Protecting Americans from a Major Cyber Attack
Draft Chapter for DSB Study on “Re-imagining the Department of Defense”
Robert Schmidle

The threat to America from a major cyber-attack is one for which DOD is not well organized or fully prepared. The cyber domain is uniquely one in which the traditional geographical boundaries between nations are increasingly irrelevant in identifying, attributing and mitigating cyber-attacks. Geography is the default construct for characterizing the legal and policy implications of current and emerging cyber capabilities. It is, however, a constraint for which a technical (i.e. machine) cyber capability and/or an unprincipled actor has no regard.

Understanding the cyber threat begins with an appropriate knowledge of the working of the Internet and associated computer systems. Without this knowledge, it is difficult to appreciate the limitations of the geographical world-view and its effect on 21st century cyber capabilities and operations. Fundamentally, the speed of the Internet has enabled the near simultaneity of a decision to act and the act itself. The global architecture of nation states, which for so many years enabled time for reflection on events and affirmed a delay between decisions and actions, has shrunk to insignificance. The operating logic of a geographic world-view – the logic of space – has been replaced by the operating logic of speed. No longer is the analogy of a home game and an away game relevant; in fact, succumbing to that analogy keeps us from understanding the true nature of cyber operations – that there is only ‘the game.’

Another consideration when characterizing the cyber threat is the diffuse and distributed nature of potential threats. There are now three major categories into which threat actors can be placed. First, there are those adversary actors that are clearly part of a national government structure, such as the FSB units in Russia or the PLA units in China. Second, there are adversary actors who are in the employ of foreign governments but are meant to appear to be separate from those governments; the Russian Patriotic Hacktivists are an example. Third, there are cyber actors not affiliated with a nation state but aligned with known terrorist organizations such as ISIL or Al Qaeda.

The one group among these three that is most threatening, in terms of its ability to conduct a major cyber-attack, is the one that is connected with and directed by a peer or near-peer power, such as China or Russia. These are nations that have the potential to conduct a massive, high-level, unwarned attack against, for example, a power grid, that could have ‘kinetic-like’ effects lasting for days, weeks, or even months. This is why the priority of effort for the Department of Defense should be on preventing a significant cyber-attack by a major power against the critical infrastructure of the U.S.

In spite of the concern about a massive cyber-attack, the Department should not lose sight of the risk from the ‘death by a thousand cuts’ scenario, whereby a threat actor (or actors) continuously conducts multiple low-level cyber-attacks. These actions could be part of a strategy designed to acculturate our defensive posture to accepting numerous intrusions as the ‘new normal.’ The intent of these attacks would be to anesthetize public opinion and cause senior decision-makers to become even less inclined to take the preventive actions necessary to adequately defend against a massive cyber-attack. Even though this incremental cyber threat may not be of the obvious magnitude of a nuclear detonation, the insidious nature of these intrusions over time makes it a potential risk to our way of life.

There are three fundamental missions the Department of Defense must consider in developing cyber capabilities to protect Americans from a major attack. Those capabilities can be binned into three areas for ease of characterizing these missions. The first capability is a credible deterrence, the second is a robust defense and the third is a capable offense. The important thing to keep in mind is that the capabilities inherent in these three areas are all interrelated. One cannot develop a coherent set of capabilities in any of these areas without acknowledging the role they play in the other two areas. For example, a credible deterrent is one whose effectiveness is evident in the behavior of the person(s) it is attempting to deter. Affecting an adversary's behavior requires both offensive and defensive weapons. While the concept of deterrence is inextricably tied to the perceived will of one party to use a set of weapons against another, the actual development of appropriate weapons (in this case cyber) is clearly part of any deterrence strategy.

The foundation of any credible deterrence posture must include a balanced set of defensive and offensive capabilities employable in a deliberate and predictable manner across numerous scenarios. Those capabilities are most effective in supporting a deterrence strategy if they are expressions of different sources of power (economic, conventional military, nuclear, cyber) that are interleaved in their application. Essentially, all means of power at the disposal of the national command authorities should be coherently interconnected when developing a deterrence strategy.

An effective cyber deterrent first requires credible offensive capabilities, across all domains of power, that threaten an adversary’s leadership by undermining their ability to maintain power. Second, it requires a high level of confidence in attribution of the origin of the attack and in identification of the person(s) who made the decision to launch the attack. In the realm of nuclear or conventional warfare, potential attribution as part of a deterrence strategy is generally straightforward and usually points clearly to the leadership of a particular nation. In the domain of cyber, attribution of an attack is not straightforward in a technical sense because of the myriad paths that an attack can follow, nor is the decision to launch and conduct an attack the sole privilege of a nation's leadership.

