Commentary: Challenges to the Tactical Cyber Defense
By Adam Tyra, San Antonio Chapter
Mounting an effective cyber defense challenges any sizeable organization operating an enterprise network. However, defending an enterprise network within a tactical unit headquarters has unique problems that increase the challenge significantly. I discovered a number of these issues first hand while serving as the Chief of Information Assurance for a division headquarters. In June of 2015, the division underwent a Warfighter Exercise that included support from the U.S. Army’s 1st Information Operations Command’s World Class Cyber OPFOR (WCCO). While notional land and air battles occupied the rest of the division staff, the division’s cyber defenders were confronted with a live, realistic, and interactive threat of their own on the division’s network.
The following are my views on the challenges of developing and conducting an effective cyber defense for the tactical network. These views are based on my experiences before and during Warfighter Exercise 15-5. Although my descriptions and terminology are Army-centric, I suspect that several of the challenges that I discuss here will be familiar to readers with other backgrounds.
Note that by “tactical cyber defenders”, I am referring to service members who are not part of a designated cyber unit, such as the National Cyber Mission Force, or a Cyber Protection Team. Instead, they are assigned to unit headquarters throughout the military with the (potentially collateral) responsibility of conducting information security activities for their units’ tactical networks. Any other term such as “security practitioner” or “security professional” includes all service members with information security responsibilities.
The Empty Cyber Holster
The Army's Warfighter Integrated Network-Tactical (WIN-T) system of systems forms the heart of the Army division headquarters’ tactical network. Although it includes a full suite of enterprise network services, it does not include or integrate robust tools that enable tactical cyber defenders to detect, identify, or engage cyber attackers within the network.
Many tools that have become mainstays of private sector Security Operations Centers (SOCs) such as endpoint and network intrusion detection systems, Security Incident and Event Management (SIEM) suites, and automated malware analysis are simply not available for tactical networks. Interestingly, the Department of Defense already uses some of the most innovative and effective security tools available (Security Onion, Kali Linux, etc.). However, the Army’s current concept of cyber defense requires division headquarters to explicitly request support for these capabilities from designated cyber forces when needed rather than having them available continuously for local use.
Tactical network defenders are challenged to receive support from organizations such as the Army Computer Emergency Response Team (ACERT), its Regional Computer Emergency Response Teams (RCERT), or from Cyber Protection Teams (CPT). Doctrinally, tactical unit headquarters require mobility and may operate on their own for extended periods of time. This means that integrating them into RCERT defense systems is difficult in general and nearly impossible on a consistent basis. Further, if the unit does successfully integrate with an RCERT, the support that can be provided from afar is severely limited. Unit commanders, primarily concerned with mission command and situational awareness, likely won’t allocate precious bandwidth to upload scan data, log files, and other artifacts for analysis at the RCERT.
Even in cases where bandwidth is not constrained and tactical defenders receive active support from an RCERT, the distribution of resources is still sub-optimal. RCERTs, whose set of available tools could grant them superior visibility on the tactical network, don't have the direct access to affected systems required for timely reaction to malicious activity. Tactical defenders, on the other hand, can directly access their systems in order to take action against attackers. However, they are denied the superior real-time network visibility available to their remote counterparts.
This problem might be solved by the deployment of a CPT to the division headquarters in order to leverage the capabilities of cyber mission forces with the access of the tactical defender. However, if tactical defenders are not able to effectively monitor their network in real time, they are unlikely to discover that they need assistance from a CPT in the first place. Also, the Army’s projected development timeline for Cyber Protection Teams makes their near term availability to the division headquarters a dubious prospect.
A better solution to this capability mismatch is to deploy to tactical units the same tools employed by designated cyber forces to gain real-time host and network visibility and conduct analysis. This will allow tactical units to detect and eradicate attackers as necessary without relying on external assistance. Admittedly, this course of action has issues. The availability of expertise to use the tools at the tactical unit is probably the main issue, but access could be controlled by a certification of some sort just as we control the ability to drive military vehicles with a driver’s license. In any case, the discriminator about who gets what tools should be threat and competency based rather than unit based. Tactical headquarters should not be barred from using specific tools that are available to cyber forces simply because they are not a designated cyber unit.
