2015-07-19

A Strategic Approach for Cyber Defence part I

How, in duel of two long chains intertwined with each other and with environment, one may gain any advantage over the other?

Abstract

This paper is describing one approach for strategic analysis and planning to gain advantage in confrontations within Cyber Environment. A constructive research method is used where solution is built by combining systems thinking with variation of models from business strategy (Supply Chain Strategies and Enterprise Information Strategies) to classical decision making (Nash Equilibrium). Theoretical relevance is assessed by using ENISA’s method for assessing Cyber Strategies in EU.

Introduction

Extension to other strategic approaches
This paper extends the theory of usage or threat of use of organized force for political purposes  within man-made Cyber Environment. Besides Clarke & Knape’s (2010)  defensive triad of backbone network protection – power grid hardening – defence countermeasures and Granova & Slaviero’s (2013)  four perspectives of Offence – Defence – Technical – Legal, there are not many strategic approaches for confrontations in Cyber Environment among the numerous technical and tactical studies. This paper is not analysing cyberwar as there are no international policies  to define war in cyber environment solely. Confrontation and conflict  are used to describe the interaction between hostile parties within cyber Environment.

Cyber Space or Cyber Environment is understood in this paper as sum of Globe’s communication links and computational nodes where information is being processed and distributed benefitting both humans and machines.

There are no single or isolated strategies in Cyber Environment since strategy is combination of all forces in every dimension directed to deliver the effect to the opponent’s Center of Gravity in decisive point. Operations is cyber space are part of wider Information Operations, which should be a part of greater strategy to achieve political goals. Thus this paper uses phrase strategic approach.

Strategic options
Defence and offence are traditional strategic options in other dimensions of utilizing force. China has been one of the earliest adaptor in offensive cyber means since 1995 with their Information Warfare plan.  More recently there are for example USA, North Korea and Russia that have wielded their offensive force in cyber environment. USA has allegedly supressed the Uranium enrichment facilities in Iran by Stuxnet worm 2010. North Korea has allegedly frozen computers in South Korea by using DarkSeoul malware 2013. Russian has allegedly utilized Distributed Denial of Service attacks against Estonian government 2007, against Georgia 2008 and against Ukraine 2014.

There have been reactional defensive actions in all above mentioned situations and nations have been defining their cyber defence strategies since 2001 . Defence in cyber environment may consist of Deception, Separation, Diversity, Consistency, Depth, Discretion, Collection, Correlation, Awareness and Response.


Besides the traditional strategies Mattila (2014)  has defined also Isolation and Habituation as strategic approaches for confrontation in cyber environment. Isolation means that entity is trying to isolate its cyber structure from global network thus protecting it by filtration (Chinese Great Fire Wall) or isolation by air cap (most military and industry systems until recently).

Habituation is more networked method of accepting dependencies and vulnerabilities, but exposing all three bases of nation’s power to every day malevolent effects, thus habituating all instances to endure or shelter when facing attacks. It includes also building relationships to extend defensive network in all aspects of international co-operation. Mattila (2014) gives Sweden as an example for utilizing this strategy. There is also a military strategic approach which is claiming that preparation for everything is not feasible in postmodern conflicts but flexibility, adaptation, recovery and capability to continue after surprise is more valid line of strategy.  The four strategic options are depicted in figure 1.

Figure 1: Four strategic options defined in Cyber Environment

Assets and vulnerabilities in cyber environment
As information and communications technology has not yet stopped its invasion to all sectors of mankind, it has become both the greatest enabler and the most dangerous vulnerability. In military this was recognized by Milan Vego (2009) when he wrote that:

"This evolution in the [cyber] characteristics of the strategic center of gravity
will create quite an anomalous situation, in which one’s center of gravity will
be the single greatest source of both critical strength and critical weakness,
simultaneously. Thus, protection of one’s strategic center of gravity will be a
much more difficult task than it is today. At the same time, computer
networks … do not have the ability to physically destroy or neutralize the
enemy’s strategic center of gravity."
Information is the greatest asset to enable building trust between stake holders and a network of specialized nodes is always more effective than any monolithic structure. With further digitized and digitalized business, the ICT-systems (=cyber) become the biggest leverage that any organization or network may utilize. This system model is described in Figure 2 left hand side of drawing.

