2024-12-28

Cyber Defence is More than Cybersecurity - At least from a Military Viewpoint

Intro

In the model for state-level action in the cyber environment, in scenarios ranging from confrontation to conflict, the military recognises techniques, tactics, operations and strategies, all of which serve the political interests, as I described in the 2022 paper published by the Military University of Portugal and summarised in Figure 1. As in the legacy domains, the tactical, operational and strategic levels also apply in the cyber domain, which is gradually taking over the information sphere in the military impact structure. Adversaries (RED) already use the cyber domain to affect the physical sphere, combining kinetic and cyber strikes against the defenders' (BLUE) physical systems. Simultaneously, RED uses kinetic and cyber strikes to create fear and confusion in BLUE's cognitive and social spheres. With the introduction of the cyber environment, the military therefore faces a more complex theatre than the traditional physical sphere in which space, air, land and maritime operations take place.

Unfortunately, information security offers only controls and procedures (e.g., the ISO 27000 or NIST SP 800 series), and cybersecurity offers processes and management models (e.g., the NIST Cybersecurity Framework, ITIL, COBIT, ISO 38500). These leave the military short at the higher levels of confrontation. This paper therefore aims to define cybersecurity at the military tactical, operational and strategic levels and gives some examples of cyber defence at each level.

Figure 1: A Model for State Cyber Power

Tactical-level Cyber Defence

Model: Military tactics encompass "the art of organising and employing fighting forces on or near the battlefield." Applied to the defence of the cyber environment, this may include establishing a doctrine that nullifies the adversary's most probable attack tactics (IT architecture), preparing the area of operations (artificial cyberspace), digging the defensive positions (defence in depth) and defining the fields of fire (sandboxes, honey pots), setting the tripwires and reconnaissance (vulnerability hunting, monitoring and threat intelligence), preparing the alternative positions (continuity and recovery), and drilling fire and position changes by day and night (incident, problem and change management, and red teams).

Principles for cyber defence tactics may include the following:

  • Construct the BLUE domain defence against RED attack vectors (e.g., MITRE ATT&CK) based on the information security posture
  • Prepare the BLUE domain using the dimensions of depth in Figure 2
  • Establish kill zones with honey pots and abilities to create sandboxes within the domain
  • Stabilise the BLUE baseline of protocols and behavioural patterns to improve the probability of detecting anomalies
  • Establish 24/7 monitoring, use AI to enhance pattern recognition and automate some of the basic response actions
  • Establish security at least at emission, transmission, communications and session levels in the OSI structure
  • Test the domain integrity continuously with penetration testing, black box testing, and vulnerability hunting
  • Configure the recovery of processing, storage and data to meet the operational availability requirements
  • Exercise BLUE detection, response and recovery with red teaming in live domains.

Examples:

BLUE cyber defence observes the following incidents on their monitors: 

  • SIEM in SOC is not receiving log data from several servers, firewalls, IDS, switches and routers.
  • The network management system in NOC indicates that it has lost connection to several servers, switches and routers.
  • The physical security monitor has lost all video and sensor feeds from Data Center A.

BLUE defenders may take the following actions:

  • Confirm the possible loss of an entire Data Centre from other sources 
  • Assess the gravity of the situation and draft Courses of Action (CoA) for remedy and communicate them to Operation Control 
  • Monitor the process of automated recovery of data and services and launch possible manual remedies 
  • Receive the recovery priorities and the chosen CoA from Operation Control
  • Launch required additional remedies to recover and restore data and services based on agreed CoA and priorities.  
  • Inform Operation Control and end users of the recovery progress.
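As an added illustration (not code from the article), the following Python sketch shows how the three observations above can be correlated automatically before an analyst confirms the loss from other sources: one silent log source is a routine failure, a whole feed going quiet everywhere is a collector failure, but all three feeds from the same site falling silent within the same window is evidence of site loss. The feed names, site labels, heartbeat window and inventory are assumptions, and the timestamps are constructed sample data.

```python
"""Correlate telemetry silence across SIEM, NMS and physical-security feeds.

Added example, not part of the original article. Feed names, site labels,
the 300-second heartbeat window and the inventory are assumptions; the
timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta

FEEDS = ("siem", "nms", "physical")
SILENCE_WINDOW = timedelta(seconds=300)   # assumption: every source heartbeats at least every 5 min
SITE_LOSS_THRESHOLD = 0.9                 # assumption: >=90% of each feed quiet => site, not source

# Constructed inventory: source id -> (feed that should hear from it, site it sits in)
INVENTORY = {
    "srv-a01": ("siem", "DC-A"), "srv-a02": ("siem", "DC-A"), "fw-a01": ("siem", "DC-A"),
    "sw-a01": ("nms", "DC-A"), "rtr-a01": ("nms", "DC-A"),
    "cam-a01": ("physical", "DC-A"), "door-a01": ("physical", "DC-A"),
    "srv-b01": ("siem", "DC-B"), "srv-b02": ("siem", "DC-B"), "fw-b01": ("siem", "DC-B"),
    "sw-b01": ("nms", "DC-B"), "rtr-b01": ("nms", "DC-B"),
    "cam-b01": ("physical", "DC-B"), "door-b01": ("physical", "DC-B"),
}

NOW = datetime(2024, 12, 28, 10, 15, 0)
# Constructed last-heartbeat times: everything in DC-A fell silent at 10:02,
# DC-B is healthy apart from one server that has been quiet since 09:40.
LAST_SEEN = {src: datetime(2024, 12, 28, 10, 2, 0) for src, (_, site) in INVENTORY.items() if site == "DC-A"}
LAST_SEEN.update({src: datetime(2024, 12, 28, 10, 14, 30) for src, (_, site) in INVENTORY.items() if site == "DC-B"})
LAST_SEEN["srv-b01"] = datetime(2024, 12, 28, 9, 40, 0)


def silent_sources(inventory, last_seen, now, window=SILENCE_WINDOW):
    """Sources whose last heartbeat is older than the window (never seen counts as silent)."""
    return {src for src in inventory if src not in last_seen or now - last_seen[src] > window}


def feed_outages(inventory, last_seen, now):
    """Feeds in which every source at every site is silent: the collector itself
    (SIEM, NMS or the physical-security console) is then the likelier failure."""
    silent = silent_sources(inventory, last_seen, now)
    out = set()
    for feed in FEEDS:
        members = [src for src, (f, _) in inventory.items() if f == feed]
        if members and all(src in silent for src in members):
            out.add(feed)
    return out


def assess_sites(inventory, last_seen, now):
    """Per site: verdict, the silent sources, per-feed silence ratios and the last heartbeat heard."""
    silent = silent_sources(inventory, last_seen, now)
    per_site = {}
    for src, (feed, site) in inventory.items():
        counts = per_site.setdefault(site, {})
        quiet, total = counts.get(feed, (0, 0))
        counts[feed] = (quiet + (src in silent), total + 1)
    report = {}
    for site, counts in per_site.items():
        # Only feeds that actually have sources at this site take part in the verdict.
        ratios = {feed: quiet / total for feed, (quiet, total) in counts.items()}
        quiet_srcs = sorted(src for src, (_, s) in inventory.items() if s == site and src in silent)
        if ratios and all(r >= SITE_LOSS_THRESHOLD for r in ratios.values()):
            verdict = "probable site loss"      # all feeds agree: confirm out of band, start recovery CoA
        elif quiet_srcs:
            verdict = "degraded"                # isolated source failures, handle as incidents
        else:
            verdict = "nominal"
        heard = [last_seen[s] for s, (_, x) in inventory.items() if x == site and s in last_seen]
        report[site] = {"verdict": verdict, "silent": quiet_srcs, "ratios": ratios,
                        "last_heartbeat": max(heard) if heard else None}
    return report


if __name__ == "__main__":
    for site, r in assess_sites(INVENTORY, LAST_SEEN, NOW).items():
        print(f"{site}: {r['verdict']}, silent={r['silent']}, last heartbeat {r['last_heartbeat']:%H:%M:%S}")
    print("feed outages:", feed_outages(INVENTORY, LAST_SEEN, NOW) or "none")
```

The last heartbeat from a site classified as "probable site loss" is the time to hand Operation Control as the start of the outage; the feed-outage check exists because a silent SIEM collector produces the same picture on the SOC screens as a lost data centre, and the two call for very different CoAs.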

BLUE threat intelligence receives information that a software development vendor has been breached and that its latest application update may be compromised. BLUE cyber defence may address the situation with the following options:

  • The Network Operations Centre (NOC) isolates the systems running the possibly compromised application
  • The Security Operations Centre (SOC) sandboxes the affected area and investigates the situation
  • IT security patches the software if the vendor has fixes available
  • The SOC deploys additional security controls and focuses monitoring to prevent exploitation
  • The SOC detects a deviation from the standard behavioural patterns at one site running the possibly compromised application; the NOC kills the misbehaving process, which normalises the situation
  • The SOC observes the malevolent behaviour in the honey pot and checks how automated sandboxing prevents the malware from spreading.
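As an added example (not code from the article or from any vendor), the following Python sketch ties the NOC and SOC actions above together: from the vendor notice it lists every host running the suspect version for NOC isolation, builds a behavioural baseline of the application from hosts still on a known-good version, and flags the hosts on the suspect version whose behaviour falls outside that baseline, which is the deviation the SOC spots at one site. The version numbers, host names, sites, the `.invalid` destinations and the event records are all constructed.

```python
"""Supply-chain compromise triage: who to isolate, and which hosts deviate from baseline.

Added example, not code from the article. Versions, host names, sites and
the event records are constructed; destination names use the reserved
.invalid TLD so they never resolve.
"""
SUSPECT_VERSIONS = {"4.2.1"}   # assumption: the update named in the vendor breach notice

# Constructed asset inventory: host -> (site, installed version of the vendor application)
HOSTS = {
    "app-01": ("site-north", "4.1.9"),
    "app-02": ("site-north", "4.2.1"),
    "app-03": ("site-south", "4.2.1"),
    "app-04": ("site-south", "4.1.9"),
}

# Constructed endpoint telemetry for the application: (host, event kind, value).
# "dns" = name the process resolved, "child" = program it spawned.
EVENTS = [
    ("app-01", "dns", "update.vendor.invalid"), ("app-01", "child", "/usr/bin/gzip"),
    ("app-02", "dns", "update.vendor.invalid"), ("app-02", "child", "/usr/bin/gzip"),
    ("app-03", "dns", "update.vendor.invalid"), ("app-03", "child", "/usr/bin/gzip"),
    ("app-03", "dns", "cdn-telemetry.invalid"),   # a destination no known-good host talks to
    ("app-03", "child", "/bin/sh"),               # the updater never spawned a shell before
    ("app-04", "dns", "update.vendor.invalid"), ("app-04", "child", "/usr/bin/gzip"),
]


def exposed_hosts(hosts, suspect=SUSPECT_VERSIONS):
    """Every host on a suspect version: the NOC isolation list, regardless of behaviour."""
    return sorted(h for h, (_, ver) in hosts.items() if ver in suspect)


def baseline(events, hosts, suspect=SUSPECT_VERSIONS):
    """Behaviours observed on hosts that are not on a suspect version: the
    stabilised baseline of protocols and behavioural patterns."""
    return {(kind, value) for h, kind, value in events if hosts[h][1] not in suspect}


def anomalies(events, hosts, suspect=SUSPECT_VERSIONS):
    """Per exposed host, the behaviours that never appear in the baseline, in event order."""
    base = baseline(events, hosts, suspect)
    found = {}
    for h, kind, value in events:
        if hosts[h][1] in suspect and (kind, value) not in base:
            found.setdefault(h, []).append((kind, value))
    return found


def triage(events, hosts, suspect=SUSPECT_VERSIONS):
    """Containment plan grouped by site: isolate all exposed hosts, investigate
    the ones that deviate, so the SOC sees that the deviation is confined to one site."""
    deviating = anomalies(events, hosts, suspect)
    by_site = {}
    for h in exposed_hosts(hosts, suspect):
        site = hosts[h][0]
        plan = by_site.setdefault(site, {"isolate": [], "investigate": {}})
        plan["isolate"].append(h)
        if h in deviating:
            plan["investigate"][h] = deviating[h]
    return by_site


if __name__ == "__main__":
    for site, plan in triage(EVENTS, HOSTS).items():
        print(site, "isolate:", plan["isolate"])
        for host, odd in plan["investigate"].items():
            print("   ", host, "deviates from baseline:", odd)
```

Two caveats a practitioner would add: the baseline is only meaningful while some hosts remain on a known-good version (otherwise use telemetry from before the update was rolled out), and a trojanised update may stay dormant, so the isolation list is every exposed host, not only the ones that have already started to misbehave.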

Figure 2: An example of a tactical-level view of Cyber Defence 

Operational-level Cyber Defence

The operational level is the level of command that connects the details of tactics with the goals of strategy. Operational art may be based on the models of Sun Tzu (know yourself and your enemy) and Clausewitz (Centre of Gravity). BLUE recognises its own sources of power and treats them as possible Centres of Gravity (CoG) for RED. Each CoG needs to be assessed from the RED viewpoint, considering the different Lines of Operation (LoO) for affecting it and the range of Courses of Action (CoA) needed to achieve the impact on the most beneficial CoG. From all the feasible CoA variations, BLUE estimates which ones RED would most probably consider, based on RED's doctrine, previous behaviour and the resources available in the given situation.

Principles for operational-level cyber defence may include:

  • Recognising tempting CoGs in the BLUE system of systems: essential operations, critical data assets, critical sites that are single points of failure, critical services that cannot be replaced, critical gateways whose loss would stop information flows, and the supporting systems on which cyberspace depends (e.g., telecommunications, power distribution, cooling, fuel distribution, waste collection)
  • Innovating potential lines of operation to reach the beneficial CoGs through humans, kinetic means, cyber-attack vectors, supply chains, dependencies and peripherals.
  • Assessing each CoG against each potential LoO, optimising for the RED resources available, the cost of attack and the benefit of the impact.
  • Varying the vulnerabilities, costs of attack and possible benefits across scenarios yields the probable courses of action available to RED.
  • Wargaming the scenarios to find the CoAs RED would most probably execute in a given situation.
  • BLUE deploys different tactics to defend the potential CoGs and finds ways and means to prevent or nullify the RED CoAs until only the most probable remain. BLUE considers active and passive ways and means to address most RED CoAs.
  • BLUE then arranges the concealment, mock-ups and hardening of the critical assets. Along the most probable attack vectors, BLUE sets digital sandboxes and honey pots together with physical engagement zones and counter-agents.
  • BLUE establishes reconnaissance, anomaly pattern recognition, movement detectors and thresholds to detect RED manoeuvre in the physical, cyber and information spheres.

Examples:

BLUE cyber intelligence indicates that RED has created a new hybrid attack vector to suppress the 911 telephony service within a region or nation. A situation in which people cannot get help from 911 may create fear, terror and panic, particularly when large numbers of people gather for an event. BLUE operational planning may come up with the following preparations:

  • prepare information distribution through broadcasts, flyers and messengers to get correct information out and diminish rumours
  • prepare to switch 911 from SS7 signalling to other signalling options
  • prepare parallel ways to communicate and receive help like mobile apps, social media or portals 
  • post a soldier with a radio at each crossroad and deploy more police patrols and ambulances on the streets.

BLUE information exchange and cooperation between government agencies are harassed by continuous spear-phishing through the Internet email system. After some dignitaries fall victim to phishing and have their data wiped, users are afraid to open any attachment, even from known senders, and are quickly losing their trust in the email system. BLUE cyber defence operational planning may come up with the following means to mitigate the rapidly escalating situation:

  • Lessen the probability of opening malevolent attachments by signing and encrypting all official emails and attached files, so that only authenticated, encrypted mail is treated as safe to open (encryption alone says nothing about who sent the message).
  • Replace email with a cloud-based digital workspace and establish users' access to this service through encrypted sessions.
  • Bypass the Internet-based information exchange by extending and sharing existing intranet services between government agencies.

RED information operation trolls are spreading disinformation through common social media platforms, and malevolent bots are emphasising the flow of disinformation. BLUE Cyber Defence Operation planning may come up with the following means in support of BLUE Information Operations:

  • Request social media platforms to terminate trolling accounts
  • Request telecommunication operators to shut down connections to bots
  • Plan and launch a distributed denial-of-service (DDoS) attack to suppress the troll factories' connection to the Internet
  • Plan and launch a cyber-attack to turn off the troll factories' power distribution
  • Plan and launch joint fires to eliminate trolls and bot nodes.

Figure 3: An example of an operational-level view of Cyber Defence 

Strategic-level Cyber Defence

Military strategy is "the art of distributing and applying military means to fulfil the ends of policy". Policy in this context usually refers to the national security strategy, which defines the main threat scenarios against the state, its sovereignty and its interests. The model for strategic thinking in a cyber environment is based on the technological approach, one of the five dimensions of military strategy defined by Atkeson. The technological approach to strategy assesses technical innovation and the ability to render the adversary's effectors obsolete. In a conflict between systems of systems, strategic advantage can be achieved in three ways:

  1. The adversary achieves strategic surprise by launching a strike at a time or place the Defender did not expect. Unforeseen situations may occur when the conflicting parties assess risks differently, when one side sees an opportunity for a knockout with a first strike, or when the Defender's decision-making process fails.
  2. Systemic effects are "those indirect effects aimed at affecting or disrupting the operation of a specific system or set of systems". In a cyber environment, the indirect effects may hit power distribution: shutting down electricity takes down the telecommunications networks and suppresses all digital communication and processing.
  3. Strategic advantage may be achieved through technological innovation and the deployment of capabilities multiplied by emerging technologies, providing strategic dominance over the other party. The USA and China compete for such dominance, seeking advantages from artificial intelligence, big data, quantum computing and integrated-circuit manufacturing.

Principles of strategic level cyber defence may include:

  • The Attacker has the advantage in its own cyber environment and freedom of manoeuvre on the Internet. The Defender has the advantage in the cyber environments under its control. Hence, the Defender should focus on building technological advantage and maintaining dominance in its own cyber environments.
  • The Defender's cyber architecture includes redundant and robust means for communications, computing and storage, so that even with 50% of the infrastructure lost, the essential services and processes still run sufficiently and data remains accessible.
  • The Defender raises the threshold against cyber-attacks by declaring assured retaliation with weapons of mass destruction.
  • The Defender prepares to cut its domestic Internet domain off from the international Internet to diminish the vulnerable surface and minimise the options for direct attack vectors.
  • The Defender builds its national Internet domain on entirely different programming languages, communications protocols and integrated circuits, and effectively filters all traffic into and out of the national domain.
  • The Attacker builds and prepares a strong offensive cyber capability against a weakly prepared Defender, which deters other forms of power projection.
  • The Attacker sources its cyber warriors from industry or cyber-criminal gangs to accelerate its offensive cyber capabilities and gain the possibility of strategic surprise.
  • The Defender advances the information security architecture of its cyber environment (Domain-defined –> Service-defined –> Zero-trust –> Content-defined), keeping the security controls and monitoring resistant to the potential adversary's attack vectors.
  • The Defender uses global dominance in economy, trade, science and technology, and cyber-physical manufacturing to slow the Attacker's ability to build a more effective cyber arsenal.

Examples:

BLUE operates two domains for the essential processes and functions that multiply Force Generation and Operation performance. Since both are under BLUE's control, BLUE builds their computing on different technology stacks, one mainly on Microsoft technology and the other on Linux and open-source technology, so that a single attack vector does not take down both.

There are indications that RED aims to use artificial intelligence to automate and multiply its exploitation capability, achieving attack vectors that are ten times faster within the next ten years. BLUE may come up with the following options:

  • Accelerate BLUE's development and innovation for a more resilient cyber environment and countermeasure tools
  • Eliminate RED's ability to execute the disruptive leap in offensive capabilities
  • Build BLUE's target acquisition and attacking tools and strike the strikers
  • Change the architecture of BLUE's cyber environment so it will nullify the RED's higher performance
  • Build a more robust and redundant cyber environment that could absorb ten times more Attacker's attempts.

BLUE plans to digitalise its forces to gain strategic advantage. With digitalised processes in the Generate and Operate functions, the cyber environment extends the vulnerable surface. Estimates of the outcome of the digital transformation include a 20x more lethal and 10x more cost-effective force, but the extended vulnerability goes beyond BLUE's risk appetite. BLUE may come up with the following options to mitigate the risk:

  • Accelerate the evolution of the information security architecture and leap to zero-trust or content-based security models, which diminish the vulnerable surface even as the digital realm grows much broader.
  • Instead of building one joint information domain, BLUE creates several parallel domains that do not depend on each other and that can multiply force effectiveness.
  • Outsource the common information domain to global network and application service providers so big that RED cannot take them down, and then focus BLUE's resources on the anti-fragility of the tactical and operational information spheres.

Figure 4: Strategic-level view of Cyber Defence