A Checklist is Not a Defense
The tactical cyber defender must devote a tremendous amount of time and energy to ensuring that the unit remains in compliance with the vast constellation of federal rules and policies that govern information security. This leaves little time to develop or practice an effective cyber defense. I don’t mean to imply that policy compliance does not have its place in securing the network. Security governance is important to every organization, and the U.S. military has the most mature security governance structure that I have seen anywhere. However, a checklist is not a defense. Adhering to a checklist may ensure that we meet a minimum baseline of secure configuration and operation, but it does little to defeat an imaginative and adaptive attacker.
Security is an effect rather than a destination, and compliance does not create this effect. Compliance regimes can only address known vulnerabilities and weaknesses, while attackers can exploit a limitless number of known and unknown attack vectors in a system- including one that is fully compliant with all government requirements and directives. In addition, compliance represents merely a snapshot in time, while operations are continuous across time. For the cyber defender, yesterday's clean bill of cyber health means nothing against today's adaptive attacker. An effective cyber defense cannot be based on compliance and must feature a significant active and real-time operational component.
To illustrate this point, consider compliance in the land domain of warfare. Soldiers comply with policies by wearing uniforms and body armor, carrying an ID card, maintaining communications with higher headquarters, and carrying the prescribed amount of ammunition and supplies. While important, none of these activities create security. To create security, soldiers must also maintain situational awareness, find cover and concealment when necessary, and be ready and willing to use force. Unfortunately, even a high level of security is insufficient on its own to defeat an enemy. What we really need is a deliberately planned defense. Further, defense requires knowledge of an adversary in order to make predictions about what he will do, so defenders can focus their plan on countering it. A cyber defense, like a defense in the land domain, is therefore composed of a collection of activities deliberately planned and executed to prevent an enemy from achieving his end-state.
Compare the concept of defense just described with compliance. Compliance activities are not adversary focused. The fact that they focus solely on what you can't do and what you must do neglects a significant cyber "dead space" of things that you should do in any given situation based on the adversary. Finally, unlike security, compliance is a destination. When security practitioners achieve compliance, they usually stop until the next inspection cycle starts. Adversaries don't stop. They continuously vary and evolve their tactics to circumvent defenses and manipulate users.
Continuing to focus the bulk of tactical cyber defenders’ efforts on compliance is akin to planning to catch terrorists using strictly enforced speed limits. We may get a few, but the bad guys we really care about must be actively hunted and defeated. We must convey this message to commanders, so they can make informed decisions about cyber risk and shape their deployment of security resources appropriately. Non-compliance with military rules and regulations is generally not acceptable. However, compliance activities should be put into their place as a building block of a larger concept of cyber defense rather than forming the entire concept of defense by themselves. When we succeed in selling the idea of defense in favor of compliance, we must also be prepared with a creative, dynamic, and effective course of action to offer in its place. This will result in more effective tactical defensive cyberspace operations and will generate the added benefit of clearly articulated resource requirements that commanders can use to remedy some of the resource shortfalls discussed previously.
The “Culture of No”
Along with a mature security governance system, the military also has a healthy regard for structured risk management. Military leaders at every level are fully capable of assessing the risks associated with a wide variety of objectively dangerous situations from foot marches to high intensity combat operations. We are also capable of devising appropriate safeguards and applying them to mitigate risks to acceptable levels. However, in the context of information systems, many leaders reflexively reject risks whenever possible rather than objectively evaluating them. During the planning and initial execution phases of the Warfighter Exercise, I experienced this problem first hand while attempting to rectify the tool problem discussed previously.