Figure 2: Center of Gravity and Systems analysis of Cyber Assets

Adversary sees this socio-technical structure as very potential waypoint to project different malevolent means to effect at political, economic, social or security areas. With classical Center of Gravity analysis method adversary may define that networks is the single source of power they should aim to eliminate. The right hand side of Figure 2 is showing the causality of flow in disintegrating networks by cutting the relationships with implementing distrust between people, information and connectivity. The disintegration means are available to offender since there are more malevolent software created than ever before.  Existing ICT-systems have known failures that take long time to remedy thus attackers have plenty of time to exploit them. Human being remains the most vulnerable part of socio-technical systems with his weaknesses. Offender has advantage over defence since the cyber system has so many vulnerabilities and it has disseminated to all parts of living, business and security.


THERE ARE NO CLEAR LINES OF CONFRONTATION IN CYBER ENVIRONMENT


Estonian situation 2007
Estonia had built its economy and civilian life accelerated with modern IC-technology after gaining independence when Soviet Union collapsed. It was a fresh member of NATO and one of the most wired nations when it was attacked with cyber means in April 2007. Three weeks it faced a massive Distributed Denial of Service attacks that were targeted to suppress the national network of governmental services, main political parties, biggest news organizations, biggest banks and telecommunications providers. Attack game from botnets (remotely controlled robot network of breached computers i.e. zombies) all over the Internet so there was no one source of attack to be defined.  

Since this event happened at same time as there was dispute between Estonia and Russia about II WW memorial displacement, Russia was approached. They claimed that it has nothing to do with Russian state, but may be initiated by some individuals and non-state connected groups. Estonian government requested help from NATO based on the Article 5 : “The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all”.

Estonian defended their cyber environment by coordinated effort from other regional Internet Operators, private companies and public agencies by filtering out foreign IP-requests.  There were major concerns risen amongst the citizens and government of Estonia but no crucial loss of trust was observed. 

The other members of NATO did not see armed attack, anyone being hurt or major damages happening. Agreements and Legislation did not include bullying in cyber space. The NATO ended up sending some cyber experts to Estonia only after assessing the situation for few weeks.    NATO was surprised by Russia at strategic level as it has been since in Georgian 2008 and Ukrainian 2014 operations.

As of 2008 one person with Russian origins living in the capital of Estonia has been found guilty in attacking the web page of one of the Estonian Parties. Russian authorities have denied all investigation cooperation with Estonian law enforcements agencies. Later the Head of Russian Military Forecasting Center, Colonel Anatoly Tsyganok stated: "These attacks have been quite successful, and today the alliance had nothing to oppose Russia's virtual attacks". 

Ukrainian situation 2014
As political crisis in Ukraine heated up more infections of “Snake” virus was reported from Ukraine during fall 2014. BAE Systems had identified 22 infections from Ukrainian government and its embassies.  This is major part of total 56 reported infections worldwide mainly targeting former Soviet Union countries but not Russian. Snake is a platform that allows outsider to gain access to infected computer and it can also carry autonomous malevolent features to computer.  Snake is considered to be strategic “sleeping cell” that is injected to several high value targets and only activated when need occurs.

This malevolent software was traced back to 2008 discovered “Agent.BTZ” when it was used successfully breaching information systems in Pentagon. Later there has been findings of several variants of this family as “Uroburos”, “Sengoku” and “Snark”. Some features in programming are directing to Moscow and level of professionalism is telling of major resources behind the development.  The fact that it was so clearly found activated in Ukraine during the conflict in eastern parts of country, is pinpointing Russia as a source.

Generalization of features of conflict in cyber environment as based on these two scenarios
Some basic features of confrontation in cyber environment are illustrated in Figure 3 as:

