://fortune.com/2016/10/12/cybersecurity-global-spending/
[5] The U.S. Department of Defense. “The FY-2016 Budget Proposal”. Accessed Jul 13, 2017. https://www.defense.gov/News/Special-Reports/FY16-Budget/

[6] Fortune Magazine. “Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020”.  Accessed Jul 13, 2017.  http://fortune.com/2016/10/12/cybersecurity-global-spending/

[7] The World Bank. “Gross Domestic Product 2016”. Accessed Jul 31, 2017. http://databank.worldbank.org/data/download/GDP.pdf

[8] Swiss Re. “Global insurance industry grows steadily in 2015 amidst moderate economic growth but outlook is mixed, Swiss Re sigma report says”.  Accessed Jul 13, 2017.  http://www.swissre.com/media/news_releases/global_insurance_industry_grows_steadily_in_2015_amidst_moderate_economic_growth_but_outlook_is_mixed_sigma_report.html


Photo credits (in order of appearance):  Wikimedia Commons, Wikipedia


About the Author

Daniel Cahill holds a commission as a Commander in the United States Navy and serves in the U.S. Navy Reserve where he supports the Naval Inspector General, including oversight of the U.S. Navy’s Cyber Security program.  He holds a Bachelor’s Degree in Marine Engineering, with a concentration in Nuclear Engineering, from the United States Merchant Marine Academy.  He earned graduate certificates in both International Relations and Business from New York’s Columbia University, where he is currently a Masters candidate in their Enterprise Risk Management (ERM) program.  Commander Cahill's academic work has focused on applying business principles to government decision making and resource allocation.



Proliferation in Cybersecurity

posted Jul 23, 2017, 5:09 PM by James Caroland

By Trey Herr

The WannaCry ransomware, and more recent notPetya wiper, are the latest but certainly not the only examples of proliferation when it comes to malicious software. What is this proliferation? Basically – someone writes a piece of malware, a third party finds it, adapts it, adds in some of their own code …et voila, a new piece of malware is born. This latest epidemic is based on a commonly used ransomware, combined with a modified version of the NSA’s leaked exploit, and tied together with some new encryption functionality and part of an open source security tool.1 

Proliferation deals with the diffusion of capabilities, often new weapons technologies, between different actors in the international political system. In cybersecurity, this proliferation describes how groups learn from and reuse tools developed by others, whether intentionally as through collaboration, or unintentionally. Unintentional proliferation is the process whereby the target of a piece of malicious software takes it apart to learn and reuse it. This unintentional proliferation is an issue not unique to cybersecurity but vastly more prominent than in traditional domains of conflict. 

Malware
Within cybersecurity, intentional proliferation of malware involves direct intelligence support and transfer of software from one party to another. States have no monopoly on capabilities here. Non-state groups are a constant source of innovation on both offense and defense. Proliferation of malware can include a range of different types of information: from highly valuable software vulnerabilities to complete malicious software programs and the supporting infrastructure to covertly deploy them. The skills and capacity of groups on the receiving end of this proliferation can vary dramatically.2 

If code can move across borders with little more than an email, what does counter-proliferation look like for cybersecurity? Because there are no special weapons materials, like plutonium, necessary to create malware, the challenge becomes how to impose costs on attackers. One answer stems from how many kinds of malware are built. Rather than a weapon like a brick, which can be thrown against nearly any object, most malware depends on a software vulnerability. These vulnerabilities are small flaws in software which an attacker, or curious researcher, could take advantage of to manipulate the target computer. 

By reducing the supply of these software vulnerabilities, defenders can raise attackers’ cost to develop and use malicious software. To achieve this, governments should reduce the number and significance of software vulnerabilities (on which malware often depends) by encouraging more effective vulnerability discovery, disclosure, and patching by private companies and researchers. In a new paper, I suggest ten things the policy community in the United States can do to reduce the supply of vulnerabilities and help disrupt the activity of attackers.3  The goal with any of these policy recommendations isn’t to ‘solve’ a problem – security is not something in need of a solution but rather gradual process improvements. Proliferation in cybersecurity is a low-cost activity for attackers right now but policymakers can do more to change that. 
-----------------

1 For more on the recent notPetya wiper, see: https://lawfareblog.com/ransomware-remixed-song-remains-same
2 Portions of this article will appear as a chapter in the upcoming Springer volume, “Cyber Weaponry: Issues and Implications of Digital Arms”
3 For more on this, see: Countering the Proliferation of Malware: Targeting the Vulnerability Life Cycle - http://www.belfercenter.org/sites/default/files/files/publication/CounteringProliferationofMalware.pdf



About the Author

Trey Herr

Trey Herr, Ph.D, is a postdoctoral fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. His work focuses on trends in state developed malicious software, the structure of criminal markets for malware components, and the proliferation of malware. Trey is co-editor of Cyber Insecurity — Navigating the Perils of the Next Information Age, an edited volume on cybersecurity policy, and is a non-resident fellow with New America's Cybersecurity Initiative. He previously worked with the Department of Defense to develop a risk assessment methodology for information security threats. He holds a Ph.D. and M.A. in Political Science from George Washington University and a B.S. in Theatre and Political Science from Northwestern University.




Photo credit:  "Malware" from infosecinstitute.com

Cyber Making Waves: The Need for Maritime Cyber Security Frameworks

posted Jul 23, 2017, 4:41 PM by James Caroland   [ updated Sep 11, 2017, 12:33 PM ]

By Ian W. Gray    

90% of the world’s goods are shipped via the oceans on over 51,000 merchant ships belonging to multiple different countries.  For the last several years, the International Maritime Organization (IMO), a specialized agency of the United Nations concerned with the safety and security of international shipping, has been discussing the possible implications of cyber-attacks to global commerce. This has been prompted by multiple developments within the Maritime Industry. As ships, port terminals and businesses become more interconnected, they also risk becoming more vulnerable to cyber intrusions and possible attacks.  However, the maritime industry has not had a significant cyber incident that could help quantify the possible losses, until recently. 

In June 2016, the IMO published Interim Guidelines on Maritime Cyber Risk Management (MSC.1/Circ.1526) with the intent to provide a risk management framework and prevent large-scale cyber-attacks that could potentially endanger lives, affect the availability of network based shipping systems, or stall global trade.  These threats manifested themselves on June 27, 2017 when A.P. Moller-Maersk was affected by a strain of ransomware dubbed “Petya.”

Petya Ransomware
The Petya ransomware exploited the same Microsoft Windows vulnerability (Eternal Blue) as the WannaCry ransomware strain that infected thousands of computers in May 2017.  That ransomware spread through a vulnerability that had been patched, but the patch was unavailable for unsupported versions of Windows.  The attack was likely not targeted towards Maersk, spreading throughout organizations with operating systems that are beyond their lifecycle. 

The ransomware spread through a file-sharing bug that affected organizations around the world, encrypting hard drives and halting critical business operations.  Petya had a similar effect on the Danish shipping company, forcing them to shut down systems to contain the attack.  Though Maersk’s ships were able to safely maneuver, Maersk’s APM Terminal units, which serve 76 port and terminal facilities in 59 countries, were unable to load or unload cargo in select sites around the globe.  Several major ports were impacted, including the Port of Los Angeles, Port Elizabeth in New Jersey, and the Jawaharlal Nehru Port Trust near Mumbai, affecting their ability to clear cargo.

Port Terminal

The attack came just days after the Maritime Safety Committee (MSC) 98 meeting in June 2017 where a paper (MSC 98/5/2) proposed making cyber risk management onboard ships mandatory, where previously the International Union of Marine Insurance made these requirements voluntary.  The guidelines for these risk assessments were developed by shipowner associations and classification societies such as the Baltic and International Maritime Council (BIMCO), the International Chamber of Shipping (ICS), Intertanko, Intercargo and Cruise Lines International Association (CLIA).  These organizations exist to maintain standards throughout the maritime industry, among international stakeholders and governmental organs like the IMO. 

The cyber risk management proposal arrives as the shipping industry is leaning heavily towards digitization and automation.  In May 2017, Maersk published a statement announcing that they were partnering with IBM to digitize their administrative processes and transactions with blockchain technology.  The blockchain will help track shipments around the world through a universal ledger and transition to a paperless system that will keep a reliable and secure record of shipping transactions. 

Other partnerships with companies like Microsoft similarly promise to streamline supply-chain management and lower operational costs through data science.  Additionally, several shipping companies are beginning to test autonomous operations onboard ships to increase safety and efficiency.  Such autonomous systems would likely include cargo handling and navigation, while the drive to lower operational costs could possibly automate the entire shipping process.

Shipping Containers

While the industry is developing in a direction that will likely increase efficiency and decrease costs, the necessary safeguards to protect these automated systems are not fully realized.  The Petya ransomware illustrated the potential effect of a cyber-attack on a major shipping company and port terminals.  The attack could have been far more severe, affecting navigation or engineering systems on merchant ships with possible threat to human life or the environment. 

If ship owners begin to take accountability for cyber security, the industry is likely to progress towards a less vulnerable state. The cost and initiatives to harden their digital infrastructure will take a considerable amount of time and resources. These actions will require, at the least, significant threat modeling to include additional measures like penetration testing, table-top exercises, and periodic audits.  The progressive move towards an automated and digitized shipping infrastructure increases the urgency of these corrective actions, as existing vulnerabilities could be exploited by attackers for financial gain or strategic objectives.

The proposal (MSC 98/5/2) for the MSC 98 advocated for ships to identify cyber risks and implement safeguards.  MSC.428(98) additionally recommended that cyber safeguards take effect under the International Safety Management (ISM) Code, with a deadline of 1 January 2021.  Owners risk having their ships detained if they fail to meet the ISM standards for cyber risk.  However, the potential for a cyber-attack on these ships could also prevent them from safely pulling into port. 

Navigation System

While there have been previous incidents of cyber-attacks on merchant shipping, whether targeted or proof-of-concept, the Petya ransomware illustrates the potentially large effect of a piece of ransomware. The 1 January 2021 date is a practical deadline for ship owners to implement cyber risk management frameworks; however, it is currently unclear if existing cyber practices can meet the rapid pace of new technology onboard ships.  The shipping industry will have an uphill battle to implement safeguards and identify methods to assess vulnerabilities.  The consequences of failure to meet these standards could affect not only the ship owner, but global commerce.  

Nearly a week after the initial attack, Maersk resumed normal port operations.  The shipping company has not yet assessed the financial damage of the cyber incident, though it significantly affected its ability to load and unload cargo.  Multiple bookings had to be cancelled, and Maersk needs to deal with settlements and liability issues with individual shippers. However the cyber incident is quantified, ultimately the effects were felt throughout the world. This attack has created a sense of urgency to implement new controls, and hopefully they can be met before the 2021 deadline. 


About the Author

Ian W. Gray


Ian W. Gray is a senior intelligence analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime.  Ian is also a military reservist with extensive knowledge of the maritime domain and regional expertise of the Middle East, Europe, and South America.







Disclaimer:  Any views expressed within this report are solely the author's and not reflective of nor endorsed by any organization with which he is affiliated.

Photo credits:  All photos within article from Wikipedia Commons


Knockout by Cyber Strike – Fighting Like It’s 1989

posted Jul 1, 2017, 8:03 PM by Clara Bayne   [ updated Jul 3, 2017, 6:07 PM by James Caroland ]

By John Dobrydney


The “Pearl Harbor” metaphor for a successful cyber strike against the United States is an apt one and provides a vehicle for the discussion of initial post-strike reactions and actions, and for suggested policy improvements aimed at deterring crippling attacks. Cyber attacks capable of exploiting critical vulnerabilities, such as the United States government’s and commercial sector’s excessive operational dependence on interconnected computer networks, are exceptionally problematic to deter and, once an attack has occurred, to answer with an appropriate response strategy. Therefore, this paper proposes the following hypothetical: A presumed nation-state launched a cyber strike against the United States, which successfully destroyed its cyber and networking capabilities, thereby rolling back the nation’s ability to wage war as if it were 1989. 


The hypothetical calls for several assumptions. The adversary will attempt a non-attribution attack to obscure the strike initiator and reduce the probability of counterattack. Kinetic or non-kinetic retaliation will be extremely difficult if the United States cannot categorically state who launched the attack and, likewise, other nations will be reluctant to use or condone military force for the same reason. The adversary will also count on the attack causing maximum damage while still remaining beneath the threshold for war. This is, in any event, a challenging response for the United States, as there is no precedent for war in response to a cyber attack.


The United States will be most vulnerable to physical attack in the immediate chaos and confusion following a cyber strike. Since so much of the United States military’s advantage is rooted in its highly networked command and control systems, a cyber strike will curtail its ability to conduct highly synchronized, well-planned operations or rely on technically advanced intelligence, surveillance, and reconnaissance (ISR) assets. Logistics planning and execution will rapidly lose synchronization, and commanders will quickly lose visibility on what resources they have, where they have them, and their material condition. One can assume that information stored in the “cloud” or on servers connected to the Internet will be corrupt until proven otherwise, or will not be available if the strike destroyed the storage point or the means to access it. Rarely is information stored in anything other than digital form, so information recall in support of operations and planning will be limited.           


A paralyzing cyber strike will affect all elements of national power. Diplomatically, the United States will be in a weakened position because it failed to deter the cyber strike, and this position will only be exacerbated if the U.S. cannot attribute the attack or find a way to answer - either in kind or via some other means. International solidarity may waver if there is no convincing cause to rally around.


Exceptionally strong leadership coupled with a messaging campaign signaling resolve and resilience will calm public reaction and focus the American people and the international community on solving the problems at hand. This will be challenging, as the normal modes of broadcast communication largely rely on the Internet. Use of newsprint, radio, town hall meetings, and other creative methods will have to suffice until system administrators restore Internet capabilities. Leaders from government and industry will need to cooperate on a way ahead considering both sectors rely on the same Internet for their critical services. This united front requires communication to and support from the public during the initial chaos, and follow-on Internet restoration and potential retribution against the attackers. 


The United States would be militarily correct to assume that a kinetic attack would most likely follow a crippling cyber strike. Quickly raising defense conditions, possibly even considering a nuclear response if “the sleeping giant” deemed it necessary, would signal that it is taking the cyber attack most seriously. Disasters such as Pearl Harbor in 1941 and 9/11 have shown that the American people “won’t abandon any involvement” but will become “drawn in” and will want to see a tangible response.1


Military power relies heavily on cyber assets to provide it with its informational advantage over a wide range of adversaries and capabilities. Joint Publication 3-13 defines information superiority as “the ability to collect, process, and disseminate an uninterrupted flow of information while exploiting and/or denying an adversary’s ability to do the same.”2 David Albert highlights the competitiveness in information gathering: “Information Superiority in military operations is a state that is achieved when competitive advantage is derived from the ability to exploit a superior information position. In military operations this superior information position is, in part, gained from information operations that protect our ability to collect, process, and disseminate an uninterrupted flow of information while exploiting and/or denying an adversary’s ability to do the same.”3 Destruction of the DoD Information Network in a cyber strike means that surface, sub-surface, land, air, and space sensors cannot communicate with each other to provide shared battlespace understanding. This lack of sensor information denies the United States the superior informational position necessary to exploit higher tempo operations or to negate an adversary’s quantitative or even qualitative advantage. In short, an asymmetric cyber attack will level the information playing field by defeating its underlying physical network.     


The economic disaster following such a strike will perhaps be the worst tangible effect, as it will cause a cascading global financial meltdown. Cyber attack targets will most likely include financial networks on Wall Street and institutions in other locations, as they are historically soft targets. They are an easy asymmetric attack that will greatly degrade US strategic strength and will instill fear in the populace via a very tangible plunging Dow Jones, decreasing 401(k) balances, and the pronouncements and reminders of a 24-hour media cycle. At best, the strike would cause a short-term lack of access to financial information, causing a recoverable ‘hiccup’ in the system. At worst, corrupted or lost data will lead to a data integrity problem and long-term financial market chaos. Firms will not know what they own, what they sold, or the value of what they hold on their books. To the extent that they can, investors will naturally sell off their stocks and bonds and subsequently tank the economy as fear and increasing uncertainty set in. Moreover, the dollar will lose value, possibly kicking off a cascading global financial collapse. 


One “benefit” of the Internet’s interconnectedness is that most nation states capable of a significant cyber strike on the United States have a stake in the interconnected global economy. Much like the global meltdown caused by the housing mortgage crash in 2007, the effects of a severe economic attack on the United States will cascade across the world and will, most likely, affect the nation that either launched or supported the cyber attack. However, as history has shown, the market will rebound and the United States’ economic capacity is amazingly resilient. Congressional research following 9/11 showed that “the loss of lives and property on 9/11 was not large enough to have had a measurable effect on the productive capacity of the United States” and that “the overall economic impacts of the 9/11 attacks were even lower than initially estimated, indicating that the United States economy is more resilient in the face of disaster and intentional attack than commonly assumed.”4 It might be the case then that any country capable of launching a successful cyber strike against the United States will not be able to escape the metaphorical blast pattern and will only succeed in harming itself.


Joint Publication 1 both notes that cyberspace resides in the physical domain, and defines it as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures including the Internet, telecommunications, networks, computer systems, and embedded processors and controllers.”5 The physical domain supports information creation, storage, and transfer and is the physical network upon which the more familiar informational dimension, the World Wide Web, depends. Cyber is globally interconnected and ubiquitous; it supports the four elements of national power, all military warfighting domains, as well as virtually every global commercial process. Therefore, an attack causing a cyber-service disruption will have a noticeable impact of varying degrees depending on the level of connectedness to the point of attack.

 

At its conception, the Internet’s designers never considered how their creation might evolve into the phenomenon it is today. A small group of academics designed the ARPANET in 1969, in part, to provide an alternate communications path in the event that a nuclear attack disrupted primary communication routes. An ARPANET spinoff produced a rudimentary network that allowed academics to share their findings amongst participating United States universities. Membership was small, and a shared professional ethic disallowed foul play. As such, the system expanded without considering explicit security controls. Over the years, and with a desire to push new technology, the network expanded with the invention of the web browser to provide everyday users with access to the World Wide Web. Coupled with a virtually free telecommunications infrastructure left over from the dot-com boom and bust, the Internet grew virally throughout most industrialized countries. A “virtuous cycle” arose as faster computing power via the Internet led to more business productivity. In turn, greater productivity led to a desire for faster computing power, and so on.6 Security was a minor concern in the design phase; it soon became prohibitively expensive and inhibited business operations when security managers added vulnerability mitigations as an afterthought.


Securing the Internet is largely a contest of measure and countermeasure. The inherent flaws and vulnerabilities in computer hardware, software, and in the users who operate and administer networks give both the initiative and the easier task to the offense. Any defense must be 100% foolproof, whereas an attacker needs only a single penetration to conduct whatever malicious activity he has planned. The defender requires skills in areas as diverse as preventing physical access to servers and routing hardware; preventing “social engineering” whereby an attacker deceives a user by phone, email, or in person to gain restricted network access; detecting malware injection via phishing scams; applying supply chain risk management, which seeks to secure the end-to-end supply chain; ensuring proper encryption use; ensuring new hardware and software versions do not introduce new vulnerabilities; and implementing cyber security controls properly so they do not introduce their own new vulnerabilities. Adding to a defender’s problems is the fact that skilled attackers can hide their presence, which causes delay in attribution and response. Given enough time and resources (e.g., state sponsorship, education, and, ironically, Internet-provided information), the offensive has the upper hand.


Strategic actions and responses following a “Cyber Pearl Harbor” would be similar to the bold and unorthodox responses following the 1941 Pearl Harbor attack. In the aftermath following that attack, the United States found its strategy for countering and destroying Japanese aggression in the Pacific suddenly unfeasible, its means sidelined until repairs and new ships came online, and its confidence severely shaken.7 The attack sidelined the mobile fighting strength in the Pacific, its battleships, until the United States could shift to a wartime economy to reinforce remaining strength and support strategic ends. Fortunately, the remaining perceived American military strength deterred the Japanese from following through with a second strike on Pearl Harbor to destroy oil farms, shipyard facilities, and submarines. This gave the United States time to “catch breath, restore morale, and rebuild forces.”8 Driven by events, submarines and naval aviation took center stage following Chief of Naval Operations Admiral Stark’s order six hours after the Pearl Harbor attack: “Execute unrestricted air and submarine warfare against Japan.”9


The Pearl Harbor attack in 1941 and a Cyber Pearl Harbor attack in present times suggest several strategic parallels. Initial deterrence did not work, but for various reasons, Japan did not press its advantage. This point leads to another. Intelligence in late 1941 lost track of the Japanese carrier divisions and was unable to detect preparations and movements. It is far more foreseeable today that the United States would use its extensive ISR capability and the analytical capabilities within the intelligence community to detect preparations for an attack large enough to follow an initial cyber strike. For an adversary to wait and make preparations following a cyber strike would not only be a race against who can mobilize fast enough for decisive results but would also forfeit the element of surprise, one of the advantages afforded by a crippling cyber strike. No one, then or now, can match the United States’ economic might. It would be prudent for an adversary to either launch a non-attributable cyber attack against the United States and then maintain normal operations or continue to cripple the United States with an electromagnetic pulse set off by nuclear weapons as a quick follow-up that needs little preparation time. Otherwise, the United States, as historically shown, will rapidly use overwhelming force.


The 1941 attack greatly changed the conduct of the Pacific war; likewise, a crippling cyber strike would change the conduct of a potential follow-on war.10 War Plan Orange called for the battle line and supporting ships to steam west in defense of the Philippines and other United States territories in a climactic showdown with the Imperial Japanese Navy. December 7, 1941, obsoleted that line of thinking. Regardless, the new Commander-in-Chief of Pacific Fleet, Admiral Nimitz, a submariner by trade, had to use what he had at hand to defend Hawaii and the west coast of the continental United States, to conserve his fighting force for the long road to Tokyo, and to rebuild the destroyed fleet he inherited. Forced to center stage by events, the unscathed submarine force and naval aviation assumed starring roles in an initial strategic defense and later, an offense of the Pacific. In today’s context, a cyber strike will force Joint Force Commanders to use what they have at hand and will need the flexibility required to either revise or develop a new strategy that does not initially rely on information superiority until the United States can restore its networks and cyber capabilities. The technology, United States workforce, and economic potential would still exist, so it will be possible to rebuild the networks and capabilities over time. Small intranets firewalled from or not connected to the Internet during the cyber strike could still operate and provide rudimentary services and access to the network’s information. In the interim, strategists may determine that the Internet and the current command and control model have been more of a hindrance to effective operations and by necessity in extremis may find another way to solve the problem, similar to aviation and submarines displacing battleships. For example, there has been much discussion on dispersion and swarming tactics that rely on decentralized decision making with only a generalized higher headquarters intent. Perhaps with today’s advances in HF/VHF/UHF radio technology, units can adopt such methodology and still retain agility and flexibility, while higher headquarters make do with far less information and decision-making authority.


Given the United States’ excessive operational dependence on its networks, a strategy to both deter a crippling cyber strike against the United States and to maintain a minimum level of operational capability, should such an attack occur, is called for. Deterrence must be real and tangible, and thought of as a “…psychological relationship; the goal is to shape an opponent’s perceptions, expectations, and ultimately its decisions about launching an attack. Thus, deterrence requires an ‘opponent’ who is thinking, or might readily think of attacking. Ideally deterrence short-circuits that thinking…making it a deliberately contrived relationship with an opponent.”11 Further, “deterrence is not only used to prevent attacks and war via threats of harm. It is often used via attacks and war, that is, deterrence by doing harm.”12


International informational and diplomatic signals that state that nations who engage in certain levels of cyber attacks will suffer tangible repercussions can be a powerful deterrent. Nuclear deterrence during the Cold War provides a precedent. Nations that used nuclear weapons could expect a nuclear response per the Mutual Assured Destruction policy. Capabilities assigned the mission of responding to a cyber strike must remain untouchable from the cyber domain, else the deterrent effect is lost and those forces would be susceptible to the same cyber threats as any other network user.


The remaining problem is attribution. While greater emphasis and capabilities are required to determine an attack’s point of origin, the United States should make it clear that the time delay common in determining attribution will not have an attached statute of limitations. Deterring a crippling nation-state cyber strike depends on adversaries absolutely knowing that a coalition of wide-ranging resources will identify them, and that overwhelming harm will soon follow.


In case deterrence fails to stop a cyber strike, the United States must have a strategy of decentralization, resilience, and rapid healing. A good form of defense is to make the offense’s capabilities irrelevant. In the case of the Internet in its current form, it will always have exploitable vulnerabilities; therefore, networks will always be under varying levels of attack whether by state-employed experienced hackers, amateur “script kiddies,” or something in between. The goal should be to stay a few steps ahead of the attackers and maintain a level of survivability such that the command and control structure can still function, albeit in a restricted fashion. Decentralized network control is an effective method to rapidly respond to network attacks and prevent such attacks from propagating through the network. Users must know the role they need to play: “Disaster researchers have shown that victims are often themselves the first responders and that centralized, hierarchical, bureaucratic responses can hamper their ability to respond in the decentralized, self-organized manner that has often proved to be more effective.”13


Resilience and rapid healing apply not only to the physical network itself but also to the infrastructure, agencies, and processes operating the network.14 One characteristic of a well-designed communications network is that operators can expect a certain percentage of degradation and faults, and overall network operation will not suffer. If the primary route fails, then alternate routes are available during the time it takes to repair the primary. Well-designed networks require planning, constant attention to network operations, and well thought out policy that takes network failures into account. Failure recovery becomes a part of normal operations. Likewise, users who depend on communications networks for their operations must develop their own means of resiliency in case of network degradation, or even destruction following a cyber strike. Recalling the lessons of Pearl Harbor, resilience calls for an open mind, broad experience, and a willingness to innovate and take risks on unorthodox concepts. Designing a more resilient stock market, banking infrastructure, news media, government, and logistics organization that can operate with degraded or no Internet access will mitigate the effects of a potentially crippling cyber strike, and will ensure that organizations and users are better able to operate in a degraded environment. These social networks must have the same rapid healing characteristics as the physical network and must be part of normal operations. Increased resiliency in not only the physical network but also in the social networks, coupled with decentralized authority to take appropriate action with minimal communications capabilities, will reduce critical United States networking vulnerabilities, complement primary cyber deterrence means, and enable the United States to continue to execute its national security strategy with today’s capabilities.15

 


About the Author

A Marine Communications Officer, Lieutenant Colonel John Dobrydney is an experienced cybersecurity and network operations planner. He recently served as the Commanding Officer of Marine Wing Communications Squadron – 18, the Executive Officer of 7th Communication Battalion, the Network Operations Officer for the III MEF G6, and served as the Enterprise Information Assurance Branch Head at Headquarters, Marine Corps C4 Directorate. He currently serves as the Cybersecurity Division Chief, Joint Staff J6. Lieutenant Colonel Dobrydney has a Masters of Security Studies from the Marine Corps War College and a Master of Science in IT Management from the Naval Postgraduate School.

 

 

End Notes

1. Sean Lawson, “Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History,” Mercatus Center at George Mason University, 2011, http://mercatus.org/sites/default/files/publication/beyond-cyber-doom-cyber-attack-scenarios-evidence-history_1.pdf.

2. David S. Alberts, John J. Garstka, and Frederick P. Stein, Network Centric Warfare, (Washington, DC: CCRP Press, 2003), 54.

3. Sean Lawson, “Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History,” Mercatus Center at George Mason University, 2011, http://mercatus.org/sites/default/files/publication/beyond-cyber-doom-cyber-attack-scenarios-evidence-history_1.pdf.

4. David S. Alberts, John J. Garstka, and Frederick P. Stein, Network Centric Warfare, (Washington, DC: CCRP Press, 2003), 54.

5. Joint Chiefs of Staff, Joint Publication 1, Washington, DC: DOD, 2009. P. I-7.

6. David Carey and John E. Morris, King of Capital, (New York: Crown Business, 2012), 149.

7. Gordon Prange, At Dawn We Slept, (New York: Penguin Books, 1991), 582.

8. Ibid.

9. United States, ed., How We Fight: Handbook for the Naval Warfighter (Washington, D.C.: U.S. Government Printing Office, 2015).

10. Alan D. Zimm, Attack on Pearl Harbor, (Philadelphia: Casemate, 2011), 385.

11. National Research Council (U.S.) et al., Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington, D.C.: National Academies Press, 2010), http://site.ebrary.com/id/10425159.

12. Ibid.

13. Sean Lawson, “Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History,” Mercatus Center at George Mason University, 2011, http://mercatus.org/sites/default/files/publication/beyond-cyber-doom-cyber-attack-scenarios-evidence-history_1.pdf.

14. Ibid.

15. Ibid.


Photo credits (in order of appearance):  salon.com, TELEGRID, forbes.com, TruthHugger.com, History of Domain Names, navy.com, linkedin.com, LinkedIn

Developing a Strategy for Cyber Conflict

posted Jun 22, 2017, 12:48 AM by Clara Bayne   [ updated Jul 3, 2017, 6:06 PM by James Caroland ]

By Arnold J. Abraham, Institute for Defense Analyses


Introduction

History teaches the importance of developing the right strategy to adapt to a changing situation on the world stage. At the dawn of the last century, a significant shift in the global balance of power began to emerge. Germany’s power was rising, but it still faced significant rivals on both her Eastern and Western borders. The Schlieffen Plan was developed as a strategy to meet this challenge and was put to the test in World War I. The strategy called for Germany to leverage its military and infrastructure strengths to rapidly mobilize and concentrate forces to quickly defeat the French army on one front before shifting east to face the Russians. The strategy failed and the results were catastrophic. Almost ten million soldiers died in that war, far exceeding any conflict to date, and the unresolved struggle soon led to another war, which was even more devastating.


Now, in the early 21st century, the United States is the sole global superpower, but new concerns require non-linear extrapolation to develop a strategy to overcome current and future adversaries. In particular, the emergence of the cyberspace domain presents unprecedented opportunities and challenges for national security. Nations around the world have begun to recognize the significance of this dynamic, but the United States has the most at stake due to its premier position. With this in mind, U.S. Cyber Command is in the process of training and deploying a cyber force. But to optimize that force, the right strategy is needed.


This paper explores the question, “How do we develop the right force optimization strategy for cyber conflict?” It is important to invest time and effort to work through the concepts because the stakes are enormous. The first issue to address is the significance of conflict in cyberspace, not just as an aspect in the evolution of modern warfare, but as an integral element of today’s society and world. Within this context, optimal approaches for conducting cyber warfare are explored, including the best ways to posture and utilize the cyber force. Ultimately, a risk management approach is proposed to allow for leverage against many unknown factors. In the absence of hard-earned lessons learned through full-scale conflicts, simulation, exercises, and war games become the vital ingredients for developing successful strategies. But these tools can only go so far—the objective strategy may require a significant restructuring and rebalancing effort. The scale of the change seems daunting, but as cyber conflict transcends military conflict, the change should be dealt with in a revolutionary manner that does not underestimate the growing importance of cyberspace in global affairs. 

What is Strategy? 

Why bother to discuss strategy after the April 2015 publication of the Department of Defense Cyber Strategy to guide the development of DoD’s cyber forces and strengthen its cyber defense and cyber deterrence posture? That document did an excellent job of describing the drivers behind the need for a strategy and articulated a set of five strategic goals and over a dozen detailed objectives. However, it is better characterized as a “strategic implementation plan” rather than a strategy itself. It is a good roadmap, but one based on the assumption of a known objective end state. Alternatively, this paper calls for an examination of underlying premises because even the best map cannot be used to chart a path if one is not yet sure of the ultimate destination or method of travel.

Developing a Strategy is the art of balancing Ends, Ways, and Means against Risks. Ends are the objectives (what is to be achieved), Ways are the courses of action or methods (how and when are the available tools used to get the job done), and Means are the resources (what tools are to be acquired and used). Assessing Risk involves recognizing the Strengths and Weaknesses and the Opportunities and Threats presented by the environment and the actors. Unfortunately, U.S. leaders sometimes overlook the importance of using this model to develop optimal strategies. Instead, over-reliance on superior technology and greater resources is seen as the path to victory. When it comes to Cyber Strategy, these advantages are no longer determinative, and thus pressure is building for a more astute approach.

What is the significance of cyber conflict in modern warfare and society?

For much of human history, nations fought over control of territory. Fertile land, rich mineral deposits, navigable rivers, and safe harbors were the early prizes that eventually evolved into vital industrial and population centers. Land and sea forces were the predominant means to seize and maintain these objectives. As technology advanced, control of the airspace became an important contributor to determining the outcome of battle. Similarly, the automation of command and control mechanisms added the potential for actions in the cyberspace domain to affect conflicts between air, land, sea, and space forces. But cyber power now also offers a potential approach to conflict independent of military engagement in the traditional air, land, maritime, and space domains.

Where will the most significant struggles play out for dominance in the cyberspace domain?

Virtually all modern battlefield weapon systems have some connection to cyberspace. This means existing arsenals of air, land, and naval weapons themselves represent potential direct targets in cyber conflict at the tactical level. Similarly, administrative, logistical, and other support networks essential to conducting military operations are reliant on cyberspace and therefore are potentially vulnerable to cyber attacks as part of theater-wide campaigns. Finally, critical civilian national infrastructures that provide the foundations for military force projection now also have cyber vulnerabilities that can be exploited at the strategic level. Thus, cyberspace operations must take place at the tactical, operational, and strategic levels of conflict.

The ability of cyber power to be applied across all levels of war has led several strategists to consider the development of airpower as an analogy. Aircraft offer a similar range of options, starting with air-to-air or air-to-ground engagements (e.g., dogfights, tank plinking), moving up to targeting military installations (e.g., airfields, logistics depots), and finally to directly disrupting strategic infrastructures (e.g., petroleum-oil-lubricants and ball bearing plants). As airpower developed, significant debate ensued as to where along this spectrum it would be most effective. Even after more than 100 years of using airpower, the debate continues. A similar debate has begun on the application of cyber power. However, instead of expecting a definitive answer, the lesson to be applied from the airpower analogy is that we must be prepared to use cyber power across each level of war from the tactical to strategic.

The cyberspace domain is more than the newest realm for extending traditional military conflict to achieve military ends. The pervasive nature of cyberspace in modern society has led to challenges beyond those that typically fall within the purview of a military force. First, the age-old struggle between the concepts of freedom of information/transparency versus personal privacy has been amplified significantly through the emergence of cyberspace. Second, the entire global economy is increasingly intermeshed with cyberspace, and the competition for information advantage has become an essential ingredient of private sector profitability. The cyberspace domain has become an integral part of modernity. Given this unique dynamic, the airpower analogy falls short when trying to extend lessons beyond the military dimension. Instead, we must look to other models.

Deterrence and Cyber Conflict 

The theory of deterrence, which is as old as war itself, has been applied with varying degrees of success to avoid conflict entirely or discourage use of particular weapons and attack techniques. During the Cold War, much thought went into nuclear deterrence theory in an attempt to grapple with the extreme consequences of atomic weapons. The “Wizards of Armageddon” developed concepts such as the strategic triad, massive retaliation, and mutually assured destruction, which became part of national strategy.

The potential to apply deterrence to cyber conflict has garnered interest, and “deterrence of cyberattacks” is discussed in the DoD Cyber Strategy. However, much work remains to be done, starting with determining what goal is really being sought. Is this a version of “cyber arms control” or “de-escalation?” Or does the United States seek to retain freedom of action to use cyber power as it deems necessary while restricting any potential adversary’s range of options? Answering these questions requires first figuring out our strategic concept for the use of cyber power.

Additionally, deterrence requires predictable actors whose decisions can be influenced through the right combination of words and deeds targeted to affect their interests. This is particularly challenging for future cyber conflict, which may include unpredictable and radical non-state actors, some of which remain unidentified, while others may not yet exist. Thus, discussion of cyber deterrence should be pursued within the context of developing an overarching strategy for cyber conflict – the optimal mix of “ends,” “ways,” and “means.”

What will the primary nature of future cyberspace struggles involve? What are the “Ends” we should strive to achieve?

Military. As noted above, conflict in cyberspace can have multiple dimensions. First, there is the application of cyber operations as a component of military power to enable, supplement, or replace use of other capabilities. This can be done through either force-on-force attacks or by directly attacking other military targets. As cyber weapons mature and proliferate, these types of attacks will likely become a standard part of military conflicts. Providing information assurance for conventional weapon platforms will be as vital as providing an air defense umbrella for land and sea forces and rear areas. The ability to disrupt an adversary’s weapon platforms through cyber-attack will also be a valuable tool, but possibly less vital in most cases due to the availability of existing kinetic options to service the same potential targets. Cyber-attack options will be most valuable when political considerations constrain the use of traditional military force. Although the application of cyber power can lead to casualties and physical destruction, there is also the potential to launch attacks whose effects are intentionally limited to being non-kinetic, temporary, reversible, or all three, and that may be more suitable for the early stages of an international crisis. On the other end of the scale, military cyber-attacks may provide the only feasible means to penetrate hard targets without paying too high a price in terms of friendly force attrition against heightened physical defenses. However, to date, no direct cyber casualties have been recorded.

Intelligence/Counterintelligence. While cyber power will grow to be a significant complement to kinetic force application during military conflict, it will have even greater roles in other areas as evidenced by recent events. Cyber capabilities have already radically altered the landscape for intelligence and counterintelligence. The amount of digitized information far exceeds what has previously been available, and the center of gravity for the intelligence world has already shifted to the cyberspace domain. If a nation wishes to keep its secrets, it must first provide adequate security for its networks. A single insider with wide network access can wreak havoc, as has been demonstrated on more than one occasion (e.g., Snowden, Manning). On the other end of the spectrum, a determined power can develop remote accesses that lead to transfers of valuable information on an unprecedented scale. In 2012, General Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command, described the loss of industrial information and intellectual property through cyber espionage as the “greatest transfer of wealth in history.” Thus, conventional weapon platforms may still dominate current and future military conflicts, but the tide has already turned in the world of espionage and the role of cyber power within it.

Homeland Security. Homeland security is another area of which cyber power has become a crucial component. Critical civilian infrastructures in sectors such as power, transportation, banking, and communications increasingly rely on cyberspace components. The increased efficiency of the advances has benefited society, but it comes with a price that has not yet been fully realized. A whole new class of vulnerabilities exists, which requires attention beyond the physical protective measures we have traditionally relied on to remain secure. Further, unlike in the physical world, the potential to exploit those vulnerabilities is not limited to those actors in close proximity to the facilities. This is a particularly irksome challenge for the United States to face after having enjoyed the buffer of its oceans for two centuries. Hostile actors from anywhere across the planet now represent a direct potential threat. Such actors may have no affiliation with foreign militaries or intelligence services. They may not even be part of any recognized terrorist organization and could remain “under the radar” from the perspective of traditional geopolitical security interests.


Law Enforcement. On a day-to-day basis, law enforcement is the one area that has been affected by the cyberspace domain even more notably than espionage or homeland security. The vast majority of cybersecurity incidents are not traced back to foreign military forces, intelligence agents, or terrorists—they are simple criminal acts, often committed by low-level perpetrators, including some who may not even have malign intentions. Hackers are everywhere today, ranging from the teenage lone-wolf script kiddies in competition for bragging rights to international criminal syndicates organizing multimillion-dollar embezzlement schemes. This ubiquitous challenge is complicated by the fact that the technical signatures of malicious cyber activity are often hard to distinguish when first detected (if they are detected at all). This means that activity appearing to be a criminal breach may ultimately be traced to state-sponsored action with political or military motives. While national security concerns continue to grow, the predominant cyber threat to guard against today remains criminal activity, which now costs the global economy over $400 billion per year.

Regulation. The final area for consideration is the most mundane and most removed from the high-adrenalin crisis-oriented world of military conflict. In fact, the greatest risks and destructive impacts within the cyberspace domain to date have been crises that neither the military nor homeland security or law enforcement forces could prevent. Instead, the greatest damage has been due to inadvertent technical failures, which are more akin to acts of nature and natural disasters than acts of a determined adversary. These threats are best addressed by regulation and safety measures. The most prominent example was the self-inflicted wound of “Y2K” and subsequent remediation, which cost over $300 billion worldwide. Industry generally rails against government regulation of cyberspace, but as the risks to public safety grow, the role of regulation and oversight will inevitably increase. Cybersecurity managers will eventually find solace in regulations that help to define standards of due care considered by the courts to determine liability with some predictability. The traffic safety model offers an analogy of where things may be headed in cyberspace. Before the automobile, anyone with the physical ability and resources could ride a horse with little interference from the government. As the automobile became prevalent, an entire regulatory scheme and supporting infrastructure evolved to ensure safe transit (speed limits, traffic lights, highway guard-rails, vehicle registration, license plates, driver’s licenses, mandatory insurance, etc.). Unfettered access by any and all to the “information super-highway” may soon become a risk society can no longer afford. How to manage that risk through optimal regulatory means and enforcement mechanisms may be the most daunting cyberspace challenge faced by the government.

What are the optimal organizational approaches (i.e., the “Means”) to help achieve and maintain dominance in cyberspace?

While some conflicts between nations consist primarily of military contests, it is clear that the struggle for dominance in cyberspace involves multiple axes of effort as noted above. Given the widely varied nature of the threats faced in the cyberspace domain, the question of how to best posture our capabilities becomes crucial. Defending the network on one day may mean blocking hostile attempts to overload a system with denial of service traffic, but on the next day, it could require enforcing maintenance of a firewall standard on a private company’s server. It could involve discovering and countering malware implanted in critical platforms, or strikes against the source of such attacks to cut off their command and control. Cyber threats continue to evolve and escalate at a pace beyond what we are used to in the physical domain. The struggle for dominance in cyberspace will require a versatile force that can operate within and across the variety of challenges found in the military, homeland security, intelligence, law enforcement, and regulatory realms.

Can existing structures be adapted to meet the new challenges? Currently, the bulk of the U.S. Government’s cyber resources reside within the Department of Defense (DoD), including the National Security Agency, U.S. Cyber Command and Cyber Command’s Service Components. The Federal Bureau of Investigation, the Central Intelligence Agency, and Department of Homeland Security (DHS) also have key roles. However, none of these elements have the complete range of authorities and capabilities to deal with the full scope of the challenge. The Commander of U.S. Cyber Command, Admiral Mike Rogers, recognized this reality when he described cyber as “the ultimate team sport” because no one organization has all the answers or the capability to solve all problems.
 

Bolstering any one of the existing elements, a combination of them, or even all of them will still fail to address the seams and inherent frictions of interagency bureaucracy. But there is no need to accept the status quo and rely on virtual “pick-up” teams drawn from across a sprawling network of independent agencies. Instead of trying to wedge cyberspace into the existing apparatus, a new model should be explored. Cyberspace presents many new and unique challenges, but this is not the first time that the nation has had to struggle with problems that do not present themselves neatly within current frameworks. Organizations such as the United States Coast Guard, the Merchant Marine, and the Public Health Service provide useful models that could be templates for building a cyber force to address all of the nation’s concerns. Those organizations were formed to fill crucial gaps that once existed, and they continue to provide unique services today.

The Coast Guard is a uniformed, armed military service that resides within the Department of Homeland Security during times of peace, but can operate under the Department of Defense when war is declared, or by direction of the President. Its missions fall within the categories of maritime safety, security, and stewardship. The Coast Guard is the pre-eminent law enforcement authority within its domain. In addition to securing waterways against intrusion by unauthorized personnel or materials, the Coast Guard develops and enforces vessel construction standards and domestic shipping and navigation regulations. To ensure compliance, it reviews and approves plans for ship construction, repair, and alteration, and it routinely inspects vessels, mobile offshore drilling units, and marine facilities for safety. Finally, the Coast Guard provides aids to navigation and search and rescue services that are welcomed by all legitimate mariners. Unlike any other military force, the Coast Guard has a pervasive domestic presence, interacting in an authoritative manner on a day-to-day basis with civilians operating in its domain. The public not only accepts the Coast Guard’s role, but generally embraces and depends on it as a valued partner in maritime pursuits. The cyber force of the future should have a similar ability to transition smoothly from regulatory, to law enforcement, to security functions, adapting to different challenges as they present themselves. Strong relationships with the private sector are likewise essential, because the primary domain for conflict is not a remote battlefield across the globe, but the server farms and databases of companies forming the backbone of the new digital economy. A future “U.S. Cyber Guard” (or an independent “Cyber Agency” or a new cabinet-level “Cyber Department”) could be postured to directly repel attacks on critical infrastructures, aid the private sector and government in remediation efforts or resiliency measures, and help set and enforce day-to-day standards in cybersecurity for issues that impact the nation’s security. The Coast Guard model deserves careful study because, despite the pressing need, the public is not inclined to endorse DoD or the Intelligence Community with the broad responsibilities needed for true effectiveness in cyberspace. Thus, a new organization outside of those elements is needed at the Agency or Department level—independent, yet interdependent. Regardless of what it is called, the new organization must have mixed authorities and responsibilities for cyberspace in a manner similar to those the Coast Guard has in the maritime domain.

Two other important organizations that offer lessons learned are the Merchant Marine and the U.S. Public Health Service. These organizations are relatively minor components of the Federal Government today, but they have rich histories going back to the early days of the United States. They were established outside of the predominant organizations to perform vital niche functions that contribute to national and homeland security. On one end of the spectrum, the U.S. Public Health Service is a small cadre of experienced medical personnel who are commissioned as officers and distributed to serve across numerous federal organizations. Taking the opposite approach, today’s federal component of the Merchant Marine exists only in the form of a training academy that teaches new mariners, who can then work as civilians manning vessels. Following one of these models, a “U.S. Cyber Academy” could be established to train the finest network security engineers, who would then fulfill their federal obligations by serving in key cybersecurity positions for the private sector. In the other model, a “U.S. Cyber Hygiene Service” could be created to manage a cadre of operations experts who would be assigned to work within each federal department to fill key cybersecurity roles.




Merchant Marine – a Model for Integrated Government and Private Sector Cyber Partners

The United States Merchant Marine is a fleet of over 400 U.S.-registered, privately owned civilian merchant vessels that carries imports and exports during peacetime, and that can become a naval auxiliary during wartime to deliver troops and war materiel. The Merchant Marine is complemented by the National Defense Reserve Fleet, which consists of “mothballed” ships that can be activated during national emergencies, either military or non-military, such as commercial shipping crises.

Merchant mariners move cargo and passengers between nations and within the United States, and they operate deep-sea merchant ships, tugboats, towboats, ferries, dredges, excursion vessels, charter boats, and other waterborne craft on the oceans, the Great Lakes, rivers, canals, harbors, and other waterways.

During World War II, the U.S. Government controlled the cargo and the destinations, contracted with private companies to operate the ships, and put guns and armed Navy personnel on board. The U.S. Maritime Service trained the men to operate the ships and assist in manning the guns. Over 240,000 served, and they suffered one of the highest casualty rates of any Service in the war. Today, the uniformed Merchant Maritime Service exists only at the U.S. Merchant Marine Academy, a federal service academy that educates licensed Merchant Marine officers who serve U.S. marine transportation and defense needs in peacetime and war. Graduates are obligated to serve aboard vessels or be commissioned as officers in the military or National Oceanic and Atmospheric Administration Corps.

A cyber equivalent of the Merchant Marine could involve a range of options. To mirror its current form, a U.S. Cyber Academy would provide trained cyber experts who would populate private cybersecurity firms upon graduation, but they would have reserve commissions and be on tap for recall in the event of crises. On the far extreme, significant investments could be made in a dual-purpose cyber infrastructure that would not only aid in commerce but also bolster resiliency and be subject to direct government re-purposing in the event of national need.

U.S. Public Health Service (USPHS) – a Template for National Cyber Hygiene?

The USPHS consists of a uniformed commissioned corps of 6,500 public health professionals who serve within federal agencies such as the National Institutes of Health and the Centers for Disease Control and Prevention. The USPHS provides rapid and effective response to public health needs, leadership in public health practices, and advancement of public health science. USPHS traces its beginnings back to the U.S. Marine Hospital Service, which protected against the spread of disease from sailors returning from foreign ports and screened the health of immigrants entering the country. Today, USPHS officers are involved in health care delivery to underserved and vulnerable populations, disease control and prevention, biomedical research, food and drug regulation, mental health and drug abuse services, and response efforts to natural and man-made disasters as an essential component of the largest public health program in the world.

A cyber equivalent of the USPHS would consist of a new uniformed Cyber Service, separate from the Army, Navy, Air Force, and Marines. Just as when the Air Force was formed, this does not mean every cyber operator would need to be pulled from his or her current home. Instead, the Cyber Service could be a small cadre that focuses on only advanced offensive or defensive cyber operations—and like current USPHS professionals, they could be embedded within other elements of government to aid those organizations.


None of these examples are sufficient to serve as complete solutions, but they highlight the potential for unconventional approaches. It is clear that cyberspace conflict is not just a military issue. A successful strategy begins with recognizing the scope of the problem, and posturing correctly to address the challenge. Whatever form it would take—U.S. Cyber Guard, U.S. Cyber Service, or U.S. Cyber Academy—it cannot be just another element of DoD. Beyond Title 10 warfighting responsibilities, strong law enforcement, regulatory, and intelligence authorities are also needed. A hybrid element bridging both DoD and DHS, like the Coast Guard, holds the most promise to handle the full range of issues.

What are the best “Ways” to strategically posture and operationally utilize the Cyber Mission Force?      

Once the overarching challenges are addressed, there will still be a need for a military cyber force devoted to military missions. The U.S. must first choose whether the cyber force currently under development should become the kernel of a new comprehensive solution or focus solely on the military mission. The former requires significant political advocacy for changes in authorities and organizational structures that are unlikely to materialize without an external catalyst (e.g., a “Cyber Pearl Harbor” or “Cyber 9/11”) to force new thinking. The latter means ceding ground on which most of today’s cyber conflicts and internal controversy reside, but it allows a focus on the military’s traditional spheres of expertise.

A force optimization strategy that confines the Cyber Mission Force to a military focus requires evaluating cyber weapons’ utility as a substitute for or complement to other military capabilities. The key question is whether cyber weapons provide “another arrow in the quiver” or a whole different method of conflict. Do cyber weapons simply provide another means to take out existing priority targets, or do they represent something entirely different—such as the next stage in the evolution of combined arms warfare?

Employing a combination of military techniques to leverage the strengths of particular weapon systems against the weakness of others is a mainstay of modern conflict. This approach, known as “combined arms” (originally conceived to involve infantry, mounted cavalry, and artillery), continues to evolve as technology brings new weapons to the battlefield. Today, military officers are still taught the critical importance of synchronizing attacks through different means to defeat adaptive adversaries.

When applied to airpower, combined arms meant that one could not rely solely on anti-aircraft artillery to defend airspace but also needed the ability to scramble fighters to intercept and engage in air-to-air combat with intruding bombers. In turn, the bombers were given fighter escorts to aid in penetration of enemy defenses.

At sea, a complex network of specialized vessels and aircraft has been developed, including attack submarines, frigates, destroyers, cruisers, and aircraft carriers. No fleet sails without the appropriate combination of these platforms to ensure capability against a range of threats.

Inclusion of cyber attack and defense in combined arms warfare will apply to land, sea, and air combat. Just as ground forces learned to consider their vulnerability to air strikes, all military forces must now become prepared for cyber attacks. Under this construct, future Army Divisions may each require their own cyber battalions, responsible for tactical offensive and defensive cyber maneuvers within their areas of operation. The same would be true of Navy, Air Force, and Marine equivalent forces.


An alternative way to envision cyber forces is as specialized strategic capabilities limited to certain extreme cases, in a manner such as chemical, biological, radiological, or nuclear weapons. These weapons, judged by society as particularly gruesome means of causing death and destruction, are generally reserved for dire circumstances. In most cases, their use is tightly controlled by treaty, agreement, or public policy. Unlike the combined arms model, which would lead to inclusion of cyberspace engagements in practically any and all conflicts, this method of employment would see offensive cyber power become highly restricted.

While cyber attacks may someday be viewed as similar to attacks by other weapons of mass effect, they do not currently carry such a stigma and are therefore relatively free of internationally recognized restrictions on battlefield employment. However, the fear of potential widespread secondary and cascading effects does bring significant political pressures to bear when using cyber power against civilian targets or other networks connected to the Internet. Therefore, cyber power may best be employed in a hybrid manner. The first method is on a tactical and operational level, in conjunction or integrated with other military forces, in a counter-force role to disrupt or otherwise defeat adversary military weapon systems and forces. The second method is on a strategic level, independently as a counter-value capability to directly affect an adversary’s national power through cyber attacks on civilian and economic centers of gravity.

There is another fundamental question beyond determining how cyber forces best fit in alongside and integrated with other military forces to achieve objectives. Within the cyberspace domain itself, the individualized tactics to achieve optimal effects remain a vital issue. Other weapon systems are limited by geography and many other physical constraints, but these do not apply in cyberspace. For example, there is no need to conserve firepower due to the logistical strains behind storage and transport of available rounds of ammunition. There are also no circles to be drawn on the map to depict the maximum effective range where targets can be held at risk before fuel or gravity holds sway. Additionally, there is no need to apportion the physical terrain as a means to avoid friendly fire and fratricide. Instead, the limiting variables are access to detailed intelligence, maintaining access on extremely dynamic networks, and perishability of exploits once specific attack mechanisms become public or after first use.


Within these new constraints, the most effective means to employ cyber power will likely vary because of the fluid nature of the domain. However, certain techniques may be worth using as the default. For example, a basic question is whether it is more effective to concentrate firepower or distribute it. The “deep and narrow” approach and the “shallow and wide” approach (e.g., precision-guided weapons versus carpet bombing) each has its benefits and detriments in different scenarios.

Similarly, one must consider whether to apply “strength versus strength” or to use one’s strongest force to exploit weaknesses in an adversary’s defense. Sun Tzu wrestled with these questions 2,500 years ago, and his sage advice stood the test of time in the physical domain, but it may or may not translate well to the virtual world.

Another consideration is the sequencing of attacks. Should cyber power be held in reserve for the turning points in battle, or can it be best used as the preliminary strike? Or should it be applied as a constant unrelenting barrage throughout an engagement?

Some answers are known already. For example, the classic “3:1” ratio of forces needed for offense to defense, developed as a gauge for ground combat, is clearly not applicable in the cyberspace domain. But other warfighting principles and techniques, from the basic through the advanced, remain to be discovered. For example, what is the cyberspace equivalent of the “Immelmann” air maneuver that came out of World War I dogfighting, or the “Crazy Ivan” developed by Cold War submariners?

Defensive strategies must also be further developed. For example, when should fixed-point fortifications be relied on versus mobile defensive countermeasures? These and many other questions of combat strategy cannot be settled by defaulting to the first idea presented or to the program that is cheapest or quickest to implement. Instead, dedicated and concentrated effort must be applied to development of cyberspace strategies and techniques, as was done in other realms of conflict. Many modern battle techniques have emerged from Service War Colleges and Command and Staff schools.

While it is too early to determine the optimal strategic, operational, and tactical employment of cyberspace forces, we do not need to wait until after a major conflict to find the answers. Instead, a robust simulation, war game, and exercise program should be pursued as the primary line of effort. Sun Tzu’s ancient prescription to “know your enemy, know yourself, and in 100 battles you will not be defeated” must be adapted to the virtual test range. Even though a particular technique or formation may appear to be working, the alternatives must be considered until every feasible angle is investigated. While it is true that exercises, simulations, and war games do have a role in today’s military, they are often seen as a drain on resources away from the day-to-day operational mission. This dynamic needs to be reversed for cyberspace to ensure the right investments for the future.

Conflict in the cyberspace domain does not benefit from the natural evolution mankind experienced in the physical domain. We are used to judging distance and speed by eye and can readily apply such lessons. Similarly, hundreds of years of experience in structural engineering yields, as a byproduct, the ability to calculate the destructive effects of explosives against facilities. In comparing the domains, even our most advanced cyberspace practitioners are still novices when it comes to fully understanding the terrain and methods of maneuver. The potential risks and rewards are too great to wait to learn these lessons the hard way—in the course of battle. Therefore, while simulation, war games, and exercises are part of every military mission, they must play an even more extensive role for cyber conflict.

Instead of selecting a particular strategy now and pursuing it straight away, a sizable portion of the cyber force should be devoted to developing the path ahead. For much of the Cold War, a majority of military forces focused on getting ready for a battle they fortunately never fought. A return to this type of model may be prudent for cyber forces, filling the calendar with a variety of realistic exercises and virtual force-on-force simulations. Strategic Air Command was the pinnacle of this approach, being well-known (one could say almost “infamous”) for its rigorous exercise, training, and evaluation program to support readiness. The procedures for nuclear conflict had been finely honed, but painstaking practice was needed to ensure precise execution of the plan if called upon. The current state of cyber conflict requires a similar level of intense effort, far beyond the current level of commitment to exercises and training.

Cyber teams should be developed along different conceptual approaches and tested against each other—again, and again, and again. It may seem counterintuitive to take troops “off the line” when cyber incidents are occurring on a daily basis, but the long-term risk must be balanced against that of the present day. When the time comes to execute a major cyber conflict, we can ill afford to be surprised by major developments.

Conclusion

While the United States currently enjoys military superiority across the globe, developing the right strategy for cyberspace operations can mean the difference between victory and defeat in future conflicts. In the early 1600s, a tiny nation rose to pre-eminence in global affairs. The Dutch Gilded Age saw a transformation of the Netherlands from a minor possession of the decaying Holy Roman Empire into the world’s foremost maritime and economic power. The Dutch East India Company was at the heart of the “Dutch Miracle”—it was the world’s first multinational corporation financed by the first modern stock exchange. The story is relevant today because it is essentially a tale of new technologies and new organizational concepts being combined in a game-changing strategy, altering the global balance of power. Such stories are inspiring to some, but are potentially foreboding for the United States today.

The 21st century is no longer a time for business as usual when considering the shifting balance of power in cyberspace. Today, the United States, Russia, and China dominate, but tomorrow it could be smaller but highly advanced technical powers such as Israel, Japan, and Singapore that take the fore. Alternatively, the very essence of national power may be redefined as super-empowered individuals and international non-state actors such as the Islamic State in Iraq and Syria (ISIS), Anonymous, and Google seize the initiative in a rapidly evolving landscape…as the Dutch did 400 years ago.

Without a crystal ball, it is impossible to know what the right strategy is. But we do know that the wrong strategy can lead to disaster. It is necessary to adapt to the changing situation readily apparent across the spectrum of day-to-day affairs. Today’s environment requires a non-linear extrapolation. The best swordsmen of their day, with the most training and finest steel, could not stem the tide of firearms and explosives. Now is not the time to just keep sharpening the sword. But it is also not the time to throw down the sword and take up an entirely new type of arsenal. Instead, a risk-management approach to balance the right ends, ways, and means of strategy demands spreading efforts across the range of potential outcomes to guard against both likely and unforeseen contingencies.
 

Rather than waiting for the aftermath of a major cyber conflict to show the way, a robust simulation and exercise program must explore a range of alternatives. This will require some sacrifice of readiness to execute current missions, but it is an investment in the future to avoid outcomes with the potential for much greater harm. The answers cannot be constrained to existing paradigms, so an important part of the future investment is to establish an organization free of ties to legacy structures and policies. DoD and U.S. Cyber Command should lead the charge in calling for a new organization to be their vital partner in developing the optimal cyberspace strategy for the nation. While U.S. Cyber Command focuses on its military role, another non-DoD element will be able to transcend the military, intelligence, law enforcement, and regulatory functions. Even while the Cyber Mission Force is still being fleshed out, it is time to raise the flag of the “United States Cyber Guard.”

David and Goliath

The story of David and Goliath is well known as a classic example of the improbable victory of an underdog over a more powerful foe. The author Malcolm Gladwell, whose works focus on unexpected implications of social science research, recently published a book which concludes that giants are sometimes not as powerful as they seem, and history is replete with examples of unexpected outcomes of this nature.

Gladwell suggested the hidden weakness of “Goliath” enterprises is their tendency to assume that the strategy that made them great will keep them great. The Goliath story shows that someone perceived as an underdog may actually have an advantage by employing an alternate strategy.

Favoring the underdog is a part of American tradition, but when it comes to cyber conflict, the United States is the “Goliath” of the tale. The February 2015 National Security Strategy states, “We possess a military whose might, technology, and geostrategic reach is unrivaled in human history.” From our 21st century telecommunications infrastructure and $13 trillion economy to our $600 billion DoD budget (which represents more than one-third of the entire global market), and seemingly omnipresent Intelligence Community, the United States rests atop a perch as the world’s sole superpower. But many are actively seeking to change the status quo, and a range of potential new foes is on the horizon. Developing the right strategy for cyber conflict is crucial because the United States cannot continue to rely on its size and strength to defeat future “cyber-Davids.”


About the Author

Mr. Abraham is a Distinguished Graduate of the National War College, a Principal Attorney with The CyberLaw Group, and member of the MCPA's Board of Advisors. He previously served as a Senior Executive in U.S. Cyber Command, the Department of Homeland Security, and the Office of the Director of National Intelligence. He wrote this paper based on research sponsored by the Institute for Defense Analyses.

Photo credits (in order of appearance):  AFCEA International, onthenetgang.com, Huffington Post, Littlegate Publishing, Duffel Blog, Eder Flag, Department of Defense, GameSpy, RC Airplane World, Cryptome, silist.com.

The Cyber Security Ratio

posted Mar 30, 2017, 2:42 AM by Michael Lenart   [ updated Apr 20, 2017, 5:15 PM ]

By Daniel Cahill

 

Introduction

 

Governments and private firms spend significant amounts of their budgets on cyber security to ensure the confidentiality, integrity, and availability of data and to limit liability. How much is enough? How do private firms compare to each other and how do they compare to governments and government agencies? These questions are difficult to answer because there are neither baselines nor standards. Current accounting practices and analysis consider cyber security expenses as a percentage of overall expenses. This method, however, misses the mark for two reasons. First, there is no standardization for cyber security requirements and therefore no baseline from which comparisons can be made. Second, it does not consider the value of the transactions and assets exposed to cyber threats. The Cyber Security Ratio allows for a fairer comparison across sectors by assigning a value to what is being protected and then comparing that value to what is being spent on cyber security.


Background


The U.S. Department of Defense (DoD) uses multiple computer networks to conduct its daily operations; the two primary networks are SIPRNET and NIPRNET. Both SIPRNET and NIPRNET use the Internet to exchange information. The difference is that NIPRNET can send information to and receive information/data from the Internet, whereas SIPRNET merely uses the NIPRNET/Internet as a means to securely tunnel encrypted information. No information/data originating from the Internet enters or leaves the SIPRNET network or vice versa. Furthermore, SIPRNET terminals are only connected to the SIPRNET, so there is no other method for data to move onto or off the system. In theory, SIPRNET is inherently secure, with all of its contents being encrypted.1,2

 

The SIPRNET concept eliminates a vast majority of problems associated with network security as no unencrypted data is ever exposed to the Internet and the terminals themselves are fully shielded from the Internet. There is very little risk of data being compromised or malicious code being introduced directly from the Internet. The only real risk, aside from an insider threat, is denial of service. The additional, minimal expense with SIPRNET involves encrypting data at the point where data leaves the local network and decrypting data where data enters the network.

 

The NIPRNET is more like a typical business network and exposed to the same risks.  The cost of securing this network should be similar to that of any other network. In fact, an argument could be made that a typical firm is required to store and transmit all of its data in a manner that exposes it to the internet, whereas the Department of Defense has the option to transmit and store much of its sensitive data on SIPRNET.

 

Virtually every firm engaged in business utilizes the Internet in some way, shape, form, or manner, and very few firms utilize the “encrypted tunneling” technique in the way that DoD does. That is, very few firms use terminals that cannot send or receive data from the Internet. Considering this, how do these firms secure their data and networks? In government terms, a vast majority of these private firms utilize commercial off-the-shelf (COTS) solutions.



In order to determine the proper amount to spend on cyber security, the most important question is: How “sensitive” is the data being secured? The second question to ask is what is the threat? The answer to the first question is the foundation (or denominator) for the Cyber Security Ratio (alternately referred to as the Cahill Ratio/Number). There are five methods that can be used to accomplish this, all of which involve 1) assigning a dollar value to what is being secured, and 2) equating a dollar value to determine sensitivity. Once the value of what is being secured is determined, it can be compared to the expense of protecting it, which is the annual cyber security budget (the numerator of the cyber security ratio).

The Cyber Security Ratio can therefore be calculated as follows:

CSR = (Annual Cyber Security Budget / Annual Value of Assets and/or Transactions Exposed to the Internet) x 10,000

 

These methodologies will be demonstrated and discussed below in the “Examples” section using data reported in financial disclosures from some well-known financial firms and the U.S. government.


The answer to the second question, “What is the cyber threat?”, is that all entities, government and private, face very similar threats and therefore no correction factor has to be applied to account for differences in risk. Most insurance policies/underwriting have an exception for war, meaning it is possible to insure a civilian airliner but not military aircraft. However, in the realm of cyber warfare there is no distinction between civilian and military. All entities are targets, including state/government functions and private enterprise.

 

Examples

 

The first method for calculating the Cyber Security Ratio (CSR) equates the value or sensitivity of the data to the annual expenses of the firm.

 

The U.S. Department of Defense (DoD)

Budget for 2015: 560 Billion USD [3] ($560,000,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD [4] ($4,700,000,000)

CSR = 4,700,000,000 / 560,000,000,000 x 10,000 = 83.93

JP Morgan Chase (JPM) 2014-2015

Expenses for 2014: 61 Billion USD [5] ($61,000,000,000)

Cyber Security Budget for 2015: 250 Mil USD [6] ($250,000,000)

CSR = 250,000,000 / 61,000,000,000 x 10,000 = 40.98

Bank of America (BAC) 2014-2015

Expenses for 2014: 75 Billion USD [7] ($75,117,000,000)

Cyber Security Budget for 2015: 400 Mil USD [8] ($400,000,000)

CSR = 400,000,000 / 75,117,000,000 x 10,000 = 53.25

 


  

 

The above calculations demonstrate that spending on cyber security as compared to expenses varies significantly between the two financial services firms. Bank of America's CSR exceeded JP Morgan Chase's by 29.93%. This difference is significant because if one assumes other expenses are relatively similar, then the difference in cyber security expenses has a significant impact on net income. In the case of Bank of America, whose net income was $8.3 billion in 2014, this cyber security expense was 5% of its net income.

 

When we compare cyber security spending in the financial services sector to the U.S. Department of Defense, we see that DoD’s spending on cyber security as compared to expenses is 104.79% greater than JP Morgan Chase’s and 57.61% more than Bank of America’s. These numbers are well outside the realm of differences seen within the financial services industry and suggest DoD is overspending on cyber security, at least from the perspective of overall expenses.

 

A challenge of this method is that expenses may not accurately represent the value of the data that is being protected, particularly for firms who manage a large amount of assets. Using data from the aforementioned entities (and sources), we see that there is little correlation even within the financial services sector between expenses, assets managed (held), and shareholders’ equity (net assets). Bank of America’s expenses versus assets held is 50% greater than that of JP Morgan Chase. Bank of America’s expenses versus shareholders’ equity is still 20% more than that of JP Morgan Chase.

 

The second method is to measure the value of the firm in terms of either shareholders' equity or market capitalization. In the case of the Department of Defense, this would be the same as assets because for all intents and purposes DoD owns its assets outright. This only makes sense if you believe the total losses of a company are limited to shareholders’ equity and you disregard the loss of assets and/or liabilities.

 

The U.S. Department of Defense (DoD)

Total Assets for 2015: 2.3 Trillion USD [9] ($2,292,137,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD [10] ($4,700,000,000)

CSR = 4,700,000,000 / 2,292,137,000,000 x 10,000 = 20.50

JP Morgan Chase (JPM) 2014-2015

Shareholders’ Equity for 2014: 232 Bil USD [11] ($232,065,000,000)

Cyber Security Budget for 2015: 250 Mil USD [12] ($250,000,000)

CSR = 250,000,000 / 232,065,000,000 x 10,000 = 10.77

Bank of America (BAC) 2014-2015

Shareholders’ Equity for 2014: 243 Bil USD [13] ($243,471,000,000)

Cyber Security Budget for 2015: 400 Mil USD [14] ($400,000,000)

CSR = 400,000,000 / 243,471,000,000 x 10,000 = 16.43


 

 

 

Using the shareholders’ equity method, we see that Bank of America spends 52% more than JP Morgan. The Department of Defense spends 90% more than JP Morgan and 25% more than Bank of America. Again, we see that Bank of America is spending significantly more than JP Morgan and that DoD is spending significantly more than JP Morgan and marginally more than Bank of America.

 

Many, if not most, accountants consider the maximum loss as something similar/equivalent to shareholders’ equity. Any suggestion of considering the maximum loss as being total assets would be dismissed as unrealistic because you can’t take any more from a firm than shareholders’ equity (Shareholders’ Equity = Total Assets – Total Liabilities). This firm-centric perspective is dangerous because it dismisses the potential loss of assets held on behalf of the client. To put it simply, you can steal vastly more from a bank than the value of shareholders’ equity; this is a fact. And the Federal Deposit Insurance Corporation (FDIC) does not cover losses that result from theft or fraud. The next method will take this possibility into consideration.

 

The third method is to consider the total assets of the firm, where the value of the data is taken to be the value of the total assets held by the firm. Using total assets makes sense if one believes the ultimate or most catastrophic loss is a loss of all of the firm’s assets rather than “net assets” or shareholders’ equity.

 

The U.S. Department of Defense (DoD)

Total Assets for 2015: 2.3 Trillion USD [15] ($2,292,137,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD [16] ($4,700,000,000)

CSR = 4,700,000,000 / 2,292,137,000,000 x 10,000 = 20.50

JP Morgan Chase (JPM) 2014-2015

Total Assets for 2014: 2.6 Trillion USD [17] ($2,570,000,000,000)

Cyber Security Budget for 2015: 250 Mil USD [18] ($250,000,000)

CSR = 250,000,000 / 2,570,000,000,000 x 10,000 = 0.97

Bank of America (BAC) 2014-2015

Total Assets for 2014: 2.1 Trillion USD [19] ($2,100,000,000,000)

Cyber Security Budget for 2015: 400 Mil USD [20] ($400,000,000)

CSR = 400,000,000 / 2,100,000,000,000 x 10,000 = 1.90

 

 

 

 

The aforementioned calculations demonstrate that even when considering total assets managed (or assets at risk), the results are highly disparate. Using this method, we see that Bank of America spends 95.81% more on cyber security than JP Morgan. When comparing Bank of America to DoD in this manner, we find that DoD spends a staggering 10 times or 976.51% more on cyber security. When comparing DoD to JP Morgan Chase in this manner, DoD is spending a similarly staggering number of 20 times or 2,007.90% more. I believe this calculation most accurately represents the true picture of what is being spent on cyber security and also highlights the most excessive disparities between the Department of Defense’s spending and the spending of financial services firms. Again, the threats encountered by both are the same and both have similar assets to lose, yet some are spending drastically more than others.
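The three worked methods above can be recomputed side by side to show how strongly the ratio depends on the chosen denominator. The following is an added example, not part of the original article; the function and variable names are assumptions made for this illustration, and the dollar figures are the ones the article reports.

```python
# Added illustration: recompute the Cyber Security Ratio (CSR) under the
# article's first three denominators and compare entities pairwise.
# All names here are assumptions of this example; figures are the article's.

CYBER_BUDGET = {"DoD": 4_700_000_000, "JPM": 250_000_000, "BAC": 400_000_000}

# Value being protected, per method, as listed in the worked examples.
DENOMINATORS = {
    "expenses": {"DoD": 560_000_000_000, "JPM": 61_000_000_000,
                 "BAC": 75_117_000_000},
    "equity": {"DoD": 2_292_137_000_000, "JPM": 232_065_000_000,
               "BAC": 243_471_000_000},
    "total_assets": {"DoD": 2_292_137_000_000, "JPM": 2_570_000_000_000,
                     "BAC": 2_100_000_000_000},
}


def csr(budget, exposed_value):
    """CSR = (annual cyber security budget / value exposed) x 10,000."""
    if exposed_value <= 0:
        raise ValueError("exposed value must be positive")
    return budget / exposed_value * 10_000


def csr_table():
    """CSR for every entity under every method: {method: {entity: csr}}."""
    return {
        method: {ent: csr(CYBER_BUDGET[ent], value)
                 for ent, value in values.items()}
        for method, values in DENOMINATORS.items()
    }


def pct_more(a, b):
    """Percentage by which ratio a exceeds ratio b."""
    return (a / b - 1) * 100


def spread(table):
    """Highest CSR divided by lowest CSR, per method."""
    return {m: max(row.values()) / min(row.values())
            for m, row in table.items()}


def ranking(table):
    """Entities ordered from highest to lowest CSR, per method."""
    return {m: sorted(row, key=row.get, reverse=True)
            for m, row in table.items()}


if __name__ == "__main__":
    table = csr_table()
    for method, row in table.items():
        cells = "  ".join(f"{ent}={val:6.2f}" for ent, val in row.items())
        print(f"{method:13s} {cells}  max/min={spread(table)[method]:5.2f}x")
        print(f"{'':13s} DoD vs JPM: {pct_more(row['DoD'], row['JPM']):8.2f}% more, "
              f"BAC vs JPM: {pct_more(row['BAC'], row['JPM']):6.2f}% more")
```

The ordering of the three entities is the same under every method, but the gap between the highest and lowest ratio grows from roughly 2x on expenses to roughly 21x on total assets.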

 

The fourth way to measure value of the data is to measure the actual value of the transactions that take place across the network. An argument can certainly be made that this is what’s truly at risk for a firm above and beyond any other number presented above (at least from a cyber security perspective). Certain sectors, such as the financial services sector, deal with transactions that far exceed their expenses or even the value of their companies. An excellent example of this is the New York Stock Exchange (NYSE), which executed transactions in excess of 11 trillion dollars in 2015. [21] Yet, the parent company Intercontinental Exchange (ICE) had expenses of approximately 1.6 billion dollars, assets totaling 50 billion, and shareholders’ equity of 12 billion. [22] This fourth manner is the one that presents the most challenges, as most firms do not publicly report the actual value of transactions that take place across their networks. Furthermore, estimates based on required disclosures would be difficult because many values are reported as “net values,” which negates the ability to estimate the value of actual transactions. All of this makes it extremely difficult to ascertain the CSR using this methodology. Additionally, the value of transactions does not necessarily represent the number of transactions taking place, which would be important because every time a transaction crosses the Internet, there is a risk of compromise.

 

The fifth method would involve a combination of the first four methods. Perhaps a starting point would be the sum of assets, value of transactions, and market capitalization/shareholders’ equity.

 

Challenges

 

Challenge #1: The most fundamental challenge with utilizing the CSR is a lack of data as most firms (and the government) are not willing to report all aspects of their cyber security spending. Most firms are afraid of the consequences of being deemed irresponsible regarding budget allocation for cyber security. Similarly, the federal government has funding mechanisms designed to obfuscate true spending. 

 

Challenge #2: Assigning a value that truly represents what is being protected. What is the price or cost of losing a client’s personal data/identity data? What if the client’s available credit is $100,000 versus $5,000? What is the firm’s reputation worth?

 

Challenge #3: How much spending is enough? If 50% more in spending only provides 5% more security, is that spending worth it? Related to the challenge of assigning a value is how can risk be measured if what is being protected does not have an objective, accurate, designated value?

 

Challenge #4: How much cyber security related information is the U.S. Department of Defense sharing with the private sector? Is it being shared equally? How much is the private sector benefiting from this sharing and what would the dollar value be to this support? A corollary of this is if U.S. firms operating in the EU are exposed in Europe, does that mean that the U.S. Department of Defense will share DoD-derived information from their program with non-U.S. entities? Will the U.S. fund worldwide cyber security efforts by sharing the information derived from its cyber security programs? Where would the U.S. draw the line in sharing cyber threat information?

 

Challenge #5: As discussed above – what is the threat, because without knowing the threat, it is difficult to assess risk. The threat faced by firms is the same threat faced by government and militaries, therefore an accurate assessment of the absolute threat is necessary to determine what cyber security measures must be taken. Basically, if it is determined that U.S. Department of Defense networks face threat “x,” then all networks worldwide would face the same threat.

 

Conclusions

 

Use of the CSR to compare financial services firms has identified significant differences across the sector. What does this mean? Most managers ask the following two questions: What does it cost? How much will it save? (Or how much income will it generate?) In the case of cyber security, the answers to those questions are apparently ambiguous. Rating agencies and actuaries have had a difficult time assessing risks and threats, particularly as they apply to cyber threats and financial services firms in general. Also, as discussed above, underwriters are not in the business of underwriting risks associated with war, and cyber threats are a result of warfare – cyber warfare. Therefore, at this point, the proper amount to spend on cyber security is the best estimate of those directly involved/invested. As cyber security risks become underwritten, standards will be developed and enforced by insurers and/or government regulators/regulations; in the meantime, these expenditures appear to be rather arbitrary. The above notwithstanding, it does appear that either the U.S. Department of Defense is spending too much on cyber security or financial services firms are spending too little. It is also quite possible that Bank of America is spending too much on cyber security and JP Morgan Chase is spending too little. Regardless, it is difficult to conclude that each of the entities considered above is spending the proper amount on cyber security.

 

Perhaps most importantly regarding the Department of Defense, it has always been difficult to assign a value to national security. The U.S. Department of Defense is not only securing itself, but is securing the entire nation. That said, as we’ve identified above, there are many firms, like the New York Stock Exchange (NYSE), that are securing vastly more than their own value (net assets and/or shareholders’ equity). I would venture to say that in a similar manner, the value of the daily transactions across the network of financial services firms is much greater than the value of their assets. So perhaps the argument that the Department of Defense is securing the entire nation is moot OR there is a dollar value to assign to the support being provided to firms by the U.S. Department of Defense. If the latter is true, then the dollar value for the support provided by DoD can then be added to what firms are spending and/or subtracted from the cyber security spending by foreign entities (and perhaps domestic as well) not protected by the U.S. Department of Defense.

 

Furthermore, unlike financial services firms, the Department of Defense has the SIPRNET to secure much of its sensitive information. I would offer that the cost of maintaining this SIPRNET is vastly less than the difference between what DoD is spending on cyber security versus financial services firms. Considering this assumption, what would be the value of the remaining information left on the NIPRNET? Perhaps the best way for DoD to secure its NIPRNET is with COTS technology that would be more in line with what financial firms are utilizing.

 

Epilogue

 

Both firms and governments need a balanced approach to cyber security spending to ensure confidentiality, integrity, and availability of data, and to limit liability. The most efficient approach to spending is usually spending in a manner that provides the most absolute gain. As discussed in challenge number 3, if 50% more in spending only provides a 5% increase in security, is that spending worth it? If our adversaries (or other firms) are obtaining a 90% solution by spending half as much, how should that affect our spending? From a national security perspective, if our adversaries are removing their “sensitive” networks from the internet, essentially precluding a data compromise, does that negate the need for traditional cyber security for those networks? What would be the true cost of total compromise of the DoD’s NIPRNET? Is DoD placing too much sensitive data on the NIPRNET and not enough on the SIPRNET? Again, hopefully the CSR will assist firms, government policymakers, and underwriters in developing the most appropriate courses of action.

 

 


About the Author

Daniel Adams Cahill is a Commander in the Navy Reserve, where he supports the Naval Inspector General. He holds a Bachelor's Degree in Marine Engineering, with a concentration in Nuclear Engineering, from the United States Merchant Marine Academy. He earned graduate certificates in International Relations and in Business from Columbia University, where he focused on applying business principles to military strategy and foreign policy.


 

End Notes


1. “Secret IP Data”. Defense Information Services Agency. http://www.disa.mil/Network-Services/Data/Secret-IP.  Accessed 24 Mar 2017.


2. “Using the SIPRNET”. Defense Human Resources Activity. U.S. Department of Defense.  http://www.dhra.mil/perserec/osg/s1class/siprnet.htm. Accessed 12 Mar 17.


3. “UNITED STATES DEPARTMENT OF DEFENSE FISCAL YEAR 2016 BUDGET REQUEST”. Comptroller – U.S. Department of Defense. http://comptroller.defense.gov/Portals/45/Documents/defbudget/fy2016/FY2016_Budget_Request_Overview_Book.pdf. Accessed 12 Mar 17.


4. Sternstein, Aliya. “The Military’s Cybersecurity Budget in 4 Charts”. Defense One. http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/. Accessed 12 Mar 17.


5. “JPMORGAN CHASE & CO (Filer) CIK: 0000019617” (JP Morgan 10-K. 2015). JP Morgan Chase & Co. http://www.sec.gov/cgi-bin/viewer?action=view&cik=19617&accession_number=0000019617-15-000272&xbrl_type=v#. Accessed 12 Mar 17.


6. Glazer, Emily. “J.P. Morgan CEO: Cybersecurity Spending to Double”. Wall Street Journal, http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976. Accessed 12 Mar 17.


7. “BANK OF AMERICA CORP /DE/ (Filer) CIK: 0000070858” (Bank of America 10-K, 2015). http://www.sec.gov/cgi-bin/viewer?action=view&cik=70858&accession_number=0000070858-15-000008&xbrl_type=v#. Viewed 12 Mar 17.


8. O’Daniel, Adam. “Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'”. Charlotte Business Journal. http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html. Viewed 12 Mar 17.


9. “AGENCY FINANCIAL REPORT, FISCAL YEAR 2015”.  U.S. Department of Defense. http://comptroller.defense.gov/Portals/45/Documents/afr/fy2015/3-Financial_Section.pdf.  Viewed 12 Mar 17.


10. Sternstein, Aliya. “The Military’s Cybersecurity Budget in 4 Charts”. Defense One. http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/. Accessed 12 Mar 17.


11. “JPMORGAN CHASE & CO (Filer) CIK: 0000019617” (JP Morgan 10-K. 2015). JP Morgan Chase & Co. http://www.sec.gov/cgi-bin/viewer?action=view&cik=19617&accession_number=0000019617-15-000272&xbrl_type=v#. Accessed 12 Mar 17.


12. Glazer, Emily. “J.P. Morgan CEO: Cybersecurity Spending to Double”. Wall Street Journal, http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976.


13. “BANK OF AMERICA CORP /DE/ (Filer) CIK: 0000070858” (Bank of America 10-K, 2015). http://www.sec.gov/cgi-bin/viewer?action=view&cik=70858&accession_number=0000070858-15-000008&xbrl_type=v#. Viewed 12 Mar 17.


14. O’Daniel, Adam. “Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'”. Charlotte Business Journal. http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html. Viewed 12 Mar 17.


15. “AGENCY FINANCIAL REPORT, FISCAL YEAR 2015”.  U.S. Department of Defense. http://comptroller.defense.gov/Portals/45/Documents/afr/fy2015/3-Financial_Section.pdf.  Viewed 12 Mar 17.


16. Sternstein, Aliya. “The Military’s Cybersecurity Budget in 4 Charts”. Defense One. http://www.defenseone.com/management/2015/03/militarys-cybersecurity-budget-4-charts/107679/. Accessed 12 Mar 17.


17. “JPMORGAN CHASE & CO (Filer) CIK: 0000019617” (JP Morgan 10-K. 2015). JP Morgan Chase & Co. http://www.sec.gov/cgi-bin/viewer?action=view&cik=19617&accession_number=0000019617-15-000272&xbrl_type=v#. Accessed 12 Mar 17.


18. Glazer, Emily. “J.P. Morgan CEO: Cybersecurity Spending to Double”. Wall Street Journal, http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976. Accessed 12 Mar 17.


19. “BANK OF AMERICA CORP /DE/ (Filer) CIK: 0000070858” (Bank of America 10-K, 2015). http://www.sec.gov/cgi-bin/viewer?action=view&cik=70858&accession_number=0000070858-15-000008&xbrl_type=v#. Viewed 12 Mar 17.


20. O’Daniel, Adam. “Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'”. Charlotte Business Journal. http://www.bizjournals.com/charlotte/blog/bank_notes/2015/01/moynihan-bofas-cyber-security-given-unlimited.html. Viewed 12 Mar 17.


21. “Daily NYSE Group Volume in NYSE Listed, 2017”. The New York Stock Exchange. http://www.nyxdata.com/nysedata/asp/factbook/viewer_edition.asp?mode=table&key=3141&category=3. Viewed 12 Mar 17.


22. “Intercontinental Exchange, Inc. (Filer) CIK: 0001571949” (NYSE Parent Company 10-K). Intercontinental Exchange, Inc. http://www.sec.gov/cgi-bin/viewer?action=view&cik=1571949&accession_number=0001571949-15-000003&xbrl_type=v#. Viewed 12 Mar 17.


Photo credit: globalknowledge.com