This is not the fault of risk owners (leaders) themselves. As in the private sector, most leaders are not technologists and therefore can't be expected to immediately grasp the details of security risks. Instead, the fault is ours as IT and security practitioners. Security practitioners have a responsibility to explain problems and offer solutions in terms that can be understood by leaders- regardless of their background. They must also interpret risks through the lens of the organization's mission and overall risk profile rather than as purely technological issues and offer mission-tailored solutions.
When security practitioners fail to properly frame the "so what" of cyber problems or resort to digital fear mongering, they create a situation in which a commander is required to make decisions about issues that he doesn’t understand and which are accompanied with a potentially unjustified sense of urgency and danger. The outcome in these cases is predictable- rejection, denial, and the imposition of no. When risk rejection is combined with the complicated and overlapping authorities inherent to military information network operations, the result is an obstacle course of conflicting policies that limit our ability to effectively use technology. This, unfortunately, also ensures that security practitioners will never be authorized to expend the effort to examine and quantify our actual cyber risk or develop suitable controls.
To be fair, risk rejection isn't necessarily a short-sighted or unenlightened course of action, but it shouldn't be used as a long-term option in the face of continuously advancing technology. Consider our current severe limitation on the use of removable media. This was originally a response to a malware outbreak on a classified network in the fall of 2008 (if you don’t recall this, see publicly available information about Operation Buckshot Yankee for details). Without immediately and completely halting the use of external hard drives and USB flash drives, the malware outbreak could have become an epidemic and caused significant damage to many more government information systems than it actually affected. Thus, banning removable media was necessary- in 2008. In the years since, security technology has continued to evolve, but our sophistication in the area of cyber risk management largely has not. IT personnel could have devised a range of policies which would have allowed us to assimilate advancing technologies while mitigating our risks. They haven't done this, and many commands are still burning CDs and DVDs like it’s 1999.
The introduction of new technologies into the operational environment will accelerate into the foreseeable future. Tactical units, burdened with immediate threats and imperatives for mission accomplishment, can’t afford to simply reject the risks associated with complex but effective technological courses of action. Ultimately, the institutional knowledge of the military will expand such that future leaders feel as comfortable discussing cyber risk as current leaders feel about discussing combat risk. Until then, security practitioners will need to become much more proactive and imaginative both at explaining risks and devising solutions. We must guide discussions of risk along the lines of operating safely rather than focusing solely on what we shouldn't do- the culture of no should evolve into a culture of “how?”. Our net gain will include improved productivity, decreased frustration, and the cultivation of an information security culture that tries to understand and thoughtfully manage change rather than rejecting it.
Technicians vs. Soldiers
I started my career in the military as an infantryman. Although few of the infantry activities that I did previously resemble what I do now as a security professional, most of the thought processes are the same. I learned to plan and conduct small unit missions, survey terrain with a critical eye, and identify weaknesses in both my own team and in the enemy. In short, I developed a tactical mindset. Since my transition away from combat arms, I have not observed a tactical mindset generally among military information security practitioners. Even as cyberspace has been elevated to the status of a domain of warfare, we have continued to treat our systems like leaky pipes that just need patching and adjusting rather than the complex contested battlespace that they are. The result of this is that we don’t conduct operations. Instead, we “put out fires”. While the former results in defenders seizing and retaining the initiative, the latter cedes it to the adversary.
I observed this first hand while serving as a cyber OPFOR team member in a previous exercise. Unlike the OPFOR that we faced during our Warfighter Exercise, the OPFOR that I served with had no restrictions on the contractor-managed network. Short of causing physical destruction, our exercise network was essentially a cyber free-fire zone. As such, we used a combination of commercial, open-source, and home-brewed tools in conjunction with social engineering and deception to gain the upper hand however we could. As a team, we designed our activities to accurately mimic a realistic set of attackers unconstrained by rules or policies. Unfortunately, the blue team also appeared to operate without any rules, policies, or even a coherent strategy. Instead of hunting us, they appeared interested only in cleaning up after us.