Figure 3: Nature of conflict in Cyber Environment

  • There are national stake holders, non-national groups and millions of Internet connected computers that might be used in attack. States can hide behind anonymous groups. Individual people may join into conflict.
  • There are no frontlines in Cyber Environment. The adversary might be attacking abroad, within the country or within organization by using any breached computer or manipulated people to launch malevolent measures.
  • There is no affirmative way of identifying the actual adversary that initiates attacks. The source may be found only after re-engineering the means of attack.
  • There is no international legislation or agreements that include cyber-attacks and enables the cooperation of law enforcement.
  • Advanced Cyber Adversaries do inject malevolent software in the systems of their opponents and activate them if need arises.
  • Attacker seems to have advantage in current cyber environment as Defender is not able to prepare against all possible threats. It remains on Defenders reactional proficiency of how quickly he is able to recuperate.
  • Race in developing Advanced Persistent means of cyber-attack require skilled teams and professional resources otherwise they may remain the copycat level of usual malevolent software. 2014 these mass variants were produced about one million a day. 
  • Cooperation between many Service Providers both private and public ensures quickest recovery from massive attack. There is seldom situation that organization alone can effectively deter cyber-attack.
  • Air gap isolation has been breached various times with attack vectors using “sneaker network”, contractor network or individual compromised users.
  • It is an advantage for adversary if he is able to collect information from his opponent’s cyber structure and behaviour of end users as it makes easier to produce an Advanced Persistence attack or Spearhead Trojans.

STRATEGIC DECISION MAKING IN CYBER CONFLICTS

Explains strategic options of defensive, offensive, isolation and habituation in confrontation situation
Information has become a major enabler for any socio-technical system to gain further productivity, wealth and performance. Information used whether digitized or digitalized is strategic asset i.e. Center of Gravity. Information as a Center of Gravity is both major enabler and severe vulnerability in Global cyber environment.

Offensive is an aggressive approach in using forces as a whole, combining all resources available for effecting the Centers of Gravity in a way that would fundamentally alter the relational posture of confronting parties in information utilization. Offensive may appear as aggressive infiltration in cyber space, intelligence gathering, denial of service or destroying information assets. USA may be appearing in taking this option.

Defence a set of cyber activities used for the purpose of deterring, resisting and repelling a strategic offensive, conducted as either a cyber space invasion, or an isolation from global cyber space, or a destruction of information assets. Strategic defensive does not need to be passive in nature but may involve deception, propaganda and psychological warfare, as well as pre-emptive or retaliation attacks. Defence normally requires cooperation within wider group of stake holders than military only. European Union seems to be following these strategic lines.

Isolation is following more traditional methods of defining borders of sovereign space in all dimensions and building ability to shut all avenues from foreign force projection with filtering or protecting gateways like customs, monetary hubs, governmental monopolies, firewalls, etc. China seems to be following this strategy as their “Great Fire Wall” is isolating national cyber space from global.

Habituation is more networked method of accepting dependencies and vulnerabilities, but exposing Government agencies, Armed Forces and private citizens of a nation to every day effects of malevolent behaviour, thus habituating all stake holders to endure through attack and quickly recover from its effects. It includes also building relationships to extend defensive network in all aspects of international co-operation. Sweden seems to take steps towards this strategic option.

The four strategic options or their combinations are available to each side of confrontation. In order to study the strategic decision making, the game theory called “Nash Equilibrium” is used in modelling two scenarios in simultaneous decision making of mixed strategies between duelling parties.  As the confrontation in cyber environment is not fulfilling all the requirements of pure Nash equilibrium, the outcome of this study is only conceptual. Scenarios are 1. Nation against Nation and 2. Nation against non-Nation. 

Blue and Red are players with 4 equally available options: Offence, Isolation, Defence and Habituation. Gained value from conflict varies between 1-5, where 1 means total loss and 5 means total win. Rules for game are as follows:
  • Both parties are trying to optimize the value of their cyber space as it multiplies their other functions.
  • Defence beats Isolation since isolation means that one is not gaining the full value of networking with others.
  • Offence beats Isolation 5 to 1 as Isolation often leaves the cyber area within the “Wall” very vulnerable and attacker has many ways to infiltrate within the “Fortress”.
  • Offence beats Defence only 5 to 3 since advantage is on attackers side, but defender is able to protect some of its assets and possible quickly recuperate after attack.
  • Offence beats also Habituation 5 to 3 as surprise gives advantage to attacker, but habituation has hardened the other side to sustain under attack. The quick recovery is also on habituates advantage.
Nation against nation
As both sides are nations that are logically striving to improve their economics and living by utilizing information in cyber environment, the loss of cyber capability is counted as loss of value. This logic is applied when both Blue and Red choose to attack the other. Outcome will be lose-lose as both parties are assumed able to destroy the information capabilities of the other side.

