The expansion of commercial and military activity from land to oceans and eventually to space continues into cyberspace at a rapid pace. In the oceans and outer space, as in cyberspace, we see domains that are useful to us in many ways, but that present challenges because they are inherently not part of any country.
To operate in these areas, we have had to rethink how we execute security — and effective security in cyberspace is perhaps the most challenging of the three. With the spread of information technology to the battlefield, cyberspace is now part of every mission.
Our adversaries include traditional nation-state actors as well as nonstate actors (organized crime groups, gangs, terrorists, hackers, pirates, etc.) that operate fluidly across borders and in regions where there is not a strong rule of law. The U.S. armed forces have evolved into a global, multimission, rapidly deployable fighting force. This approach in force structure allows the U.S. military to respond proactively to persistent and emerging threats. The objective of the global mission is to provide the right response, at the right time, and in the right place. To accommodate this global mission, the armed forces are fundamentally changing their concept of operations.
Integral to this concept of operations is securing an information advantage over adversaries, which can be translated into a decisive war-fighting edge. Staying ahead of highly flexible and mobile adversaries requires timely, high-quality information. It is necessary to understand the mission requirements, the multimission elements, the locations of dispersed adversaries and the physical characteristics of their surroundings.
Gathering this multimission situational awareness and gaining the ability to make high-quality, informed decisions requires force networking, information sharing and service delivery. Infrastructure must dynamically reconfigure in a global environment and scale to handle the electronic information supply chain and the information volume that the digitized battlefield demands.
Electronic infrastructure is a critical enabler of success on the battlefield, delivering mission intelligence to war fighters, commanders and policymakers. It can be easy to get caught up in solely physical security — when we look at a ship and its contents, it is easy to identify what we are protecting. Or is it? The obvious answer (“We are protecting the ship and its contents”) may not be the answer that will produce the best results. Instead, consider the answer: “We are protecting the crew’s mission.”
Today’s physical world is heavily integrated with the virtual world of information in cyberspace. The vast amount of information from any source, along with the intelligence it produces, has always been a component of a military mission. Now, we communicate and store information in more accessible ways — accessible to both us and our adversaries.
To protect a mission, we not only need to protect the physical assets required to accomplish the mission, but also the information that could put the mission in jeopardy if discovered by adversaries. All branches of security are part of mission assurance — protecting the mission from both intentional and unintentional threats. Global connectivity provides adversaries with global reach to attack at any time, from any place, from any direction with any degree of sophistication. The mission must be secured against traditional malicious threats as well as emerging threats and those already in the network.
Traditional threats range from virus infections to denial-of-service attacks. Common approaches to protecting an infrastructure against these threats involve building firewalls, deploying host-based virus scanning, and monitoring intrusion detection and prevention appliances. These solutions operate within the context of perimeter protection. In light of the global multimission roles that the infrastructure will need to support, the idea of perimeter is difficult to define — and thus, is difficult to protect — especially as our forces leverage indigenous regional infrastructures. Additionally, the environments in which our missions already operate have advanced threats that test against the standard commercial and known defenses.
ADVANCED PERSISTENT THREATS
For information technology-dependent missions, one of the greatest threats and reasons for us to change the way we think is the advanced persistent threat. Advanced persistent threats present the nightmare scenario to any mission-oriented organization: They are able to infiltrate, hide and maintain access to an organization’s data across a long timeline. Traditional firewalls, intrusion-detection devices and host-based scanners have difficulty eradicating advanced persistent threats because the individuals behind them test against these defenses. Adversaries know the weaknesses of these defenses and need only to find a single vulnerability through which to compromise the mission. Once inside the “castle wall,” these threats map the infrastructure, add back doors, harvest account credentials and even determine information of value and leak that information. Adversaries work hard to maintain access to all the information (and its explicit knowledge).
Unfortunately, this is the current reality. We must operate under the assumption that our networks are already “owned” and that no amount of castle wall construction (firewall) or moat building (virus scanning) is going to protect them. In a globally multimission world, this perimeter view of defense is outdated. Traditional defense-in-depth approaches of securing mission systems are only partially effective. These approaches fail to integrate with the missions and often do not reflect the mission priorities. Not only does the infrastructure need to support traditional war-fighting missions, but it needs to support rapidly reconfiguring missions — not just rapidly reforming networks. The infrastructure must mirror the modern force structure and geographic dispersal of a fighting force.
Perfect security is not possible because of the rate of change of cyber threats and adversary methodologies, the burden of information technology security costs, the lack of integration of layered defenses and the limits of the technology used to protect information systems. Unlike perfect security, however, mission assurance is an achievable goal. We need to see network and information security as elements in protecting an overall mission. To reach this goal — protecting, under persistent threat, the important elements of infrastructure that support key mission activities — we must look at the mission, holistically considering its infrastructure, its desired behavior and the information that underpins it.
To succeed, we need to change how we think:
Global, multimission interdependencies require a shift from a local perspective to a contextual global perspective.
Protecting electronic infrastructure requires an integrated and continuous mission awareness, instead of a static, periodic snapshot.
Automatic, predictive defenses are needed to ensure mission assurance, instead of manual, passive defenses.
Networks must be examined to understand the bidirectional flow of information, rather than solely focusing on what is inbound.
Targeted, granular responses, not gross actions, are essential.
A local perspective used to be sufficient because nothing that you couldn’t see could harm you. But today someone from clear across the world could be a threat to mission success at your back door. Just as the connectivity within an organization puts information at your fingertips, connectivity outside of the organization also gives your adversaries easy access.
By developing and maintaining global situational understanding and contextualizing it for a specific mission, it is possible to predict attacks before they occur. Predictive analysis incorporates an understanding of threat development and an adversary’s maturation, drawing from information found outside one’s own network. Early warning indicators can be acted upon based on the context of the known state of the mission infrastructure, current missions or planned missions. These include registration of bot command-and-control channels, emerging threat vectors, discovered vulnerabilities, and specific attack approaches being developed. Automatic defenses (connectivity managers, content sensors and filters, activity indicators and warnings, leakage detectors, behavioral sensors, intrusion detection and prevention, resource management and vulnerability scanners) can be “armed” to be ready to take action before malicious activity threatens the mission.
Just as the perimeter view of defenses is outdated, so too is the focus on what is inbound. In the case of advanced persistent threats, the malicious code evades detection by traditional perimeter defenses and can establish itself within a network. Only when a network and its behavior are well-understood might it be possible to detect the outbound flow of information that the advanced persistent threat has initiated. Infrastructure needs to be recognized as a mission-critical element, rather than a mission-support element. While there will always be uncertainty in a hostile environment, we shouldn’t add uncertainty about our own systems to that mix. The infrastructure of a multimission environment needs to be understood to provide optimal deployment of capabilities and capacity to the right priority.
Mission-critical infrastructure may be scattered globally. Many of these resources are shared, raising questions of responsibility. To assure a mission, it is necessary to have an understanding of mission-critical systems, links, applications and services, as well as any interrelation with other missions. As an example, a mission commander should know if a network device in another hemisphere is critical to his mission. He should know about the maintenance schedule and whether there is an alternate data route if the device goes down. He should know whom to call if there are problems, who controls the gateway and what service providers are in play.
The cyber environment is constantly changing, and to make the best decisions, a decision maker’s understanding of the available information needs to keep up. The use of IT systems in military environments adds to the level of complexity of a given situation; in addition to understanding the core mission functions, it is necessary to understand critical infrastructure elements and their alternatives, infrastructure vulnerabilities, threat postures and remediation options. Operations and tempo can be maintained only when there is an understanding of how responses to cyber threats affect the infrastructure and missions (ongoing and planned). The integration of the mission concept of operations, risk assessment and precise understanding of the infrastructure will provide the best data to decision-makers.
It is not only the effect of threats and vulnerabilities, but the actions of network operations and maintenance that can threaten a mission. Decision makers need precise data about the impact of any remediation action, maintenance action, configuration action or other mission actions that may affect their ability to be successful. This knowledge already exists — extracting it and quantifying impacts can inform critical decision making.
With in-depth situational understanding (real, executable knowledge about the devices, links, services, protocols, timelines and mission flows) decisions can be tested in advance, missions can be planned and modified, and a higher degree of success can be achieved. It is through this process that commanders can gain knowledge of the true nature of their mission infrastructure.
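The questions a commander should be able to answer about a remote device (is it critical to my mission, is there an alternate data route, whom do I call, who controls it, when is maintenance scheduled) can be answered mechanically once the mission dependencies are recorded. The following is an added example, not code from the article or from any program it describes; the devices, missions, routes, contacts and maintenance windows are constructed for illustration.

```python
"""Mission dependency map: assess the mission impact of a device outage (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Device:
    name: str
    controller: str   # who controls the device (constructed)
    contact: str      # whom to call when it fails (constructed)
    maintenance: str  # planned maintenance window (constructed)


@dataclass
class Mission:
    name: str
    # Alternative data routes, each a list of device names. The mission keeps
    # connectivity as long as at least one route has every device up.
    routes: List[List[str]]


# Constructed inventory: a shared regional router in another hemisphere is
# leased from a local provider and sits on every route of two missions.
DEVICES: Dict[str, Device] = {
    "gw-sat-1": Device("gw-sat-1", "Theater comms", "NOC-EU duty officer", "Sun 02:00-04:00Z"),
    "gw-sat-2": Device("gw-sat-2", "Theater comms", "NOC-EU duty officer", "Sun 04:00-06:00Z"),
    "router-eu-7": Device("router-eu-7", "Regional ISP (leased)", "ISP ticket desk", "unknown"),
    "fw-us-1": Device("fw-us-1", "Home-station NOC", "NOC-US duty officer", "Wed 06:00-07:00Z"),
}

MISSIONS: List[Mission] = [
    Mission("Alpha", [["gw-sat-1", "router-eu-7"], ["gw-sat-2", "router-eu-7"]]),
    Mission("Bravo", [["router-eu-7", "fw-us-1"]]),
]


def surviving_routes(mission: Mission, down: Iterable[str]) -> List[List[str]]:
    """Routes of the mission that contain none of the devices in `down`."""
    down = set(down)
    return [r for r in mission.routes if not any(d in down for d in r)]


def impact_of_outage(missions: List[Mission], down: Iterable[str]) -> Dict[str, str]:
    """Map each mission to 'unaffected', 'degraded' (a route lost but an
    alternate remains) or 'critical' (no intact route) for the given outage."""
    down = set(down)
    result = {}
    for m in missions:
        alive = surviving_routes(m, down)
        if len(alive) == len(m.routes):
            result[m.name] = "unaffected"
        elif alive:
            result[m.name] = "degraded"
        else:
            result[m.name] = "critical"
    return result


def single_points_of_failure(missions: List[Mission]) -> Set[str]:
    """Devices whose loss alone leaves at least one mission with no intact route."""
    all_devices = {d for m in missions for r in m.routes for d in r}
    return {d for d in all_devices if "critical" in impact_of_outage(missions, {d}).values()}


def who_to_call(device_name: str) -> str:
    """The operational facts a commander needs about one device."""
    d = DEVICES[device_name]
    return f"{d.name}: controlled by {d.controller}; contact {d.contact}; maintenance {d.maintenance}"


if __name__ == "__main__":
    for spof in sorted(single_points_of_failure(MISSIONS)):
        print("single point of failure ->", who_to_call(spof))
    print("if router-eu-7 goes down:", impact_of_outage(MISSIONS, {"router-eu-7"}))
```

Running the script lists `router-eu-7` and `fw-us-1` as single points of failure and shows that losing the leased regional router takes both missions to `critical`, while losing one satellite gateway only degrades mission Alpha. The same map answers the maintenance question: a planned window on a single-point-of-failure device is a mission event, not a support-desk event.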
Identifying likely attacks and planning for them gives the commander an advantage. Understanding that an attack is heading at the critical mission infrastructure or at noncritical infrastructure elements is important to know — but is not sufficient for informed decision making.
Determining the potential impact of the attack (or the service maintenance outage) in light of the current situational understanding can provide the commander data-driven alternatives. These alternatives should match the mission threat that exists. For example, it does not make sense to shut down all external connectivity if a simple virus is discovered on a nonmission-critical computer. Finding malicious activity that is exfiltrating a large amount of important data from a mission-critical computer, however, certainly provides the justification to sever the “call-home” link. Remediation or maintenance actions should be taken with deliberate foreknowledge of their impacts, and the response should be matched to the mission impact.
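The two cases above (a virus on a noncritical host versus bulk outbound traffic from a mission-critical host) can be turned into a small decision rule that combines the outbound-flow view from the earlier section with the host's mission criticality and returns a response scoped to the finding rather than a gross action. This is an added example, not code from the article or any product it mentions; the flow records, alert, host criticalities, address ranges and the exfiltration threshold are all constructed.

```python
"""Proportionate response from outbound-flow analysis (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Address ranges considered "inside" the mission network (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Bytes sent by one host to one external destination within the observation
# window, above which the traffic is treated as possible exfiltration
# (constructed threshold; real values come from a baseline of the network).
EXFIL_BYTES = 50_000_000

# Host criticality as a mission dependency map would record it (constructed).
CRITICALITY = {"10.0.1.5": "mission-critical", "10.0.9.20": "non-critical"}

# Constructed flow records: (src, dst, dst_port, bytes_out).
FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.0.1.5", "203.0.113.7", 443, 30_000_000),
    ("10.0.1.5", "203.0.113.7", 443, 30_000_000),
    ("10.0.1.5", "203.0.113.7", 443, 30_000_000),
    ("10.0.1.5", "10.0.2.8", 445, 500_000_000),   # internal file copy, not outbound
    ("10.0.9.20", "198.51.100.3", 80, 200_000),
]

# Constructed host-based alerts: (host, kind, detail).
ALERTS = [("10.0.9.20", "virus", "signature match on downloaded file")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_destination(flows) -> Dict[Tuple[str, str], int]:
    """Total bytes per (internal source, external destination).
    Internal-to-internal flows are ignored: they are not outbound."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)


def find_exfil(flows, threshold: int = EXFIL_BYTES) -> List[Tuple[str, str, int]]:
    """(src, dst, total) for every outbound pair at or above the threshold."""
    return [(src, dst, total)
            for (src, dst), total in outbound_by_destination(flows).items()
            if total >= threshold]


def recommend(flows, alerts, criticality: Dict[str, str]) -> List[dict]:
    """Match each finding to a response scoped to the affected host and link."""
    recs = []
    for src, dst, total in find_exfil(flows):
        recs.append({
            "host": src,
            "criticality": criticality.get(src, "unknown"),
            "finding": f"{total} bytes outbound to {dst}",
            "action": "sever call-home link",
            "scope": f"block {src} -> {dst} only; all other connectivity stays up",
        })
    for host, kind, detail in alerts:
        crit = criticality.get(host, "unknown")
        if kind == "virus" and crit == "non-critical":
            action, scope = "isolate host and scan", f"{host} only; mission connectivity untouched"
        elif kind == "virus":
            action, scope = "coordinate cleanup with mission owner", f"{host} stays online under heightened monitoring"
        else:
            action, scope = "investigate", host
        recs.append({"host": host, "criticality": crit,
                     "finding": f"{kind}: {detail}", "action": action, "scope": scope})
    return recs


if __name__ == "__main__":
    for rec in recommend(FLOWS, ALERTS, CRITICALITY):
        print(f"{rec['host']} ({rec['criticality']}): {rec['finding']} -> {rec['action']} [{rec['scope']}]")
```

Note that the 500 MB internal copy never reaches the exfiltration check, while the three 30 MB sessions to one external address sum to 90 MB and trigger it; the recommended block names the single source-destination pair, so the mission keeps every other link. The virus on the noncritical host yields a host-only isolation, never a network-wide disconnect.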
The mission of our fighting forces is changing, so the electronic infrastructure must also change, along with the way we view its defense. Cyber-threat sophistication, intensity and speed are increasing — under this persistent load, a system that senses locally and relies heavily on manpower has fundamental limitations in assuring mission operation at the rate and scale a battlefield commander requires. The local sensing and reaction of traditional cyber defenses must be supplanted by a globally predictive capability — one that determines threats before they cause mission-critical impacts, one that lowers the opportunity for attacks and reduces the impact of attacks.
Mission assurance needs to be elevated to the same status as the war-fighter capabilities. It needs to progress from an IT support service to mainline mission activity — one that fully considers the concept of operations. This progress can be achieved only through close collaboration among the various mission elements. Cyberspace is another new realm opened to our use through technology, and we need to expand our thinking to make sure we protect the assets we connect to the global online community. Without this broader perspective, critical mission elements will remain at risk and be subject to compromise, as evidenced almost daily in the news.