I have a specific anecdote to illustrate my point. One of the tactics that we employed to compromise the blue network was to deploy multiple custom built software implants that would provide back-door access and execute malicious commands remotely. Because they were built especially for the exercise, our implants could not be detected by anti-virus software. However, they did generate malicious network traffic that could be picked up by the blue team. The intent was for defenders to detect the unauthorized activity using network monitoring, trace it to the affected hosts, and conduct a thorough incident response in order to contain the activity, investigate it, eradicate it, and enact measures to prevent it from occurring again.
Instead, defenders opted to simply block the outbound connections from our implants to our "malware mothership." When they did this, we initially believed that our implants had been eliminated. However, we were able to quickly penetrate the blue network again and discovered that this wasn't the case. After regaining access, we saw that all of our malicious implants were still alive and well across the network. Defenders had made no attempt to locate them and shut them down and had instead relied on a hardened perimeter. Once we breached that perimeter, every one of our implants became 100% effective once more.
The implicit concept of the blue team’s defense, reliance on a hardened perimeter, demonstrated none of the characteristics of the defense according to Army doctrine. I attribute this failure to the absence of a tactical mindset rather than an absence of cyber-centric doctrine. Although we don’t yet have specific cyber doctrine to guide cyber operations, there is no reason why a savvy technologist could not apply our existing operational doctrine to operations in cyberspace.
Tactical cyber defenders must think like soldiers first and technicians second. To protect the tactical network, we must plan a coherent and deliberate defense and develop battle drills to respond to hostile activity just as we would for a combat outpost. Further, as in the physical domain, cyber defenders must seize and retain the initiative in identifying and eradicating intruders from the network. Eventually, these concepts will surely be integrated into our cyber doctrine, but this won’t solve our problem. The best way for us to change the way we think about our operations is to first change the way we think about ourselves as tactical cyber defenders.
The problems that my team and I experienced in preparing for and conducting defensive cyberspace operations during Warfighter Exercise 15-5 were small compared to the difficulties in store for the tactical cyber defender required to operate against a determined enemy under real battlefield conditions. Whether commanders and staffs in tactical units acknowledge it or not, the cyber fight is already a part of today’s battlefield. Recent history is full of examples of military usage of cyberspace in combat. Russian operations against Ukraine are one notable strategic theater-level example, but adversaries have also used cyberspace capabilities to target tactical units. In one recent incident, a German Bundeswehr Patriot missile battery deployed in Turkey near the Syrian border was penetrated by hackers who issued “unexplained orders” to the missile systems. American units have likely experienced similar (detected or undetected) intrusions into their tactical networks and will probably see more in the future.
Given our reliance on information technology, a future increase in the use of offensive cyberspace operations against fielded forces is inevitable. We must begin to separate the issues faced by defenders of non-tactical networks from those faced by the tactical defender in order to understand them in their proper context and devise solutions. Some of our problems can be solved by policy changes or technology purchases, but others are embedded in our culture. By identifying and discussing our challenges now, we can begin the complex task of devising workable solutions to prepare for the conflicts to come.
1 Vergun, David. "Cyber Chief: Army Cyber Force Growing 'exponentially'" Army.mil, The Official Homepage of the United States Army. March 5, 2015. Accessed July 4, 2015
2 Nakashima, Ellen. "Defense Official Discloses Cyberattack." Washington Post. August 25, 2010. Accessed July 16, 2015.
3 ADP 3-90: Offense and Defense. Washington, D.C.: Headquarters, Department of the Army, 2012.
4 Shahani, Aarti. "Report: To Aid Combat, Russia Wages Cyberwar Against Ukraine." NPR. April 28, 2015. Accessed June 19, 2015.
5 "'Hackers' Give Orders to German Missile Battery - The Local." 'Hackers' Give Orders to German Missile Battery - The Local. July 7, 2015. Accessed July 16, 2015.
About the Author
Adam Tyra is an officer in the Texas Army National Guard and is currently assigned as the Chief of Information Assurance / Computer Network Defense for the 36th Infantry Division. He also serves as the President of the San Antonio, Texas chapter of the Military Cyber Professionals Association.