Comparison matrix shows that isolation will not become preferred strategy to either of parties since it ends up losing value in all variations thus it is eliminated. Both Blue and Red are preferring Defence and Habituation options since they create equilibrium in all variations, if neither of parties are aware of what the other is going to choose. The whole comparison and equilibrium analysis is shown in Figure 4.

Figure 4: Cyber duelling between two national parties

Situation alters if there is a foresight of the doctrinal tendency.  RED might choose offensive since it will give total win if BLUE is known to withhold the defensive posture. Because of multitude of cyber weapons and vastness of the vulnerable surface of cyber space, there is always advantage for attacker. BLUE may compensate the advantage of attacker with means executed in other dimensions of struggle (air, land, sea, space, electromagnetic) or building a deterring capability for cyber-attack. USA has ongoing program for improving their cyber defence within HomeLand Defence Initiative but also is pursuing after cyber space dominance with offensive means.    Early 2000 Russia declared in their doctrine for defence that any tampering of their cyber space will be countered with nuclear retaliation. 

As with conventional and nuclear arms there is also possibility between nations to agree on armistice or non-offense. Russia and China agreed on May 2015 not to conduct cyber-attacks against each other. They also agreed to jointly counteract technology that may “destabilize the internal political and socio-economic atmosphere,” ”disturb public order” or “interfere with the internal affairs of the state.” 

There is a special situation with North Korea, who has been able to keep isolated from cyber space by denying digital communications and computing within country. They are using this strategic advantage and wielding cyber-attacks against other countries by using global cyber space. 

Nation against non-nation
When nation is confronted with non-nation, there might not be balanced motivation since non-nation does not necessarily have goal to improving its cyber based governance, economics and social living. RED might be using cyber environment for exploitation only and does not have to worry about investments. Also isolation is eliminated from RED’s options since non-nation does not necessary have control over any cyber structure. Confrontation between nation and non-nation is analysed in Figure 5.

Figure 5: Cyber duelling between nation and non-nation

Since RED is enjoying the advantage of non-value, it is logical for it to choose offensive strategy over other alternatives. Defence or habituation does not bring any value to non-nation without cyber infrastructure. BLUE nation chooses logical defence or habituation strategy since the outcome is always better than from isolation or plain offence. 

Because of anonymity techniques and vast network of stake holders, there is difficult in cyber space to identify your opponent. Thus many nations are using their non-nation networks, rented botnets or employed experts globally to attack their counterpart. This has been the case in Russian operations against Estonia 2007, Georgia 2008 and Ukraine 2014.  

Cyber confrontations between nations and non-nations as well as between numerous non-nation stake holders are normal in contemporary cyber environment. There are several on-line sensors that are providing information on attack vectors at IP-level and email level. Cyber threat analysis company Norse  for example is providing visual views.

Majority of the normal targets are domain names in USA or .mil and .gov. Attackers are using botnets or breached computers that are quite often in China, United States, India or Russia. Partially this is because the level of cyber literacy has not improved the same pace of proliferation of Internet and it is easier to breach the computers of novice users. Breached computers are injected with “zombie” malware that makes computer to obey orders of botnet commanders often without owner’s knowledge. Recently seized “Beebone” botnet in US and Europe was using polymorphic malware that changed its fingerprints about 19 times a day to avoid detection. 

TOGETHER OR ALONE

Defending BLUE might ask in their strategic analysis, is it better remain alone or create coalition against unavoidable cyber-attacks. The basic rules of value of connected nodes states that N nodes connected together will provide value of N x log N. This is also called Metcalfe’s law but it assumes that connection between all nodes is available and the quality of connection and nodes is about same level. Principle is depicted in Figure 6. 

Figure 6: Connected to other equally good one is more than just sum of nodes

Connected network of stake holders does provide more amber source for innovation together with more explicit and implicit knowledge. There is also a level of quality of transactions that is achieved when cultivated in working together. Connections provide different variations to be exploited so operational freedom might be better with network, especially for defence where both width and depth is required if dynamic defence is implemented.

Negative effect appears if some of the nodes or connections in network are lower level of quality. These weak links may be exploited by attacker. There is also human cognitive features that does not follow the linear behaviour expectations of technical nodes and connections. Or as Kevin Mitnick says, the most vulnerable piece of any information system is one credulous human being.  

This concludes part I of this draft article. Part II will be available later this month.

No comments:

Post a Comment