Knowledge of the operational environment is the precursor to all effective action, whether in the information or physical domain. Knowledge about the operational environment requires aggressive and continuous surveillance and reconnaissance to acquire information. Information collected from multiple sources and analyzed becomes intelligence that provides answers to commanders' information requirements concerning the enemy and other adversaries, climate, weather, terrain, and population. In the military, developing this knowledge is the function of Intelligence, Reconnaissance and Surveillance. This is an activity that synchronizes and integrates the planning and operation of sensors, assets, and processing, exploitation, and dissemination systems in direct support of current and future operations. It is an integrated intelligence and operations function. For US forces, this activity is a combined arms operation that focuses on priority intelligence requirements while answering the commander's critical information requirements.

The collection of basic information is the first step in preparing for cyber war. Once you have the information, it is reasonable to assume that you are going to use it against those who would hurt you. The question is, do you know who is going to hurt you? At first, you may think that you know all of your adversaries. How do you account for the unknown activist group that wants to make a name for itself by conducting a cyber attack against the 800-pound gorilla? Generally, collection agencies maintain a list of potential targets. From this targeting list, analysts construct the various scenarios they believe are most likely as attack venues. These scenarios try to cover all possible avenues of attack, and the analysts develop counterattack scenarios for them. Often, extremely sophisticated computer simulations (war games) are developed to test the analysts' assumptions.
These simulations often revolve around the protection of network assets and critical infrastructure. The depth of the simulation can range from localized critical infrastructure and operations to global scope and impact. In general, the more vulnerable the target is, the more simulations are needed. Prior to the development of a national cyber security command, this type of work was done on an ad hoc basis, was not integrated with other parts of the government, and, in general, failed miserably. Once all the simulations have been developed, the next step is determining when to pull the trigger once a cyber attack is detected. Without identifying in advance what the trigger for a response is, it is almost impossible in a cyber environment to respond in a timely manner. If you have to turn around and ask what should be done, you are already doomed. The importance of identifying response triggers cannot be overstated. Identifying the conditions associated with an attack, and defining in advance the manner in which we respond, determines who the victor in a cyber warfare scenario will be. Presumably, those in charge of our new cyber command are trying to figure this problem out. While it sounds simple enough, the ability to fingerprint an attack, predefine the trigger for a response, and execute that response without human intervention is not an easy task. Simply granting a general officer the authority to respond in such a manner is also not easy for elected officials to do. An act of aggression in the Cyber Theater of operations requires a different way of thinking than the conventional warfare doctrine of being attacked and then formally declaring war. Long gone are the days when you had time to think about responding. If you haven't thought about it before it occurs, and if you are not prepared to respond as it is happening, you are doomed. In order to see cyber attacks coming, you must be vigilant.
This requires continuous monitoring of network traffic on a global scale. Again, this is not an easy task. How do you orchestrate real-time reporting of information with your allied nation-states? What information is necessary to collect and report? What information tells you that an attack is occurring? This scenario is not unlike submarine warfare, in that sensors are deployed in an environment you cannot exist in, and in that environment the enemy moves invisibly. With cyber warfare, your enemy is invisible, remotely deployed and, without some means of detecting their presence on the network, completely immune to any actions you may take. The most difficult part for cyber warfare strategists is figuring out what kind of sensors are necessary to detect and respond to cyber attacks. The important thing to note here is that absolute identification and attribution of a target is a must before you can pull the trigger and launch a counterattack. This makes it extremely difficult to automate a response scenario without a high degree of certainty that you are responding against the appropriate target. If you cannot be certain in the identification of your target, why would your leaders give you the ability to attack? That is the conundrum our military leaders face when we talk about being able to respond in a cyber warfare scenario. Today, security engineers analyze traffic traversing the networks, trying to identify patterns of traffic and associate them with previous attacks. While this may sound like a convoluted process, it is, at the moment, the only reasonable approach we have. The authority to respond will be limited until we can figure out how to obtain positive attribution of an attack. Once we obtain the ability to identify the true enemies, it is easy to grant the authority to take counteroffensive measures to stop the attackers.
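The two paragraphs above make one combined point: the response trigger must be defined before the attack, but it may only fire once attribution is certain, and anything short of that must go to a human. The Python below is an example added here to illustrate that gate; it is not code from the original text. It matches constructed flow records (labelled as such in the code) against a constructed library of traffic shapes previously associated with attacks, scores an attribution confidence for each matching source (two-way traffic and prior intelligence raise the score; one-way traffic that could carry a spoofed source does not), and allows only a high-confidence, high-severity match to trigger an automated block. Every address, pattern, weight and threshold is an assumption chosen for the illustration, and the automated action is defensive containment on your own network.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records standing in for sensor output (not real captures).
# Each record: source IP, destination port, TCP flags seen, bytes the destination sent back.
SAMPLE_FLOWS = [
    # 203.0.113.7: 25 connections to port 22 that the server answered -> real host, brute-force shape
    *[{"src": "203.0.113.7", "dport": 22, "flags": "SA", "reply_bytes": 60} for _ in range(25)],
    # 198.51.100.9: 40 SYNs to port 80 with no replies -> flood shape, but the source may be spoofed
    *[{"src": "198.51.100.9", "dport": 80, "flags": "S", "reply_bytes": 0} for _ in range(40)],
    # 192.0.2.33: ordinary HTTPS traffic, should match nothing
    *[{"src": "192.0.2.33", "dport": 443, "flags": "PA", "reply_bytes": 1500} for _ in range(5)],
]

# Constructed pattern library: traffic shapes previously associated with attacks.
KNOWN_PATTERNS = [
    {"name": "ssh-brute-force", "dport": 22, "min_flows": 20, "severity": "high"},
    {"name": "http-syn-flood", "dport": 80, "min_flows": 30, "severity": "high"},
]

# Constructed intelligence: sources already attributed to a known actor (hypothetical names).
ATTRIBUTED_SOURCES = {"203.0.113.7": "actor-A"}

# Assumed policy: automated containment only above this attribution confidence.
AUTO_RESPONSE_THRESHOLD = 0.8


@dataclass
class Finding:
    src: str
    pattern: str
    severity: str
    confidence: float
    decision: str
    reasons: list = field(default_factory=list)


def attribution_confidence(src, flows):
    """Score how certain we are that `src` really is the origin of this traffic.

    Weights are illustrative assumptions, not a calibrated model.
    """
    conf, reasons = 0.3, []
    replied = sum(1 for f in flows if f["reply_bytes"] > 0)
    if replied / len(flows) >= 0.5:
        conf += 0.3
        reasons.append("two-way traffic observed (source unlikely to be spoofed)")
    else:
        reasons.append("one-way traffic only (source may be spoofed)")
    if src in ATTRIBUTED_SOURCES:
        conf += 0.3
        reasons.append(f"prior attribution to {ATTRIBUTED_SOURCES[src]}")
    return min(conf, 1.0), reasons


def analyze(flows):
    """Match each source against the pattern library and decide the predefined response."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    findings = []
    for src, src_flows in by_src.items():
        for pattern in KNOWN_PATTERNS:
            matching = [f for f in src_flows if f["dport"] == pattern["dport"]]
            if len(matching) < pattern["min_flows"]:
                continue  # shape not present; no finding for this pattern
            conf, reasons = attribution_confidence(src, matching)
            # The trigger is decided here, before any attack, not improvised during one.
            if conf >= AUTO_RESPONSE_THRESHOLD and pattern["severity"] == "high":
                decision = "automated-block"
            else:
                decision = "escalate-to-analyst"
            findings.append(Finding(src, pattern["name"], pattern["severity"],
                                    round(conf, 2), decision, reasons))
    return sorted(findings, key=lambda x: x.src)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(f"{finding.src:14} {finding.pattern:16} conf={finding.confidence} -> {finding.decision}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run as written, the SSH source is blocked automatically because its traffic was answered and it carries prior attribution, while the SYN flood, although it matches a high-severity pattern, is only escalated: one-way traffic gives no assurance that the source address is genuine, which is exactly the certainty gap the text says must be closed before any automated response is authorised.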
Assuming we solve the problems of attribution and identification discussed above, commanders should have the ability to execute attack plans on a moment's notice. Those attack plans, in order to be executed in a matter of milliseconds, must be predefined. This process requires analysts to determine the vulnerabilities of all potential targets of interest, develop scenarios to exploit any or all of those weaknesses, and automate scripts and programs to begin the exploitation and infiltration process instantly.