2014-06-13

How Should Signals Training Evolve to Meet the Requirements of the Digitized Battlefield and Post-Modern Society? Part A


This is the first part of a series of writings on Signals troop production, training and continuous performance improvement in a conscript army. This part includes a short introduction to the current situation in Signals training of the Finnish Defence Forces, a discussion of some challenges in Signals unit production and an analysis of the requirements arising from the modern digitized area of Signals operation. Further parts propose remedies and solutions to the challenges introduced here.

Introduction


Military operations have lately been evolving: they are more enabled by information technology, complicated by the complexity of conflicts in the post-modern era, and waged amongst people and information. Military training, on the other hand, is perceived more as a discipline than as creating competence. Military training has to prepare individuals and collectives to enter into harm's way and perform physically and mentally demanding tasks at the highest possible levels of proficiency. Just as commanders in Greece during the Persian wars of 480 – 479 B.C. focused on the team integrity of their phalanxes, the history of war repeatedly tells of devastating losses after soldiers abandon their tasks, break and run under the pressure of combat.

This paper defines one possible strategy for changing the training of military signals officers and soldiers to better meet the demands of post-modern military operations. The main focus of this paper is the training of conscript signal soldiers, but similar concepts may also be utilized in transforming the training of the regular signal corps.


Current Situation in Training of Finnish Signal Corps


Training system

Signals training requirements are analysed from the essential tasks of the fighting system of systems mission. The analysis process systematically identifies what should be performed on the job, what should be instructed and how this instruction should be developed and conducted. These instruction tasks are composed into courses for individuals and collectives and authorized centrally to be followed in all training units, along with practical ways to measure the quality level of troops.

Individual soldiers, station teams and signals units are trained to meet the same standard with similar methods throughout the force. Training proceeds at the pace of the average individual and team, starting from individual skills and building up to fighting system of systems capabilities, usually with linearly increasing complexity as defined in fig. 1.


Figure 1: Systematic training process of Signals skills

The owners of capabilities control the quality of individual and team competence with regular evaluation during field exercises. The results of these quality controls are fed back to training units and their instructors for immediate correction and for rewarding purposes. Further remarks and results are included in lessons identified, and possible larger changes are included in the capability building plans for the following years. This creates a continuously evolving system that improves capabilities both by lean development and with strategic investments.

Conscript and reserve training


Current training of Signals conscripts and reserve units in Finland is outlined in the next figure.


Figure 2: Signals soldiers training as a conscript and in reserve

Within the first eight weeks all conscripts undergo the same basic individual combat skills training to be able to survive on the modern battlefield. The actual signals skills training starts after basic training. Within nine weeks the understanding and skills of the individual signalist, team and squad level are instructed. This includes lectures, formal hands-on training and applied skills training with sub-systems and systems.

The last nine weeks of conscript training are done mainly within the appropriate framework of the fighting system of systems (i.e. in a battalion task force or brigade composition), learning how to co-operate with other arms in the typical terrain and weather conditions of the area of operations. Only the adversary's effect is simulated, since live fire exercises are included in this phase. After this intensive unit training session conscripts are sent to the reserve, where their signal skills, physical ability and understanding will evaporate exponentially unless refreshed by continuation training.

Military training at the battle technique level of Signals has the challenge of integrating crew discipline with automated individual skills in order to quickly capture the situation and state of a complex C4I system of systems. This requires on the one hand extensive theoretical understanding of the systems' interrelations and behaviour in a given environment, and on the other hand tight integrity of one's crew functions together with individual automatic reactions when operating devices in life-threatening situations. This is best achieved when the signals crew faces together, as a team, gradually harder and more challenging situations which they are able to solve together and from which they gain further experience and understanding. This is called progressive drilling within a simulated environment, in order to exercise both automated responses and cognitive control under stress. The process of this progressive training is depicted in figure 3.

A signalist first learns both operating skills, by hands-on training, and the nature of signals phenomena, by theoretical lessons. Then these skills and understanding are utilized in frame and theme exercises to further hone skills and extend understanding of their function as part of a bigger system of systems. After that, individual and team skills are utilized in the more demanding environment of live exercises, where system of systems understanding is extended and the adversary's countermeasures become familiar. At the end of the conscript training session live fire exercises crystallize the importance of co-operation of all links in the fighting chain. Skills and understanding are amalgamated with the real military business driver.


Figure 3: An example of progressive training method of signals soldiers in Finland

Both individual and squad skills should remain at a feasible level for about 15 years in the reserve with only a few days of continuation training, if any. The Signals reserve should be able to restore their skills and understanding within 2 to 14 days of intensive training before being assigned to their first operational tasks.

Currently there is an unsolved problem between scarce field training days, almost non-existent continuation training and the skills needed to operate the fighting system of systems in complex crisis situations. Losing skills and constraints in training are a challenge even to regular armed forces with years to train and several tours in operation.


Training of Commissioned Officers


The education and learning schedule of Signals commissioned officers in Finland is depicted in figure 4.

Figure 4: Signals officers' career from education and learning perspective.

After conscript training signal reserve officers may apply to the Military College for bachelor studies and get a temporary assignment as signals instructors. Three years of bachelor studies give the basic skills and understanding to be an instructor at the signals individual and team skill levels, together with the ability to be a war time commander of a Signals Company and an understanding of the battalion task force fighting system of systems.

After about 3 to 10 years as signals instructors, senior lieutenants and captains may apply to two-year master studies to become qualified as peace time company commanders, to apply tactics and military technology, and to become war time commanders of a Signals Battalion with an understanding of the brigade and above fighting system of systems.

After several years serving in different instructor, leader, analyst, staff officer and commander tasks, a signal officer is appointed to a one-year staff officer course in order to graduate as capable for staff officer duties at the operational level. The best and most suitable officers are selected to continue to the general staff officer course to become potential staff officers, commanders, developers and leaders at higher levels in the defence organization.

Altogether this is 30 years of active service after graduating from bachelor level, with 3-4 years of advanced education, followed by about 10 years in the reserve. It is questionable whether a signals officer is able to update himself enough to manage a changing world, especially when Information and Communications Technology changes in three-year cycles. There is a rising demand for all instructors to renew their technical and tactical skills more often than the current career education supports.

There is also a problem with the current approach to training. Curriculums and courses are defined as “singular, packaged interventions”, as described by Brinkerhoff and Apking (2001). Training is a session that students sit through and afterwards receive a certificate and a new title that grants permission to behave differently. Unfortunately, in units the new skills and understanding are often not supported but replaced by legacy behaviour. Thus the culture of Signals training is not easy to change. The next picture, figure 5, describes these typical errors.

Figure 5: Typical course based training errors that prohibit effective learning

The instruction approach is mechanical. Learning is a matter of effort and repetition. Motivation is by forcing, and correction is the only way to get things right. This ends up with students memorizing for exams and forgetting everything after that. There is no orientation, bigger picture or meaning, since all subjects are reduced to small pieces that should be “learned” by “writing things into memory”.

After describing the current Signals troops and officers training system and analysing their contemporary challenges, this paper moves on to investigate challenges in general troop production and in sustaining skills in the reserve.



Challenges to Signals Unit Production from Educational, Learning and Forgetting perspective



Learning and forgetting


I hear and I forget. I see and I believe. I do and I understand. - Confucius 

These wise words of Confucius may be further extended to “I teach and I apply”. Only after teaching others does one really gain the wisdom behind phenomena and become able to apply general rules in a more innovative way. This is one of the main reasons why reserve officers and under-officers should be used as instructors of their troops.

In sustaining the capability of reserve forces there is the problem of a short conscript training time and a long period of readiness with only brief moments to refresh skills. When one has to learn a motoric skill, there is the need to do repetitions in variable conditions and with consideration, to achieve a skill that can be repeated without focused intention. If the number of repetitions falls short or the learned thing does not make any sense to the conscript, the skill is forgotten quite fast. This is illustrated in figure 5.


Figure 5: An example of human learning and forgetting if the lesson is nonsense or repetitions are not considered

With reserve forces a major mistake is to train conscripts without any sense and with remorseless drill. Such skills or understanding do not last long when out of action in the reserve. If focused attention is lacking during training, if conscripts take the subject as nonsense and disciplinary action, if there is no feedback after repetition or it is only negative, or if the applied phase is lacking totally, there will be no lasting competence sustained during the reserve time. Unfortunately conscript training is vulnerable to changes in instructor resources, training areas, live fire ranges and especially annual defence budgets. Often short term resource constraints produce long term shortages in Signals capabilities.

A problem occurs if there are not enough collaborative sessions within the crew, or no realistic environment and exposure to adversary effects during theme and live exercises. The skills might be there, but understanding of the larger system and the real operational environment is not achieved.

There is a classic method for learning, which means always learning while belonging to an improving society, extending understanding gradually by building on existing understanding, applying the learnt skill in varied environments and reflecting on feedback as a group. This is explained in figure 6.


Figure 6: Using classical education principles to train conscripts and sustain their skills better while resting in reserve

When learning has a social context and new things are explained using already learned issues, forgetting is remarkably slower. Since everything new has to fall into the structure already in the pupil's mind, instruction needs to be cognitively oriented, providing orientation, extension of existing understanding and making new things interesting. It is a major challenge for instructors to provide a learning environment to conscripts in such a way that their competence is sustained through the reserve time. It is different from the training of enlisted soldiers who go directly to operations to utilize their skills.

During the readiness phase in the reserve another problem occurs if the systems technology or the adversary's countermeasures undergo a major change. How to change both the skills and the competence of a crew in reserve and readiness? Behaviour that is deep in the crew's social and the individual's motoric level is hard to get rid of, and needs more time and repetition than when it was learned the first time. This means that all changes in technology should be done in balance with human competence, since every change first lowers the readiness of the reserve force if they are not trained.

There is a challenge in signals education at the tactical level to integrate technical understanding of the system of systems with fighting understanding, and further with understanding of the adversary's possibilities together with understanding of the behaviour of human collectives in combat stress situations. Especially signal officers should be able to analyse situations from all these approaches.

The end state of understanding and skills is perceived through extensive live field exercises or real operations, which are very expensive or mostly out of reach. Here simulation training, gaming and experimental learning have a good opportunity to give strategic advantage over the skills of the adversary's tactical level.


From individual skills to crew behaviour and performance – learner or curriculum centred training


There are military forces that have very specifically defined roles for individual experts in their force, and they are trained following a strict hierarchy. This restriction of not understanding “above one's pay grade” has been questioned when functional experts have met complex situations, for example in the Afghanistan operation. In a complex operation within a non-clear area of operation, general understanding and agility in action have been more successful than keeping strict stove-pipe roles and functions. The increased complexity at the post-modern battle technical level is called intertwined levels of war, i.e. the traditional technical, tactical, operational and strategic levels are mixed together when fighting among people. These dimensions of the challenge are illustrated in the following figure.


Figure 7: An example of dimensions of challenge in training of Signals crews

The high degree of technology in Signals and the extensive interaction with all other arms requires a certain level of individual specialization, but always in the context of the larger human collective and technical system. Thus Signals should maintain the same standard of training over all parts of the fighting system of systems, but enable distributed crews to adapt to unfolding situations. Because Signals is considered to be the glue in the fighting system of systems, its availability and reliability must be at a high level. To habituate crews to hard conditions and the effect of the adversary, Signals training should be executed in as real an environment and against as live an adversary as possible.

Since signals tasks are executed by small crews distributed to the nodes of a large system of systems, their collective training should be a mixture of very intense crew training in tight proximity and virtual collective training with other teams. This creates similar challenges as artillery has when training forward observer teams, signals teams, bearing calculation teams and cannon crews together as a system although geographically separated. Understanding other teams sometimes requires changing roles. This is possible in system frame exercises, where distances between nodes are minimized. This helps to capture the understanding of the interrelationships between different teams and subsystems and to mature the processes within the larger system of systems.

Interaction skills between teams and subsystems are the hardest to achieve over a distributed system of systems without extended exposure to a variety of cases and scenarios. Each team may achieve up to 55 % better capability than any sole person, but with non-functioning relationships may stay as low as 26 % of any single person's capability. Signals collective integrity among team members is most important. Thus signal soldiers should remain members of the same team from the beginning of special training until the end of their readiness period. Since the time for conscript training is short, team integrity should be supported during the time in the reserve.

Learning by listening or by doing - Trial and error


One of the strengths of the classic Roman Army was the ability to maintain fighting readiness all the time, when marching, camping or training. This was achieved by progressive exercise, overweight training weapons and demanding levels of measurement (like a march of about 30 km within 5 hours in full travel gear). In Signals, lectures should be minimized, while hands-on doing and teaching others should be the main methods of learning. This aligns with the human learning behaviour for less interesting or less meaningful content depicted in the next figure.


Figure 8: Average student retention rates by National Training Laboratories, USA 

For learning less meaningful skills, the best retention time for a signals soldier in the reserve is achieved when the skill is practised by doing and under-officers are used as instructors of their teams. The challenge rises when the signalist is required to understand the complex technology structure of the C4ISR system of systems. How to capture this competence without spending hours in a classroom trying to teach basic technology and physical phenomena to soldiers?

To get enough practical cases and solved problems under their belt, Signal soldiers are assigned to field exercises more often than some of their peers in other arms. Unfortunately a large part of this time in the field is spent providing available information and communications services to other troops. Thus repetition rates and variation of conditions tend to remain too low.

Signals competence is mainly measured as on-the-job performance with the whole C4ISR system of systems operating in as real an environment as possible. The costs of measuring are high, because one must use third party judges and field exercises of a battalion task force to get genuine measures. This cost may be lowered by using the troops' own instructors and supervisors as judges, though this may end up with subjective results. There might not be field exercises big enough available, and measurement may be restricted to the performance of single teams without interrelation with other parts of the fighting system. This gives a wrong impression of, and wrong feedback on, the total performance of the C4ISR system of systems for both team members and their instructors.

During field exercises the adversary's countermeasures and overall combat stress are mostly simulated. Pyrotechnics are utilized for simulating the effects of kinetic warheads, practice jamming simulates the adversary's electromagnetic countermeasures and red team attacks simulate cyber-attacks against C4ISR systems. The lack of simulated people often restricts these measures. There is an increasing concern that signal soldiers are not experienced enough to face the adversary's effects and still perform steadily and provide their services in support of other arms.

After defining new requirements for Signals troop production and sustaining skills in the reserve, this paper takes a look at the Signals area of operation.

The Digitized Area of Operation is Challenging the Learning and Training of Signals Skills and Understanding


Military operations in the digitized global area of operations have a wider range of missions, from support to homeland defence agencies through peacekeeping, counter-terrorism and stability operations to high-intensity conflict. Operations are full spectrum, covering offence, defence and stability or civil support operations simultaneously. Missions are almost always executed among people instead of around people, and under the all-seeing eyes of a digitally connected world. Missions include multi-arms effects, the effort of international partners, action synchronized with interagency bodies, and joint awareness and fires. Information and communications technology (ICT) has changed the productivity of post-modern industry and commerce. Now it is transforming military operations. System integration and pervasive information usage are changing combat techniques, tactics and the art of operations. Digitalization is enabling many more stakeholders to try to change the behaviour of people in the area of operation. Thus Signals' own integrity and spirits are as vulnerable as the home front, neutrals, the adversary and global opinion to “entities seeking to influence them through marketing and advertising at one end and coercion and loyalty at the other”, as McKay and Tatham (2011) express it.

Complexity of C4ISR systems and integration in the system of fighting systems


Information and communications technology enables fighting systems to be integrated together to achieve an integrated military force effect not seen thus far. Military forces are now on the brink of the 5th generation fighting system. Weapon platforms are integrated with other subsystems like intelligence systems, logistic systems, sapper systems, air defence systems and C4ISR systems. Of course there are soldiers, vehicles, leaders and their plans, similarly as with the earlier generations of fighting systems. The 5th generation military system provides not only massing of effect by similar fighting platforms like main battle tanks, but exponentially increasing capability by networking together specialized subsystems. The functions of a modern military task force are based on an integrated fighting system in which any sensor that sees a target can hand tracking to the best weapon platform, optimized according to the situation. Machines and men collaborate, sharing information and creating understanding, learning from past experiences and sustaining the asymmetric capability over the opponent. The integrated 5th generation fighting system owes its capability mainly to programming and electronics. The hardware may even be a mixture of products from civilian, governmental and military shelves.

Signals is there in the midst of the system of systems, enabling the force integration by providing information services and maintaining ICT systems. If Signals fails, the whole force will become disintegrated. This requires signalists to team up within their crew to achieve higher performance, crews to cooperate over distributed systems and tackle complex changes in configuration, and Signals awareness and mission command to enable multiple nodes to work together without the latency created by a single hub of control.


Development in information and communications technology


Information in the Afghanistan mission network increases by about 40 Exabytes a month. Currently all military knowledge becomes history within 3 years, but military education fails to fill the gap often enough. Leaders are pressed to learn continuously, because once they cease adopting new things their subordinates will be the first to notice and stop trusting them.

Networked information and communication technology is evolving continuously. COTS hardware and software are normally supported for only 3 years. Countering malevolent software requires daily updates of fingerprint files. COTS software providers publish monthly patches to fix weaknesses in their products. Major integrated circuits (ICs) are not manufactured for longer than 18 months, to keep up with competitors and fulfil Moore's law of doubling the number of transistors in one IC.

With this pace of technical change in ICT systems, one of which is described in the following picture, a signals team should be able to cope during intense operation, when everyone's function relies on the services provided by them.

Figure 9: An example of an ICT cloud structure supporting a multi-arms mission in a National Defence operation.

The capabilities of an integrated force are enabled by military business processes that are pervasive through the whole body of the force and extend over domain borders, reaching all support elements. Systems manage both structured and unstructured information with different data models. Sessions are multi-tiered (n-tier): many sequential functions support one session, from the terminal via communications to the main access proxy, then continuing to the main presentation layer, and being forwarded to the processing level, which retrieves data from multiple sources through the network. Most of the hosts run instances on either virtualized or other middleware layers. The Basic Input/Output System (BIOS) adapts the middleware to the hardware level.

All layers are updated and maintained at a different pace. Hardware may change every three years, and the BIOS once every three years. Middleware is updated for example twice a year, and the operating system is patched every month. The application is updated every two months and changed every three years. When this normal maintenance is frozen during a mission, the risk of being exposed to some high severity vulnerability increases linearly.

Luckily new generations of soldiers are born with the internet and mobile communications, so they are more computer-savvy than older generations, but it still takes more than the industrial way of teaching simple repeatable actions to the motoric memory level. In a digitized environment one has to understand how the system of systems works to be able to define a root cause and isolate it without creating more harm.

Need to learn in operation and in reserve


In Iraq General Stanley McChrystal found that 2-3 person teams of the adversary may become hyper-empowered by connections and digitized information. These networked teams cannot be overtaken in performance by linear and authoritative organizations. While maintaining the operation, the Special Operations Forces led by Gen. McChrystal went through a major transformation. They learnt new operational procedures and new ways to fight against insurgents. They became more flexible in countering improvised threats and changing their modus operandi. In the end the SOF was able to react at the pace of information age countermeasure changes, such as Improvised Explosive Device development, which was about 24 – 36 hours. This is much faster than the tactical surprise of Soviet T-34 tanks during operation Barbarossa.

Since patrol tasks are executed in an intertwined structure of the formerly separated layers of technique, tactics, operations and strategy, mission command is the only way to lead even a patrol. This requires a major change to the rank and specialization based training curriculum. In the United States this is called training to early need. Chris Faris has defined early need as “an examination across the operational and strategic levels of war and control, not just operationally as applied in joint full spectrum conflict, but also in Title 10 force generation, training, management and budgeting aspects, and then appropriately applied based upon career progression pertinent to duties and responsibilities”. The mission is not waiting for soldiers to learn with age and courses; it needs skills and understanding before patrols are given a mission to accomplish. Unit training during operation becomes not only possible thanks to advanced C4ISR, but also required as mission complexity increases and the pace of change accelerates.

As military understanding and ICT systems change within three years, and a soldier in the reserve forgets drilled skills within a couple of years, it is not possible to train reserve forces during the short conscript training period (5-9 months) and then assume that skills and understanding are sustained for longer periods in the reserve. This challenge is solved either by having more frequent continuation exercises or practice for reserve troops, by freezing the technology in the military system of systems and bearing the consequences of obsolete technology, or by training troops for a longer period before sending them to their first mission.

System of systems learning ability


As soldiers are constantly learning from the operation and their adversary, so should their technical systems be as agile in their reprogramming or reconfiguring. Otherwise the tools become constraints on soldiers and are easily abandoned. This requires a new method of maintaining C4ISR systems by signal troops. A reprogrammable or software defined system of systems can be educated to new procedures or understanding during operation, if the Signals maintenance structure enables the following functions:
  • All configurable items (sub-systems) are connected to a delivery system within a reasonable upgrade window. This is to maintain interoperability among sub-systems and to sustain all troops at the same version level.
  • Signals has a change management that is aware of assets, their need for update and the operational situation, to balance requirements for technical change with requirements for operational availability.
  • Signals has test procedures and alpha and beta test environments to verify each iteration in small world conditions and assure its interoperability.
  • Signals has a structured way to develop the capability of the system of systems with small iterations and not only by monolithic update procedures.
If Signals is using a software defined ICT infrastructure and applications, and information management is programmed with semantic web technologies, the integrated fighting system of systems may learn new things within 24 hours. This requires a new level of maintenance skills from Signal troops. Signals should have a “learning management system” both for the technical system and for soldiers and their leaders.
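As an added illustration of the change-management function listed above, combined with the layered update cadence (BIOS, middleware, operating system, application) and the linearly growing exposure of a node whose maintenance is frozen during a mission, the following Python planner is example code written for this page; it is not part of the paper or of any Finnish Defence Forces system. The asset inventory, version names, day numbers and release stages are constructed sample values; the cadence figures come from the text, with two months approximated as 61 days.

```python
"""Toy change-management planner for a distributed Signals system of systems.

Added example, not from the paper. It models three of the listed functions:
a delivery window per layer, a change management that knows assets and the
operational situation, and a gate that rolls out only releases that have
left the alpha/beta test environments. All inventory data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Update cadence per layer in days, from the cadences the text states
# (OS monthly, application every two months, middleware twice a year,
# BIOS every three years). Hardware is replaced, not patched, so omitted.
CADENCE_DAYS: Dict[str, int] = {
    "bios": 3 * 365,
    "middleware": 182,
    "os": 30,
    "application": 61,
}


@dataclass
class Node:
    """One configurable item (sub-system) in the distributed network."""
    name: str
    versions: Dict[str, str]      # layer -> version currently installed
    last_update: Dict[str, int]   # layer -> day number of its last update
    in_mission: bool              # True while it is serving supportees


@dataclass
class Release:
    """A candidate version for one layer and how far it has been verified."""
    layer: str
    version: str
    stage: str                    # "alpha", "beta" or "verified"


def overdue_days(node: Node, today: int) -> Dict[str, int]:
    """Days each layer has run past its cadence (0 while still in window)."""
    return {
        layer: max(0, today - node.last_update[layer] - CADENCE_DAYS[layer])
        for layer in CADENCE_DAYS
    }


def exposure_days(node: Node, today: int) -> int:
    """Sum of overdue days over all layers: the linearly growing exposure
    window of a node whose maintenance has been frozen during a mission."""
    return sum(overdue_days(node, today).values())


def version_drift(nodes: List[Node], layer: str) -> bool:
    """True when the force is not at one version level on this layer,
    i.e. the interoperability condition the first bullet wants to avoid."""
    return len({n.versions[layer] for n in nodes}) > 1


def plan_updates(nodes: List[Node], releases: List[Release], today: int) -> dict:
    """Decide per node and layer what the change management does now.

    schedule -> (node, layer, version) for nodes free to take the update
    deferred -> (node, layer, overdue_days) for nodes held by operations
    blocked  -> layers whose candidate release has not passed beta test
    """
    plan = {"schedule": [], "deferred": [], "blocked": []}
    verified = {r.layer: r.version for r in releases if r.stage == "verified"}
    plan["blocked"] = sorted({r.layer for r in releases if r.layer not in verified})
    for node in nodes:
        late = overdue_days(node, today)
        for layer, target in verified.items():
            if node.versions[layer] == target:
                continue                  # already at the force's level
            if node.in_mission:
                # Availability wins for now; record how far past its window
                # the node is so the operator sees the growing exposure.
                plan["deferred"].append((node.name, layer, late[layer]))
            else:
                plan["schedule"].append((node.name, layer, target))
    return plan


# Constructed sample inventory. Day numbers count from the start of the
# exercise; the hub is mid-mission, the two access nodes are in reserve.
TODAY = 400
NODES = [
    Node("hub-1", {"bios": "b1", "middleware": "m3", "os": "os-12", "application": "app-5"},
         {"bios": 0, "middleware": 300, "os": 320, "application": 330}, in_mission=True),
    Node("access-2", {"bios": "b1", "middleware": "m3", "os": "os-13", "application": "app-6"},
         {"bios": 0, "middleware": 300, "os": 390, "application": 380}, in_mission=False),
    Node("access-3", {"bios": "b1", "middleware": "m3", "os": "os-12", "application": "app-6"},
         {"bios": 0, "middleware": 300, "os": 320, "application": 380}, in_mission=False),
]
RELEASES = [
    Release("os", "os-13", "verified"),
    Release("application", "app-6", "verified"),
    Release("middleware", "m4", "beta"),   # still in beta: must not roll out
]

if __name__ == "__main__":
    for node in NODES:
        print(f"{node.name}: exposure {exposure_days(node, TODAY)} days")
    print(plan_updates(NODES, RELEASES, TODAY))
    print("os drift:", version_drift(NODES, "os"))
```

Running the block shows the hub deferred with 50 overdue days on its operating system, the middleware release held back at the beta gate, and a version drift on the OS layer that persists until the hub leaves the mission.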

Signals area of operation and training from competence approach


Signal troops operate and train in the same area of operation as other military troops. Some of them may be positioned further from the adversary's geographical proximity, but are not able to evade the adversary's kinetic and non-kinetic effects. Besides the normal air-land-sea dimensions, Signals is heavily involved with the electromagnetic and cyber dimensions, together with facing the adversary's non-kinetic effects.

Signals soldiers have to operate in an environment that requires understanding of the following variables, also depicted in figure 10:

Effect of weather
  • Weather conditions affect electromagnetic wave propagation, battery life, antenna construction, the ability to be detected, operational security and the behaviour of integrated circuits and displays.
Effect of vegetation and ground conductivity
  • These effects change electromagnetic wave propagation and antenna construction. Vegetation either provides concealment or enables detection.
Other users of the electromagnetic spectrum
  • Other transceivers of electromagnetic waves cause interference through near-site effective radiated power, modulation errors in phase or frequency, high-powered microwaves, etc.
Propagation of electromagnetic waves through terrain and atmosphere
  • Terrain and atmosphere change the propagation of all forms of waves: direct wave, ground wave, tropospheric scatter wave, ionospheric wave and space-reflected waves.
Behaviour of the C4I system of systems through all layers and nodes
  • A Command, Control, Communications, Computers and Information system consists of multi-layered instances and nodes that interact with each other and with human beings; thus system-of-systems functionality has many interfaces which may not be functioning correctly. 
  • There are also technical functions in many layers, as defined in the ISO OSI layer model. 
Change of site locations, link peers and stakeholders in the network
  • The Signals system of systems itself has to move continuously to evade targeting and kinetic effects by the adversary. 
  • Signals has to move in alignment with supportees to be able to provide the required services at the right time. 
  • Users of Signals services move constantly from one connection point or cell to another, and their requirements for applications and information services change according to situation and role.
Time to change encryption keys, position, to provide information, to provide support, to update, to supply, etc.
  • symmetric encryption keys should be changed, since the time in use increases the probability of losing information to the adversary; 
  • signal operators should know the adversary's satellite and airborne detection schedules to evade detection; 
  • signal operators need to know the emission control phases to turn their transmitters on or off; 
  • signals should know when to provide special information assets to users or when to optimize the availability of their services; 
  • signals should know when to update their applications to balance the probability of an enemy cyber attack against the availability of their C4I systems.
Adversary's capabilities to affect the C4I structure with kinetic measures
  • A signal soldier should understand the probabilities and conditions for the adversary to be able to detect, locate and destroy signals transceivers, stations or vehicles. 
  • He should be able to counter these measures and shelter himself and his equipment if necessary.
Adversary's measures to detect and intercept or jam electromagnetic functions
  • Electromagnetic countermeasures are widely used in the electromagnetic dimension of operation. 
  • The adversary's capabilities, techniques and tactics should be known and understood, as well as one's own capabilities and procedures to counter these countermeasures.
Adversary's measures to intercept and attack in cyber space
  • In the Signals area of operation it is assumed that the adversary is, to some extent, “man-in-the-middle” of the Signals-operated C4I system. 
  • The adversary should also be anticipated to capture nodes, information storage and system management connections to suppress, misuse or capture their content. 
  • The adversary is capable of creating malevolent software, injecting it into C4I systems and exploiting system vulnerabilities to harm or prevent the usage of information, applications or connections. 
  • It is also assumed that the adversary is capable of breaching security domains and launching distributed denial of service (DDoS) attacks.


Figure 10: Some variables in Signals area of operation

After analysing the new requirements that arise from the human being himself, system-of-systems complexity, the Signals area of operation and an advanced adversary, this paper moves on to define solutions to the challenges introduced this far.


2014-06-10

Part B: Host Based Information Security and Security operations in Military Digitized Environment

This is the second part of Host based information security and security operations in military digitized environment, including an example of survivable infrastructure and some ideas for signals training.

3. SURVIVABLE OPERATION CENTRE INFRASTRUCTURE


Surviving under kinetic strike

Asset distribution and transferability are the main means of survivability in an area of operations where missile attacks, special operation forces and information operations are the main means that the opponent might use against ICT infrastructure. Since Command and Control and system management centres are the opponent’s main targets, they should be protected unless seamless dominance in air defence and perimeter defence is sustained. The first principle of survivable architecture is to separate people centres from data centres, since both gain more from specific protection. Staff and their facilities may be fixed, transferable or mobile, but data centres should be sheltered in fixed facilities, since the amount of information is too large to be replicated on demand. Figure 10 depicts a concept for a survivable operation centre structure, where people are divided into several smaller staff elements, which are transferable or mobile and may be distributed or collected according to threat or mission.


Figure 10: Example of survivable operation centre structure

Since information, processing and communications services are separated from staff elements, they can be distributed through the space of operation to create a C4I service network, which might be built according to a private cloud computing architecture. Staff elements can be employed flexibly: collected under one shelter to optimize face-to-face cooperation, ordered to form task-oriented command posts as the situation requires (planning staff, forward command post), or deployed in a distributed way so that no two elements are at the same place at the same time. Transferable staff elements may change place between shifts and further increase their non-detectability.


Staff elements

The staff operates divided into operation centre elements, each of which houses and sustains a crew of five staff officers. They work, for example, in a 20-foot container, which is transferable by sea, air and ground. When collected together, the containers may be stacked one above the other under a single shelter. Unloading a container and preparing it to be operational should not take more than 15 minutes. If decoys are required, it is easy to deploy similar sea containers with some heat and electromagnetic radiation source. The concept is depicted in figure 11.


Figure 11: An example of staff element for distributed and transferable command structure

ICT in the containers may be Commercial-Off-The-Shelf technology, since the end devices do not store any information but only provide a view to the presentation layer. All information and processing services are provided from the C4I cloud; thus an element needs to be online to operate.

For example, one shift of a Security Operation Centre may be in one container at one place while doing its 9-hour shift. The second shift is being transferred to a new location and will be online one hour before the shift change to ensure proper handover. The third shift is at rest in a third place while this is happening and, in the worst case, can restore operational control within half an hour after being awakened.


Sheltering Data centres

A military management system requires data centres, and since the amount of information makes it impossible to carry them with transferable or mobile staffs, they are well sheltered in fixed, distributed sites, with volume relative to the opponent’s power of effect. Together the data centres create a cloud computing structure which allows data and services to flow or transfer between data centres. One shelter for a data centre is depicted in figure 12.


Figure 12: An example of a fixed shelter for distributed data centre

A single data centre should be restricted in cooling and floor space so that the asset at one location does not grow too valuable. The centre is sheltered from a normal kinetic strike, but its availability need only be medium level, since the number of parallel centres provides the required availability. The shelter should also provide electronic protection from both Electromagnetic Pulse (EMP) and High Powered Microwave (HPM) strikes. Nothing valuable should be installed in one centre unless it is replicated elsewhere or is logically transferable within 30 minutes. This requires special logical configuration, but current software-defined cloud computing structures provide high availability much more easily than earlier cluster structures.


Surviving from logical attacks

The logical structure of the ICT infrastructure protects from both physical and logical attacks. A defendable ICT infrastructure is illustrated in figure 13. The network level is divided into two main purposes: the core production network and the access networks. The core network is a more stable but highly connected network with high-performance links between data centres. Around a data centre there should be one or two rings of physical cabling and at least layer 2 rerouting to restore connection after several cable cuts.


Figure 13: Example of survivable ICT infrastructure

The access service provides one layer of routing, roaming and access over several access networks. This is possible by using Mobile IP and IPsec VPNs. Access networks should include fixed, wireless and mobile mediums that are used together to provide versatility and availability. For example, to provide mobile access one may use Wi-Fi access within the camp, larger cell access within the normal patrolling area and SATCOM access in extreme terrain. The military access service provider should strive to keep three alternative access services available to the client to provide the required availability.

Fixed and sheltered data centres are distributed in the area of operation and connected with the core WAN. Together the data centres create a cloud computing infrastructure that allows replication of both data and process instances. There needs to be storage-level distribution of data, database-level replication of data and possibly data-item-level addressing and semantically driven distribution of data. Business logic should be divided across several virtual platforms so that it is possible to create both a presentation domain and a processing domain.

End devices are as thin as possible and, from the end user's point of view, zero-configuration. No major end-user actions should be required when a device roams between different access networks or the user transfers from the fixed network to wireless access. End devices should be configured as terminals, and all processing, storing and communication should be done within the cloud. This restricts the area of vulnerability, reduces the host control needed and supports expendable user devices.

System operators and administrators should be identified with at least 3 separate factors. They should always enter the role management level before being allowed into the actual application level. Their work should be monitored, and the main tasks should follow a process where at least two persons are needed in sequence in order to execute the task.
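As an added illustration (not code from the original post), the following Python model ties together the three rules in the paragraph above: three-factor identification, a role-management level that must be entered before the application level, and two-person sequential approval of main tasks with an audit trail. All names, roles and task names in it are hypothetical.

```python
"""Added example: operator access rules for a military ICT management system.

Rules modelled (all names, roles and task names are hypothetical):
  1. A session counts as strongly authenticated only with three distinct
     factor classes (knowledge, possession, inherence), not three passwords.
  2. A session must assume a role at the role-management level before any
     application-level action is accepted.
  3. A sensitive task executes only after two different operators have
     approved it in sequence; every decision is written to an audit log.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FACTOR_CLASSES: Set[str] = {"knowledge", "possession", "inherence"}

# Role -> application-level tasks the role may approve (constructed table).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "sysadmin": {"patch-core-router"},
    "secops": {"patch-core-router", "rotate-ipsec-keys"},
    "auditor": set(),
}

# Monitoring: every grant and denial lands here (in practice a SIEM feed).
audit_log: List[str] = []


def audit(event: str) -> None:
    audit_log.append(event)


@dataclass
class Session:
    operator: str
    factors: Set[str]          # factor classes presented at login
    role: Optional[str] = None  # None until the role-management level is passed

    def is_strongly_authenticated(self) -> bool:
        return FACTOR_CLASSES <= self.factors


def assume_role(session: Session, role: str) -> bool:
    """Role-management level: the only gate into the application level."""
    if not session.is_strongly_authenticated():
        audit(f"DENY role {role} for {session.operator}: fewer than 3 factor classes")
        return False
    if role not in ROLE_PERMISSIONS:
        audit(f"DENY role {role} for {session.operator}: unknown role")
        return False
    session.role = role
    audit(f"ROLE {session.operator} -> {role}")
    return True


@dataclass
class TwoPersonTask:
    name: str
    approvals: List[str] = field(default_factory=list)
    executed: bool = False

    def approve(self, session: Session) -> bool:
        """Application level: needs an assumed role that permits this task."""
        allowed = ROLE_PERMISSIONS.get(session.role or "", set())
        if self.name not in allowed:
            audit(f"DENY approve {self.name} by {session.operator}: no role or permission")
            return False
        if session.operator in self.approvals:
            audit(f"DENY approve {self.name} by {session.operator}: same person twice")
            return False
        self.approvals.append(session.operator)
        audit(f"APPROVE {self.name} by {session.operator} ({len(self.approvals)}/2)")
        return True

    def execute(self) -> bool:
        """Runs only once two distinct operators have approved in sequence."""
        if len(self.approvals) < 2:
            audit(f"DENY execute {self.name}: {len(self.approvals)} approval(s)")
            return False
        self.executed = True
        audit(f"EXECUTE {self.name} approved by {', '.join(self.approvals)}")
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario; returns each decision so it can be inspected."""
    alice = Session("alice", {"knowledge", "possession", "inherence"})
    bob = Session("bob", {"knowledge", "possession", "inherence"})
    carol = Session("carol", {"knowledge", "possession"})  # only two factors

    task = TwoPersonTask("patch-core-router")
    results: Dict[str, bool] = {}
    results["carol_role"] = assume_role(carol, "sysadmin")  # weak auth: denied
    results["alice_before_role"] = task.approve(alice)      # no role yet: denied
    assume_role(alice, "sysadmin")
    assume_role(bob, "secops")
    results["alice_approve"] = task.approve(alice)          # first approval
    results["alice_twice"] = task.approve(alice)            # same person: denied
    results["exec_one"] = task.execute()                    # one approval: denied
    results["bob_approve"] = task.approve(bob)              # second person
    results["exec_two"] = task.execute()                    # executes
    return results


if __name__ == "__main__":
    print(run_scenario())
    print("\n".join(audit_log))
```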

ICT system management and security management systems should be built to the highest survivability and security level, since they are essential for changes, business continuation and cyber defence and are thus the main targets of the opponent’s attacks.

4. BUILDING REQUIRED COMPETENCE AND SKILLS


Key competence and skills of Signals and C4I organizations

The following picture describes a learning orientation model for Command, Control, Communications, Computers and Information (C4I) skills and understanding.


Figure 14: One orientation model for C4I understanding and skills training

Training of C4I soldiers always starts from the individual. Training utilizes different pedagogical approaches adapted to individual learning styles and personality types. Training has a clear orientation structure that defines WHY the coming skills and competence are needed. Deductive orientation also includes an iterative introduction to features and countermeasures in the C4I area of operation. Training for skills and understanding advances in parallel and progressively, providing possibilities for feedback, revisiting, extending further, digging deeper, room for innovation and mirroring with a mentor.

C4I skills are learned mainly by team training with progressive challenges tailored to each team. Repetition is a discipline as part of a bigger system, but utilization of skills in different situations and environments is the driver for successful execution in a progressively challenging environment. Although the team is the unit of learning, individual support is very important during the first phases of instruction. According to individual maturity, support should lessen as competence, innovation and teamwork improve.

Training of C4I understanding follows Gartwright’s (2008) lines of educating soldiers in how to think rather than what to think. This means introducing a combination of three thinking methods: systems thinking, creative thinking and critical thinking. These thinking tools should be utilized along an individually tailored path of learning towards C4I understanding. This learning path is a spiral with feedback from subordinates, peers and instructors. The spiral is accelerated by windows of opportunity to utilize innovative solutions, and by providing a safe environment for mistakes. Experimentation is the main driver and pedagogical method in training for long-lasting understanding of C4I tasks, systems and area of operation.

Learning C4I skills

C4I training should provide optimal support for learning team skills in a disciplined way, to ensure that the fighting system of systems operates effectively and persistently. C4I skills include:

  • Individual ability to operate and administer C4I devices while sustaining oneself in the area of operation;
  • Team ability to accomplish more together as part of the C4I system when operating in the C4I area of operation;
  • Co-operation ability of teams to provide services in a disciplined way with a complex C4I system of systems in a volatile and harsh environment.


To ensure that individuals and teams can function as part of a bigger entity, mainly in a supporting position, training should be executed to a standard. C4I standards should be defined from operations and exercises where the fighting system of systems is deployed. A mission-essential task list for C4I capabilities should be defined and systematically projected onto the C4I functions of individuals, teams and systems. This adjustment spiral should continuously analyse the level of troops and balance requirements coming from the ever-extending spectrum of operations. The analytical adjustment spiral should provide C4I organizations with the right cognitive framework and tangible measures which have a direct impact on the mission.

As with any other military service or branch, C4I organizations should train as they fight. This means that training is done in the team collective as soon as the individual level is achieved. C4I troops operate the same system of systems but geographically separated. Co-operation in the virtual world created by their C4I system should be introduced early in their training. C4I teams work together with systems and other teams to provide services by following processes, driven by the support needs of other arms and troops. C4I organizations should always train with some service to be provided to a supportee, in order to comprehend their interdependent role and be able to take pride in doing their support job well.

Since C4I organizations face the opponent's effects directly across the full spectrum of the arsenal, their training conditions should include variants of environment, effects of the opponent and changes in their supportees, with demands and problems gradually increased to resemble more closely what real-world C4I areas of operation involve. This demands skilful use of new training support methods like emulation, simulation and extended reality.
C4I teams should be trained to sustain themselves spiritually, technically and functionally in harsh conditions, geographically separated from other troops, often attacked simultaneously by airborne weapons, electromagnetic waves and cyber measures. Spiritual sustenance requires team integrity that is built by close proximity with team members over 4 months of overcoming shared hardship, enjoying shared achievements and sharing real-world time with its joys and sorrows. Technical sustenance requires soldiers to feel responsibility for their systems and to maintain, supply and update them in order to keep services available. This is achieved by delegating the technical ownership of their systems, signal sites and vehicles to each team. Technical sustenance should be measured throughout training and not only during short exercises.

Functional sustenance requires fulfilling the individual and team role in the larger system of systems. This needs habitual and reasoned obedience expressed in a virtual collective like a signals platoon, company or battalion. It also requires the responsibility to fulfil one's role while facing a lethal environment without the capability to counter it in any other way than indirectly, by providing C4I services to other troops. Building this kind of discipline and culture from the inside rather than the outside needs mentoring, historical role models, appreciation and direct rewarding when it appears. When the individual human being is weak in facing the fears of battle, these collective codes of conduct come to support and make soldiers fulfil their duty.

Training should become gradually more demanding, driving towards set standards. A C4I organization may structure its training in incremental sprints that consist of learning phases as follows:

  1. Orientation and basics,
  2. Function as system with repetition,
  3. Function as system of systems.

These sprints should be layered over each other to ensure that mainstream training is based on increasingly familiar things. So each new subject or skill should be introduced via a sprint, but within a coherent orientation framework. There should be different possibilities within a sprint for each type of learning and personality to achieve the most suitable learning path. The main exercise effort should be the application of C4I skills in different situations, facing the effects of different variants of environment and opponent.


Learning Signals understanding

Signals understanding is the leader’s and administrator’s ability to perceive their space of operation, teams and systems, other combat supporters, supportees and the opponent as a huge system where different parts interact with each other and with the environment. It requires C4I soldiers to achieve synthesis when progressing towards understanding of this phenomenon. C4I soldiers should reach the level of insight and foresight needed to innovate and create the best ways to deploy and operate one's C4I system as an interdependent part of the fighting system of systems. Creativity alone is not enough, because of human behavioural weaknesses, but must be balanced with critical thinking and timely decision making. This understanding is needed from team leader level up to the highest C4I system, Chief Information Officer, Signals Commander or Head of J6 levels. Figure 15 tries to capture some features of the Signals area of operation.


Figure 15: Signals and other C4I organization as part of bigger fighting system of systems in confrontation with similar chain of opponent's military force system.

Systems thinking in Signals and C4I means the soldiers' ability to identify their signal system as a structure of technical and human social subsystems that are interrelated with each other while supporting the greater fighting system of systems when confronting the opponent's effects and system of systems. Soldiers should be able to explain the behaviour of and interrelations between the parts of the C4I system and its cause-effect interactions with the environment. Soldiers should be able to explain their C4I system's behaviour and interaction within the fighting system of systems and when affected by the opponent's fighting system. Learning this needs an individually optimized teaching environment, team thinking and reflection. Since interrelationships are costly to experiment with in the real world, new training support methods may provide a major increase in impact on the mission. When teaching systems thinking one should be aware of the following human features:

  • Human beings have a tendency towards self-delusional and wishful thinking while avoiding real-world friction and unpleasant issues.
  • One should focus on the purpose for which a system was created more than only on the processes and procedures of the system.
  • Simple use cases are not enough to achieve insight. One must experiment over time, seeking patterns and feedback loops, to find the rules of the dynamics of a complex system.
  • Thinking should focus on synthesis over analysis – understanding the whole over the parts.
  • Leaders have a tendency to neglect systems thinking when in a hurry, when they are focusing on short-term goals or when their self-perception is too strong.
  • Technically oriented leaders have a tendency to focus only on technical system interrelations, whereas human-oriented leaders might be more focused on social interrelations. Both approaches are needed in understanding the C4I system of systems in its space of operation.

Creative thinking comes into use after capturing synthesis from systems thinking. Many say that creativity is not tolerated in a hierarchical and paternalistic command and control system where constraints, discipline and supervision are typical. This is a severely distorted perception of military leadership in Signals, which follows these guidelines:

  • Approaching a problem always from different scenarios and war gaming their possible outcomes before deciding which course of action should be taken as the best option to succeed in the mission.
  • Including technical specialists and military generalists in the planning process for a better synthesis of the whole situation and of the tactical options for signals.
  • Learning continuously from lessons identified, and especially capturing applicable ideas from those outside the Signals business.
  • Making timely decisions and bearing the responsibility for action in the face of troops, commander, supportees and oneself.
  • Giving orders in the form of missions rather than tasks to give room for subordinates’ creativity, while ensuring that everyone dependent on synchronization is aware of changes.
  • Always thinking from the opponent's point of view and not being unnecessarily predictable in signals or C4I tactics.
  • Understanding that the opponent's commanders are also creative beings and strive for surprise, capturing the initiative and shaking their opponent's system of systems.

Creative thinking for Signals soldiers is best trained by solving a number of live-world problems in a simulated system-of-systems environment in co-operation with live stakeholders. The virtual world should support collaboration between stakeholders, and these war game exercises should include different roles and role games to teach utilizing the diversity of people.

Critical thinking supports both the systems and creative thinking tools in the quest for Signals understanding. Every decision is based on assumptions, either known or unrecognised. These assumptions must be recognised and critically studied while implementing the current decision. Alongside implementing a plan, parallel optional plans should be produced to accelerate the Command and Control process. When the environment or opponent is not behaving in the assumed way, the leader must be able to reconsider earlier decisions and either adjust the ongoing plan or replace it with a more suitable plan. Here leaders should be aware of their natural tendency to have an egocentric memory that forgets information that does not support the adopted intent. Human beings also tend to narrow their thinking point of view with time and stress. As self-esteem improves there appears a tendency to feel superior based on one's own beliefs rather than real-world incidents. In the end, a human decision maker has a tendency not to notice facts or evidence contradicting one's beliefs or values.

Critical thinking skills are best developed in training by:

  • Providing knowledge about critical thinking skills from a multidisciplinary perspective, by providing legends of different tactical decisions and their outcomes,
  • Practicing the recognition of assumptions in the C4I and Signals context and environment,
  • Reflecting on the situation in every debriefing from an egocentric approach, in dialogue with peers or with an instructor who may play the role of “devil’s advocate”.

Together with C4I understanding, leaders should have the ability for timely decision making. Leaders have many shortcomings, but the major faults have been lack of decisiveness or integrity and inability to communicate. A Signals leader should first formulate an intention of how C4I services will support other troops and the fighting system of systems. This intention should be communicated to all service providers within the value chain of Signals as well as to supportees. The Signals intention serves as a guideline for mission command, a reason for the team’s efforts and a promise of service for supported troops. Other fragmentary decisions and orders may follow this initial decision when needed to synchronize C4I system-of-systems operation.

Decision making is trained by making decisions and reflecting on their outcomes. Taylor and Gollwitzer (1995) discovered that even in a temporary state of neuroticism, low sense of control or pessimism, it is better to make any decision and start implementing it. This produces a feeling of confidence and capability, which further improves a human's feeling of decisiveness. A similar approach to timely decision making was utilized in German officer training before WW II.

Decision making exercises should include trial – error – learning loops that enable leaders and soldiers to understand the causality of their decisions and give opportunities to learn from them. A sign of a high-level Signals leader is that he learns from his mistakes, owns his failures and their outcomes, remedies and rectifies unwanted outcomes and puts safeguards in place to prevent their recurrence.

Continuous improvement
Since all Signals and C4I organizations' skills and understanding are relative to the opponent’s capabilities and depend on a changing environment, technology and supportees, there are no fixed goals, but continuous learning of new skills and understanding within C4I organizations. This is achieved by following LEAN principles of continuous improvement and the Capability Maturity Model (CMM) to define the performance of processes throughout organizations.

LEAN development was developed by Taiichi Ohno at Toyota to get rid of muda, ‘waste’ that any human activity has a tendency to build around its functions over time. This waste absorbs resources but creates no value. Lean thinking requires one to define value, stream, flow and pull, and to establish continuous perfection. Value is the reason for existence: it is the information and services Signals produces for other services. Then one has to understand the value stream, which is the set of specific actions required to produce a C4I service. Flow includes all the necessary functions and organization needed to produce C4I services. There is a pull of need coming from the actual end users and supported organizations. Lastly there is continuous perfection, where users pull value as a continuous flow through the whole value stream. Measures should be attached along this model to give direct feedback both to operators and leaders to improve their production, protection and maintenance of C4I services.

With the Capability Maturity Model, Signals and C4I organizations understand how their service provision and management processes mature step by step. Since Signals and other C4I organizations produce value mainly with processes, it is important to understand how the culture of the man-machine-process system matures through the following steps:

  1. “Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.
  2. Repeatable - the process is at least documented in way that repeating the same steps may be attempted.
  3. Defined - the process is defined/confirmed as a standard business process, and decomposed to levels 0, 1 and 2 (the last being Work Instructions).
  4. Managed - the process is quantitatively managed in accordance with agreed-upon metrics.
  5. Optimizing - process management includes deliberate process optimization/improvement.” 

Together with an understanding of process culture maturity and of continuous improvement of value creation, Signals and C4I organizations keep up with the opponent’s countermeasures, the changing environment and demanding clients.

Continuous exercising of BLUE – RED struggle
Since military C4I structures are mainly isolated from the everyday attacks of the Internet, they live in peace behind high perimeter firewalls and air gaps. Within their digital fortifications there are only well-behaving end users and very clandestine opponents. Signals and C4I service production organizations do not get enough practice to improve their skills and understanding. Thus cyber exercises are normal routine in the digital environment. The opponent’s behaviour and deeds are simulated by Red teams that execute advanced attacks, physical destruction and electromagnetic effects. These controlled events provide C4I personnel the stimulus needed to cooperate and learn to perform better in difficult situations.

Since no one can defend successfully alone for long in the digital environment, national exercises should be introduced to improve cooperation between organizations' security operations, national CERT agencies, information service providers, application service providers and communication service providers. These exercises should be executed both as wargaming and as practical domain defence.

National exercises are not enough; C4I crews are to participate also in international exercises where, in cooperation with other nations, experiences are shared, innovative attacks are practised and defensive tactics are improved. Such exercises are, for example:

  • Multinational Experiment (MNE), which is both operations and C4I concept development experimentation to improve international peace and stability operations capabilities. 
  • NATO Coalition Warrior Interoperability exploration, experimentation, examination exercise (CWIX), an annual exercise where multinational C4I systems, processes and competence are exercised as a larger entity, including cyber attack and defence. 
  • USEUCOM/NATO Combined Endeavour (CE), the largest command, control, communications and computers interoperability event in the world. In the event hundreds of C4I professionals conduct a series of operationally-focused interoperability tests to achieve the multinational interoperability required in ongoing and future operations. There is also Cyber Endeavour, which is a professional seminar in tactical-level cyber defence and offence.
  • NATO Cooperative Cyber Defence Centre of Excellence arranges the annual Locked Shields real-time network defence exercise. 


Conclusion

Although the military often has several separate ICT domains that are even separated from each other with an air gap at the network level, there are other avenues of attack: insiders, social networks, electricity, conduction of electromagnetic fields, kinetic effect in the physical dimension, supply of SW or HW, etc. This exposes military ICT structures to the three classical vulnerabilities of fortifications: the enemy is already inside, the enemy beats you by destroying your logistics, or the adversary uses a dimension that is outside the defender's imagination.

When planning and preparing for confrontation in a digitized environment, one should see beyond systems and cyber to the whole digitized global entity, with strong social networks and several other connections that the opponent may use as avenues of attack.

In military operations, cyber is only a part of the whole picture, although one of the newest dimensions in the area of operations. Focusing mainly on the cyber dimension and contemporary crises, one may reach only partial or narrow conclusions.

To be able to defend oneself successfully, one needs to understand the opponent’s strategy, operational possibilities and tactical means. Defence is always defined to protect valuable assets against the most threatening attacks. Otherwise there is a tendency to try to protect everything and end up protecting nothing, since the defence is spread too thinly.

If the threat on the public Internet has evolved from the experimental hacking of the early days to professional criminals trying to steal valuable information, and to states and large organizations seeking advantage, then the military rationale is to wage information operations, prepare for other means of attack, and deliver shock and awe at the very beginning of an operation.

The human being and his trust remain the main target for an opponent planning cost-effective operations. Analysing one's own trust structure exposes the targets most valuable to one's opponent, but also the centre of gravity that should be protected. Planning the attack is also part of planning the defence.

In the military digital environment the method of protecting and securing assets is evolving from building domain perimeter security towards installing a firewall on every host in the domain and monitoring all behaviour between hosts. Successful defence demands quick reaction forces to take down malevolent processes, which means tighter integration between all ICT service provider organizations and their support chains.
As the complexity, velocity and volume of digital domains increase, it becomes harder to detect anomalies. Depth of defence is built by improving intelligence, building multilevel protection and adding depth between the possible avenues of advance and the most valued assets.

Even though big data analysis is improving sense-making, there is a need to be part of a community of other defenders in order to learn more quickly from others' mistakes and experiences. The versatility of attacks is increasing, and it is impossible for any one organization to be proficient at all levels of technology and their possible malevolent exploitation.

Reactive defence does not produce an advantage over the attacker; more proactive measures must be used. These may begin with vulnerability testing and hardening but go further, to designing more defendable ICT system structures. Self-healing functions and software-defined security are also available to modify the digital environment to be friendlier to the defence.

Since command and control of security and ICT operations becomes essential for defence, it also becomes one of the main targets for the opponent. The management system is attacked by cyber, physical, electromagnetic and psychological means. Protection against these should be defined according to a mission- and operating-space-specific analysis.

If one builds defence capabilities mainly on programmed automation executed by machines, that automation itself becomes a vulnerability that the opponent may exploit. There is a need for highly skilled and knowledgeable people, and for processes that integrate people's actions in the defence of the digitalized environment. Like automated machines, 'automated' people are a vulnerability, so the focus should also be on understanding and situation-based behaviour.

It takes a lot of training and exercises to build mature skills and understanding. It also requires letting people confront different situations and different ideas to continuously improve their skills. Defence capability in a digitalized environment is relative to the opponent's capabilities, so the right intelligence and scenario analyses are needed to build protection to a sufficient level.

2014-06-07

Part A: Host Based Information Security and Security Operations in Military Digitized Environment

This is a two-part paper on how to analyse defensive tactics in the Global Digitized Environment. This part A introduces military confrontation in the digitized environment and aspects of improving host based ICT security.

Part B will describe a survivable management system structure and the learning, training and exercising of Security Operations skills and understanding.

Introduction

Despite the high walls of defence (air gaps, cross-domain gateways, domain control and physical access control) at the perimeters of digital structures, militaries face increasing challenges inside their ICT system of systems. The opponent is increasingly breaching the walls and taking effect inside the fortifications via insiders (Manning), sub-providers (Snowden), air-gap-leaping viruses (Russia) and 'watering hole', spear-phishing and phishing attacks on normal users. Militaries are defending their digital fortresses with a more flexible defence, which requires continuous surveillance (monitoring), intelligent detection of incidents, elimination of unrelated events and rapid action to counter detected threats. Magnificent physical fortresses like the Maginot Line or the Atlantic Wall were breached or bypassed in history. Today the military engineers of digital fortresses are building a more flexible defence within their digital walls as well, to gain more time to react and to enable more variation of defence under the modern defence-in-depth concept.

This paper explains current trends in the implementation of host based security within the digital military environment. It also presents means to improve understanding of the interrelationships within the ICT System of systems. Host based information security and flexible cyber defence are studied in the environment of national territorial military defence. The strategic confrontational situation is defined so that the defender may achieve only partial dominance in any dimension of the space of operations. The opponent is assumed to possess the abilities, and to follow the art of operation, typical of 2nd and 3rd generation warfare: industrial mass attrition or manoeuvre forces enabled by a network. Operations of another nature, such as peacekeeping, occupation or expeditionary operations, and their possible 4th generation opponents, should have their own specific analysis.

This study first defines confrontation in the digitized environment in terms of the possible agendas of a cyber offensive, targeting and the vulnerabilities of the defended System of systems. Secondly, it describes the implementation of host based IT security. Thirdly, it presents a survivable structure for both the physical and logical layers of the security operations architecture. Fourthly, it defines the learning and training of human competence and skills needed to keep ahead of a possible opponent.


1. Military Mission in Digital Environment


Military Confrontation

A military mission most often occurs when two or more parties to a confrontation have drifted into conflict. A simple model may be designed to analyse the basic interactions between the parties and their environment, as illustrated in figure 1.


Figure 1: A Simple model for analysing conflict between two military entities in digitized environment

The digitized environment creates one additional dimension alongside the normal military dimensions of land, air, sea and space. It creates complex interconnections between the main opponents, their supporters and neutral parties. It makes the space of operation flat and global while reducing the boundaries between crisis and normal times and between fighting forces and other people. In the digitized environment it is normal to use all possible means and avenues available to affect the opponent. Friendly connected computers can be turned into attacking assets by turning them into remotely controlled robots, i.e. botnets. The opponent may use separate stakeholders such as enthusiasts, pro-movements or hired hackers to cover the real sources of force. Russia used its patriotic movement as a cover when attacking Estonian governmental information assets. The opponent may steal critical personnel and logistics information. They may jump over air gaps and block or alter the situation awareness picture. The opponent may attack critical industries to block critical supplies. They may even do something as simple as sending emails to commanders to lessen trust in technology and reveal the weakness of the military network.

Both parties structure their military force using System of systems enabled capabilities. These capabilities use connections between different nodes to gain better situation awareness, quicker reaction, tailored effect and more sustained operation. At best a System of systems produces an exponentially multiplied military effect, but at worst it may expose the military to exponential or over-connectivity vulnerability.
A military force resembles the society that has provided it. Current 2nd and 3rd generation forces are connected to a large body of non-military support. This logistic chain is essential to sustain the force in operation. It includes information service providers, software developers and technical component providers for military information and communications technology systems. This important value chain might be used by the opponent either to gain access into the military domain or to affect its role.


Issues of Offence

A potential opponent has a wider variety of means within reach in the modern digitised environment than before when facing a military force with a system of systems structure. Different targeting strategies were shown in the U.S. Gulf operation (Warden's targeting strategy) and in Russian operations in Estonia, Georgia and Ukraine. Here is an example of the Russian strategy of effect and operations against a 2nd and 3rd generation force, as depicted in figure 2.


Figure 2: An example of phasing of military operation evolved from Russian origins

Following the Russian strategy there may be three overlapping phases of operation:
1. Projecting soft power and preparing for further measures.
Since using force does not mean waging war, there are many alternatives for projecting power and changing public, governmental and military behaviour before escalation to an armed conflict. The digitised environment provides a number of means and avenues to collect information, analyse structures of trust, create targeting lists, prepare the space of operation and affect individual and collective opinion. This means destroying human trust in governance, public media and other people. In this phase more focused opponents have the luxury of persistence. They may operate with long-term goals, lessening the risk of being detected and maximising effect by capturing valuable information rather than bulk data. The recent sensation over NSA open-source intelligence gathering capabilities is simply proof that all nations are harvesting digital sources. Military Intelligence in Israel has declared that it is under sustained cyber-attack. According to Maj. Gen. Kochavi, cyber means are "the biggest revolution in warfare, more than gunpowder and the air power during the past century". It took the global community about one year to discover STUXNET. One should wonder how many malevolent software based advanced attacks or information gathering operations are currently running that have not been detected. Undetected attacks are the most dangerous in the digitised military environment: there are no fingerprints, signatures or behaviours that can be configured into intrusion detection systems.

2. Achieving strategic or operational surprise.
Electronic shock means that the opponent uses all available avenues and means to achieve strategic surprise by suppressing the adversary's System of systems functions in the early phase of the conflict. Means to achieve this might include anything from a high-burst electromagnetic pulse to triggering planted worms to deny electrical utility services. The United States has done this, but with kinetic means, when operating in the 'Shock and Awe' style to gain rapid dominance. The main aim of this style of operation is to deny all network enabled capabilities and force multipliers and to destroy both the cohesion of forces and their systems. The centre of gravity of this offensive is the human's trust in his systems and information. This happened when thousands of Iraqi commanders painfully learnt that their "closed-loop" private network was compromised. They received emails through the internal system from US Central Command demanding that they leave their tanks and armoured vehicles in formation and abandon them.

3. Destroying forces and their base.
Conventional tactics use kinetic means to destroy both the opponent's force and its base of support in order to gain dominance, for example at the political level. This phase includes isolating the physical area of operation from the global network and focusing effect on public opinion and behaviour. Kinetic effect means that missiles, special operations forces and the land component are used to destroy key targets. The main aim is to suppress the opponent's control over his forces and to destroy enough assets that the force is shattered into dysfunctional components. Electronic warfare is used widely at the tactical level during this phase.
The opponent uses means that are available in terms of time and politics, can penetrate the defence and are effective on the target. In the digitised environment these means include electromagnetic, cyber, physical, insider, man-in-the-middle and psychological tools. A rational opponent prepares his space of operation and tries to detect vulnerabilities in the opposite side's System of systems. These preparations provide fast delivery of force and gain the initiative by surprise, which is a main goal in any military operation.

Targeting

A rational opponent analyses the System of systems of a possible adversary with operational and system analysis tools. The opponent seeks vulnerable relationships in the interrelated structure, such as trust between humans, information exchange, complex processing and the physical buildings of key resources. This is illustrated in figure 3.


Figure 3: Interrelated System of systems as a target structure

Individual key people, human-to-human relationships and human trust in technology are the weakest links in an information intensive System of systems structure. These links are the opponent's main targets.
1. Individual key people have the following weaknesses that might be exploited by the opponent:

  • A human being is egocentric in his thinking. People forget information or avoid noticing facts that do not support the adopted line of thinking or that contradict profound beliefs and values. The most famous example of this was the landing in Normandy, when the German leadership was prone to expect a landing at Calais and thus kept its reserve forces in place too long to be effective.
  • People also have a tendency to choose the path of least resistance. An information seeking individual uses the most convenient search method, and the information seeking behaviour stops as soon as minimally acceptable results are found. People also tend to bypass any security control if that is the least-effort way.

2. Trust between people is also a fruitful target.

  • It is hard to build trust between people who do not know one another and are not working in close proximity. A haphazardly organised task force or a multinational, multi-agency coalition has major challenges in aligning to one vision and cooperating with units it is not familiar with. This has been a major obstacle in the NATO effort to reach a Comprehensive Approach in the ISAF operation.
  • Trust is lost easily under stress and is impossible to rebuild in a short time. Only shared awareness, persistence in practice and overcoming difficulties in exercises can prepare people and their relations for these kinds of challenges. Overemphasized unity of command will be one of the first targets the opponent tries to break up.

3. Information is processed, stored and exchanged in digital format.

  • Information systems are so complex today that it is difficult for an individual or a single control to define which actions are normal (i.e. belong to the whitelist) and which are anomalies. The military information structure is volatile in times of crisis. Special measures are needed to distinguish between friendly and hostile.
  • Planted data gatherers may be passive and give only weak signs when they send captured information to their masters. Worms may change the content of databases so incrementally that it does not show in daily queries or periodic reports; only systematic comparison will reveal the changes. The ability to run correlations through masses of information on the one hand, and the high velocity of information on the other, are problems for military security operations.

4. Synchronised processing and presentation functions are special targets.

  • Conventional multisensor tracking is suppressed by disabling synchronisation at the data link layer.
  • Manipulating network timing will destroy the integrity of inputs and prevent monitoring based on time series analyses.
  • Changing the thickness of processor circuitry will degrade the quality of the pseudo-random generator, thus weakening encryption algorithms.
  • Injecting backdoors into a whole fleet of network switches makes it possible to take down the entire transport layer with one trigger signal that gets through the perimeter defence. Only thorough testing of all installed devices and strategic distribution of sourcing will minimize these risks.

The most conventional way to disintegrate a System of systems is to destroy it physically. This can be done using kinetic, explosive and non-kinetic warheads. A bullet through a cable or antenna connection will cut transmission. One ordinary ballistic missile hit within 500 metres (CEP 500 m and an 800 kg warhead) of unhardened communications facilities will destroy commercial off-the-shelf (COTS) devices. A high-powered electromagnetic pulse generated within a couple of hundred metres of an unshielded data centre will destroy all integrated circuits. A special operations troop may breach and destroy one target per day and keep up this pace for two weeks behind enemy lines. Taking down general electricity or water distribution may disable the whole digital infrastructure once normal backup services run out.

The topology of a networked system is one of the main focuses when analysing vulnerabilities. The aim is not to destroy all detected targets but those whose loss gives the best disintegration, as depicted in figure 4.


Figure 4: Topology as target

The rational opponent does not take down targets as they appear in his sights but aims for more valuable ones. For infantry these valued targets are leaders, antennas, engines, heavy weapon platforms, etc. The opponent tries to disintegrate the networked System of systems into pieces that are no longer functional separately. One may think that 10 distribution nodes with relatively good connectivity are enough to sustain services. If the opponent understands the system structure, has means of effect available and can deliver them to the targets, only four hits are needed to break the example network apart and most probably prevent service provision. The target list is even smaller if the opponent can determine the sensitive parts of the ICT structure, such as the synchronization hub, network management hub, network operations centres, access directories, home directories, database replication masters or master key managers. The centre of gravity in a network is not the number of nodes but the centralised intelligence, logic and control of the system.
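The defender's side of this topology analysis, as an added example that is not part of the original paper: on a constructed ten-node network it finds the nodes whose loss alone splits the network (cut vertices), measures how much of the network a given loss cuts off from the core, and checks that two added redundant links remove the single points of failure. Node names, links and the choice of "noc" as the core are assumptions made for the example.

```python
"""Topology resilience check on a constructed ten-node military network.

Added example, not from the original paper. The node names and links are
constructed; the functions show how a defender can find the nodes whose loss
splits the network and verify that added redundancy removes them.
"""
from collections import deque

# Constructed network as undirected adjacency sets. Two relays connect field
# sites to a NOC; a data centre and a synchronization hub hang off the HQ node.
NETWORK = {
    "hq":     {"noc", "dc"},
    "noc":    {"hq", "relay1", "relay2"},
    "relay1": {"noc", "site-a", "site-b"},
    "relay2": {"noc", "site-c", "site-d"},
    "dc":     {"hq", "sync"},
    "sync":   {"dc"},
    "site-a": {"relay1", "site-b"},
    "site-b": {"relay1", "site-a"},
    "site-c": {"relay2"},
    "site-d": {"relay2"},
}


def components_after_loss(graph, lost=frozenset()):
    """Connected components that remain once the nodes in `lost` are gone."""
    remaining = {n: {m for m in nbrs if m not in lost}
                 for n, nbrs in graph.items() if n not in lost}
    seen, comps = set(), []
    for start in remaining:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:                      # breadth-first sweep of one component
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(remaining[n] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    # Largest component first so the "main body" of the network is comps[0].
    return sorted(comps, key=lambda c: (-len(c), sorted(c)))


def critical_nodes(graph):
    """Nodes whose loss alone increases the number of components (cut vertices)."""
    base = len(components_after_loss(graph))
    return {n for n in graph if len(components_after_loss(graph, {n})) > base}


def with_links(graph, links):
    """Copy of the graph with extra undirected links added (redundancy planning)."""
    g = {n: set(nbrs) for n, nbrs in graph.items()}
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g


def served_fraction(graph, lost, core="noc"):
    """Share of surviving nodes still connected to the core service node."""
    for comp in components_after_loss(graph, lost):
        if core in comp:
            return len(comp) / (len(graph) - len(lost))
    return 0.0                            # the core itself was lost


if __name__ == "__main__":
    print("critical now:", sorted(critical_nodes(NETWORK)))
    hardened = with_links(NETWORK, [("relay1", "relay2"), ("sync", "relay2")])
    print("critical after redundancy:", sorted(critical_nodes(hardened)))
    print("served after losing dc:", round(served_fraction(NETWORK, {"dc"}), 2))
```

Nodes that remain critical after the added links (the two relays) are exactly the ones the analysis says still need a second path.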

A Sense of the Enemy

Empathy is intellectual identification, i.e. the ability to think like another human being. Sun Tzu said that if you know yourself but not the enemy, for every victory gained you will also suffer a defeat. How does a military gain knowledge of its potential opponents in the digital environment?

The main task of Military Intelligence is to gather information on the opponent's resources, weapons, training, procedures, troop morale and leaders' behaviour. Intelligence also gathers information on how the opponent operates its forces in real situations. All this information is fused, analysed and used to build a model of the opponent's most probable behaviour in operation. This model is used as the basis for all enemy assessment, a skeleton for their force structure and a basis for anticipating their next move. This legacy military intelligence process tries to define the opponent's most probable future 'modi operandi' by collecting a large quantity of information on past actions and then projecting it onto the situation at hand. In the physical world the major enablers or constraints are troop skills, level of gear, fighting spirit and the culture of the leaders. Thus a force cannot execute an operation that is beyond its unified competence, strength of command and control, and culture.

This is not necessarily the case when the opponent operates in the digitized environment. Troops are rather small teams that can learn more quickly and change their methods faster than massed forces. There is no direct fear of death involved, so troop unity is not important. Even a low level of organizational culture can produce major effects if there are competent and motivated individuals within the teams. Cyber attack weapons are only as good as their users are skilled at building them, so there is a race to harness the most capable and motivated individuals to defend national cyber structures. Only simple spamming, virus production or Distributed Denial of Service (DDoS) attacks require no long experience or advanced skills.

One way to understand and possibly anticipate the opponent is to assume all the possible actions he may be able to execute in the area of operation. Knowing how to attack is the knowledge base for defensive operations. Thus two-sided exercises (BLUE vs RED) in real or near-real structures are imperative. Rotation of personnel between RED and BLUE crews should also be systematic. The other way is to shape the area of operations and design it so that the opponent has only limited courses of action to choose from. One has to create digital pits, honeypots and obstacles to capture the attacker's behavioural pattern. After pattern recognition one has to seek pattern breaks that might tell of the attacker's weaknesses, intentions or base of force. Exploiting these gives the defender an advantage or an asymmetric position in the confrontation.
A generic list of cyber-attack examples in the military digitized environment is presented in Annex 1.

2. TRUST BASED ON MONITORING AND REACTION CAPABILITIES FOR MILITARY ICT SECURITY


Concept of host based security

Military security architecture has been evolving from physical site based structure to domain based, and from there to host based security. Since the number of interconnected domains became too large, trust relations too long and the size of single domains reached tens of thousands of users, it became evident that perimeter based IT security fortifications were not sufficient. Something had to be done behind the high walls of the domain perimeters to control security and react when malevolent incidents were detected. This is reminiscent of basic military tactics: survey the larger space of operation and react with tactically positioned rapid reaction forces to counter any detected insurgency.

Host Based Security System (HBSS) was created at US DISA, originally with McAfee and BAE Systems, who were given the contract to implement the first monitoring agents on all hosts in the network. Hosts that either process or store data are provided with a firewall and application level blocking. After creating these mini-fortifications on each host, DISA went on to install a set of agents, or equivalent functions, on hosts and communication nodes to monitor events and produce the required surveillance data, which is forwarded to the Security Operations Centre (SOC). The SOC has control over IT Operations change management and configuration management and can quickly change the system configuration when malicious behaviour is detected in the information environment, as illustrated in figure 5.


Figure 5: An example of the Host Based Security concept

As in the physical space of operation, this creates a continuous competition of measure, countermeasure and counter-countermeasure. This symmetric confrontation is not an end state for military operational art; asymmetry is required.

Detection of anomalies

The first basic principle was to define a 'red list' of known malevolent events, which was configured into detectors to give an alert when detected. Later the number of possible anomalies became too big to follow, and a 'whitelist' was created to baseline the authorized events in hosts and networks. Everything deviating from the whitelist was categorized as a security incident. Then the opponent became more professional and had time to be more persistent (Advanced Persistent Threats, APT). Detecting anomalies was done by comparing existing events either to the baseline of authorized behaviour or to vectors of known malevolent attacks. This required capturing more events (Full Packet Capture) and storing them for longer periods (Big Data). Then the complex task of correlating different events with time series, graphical presentation or statistical analysis methods was executed. Actual sense-making requires highly skilled, motivated and experienced individuals, who are expensive to train (min. 5 years) and hard to keep (given the current hype in the cyber defence market) within military forces. Collecting data for longer periods created a big data problem, which is being solved by virtualized information management and by utilizing, for example, the HADOOP data-set processing structure. Some examples of setting thresholds are illustrated in figure 6.


Figure 6: Examples of setting threshold to detect different attack vectors

One may define a normal baseline and set detection of anything outside this content, protocol, size, time or user behaviour. One may also assess vulnerabilities after patching and set a threshold to detect anything that tries to exploit the remaining vulnerabilities. One may define normal behaviour between clients, the network, the application server and the database server, and set a threshold to detect any anomaly outside this behaviour. A continuous tuning cycle was created: a new threat was introduced, a secure design was found by testing, configuration changes to the ICT structure were implemented and detection thresholds were reset. This struggle is becoming less and less effective for the defender, since in the first quarter of 2014 alone a record high of 15 million new malware samples was created. More than 160 000 new malicious specimens per day (trojans, worms, viruses and adware) will overwhelm any security organization if detection is based on analysed fingerprints of each version.
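The three detection styles described above (red list, whitelist baseline and a volume threshold) run over a few constructed host agent events, as an added example that is not from the original paper or from HBSS itself. The event line format, host and process names, the red list, the whitelist contents and the threshold values are all assumptions made for the example.

```python
"""Red list, whitelist baseline and volume threshold detection over host events.

Added example, not from the original paper. The event format, host and
process names, the red list, the whitelist and the thresholds are all
constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed host agent events: "<ISO timestamp> <host> <process> <port> <action>"
SAMPLE_EVENTS = """\
2014-06-07T10:00:01 ws-17 outlook.exe 443 connect
2014-06-07T10:00:05 ws-17 outlook.exe 443 connect
2014-06-07T10:00:09 ws-17 winword.exe 445 connect
2014-06-07T10:00:12 srv-db sqlservr.exe 1433 listen
2014-06-07T10:00:20 ws-17 powershell.exe 8080 connect
2014-06-07T10:00:21 ws-17 powershell.exe 8081 connect
2014-06-07T10:00:30 ws-42 evil_dropper.exe 8443 connect
2014-06-07T10:02:00 ws-42 outlook.exe 443 connect
"""

# Red list: known malevolent indicators (constructed). In practice these come
# from shared sources such as the CERT and STIX/TAXII feeds the paper mentions.
RED_LIST_PROCESSES = {"evil_dropper.exe"}

# Whitelist baseline: authorized (host, process, port) combinations (constructed).
WHITELIST = {
    ("ws-17", "outlook.exe", 443),
    ("ws-42", "outlook.exe", 443),
    ("srv-db", "sqlservr.exe", 1433),
}

# Volume threshold: more than this many connects from one host inside WINDOW.
CONNECT_THRESHOLD = 3
WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Split one event line into a dict; raises ValueError on a malformed line."""
    ts, host, proc, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "port": int(port), "action": action}


def detect(text, whitelist=WHITELIST, red_list=RED_LIST_PROCESSES,
           threshold=CONNECT_THRESHOLD, window=WINDOW):
    """Return a list of (kind, detail) alerts for the three detection styles."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    alerts = []

    # 1. Red list: an exact match on a known-bad indicator.
    for e in events:
        if e["proc"] in red_list:
            alerts.append(("redlist", f"{e['host']} ran {e['proc']}"))

    # 2. Whitelist: anything outside the authorized baseline is an incident.
    for e in events:
        if (e["host"], e["proc"], e["port"]) not in whitelist:
            alerts.append(("whitelist",
                           f"{e['host']} {e['proc']} port {e['port']} not in baseline"))

    # 3. Threshold: sliding time window over connect events, one alert per host.
    by_host = defaultdict(list)
    for e in events:
        if e["action"] == "connect":
            by_host[e["host"]].append(e["ts"])
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1               # slide the window forward
            if end - start + 1 > threshold:
                alerts.append(("threshold",
                               f"{host}: {end - start + 1} connects within {window.seconds}s"))
                break
    return alerts


def summarize(alerts):
    """Count alerts by kind, which is what a SOC console would display first."""
    return Counter(kind for kind, _ in alerts)


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:10s} {detail}")
```

Note that the red-listed process also trips the whitelist, which is the ordinary case: the red list names what is known, the whitelist catches the unknown as well.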

To meet this velocity and versatility of threat in the digital environment, defenders have initiated the following measures:

  • Ecosystems have been created around detecting malevolent software threats; both private and public laboratories share information on fingerprints of malware and signatures of attackers.
  • National CERTs and Cyber Defence Centres have created networks to share information on vulnerabilities, attacks and malevolent tools. The European Network and Information Security Agency (ENISA) has brought the European Union's national CERTs together to share technical information.
  • Some taxonomy work is ongoing between governments and the cyber defence industry to help structure and share information. The U.S. Department of Homeland Security sponsored Structured Threat Information eXpression (STIX) and its exchange format TAXII, which are widely developed and used. ITU-T is promoting its CYBEX standardization work. IETF has two standards, IODEF and RID, to support the exchange of information.
  • With collected big data one may improve analyses and gain the ability to detect more advanced and persistent attack vectors, behavioural anomalies of possible insiders, etc.
  • With strategic system management a military organization may achieve a multilayer approach to malware detection. Desktop based detection is done with one product, based for example on fingerprints. Server based detection is done with a second product, also based on fingerprints but created independently of the first vendor. Gateway level protection is done with a third product, which might use more heuristic detection. Heuristics may be based, for example, on run-time sandboxing, file and function analysis or virus DNA detection.



Reaction measures

When an anomaly is detected, an alert is forwarded to the SOC, which creates a security incident and starts executing countermeasures. Countermeasures include several configuration changes in IT Operations, so process integration between security and Information Technology Service Management (ITSM) is imperative for speed of reaction. Within a military Network Operations Centre it is an advantage if the security, communications and IT service operation processes are as integrated as possible, to ensure better awareness, quick reaction and integrity of information across all administrators. Thus it is normal to have only one incident management process for all incidents, to get the widest awareness and the quickest reaction for each incident. Change management is also integrated between ITSM and security operations, since any change in the ICT structure might also require a change in thresholds and whitelists. Service support (HelpDesk) is used to inform users of the effects of an incident and to further recovery with backup services. Figure 7 depicts this process integration. The reactive approach is integrated further, for example by Booz and Co, who call their integration the Dynamic Defence Approach to Cybersecurity.


Figure 7: Example of Security and ITSM processes integration in military NOC

Proactive measures

Since reactive defence is always weaker than attack, a proactive arm was created. Security engineers use a sandbox environment (referred to as REFNET in figure 7) to maintain a small copy of the operational ICT system. Within this reference environment engineers test the vulnerabilities of each ICT component, subsystem and the System of systems. Testing includes scanning for known vulnerabilities, penetration testing with a variety of tools, fuzz testing to find unknown zero-day vulnerabilities, and red team attacks against the whole System of systems with a variety of attack vectors.

ICT components are patched and hardened before they are delivered to the operational environment (MILNET) through the IT Operations change, configuration and release management processes (see figure 7). This ongoing process keeps the operational ICT up to date and as sustainable as possible. In ICT systems there are always known vulnerabilities that cannot be remedied. To compensate for these, special thresholds can be installed around the most vulnerable components to detect any attempt at exploitation, as explained in figure 6.

Normally this proactive arm is integrated with risk management or, presently, with the Governance, Risk management and Compliance (GRC) processes. In a military environment these processes are amalgamated with the operations security processes of the 3 branch, the military intelligence processes of the 2 branch and the C5I processes of the 6 branch, for example in the US DoD structure. These processes may provide orientation to tactical SOC and NOC processes, such as:

  • value of assets to the current mission, from OPSEC,
  • information requirements, from MI,
  • service protection requirements, from C4ISR, and
  • Information Operations tasks, from Cyber.



Intelligence in Cyber space

To avoid the syndrome of island defence and to extend information gathering to a wider area of interest, even an isolated intranet defence needs to be connected to the global world of the Internet. The Internet can host 'honey pots', which lure a possible adversary's reconnaissance actions and exploitation attempts. Honey pots are used to capture first-hand attack vectors and malevolent behavioural features, as depicted in figure 8.


Figure 8: An example of Security Operations Centre information management within Host Based Security

There is also a need to be connected with the larger community of cyber experts who continuously monitor malevolent behaviour in networks, to collaborate with them and to make better sense of incidents in networks. This is basic intelligence gathering from the surrounding environment. There are a number of communities that provide vulnerability information (like CERT or NSA organizations), event data (like McAfee recent threats), attack profiles, vectors and signatures (like CyberISE) and information on the attackers themselves (like the SLIC threat feed, Arbor Networks and VeriSign iDefense). There are also major laboratories and SOC service companies that provide restricted services (like Lockheed Martin, BAE Systems, Thales, Northrop Grumman, IBM, HP, RSA, Nokia and Ericsson). This information is analysed, modelled and transferred into scripts for the anomaly detection agents in the operational environment. Security Information and Event Management (SIEM) gathers all alerts and events from detection agents and logs, correlates them in near real time and presents a picture of possible malevolent events within the IT Operations environment. This is a typical multisensor information fusion based military surveillance function. Typical challenges are: what is normal and what is abnormal; are analysts able to detect all malevolent incidents from the mass of anomaly events; what if the opponent can model the fusion method and bypass it; what if the opponent attacks the monitoring system itself; and how to normalize data from different sensors so as to detect the same target?

There are several ways to improve detection probability and minimize the effects of overload. So-called Business Intelligence and Big Data methods enable correlation of information received from different sources.

  • One can combine both structured and unstructured data extracted from machine-level transactions (like IP packets), actual content (like e-mail text), context information (like time, role, place), session information (relations between instances) and process information (relations between functions). After combining and normalizing, one should correlate the data, first to understand what is normal and then to be able to detect abnormality. This requires complex data management to correlate data from relational databases, NoSQL data stores, distributed Hadoop structures and HTML pages, even in near-real time.
  • After the data has been retrieved comes the most vulnerable phase: data reduction, normalizing and classifying. This creates the basis for analyses and is also the very information an opponent might use against the defence if allowed access to it.
  • Big Data can be analysed with simple graphical tools at the presentation layer that show the distribution of events across several dimensions, the amount of events relative to other categories, hits per time unit, tangents, integrals, curve fits and interpolations.
  • Statistical analysis can be done, for example, over two sets of samples: behavioural data from the past and from the present. Comparing these datasets makes it possible to detect change, and that change can be classified either as an anomaly or as an evolutionary change of normal behaviour.
  • Modelling uses some logical language to describe the behaviour of a defended system or an offensive system. A model enables playing or simulating different scenarios while changing variables. If the model differs from the real world, it becomes the master instead of the slave, as has happened with financial models. Several different algorithms and methods can be used to model a phenomenon.
  • Predictive analysis is based on the assumption that one observed behaviour is similar to another. Algorithms like recommenders, classifiers and clusterers try to predict the future based on probability.
  • Clustering, like the k-means algorithm, takes a large set of data, arranges it with different clustering techniques and shows visual similarities. A more advanced way is to use several dimensions in the cluster model, like BearingPoint's HyperCube.
  • A classifier like the k-nearest neighbour algorithm assigns a class to an object whose class is unknown. It is imperative to choose k tailored to each environment of retrieved data.
  • A recommender algorithm measures distances between two data items and recommends based on vicinity. Data objects that are closest to one another tend to have the same preferences.
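Two of the methods listed above, the past-versus-present statistical comparison and the k-nearest neighbour classifier, are small enough to show end to end. The following is an added example with constructed data, not code from the paper or from any product it names. Each host's past outbound volume defines its own baseline, present samples are scored against that baseline, and a k-NN classifier over scaled feature vectors shows why the choice of k must be tailored: with k equal to the size of the training set, the most common class wins regardless of the sample. Host names, volumes, feature vectors and labels are all constructed.

```python
"""Past-vs-present baseline comparison and a small k-nearest-neighbour (k-NN)
classifier over per-host feature vectors. Added example with constructed data;
it is not code from the paper or from any product the paper names."""
from collections import Counter
from math import sqrt
from statistics import mean, pstdev

# Constructed per-host, per-hour outbound volumes (kB). PAST is the learning
# period that defines "normal" for each host; PRESENT is the period examined.
PAST = {
    "ws-01": [120, 130, 110, 125, 118, 122, 128, 115],
    "ws-02": [300, 310, 290, 305, 295, 312, 288, 301],
    "srv-db": [50, 55, 48, 52, 51, 49, 53, 50],
}
PRESENT = {
    "ws-01": [121, 119, 127, 124],
    "ws-02": [298, 5200, 305, 4900],   # two hours far above this host's own past
    "srv-db": [50, 54, 49, 52],
}


def baseline(past):
    """Per-host mean and population standard deviation of the past period."""
    return {host: (mean(v), pstdev(v)) for host, v in past.items()}


def zscore_anomalies(past, present, threshold=3.0):
    """Return (host, index, z) for present samples more than `threshold`
    standard deviations from that host's own past mean. Each host carries
    its own notion of normal; a database server is not compared with a
    workstation."""
    base = baseline(past)
    hits = []
    for host, values in present.items():
        mu, sigma = base[host]
        sigma = sigma or 1.0          # a perfectly flat baseline would divide by zero
        for i, v in enumerate(values):
            z = (v - mu) / sigma
            if abs(z) > threshold:
                hits.append((host, i, round(z, 1)))
    return hits


# Constructed labelled feature vectors (outbound kB/h, distinct destinations,
# failed logins per hour) with labels from earlier investigations.
LABELLED = [
    ((120, 5, 0), "normal"), ((300, 8, 1), "normal"), ((50, 2, 0), "normal"),
    ((5200, 40, 0), "exfil"), ((4900, 35, 1), "exfil"),
    ((130, 6, 45), "bruteforce"), ((110, 4, 60), "bruteforce"),
]


def scale_factors(labelled):
    """Per-feature maxima, so that a large-valued feature (bytes) does not
    drown the small-valued ones (logins) in the distance metric."""
    dims = len(labelled[0][0])
    return [max(abs(p[d]) for p, _ in labelled) or 1.0 for d in range(dims)]


def knn(sample, labelled, k):
    """Majority label among the k nearest labelled points (scaled Euclidean).
    The choice of k decides the result: too large a k lets the most common
    class outvote every neighbourhood."""
    factors = scale_factors(labelled)

    def dist(point):
        return sqrt(sum(((a - b) / f) ** 2 for a, b, f in zip(point, sample, factors)))

    ranked = sorted(labelled, key=lambda item: dist(item[0]))
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]


if __name__ == "__main__":
    print("anomalies:", zscore_anomalies(PAST, PRESENT))
    for k in (1, 3, 7):
        print("k=%d -> %s" % (k, knn((125, 5, 50), LABELLED, k)))
```

The workstation with two hours of 5 MB/h traffic is flagged only because its own past was 300 kB/h; the same volume from a server with a higher baseline would not be. For the classifier, a sample with 50 failed logins per hour is classed as brute force with k of 1 or 3 but as normal with k of 7, which is the paper's point about tailoring k to the data.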

As attacks become more advanced and persistent, these analysis methods can be used to capture unknown attack profiles or to detect faint signs of possible scenarios.

As the number of hosts increases, their interrelated behaviour evolves faster, the amount of transmitted information grows or attackers' skills improve, host-based surveillance will produce more and more data. It will become more challenging to pick out malevolent events from this big data. This requires very skilled analysts who are committed to improving their skills indefinitely. There is a risk that the attacker remains the stronger party in this confrontation, because time and tools are on his side. The protected system and its surveillance should provide more time to detect and react. To counter this, the basic military concept of defence in depth has been applied also in cyberspace.

Defence in Depth

Defence in depth is a basic strategy that has long been used in military operations and is now being applied also in ICT security and cyber defence. One can build depth in a multitude of ways:

  • By modelling the opponent's behaviour in a particular space of operations, one can detect and prioritize countermeasures according to the opponent's lethality and aims. Lockheed Martin defined their Kill Chain concept and published it in 2011. Since then, and in parallel, many de facto practices have included similar profiles for advanced threats.
  • Information and Communications Technology provides multiple layers that can be used either to tailor detection per layer or to create a defensive structure on one particular layer. In a very basic model one can define four layers: endpoint, access, application and storage. The ISO OSI layer structure provides a model for both defence and attack in cyberspace. There are specific strategies like Moving Target Defense (MTD) by Coronado Group, which uses Self-Cleaning Intrusion Tolerant (SCIT) technology.
  • The protected system itself provides depth, similar to the terrain for the Land Component. A skilled defence modifies the structure of its protected system to better enable monitoring and the execution of countermeasures. These domains may include a surrounding domain that enables monitoring the opponent in action; an access domain where all users (friendly, neutral and unfriendly) are forced through security scrutiny; a presentation domain where all sessions are checked and identities are connected to roles; a process domain whose defence is tailored to manage the behaviour of transactions and service queries; and a storage domain, the final line of defence against losing the integrity and availability of data, where data may be encrypted both at rest and while being processed.

The following figure 9 illustrates how, by combining these three depths of attack behaviour, technology and domain structure, a defence can achieve a remarkable advantage over any attacker from both inside and outside.


Figure 9: An example of Defence in Depth concept in cyber space

Military cyber defence may have a strong perimeter-based defence (like NATO mission networks in Kosovo) or face a world in which interconnected systems are no longer separable (like Future Mission Networks). It is possible to build defensive perimeters inside each other by using both the technical layers and the domain layers of the ICT structure, which can be either self-cleaning or agile when implemented with Software Defined Infrastructure or Software Defined Security, as defined by VMware salesmen. When this is combined with active intelligence, surveillance and active probing of the surrounding domains, one can build an agile defence with time to act and several means to counter attacks.

The air gap has been one of the most powerful domain perimeters. It still prevents basic attacks but not advanced attacks that can hop over air gaps using, for example, traditional data media transfer, injected features or alternative communication means. An air gap also creates a lot of human-based data transfer, which might be even more insecure than using a well-built and controlled cross-domain gateway. Although the military uses a lot of air gap isolation, its security arm should extend its intelligence and surveillance far beyond these air-gapped cyber walls. Even Genghis Khan's nomadic force was able to take the well-advanced Chinese fortification of Zhongdu (modern Beijing) in 1215.


1 Annex: Threat scenarios


Estimated threat scenarios

With the security operation functions implemented, the protected intrasystem should be able to withstand the following threat scenarios while maintaining 99% availability, preserving the integrity of 95% of the data assets and preventing breaches of higher-classified information entirely.

Normal malevolent intents and user mistakes

(1) An end user brings malevolent software from other sources via a memory stick or some other device with installed programs and information. Either the end user connects the memory to a terminal PC via USB or Bluetooth, or connects the device directly to the network. This may produce cases like antivirus failing to clean, excessive scan timeouts from antivirus, scanning or probing during an unauthorized time window, anomalies in suspicious-activity baselines, anomalies in network baselines, anomalies in application baselines, etc.
(2) An end user inputs incorrect data or executes some operation that violates information integrity. This may produce cases like anomalies in network baselines, anomalies in application baselines, anomalies in database query baselines, multiple logins from one location, a device out of compliance, etc.
(3) An end user downloads information to an attached medium or device and takes it away; the Manning case is the classical example. This may produce cases like anomalies in suspicious-activity baselines, unauthorized user access to confidential data, an unauthorized device on the network, etc.
(4) An admin installs a malevolent program or makes a mistake in an installation. This may produce cases like excessive traffic on the network, a process failing to work, a service account being denied, anomalies in suspicious-activity baselines, anomalies in application baselines, a logging source that stopped logging, etc.
(5) An admin gives important information to outsiders or insiders for use in a security breach. This may produce cases like logs deleted from a source, excessive exploit traffic, excessive inbound traffic (if a gateway), anomalies in network traffic baselines, anomalies in application baselines, etc. Mitnick's classical social engineering is an example.
(6) An outsider gains access through a cross-domain gateway and injects programs that either collect data or violate its integrity. This may be seen as SMTP traffic from an unauthorized host, excessive outbound HTTP traffic, excessive exploit attempts from a single source, etc. A basic advanced persistent threat (APT) is the typical example.
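Two of the indicators named in scenarios (2), (4) and (5) above, a logging source that stops logging and multiple logins from one location, are simple rules over the SIEM event stream. The following is an added example, not code from the paper: the event records, source names, user names and room identifiers are all constructed, and the thresholds are assumptions a SOC would tune per environment.

```python
"""Two detection rules over a constructed SIEM event stream, matching the
indicators listed in the scenarios above: a log source that falls silent and
multiple distinct users logging in from one location. Added example with
constructed data and assumed thresholds."""
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed events: (time, source, event_type, user, location). fw-01 emits
# a heartbeat every 5 minutes until 08:11 and then goes quiet.
EVENTS = [
    (ts("2014-06-13 08:00"), "dc-01", "logon", "alice", "room-12"),
    (ts("2014-06-13 08:01"), "fw-01", "heartbeat", None, None),
    (ts("2014-06-13 08:02"), "dc-01", "logon", "bob", "room-12"),
    (ts("2014-06-13 08:03"), "dc-01", "logon", "carol", "room-12"),
    (ts("2014-06-13 08:04"), "dc-01", "logon", "dave", "room-12"),
    (ts("2014-06-13 08:06"), "fw-01", "heartbeat", None, None),
    (ts("2014-06-13 08:11"), "fw-01", "heartbeat", None, None),
    (ts("2014-06-13 08:30"), "dc-01", "logon", "erin", "room-40"),
    (ts("2014-06-13 08:45"), "dc-01", "logon", "alice", "room-12"),
]


def silent_sources(events, now, max_gap=timedelta(minutes=15)):
    """Sources whose most recent event is older than `max_gap` at `now`.
    A source that stops logging (scenario 4) or whose logs were removed
    (scenario 5) is caught by its absence, before anyone reads its content."""
    last_seen = {}
    for t, src, *_ in events:
        last_seen[src] = max(last_seen.get(src, t), t)
    return sorted(src for src, t in last_seen.items() if now - t > max_gap)


def logins_per_location(events, window=timedelta(minutes=10), threshold=3):
    """Locations from which more than `threshold` distinct users logged on
    within `window` (scenario 2). Counting distinct users rather than raw
    logon events keeps one user's repeated logons from tripping the rule."""
    logons = sorted((t, user, loc)
                    for t, _, typ, user, loc in events if typ == "logon")
    alerts = set()
    for i, (t0, _, loc) in enumerate(logons):
        users = {u for t, u, l in logons[i:] if l == loc and t - t0 <= window}
        if len(users) > threshold:
            alerts.add(loc)
    return sorted(alerts)


if __name__ == "__main__":
    print("silent:", silent_sources(EVENTS, ts("2014-06-13 08:55")))
    print("crowded locations:", logins_per_location(EVENTS))
```

The silence rule needs a clock ("now") rather than only the events themselves, which is why a source that is deleted or disconnected can only be detected by a check that runs on its own schedule.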


Generic opponent in preconflict situation

Before the actual conflict, the opponent uses all available time to collect useful information, either to gain a better understanding of military decision making, forces and planned operations, or to prepare an attack against information assets and services. This information collection is done in utmost secrecy, because being revealed ignites countermeasures on other lines of operation.
The opponent has a long time to prepare and resources to use, but secrecy requires an utmost clandestine approach. The opponent is also preparing a computer network attack against the system by installing measures against either data integrity or service availability.
(7) The most cost-effective way would be to supply devices with information collection services already installed. These malevolent features are often installed at the operating system level or in storage programs or printer/scanner programs, because collection is within their normal function. A connection to the outside may be arranged wirelessly or over the electricity system. The best location for data collection would be a data centre, where often no single person knows all the devices or connections. The best way to manage the installation would be either via vendor support or a paid administrator. This may be seen as anomalies in application baselines, anomalies in SQL baselines, anomalies in network traffic baselines, anomalies in maintenance procedures, gaps in logging or underperformance of devices, or it will appear in vulnerability or fuzz testing. The classical example is the US claims that there are unwanted features in Huawei switches.
(8) Special data collectors may also be installed in a system where, for example, a relational database is easily reachable via an unmonitored SQL connection. Data retrieval may be arranged via a regular maintenance visit to the premises. This may be seen as anomalies in network baselines, anomalies in SQL baselines, changes in database content, anomalies in backup procedures, etc. Such data collectors are like network taps or packet analysers.
(9) If information systems have uncontrolled connections to the outside, simple data collection software may be used. Flame was an intelligence-gathering virus of this kind. This may be seen as excessive outbound traffic, service account access to the outside, anomalies in network baselines, etc.
(10) Disposed storage media are classical data collection targets. It is almost impossible to wipe data from a magnetic disk or memory forever. Collecting used disks, circuits and tapes is very cost-effective. The hard disks of printers tend to be the most neglected items when disposed of. This may be seen in audits.
(11) Attack preparations are done most effectively by leaving backdoors or installing triggered scripts on devices while they are being delivered to the target system. Using these backdoors is another issue. This may be seen as abnormal performance differences, in vulnerability scanning and in reference testing under overload, etc.
(12) Network worms and other programmable agents that migrate through networks and operating systems are another cost-effective way to prepare an attack. They are easy to install in closed networks by a paid end user or visiting maintenance. Triggering is another issue. This may be seen as anomalies in configuration baselines, anomalies in process baselines, anomalies in network baselines, problems in installations, etc. The Flame software is the classical example of this.
(13) Preparing and manipulating a key administrator of the protected system is a classical measure. Money and all vices are used to prepare the person so that, on the brink of the attack, he or she executes the trigger or disables services with admin rights. This may be seen in security surveillance of personnel backgrounds, anomalies in social networks, anomalies in e-mail traffic, anomalies in physical access, etc. Classical infiltrations like Kim Philby, Ray Mawby or Vilho Pentikainen are examples of this.
(14) A normal user session downloads a malevolent application from a Trojan web site. The malevolent application hides itself in the MS server structure and starts capturing specific data. After collection it connects to an FTP or SMTP server and sends out encoded content in small portions. This may be seen as excessive outbound traffic, service account access to the outside, anomalies in network baselines, etc. Spear phishing and watering hole attacks are classical examples.


Generic opponent in the brink of conflict

Just before an attack or conflict is the best time to disable information systems or change data content massively. This creates a shock effect through all network users, and people's trust in the information systems or their content is lost for a long time. A digitized force may be paralyzed totally, since its system of systems no longer works. This happened, for example, early in both Iraq operations, when the centralized air defence system was disconnected and its separate sensors and weapons were unable to function together. A cyber-attack is also very possible in a situation where disabling a digitized force opens new possibilities for pressure at the political level. Targets are usually among the most important databases or registries, hubs of trust structures or management systems.
(15) A script in the ERM system is triggered by a paid admin and gradually changes all HR and materiel information. This is seen as excessive DB activity, excessive application load, excessive network traffic, anomalies in storage load, anomalies in the backup service, etc.
(16) Information in the user registry is changed from the root level downwards. This is especially effective in the centralized trust structures of a Single Sign-On service. This may be seen as anomalies in any key registry, anomalies in replication procedures, anomalies in the PKI service, anomalies in the HR registry, etc.
(17) Erasing private keys from the PKI root disables all related identification and encryption services. This is seen as denial of the PKI service, anomalies in normal encryption services, widely noticed denial of access, etc.
(18) Malevolent code is uploaded within a normal program update, or even within a fingerprint file for virus detection, as is said to have happened to US troops in the first Gulf war. This may be seen as excessive scan timeouts from antivirus, in tests in a reference environment, etc.
(19) The management system is quite often the least protected system, since IT professionals do not want to restrict themselves. Disabling the monitoring system may be done either by emptying the configuration item MIBs or by destroying asset management information in both active and passive databases. Disabling the often centralized control servers dismantles the network operation centre's ability to make coordinated changes. This may be seen as loss of management connections, anomalies in management system performance, anomalies in management network traffic, excessive in-band management traffic, etc.
(20) As in any sensor system, the opponent may also overload the security monitors with a number of cuts in IT systems and use this "red screen" time to do something more lethal in the systems. This is seen as multiple alerts arriving at both NOC and SOC monitors, electricity cuts, excessive booting activity, etc. A classical Distributed Denial of Service (DDoS) creates an overflow of security alerts. The same happens in the event of a major power cut or major node destruction.
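Scenario (20) describes the monitoring system itself being flooded so that the real action goes unnoticed. One defensive response is to recognise the flood as such and, inside its window, rank alerts by how rarely their rule fires, so that the single PKI or management-plane alert (scenarios 17 and 19) is not buried under thousands of connection-limit alerts. The following is an added example, not code from the paper: the alert stream, rule names, hosts and thresholds are all constructed.

```python
"""Alert-flood ("red screen") handling: detect the flood, then rank the alerts
that arrived during it by rarity so that a low-volume, high-value alert is
surfaced rather than buried. Added example over a constructed alert stream."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed alert stream: (time, rule, host). Background is two
# connection-limit alerts per minute from 11:50; at 12:00 a DDoS-style burst
# of one per second starts, and two unrelated, far more serious alerts
# arrive inside that burst.
ALERTS = (
    [(ts("2014-06-13 11:%02d:%02d" % (m, s)), "conn-limit", "fw-01")
     for m in range(50, 60) for s in (0, 30)]
    + [(ts("2014-06-13 12:00:%02d" % s), "conn-limit", "fw-01") for s in range(60)]
    + [(ts("2014-06-13 11:55:10"), "av-scan-timeout", "ws-03"),
       (ts("2014-06-13 12:00:37"), "pki-root-key-removed", "ca-01"),
       (ts("2014-06-13 12:00:40"), "mgmt-conn-lost", "nms-01")]
)


def flood_windows(alerts, window=timedelta(minutes=1), threshold=20):
    """(start, end) of one-minute buckets holding more than `threshold`
    alerts. The threshold is an assumption; a SOC would derive it from its
    own normal alert rate."""
    buckets = defaultdict(int)
    for t, *_ in alerts:
        buckets[t.replace(second=0, microsecond=0)] += 1
    return [(b, b + window) for b in sorted(buckets) if buckets[b] > threshold]


def needles_in_flood(alerts, rare_max=2):
    """Alerts inside a flood window whose rule fired at most `rare_max` times
    in the whole stream: the ones the flood is most likely hiding. Returned
    in time order as (time, rule, host)."""
    counts = Counter(rule for _, rule, _ in alerts)
    windows = flood_windows(alerts)
    return sorted((t, rule, host) for t, rule, host in alerts
                  if counts[rule] <= rare_max
                  and any(start <= t < end for start, end in windows))


if __name__ == "__main__":
    for start, end in flood_windows(ALERTS):
        print("flood from %s to %s" % (start.time(), end.time()))
    for t, rule, host in needles_in_flood(ALERTS):
        print("  rare during flood: %s %s on %s" % (t.time(), rule, host))
```

The antivirus timeout at 11:55 is just as rare but falls outside the flood, so it is left to normal triage; the two alerts inside the burst are exactly the ones an analyst watching a red screen would otherwise scroll past.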