Another capability necessary for a credible cyber deterrence posture is the ability to ‘fight through’ a massive cyber-attack while retaining a survivable second-strike capability with nuclear, conventional and/or cyber weapons. This would entail having forces with those capabilities that are ‘cyber trustworthy’: forces that could be relied on to provide a credible, if not devastating, counter-attack in the face of a concerted cyber assault by a belligerent adversary. Along with the requirement for a robust counter-force capability made up of nuclear, conventional and cyber forces is the ability to continue operating the nation's critical infrastructure while under attack, thereby minimizing the societal impact. Additionally, and increasingly important, is a credible capability to affect an adversary’s financial and economic well-being while protecting our own networks and systems.

One of the fundamental contributors to any credible deterrence, second only to the perception of will in the eyes of those targeted to be deterred, is a demonstration of weapons capabilities. When the U.S. was developing its nuclear deterrence posture there were already a number of evident explosions of nuclear weapons to inform any discussion about the destructive capability of those weapons and, over time, the effects of radiation. Perhaps a similar demonstration of offensive (and defensive) cyber capabilities will be necessary in order to present a credible cyber deterrence posture.

A final thing to consider when developing a credible deterrence strategy is the speed of a potential cyber-attack and the subsequent lack of time to reflect on an appropriate response, since the ‘time of flight’ of a weapon is simultaneous (or near simultaneous) with its launch initiation. The implication of this time compression is the need to leverage the speed and potential autonomy of machine-to-machine interaction. We do this in order to create a ‘left of boom’ capability designed to render adversary offensive weapons inert before they are launched.

The next foundational capability the Department of Defense must possess, and an integral part of any deterrence equation, is the capability to defend (protect) the nation’s critical infrastructure from a massive cyber-attack. This begins by establishing common standards for protection of networks and applications. These standards would address the foundational technical and procedural measures necessary to achieve the highest level of network security. These measures include such things as continuous penetration testing and patching of applications and operating systems. While it is impractical to believe that all possible cyber vulnerabilities can be mitigated, adherence to critical security standards is necessary to deny the adversary easy access to our networks. Protection from a massive cyber-attack begins with basic and simple operational security measures. Denying an adversary even the most rudimentary access to critical systems and networks is the first step in an effective cyber defense.

Integral to these measures is having visibility of threat activity across all critical networks, to include .mil, .gov and even .com. In order to realize a credible cyber defense of critical infrastructure it is necessary to have continuous awareness of an adversary’s cyber presence in all parts of that infrastructure. This visibility, leading to increased situational awareness across the enterprise, must also be available to all friendly actors in the enterprise, not just to one or two government agencies or departments.

Along with this situational awareness of threat activity in our networks comes the need to provide real-time warning of potential or impending attacks. Warning can come from various sources, most notably from deep penetration into enemy networks and systems. This penetration provides an understanding of an adversary’s technical capability, including insights into attack methods and practices. It could also provide indications and warnings of potential attacks. Today, most of this information comes from traditional intelligence agencies. The intelligence gathering priorities of those agencies, however, may not always align with supporting a DOD mission of infrastructure defense. In this case, the new DOD should have dedicated resources to ensure that it has the required visibility into threat activities in order to best execute the Department’s mission of protecting the nation's critical infrastructure.

Assuming that we have first mitigated, as best we can, the identified network and system vulnerabilities, and second that we have the requisite intelligence about, and visibility of, threatening enemy activity, the next step is to understand the considerations for responding to cyber-attacks. Because of the speed at which these attacks can occur, when warning may be measured in milliseconds, it is necessary to rethink the traditional decision-making processes. No longer will decision-makers have the luxury, in all cases, of being able to carefully analyze all options and then make a deliberate and reasoned decision about a response to an attack.

The window of time for the decision process has effectively been reduced to near zero. The simultaneity of the decision to attack, the execution of the attack and the effect of the attack has now become the new reality. This means that we must leverage machine-level speed of response in both the active and passive domains of defense in order to disable attacks before they are launched. Exploiting machine-level speed means enabling man-made algorithms to respond to cyber intrusions and attacks. Special attention therefore must be paid to the development of these algorithms, since they will determine (within predetermined parameters and system logic) the type of response and the magnitude of the response to cyber-attacks. Clinging to historical command-directed decision matrices only adds additional time and therefore increases the vulnerability of the already fragile defensive posture of our critical infrastructure.

Another consideration when determining the roles and responsibilities of DOD for the cyber protection of critical infrastructure is identifying the agents responsible for reconstitution. Those agents could be government, commercial or a combination, but they should be identified before the need for reconstitution arises after an attack. The reconstitution of critical capabilities is as important as the initial defense of those capabilities. Any effort to mitigate a debilitating cyber-attack necessarily begins with the restoration of software and hardware functionality of the system or network that was affected. Prior identification of responsibilities is critical.

The next capability essential for a robust and credible cyber defense is an equally robust and credible offensive cyber capability. Integral to conducting offensive cyber operations is the ability to gather intelligence about the adversary. This requires access to adversary networks and systems in order to understand the architecture of those networks and to be positioned to act immediately on the indications and warnings of a potential attack. These accesses are also necessary to be able to expose and exploit an enemy’s existing or emerging cyber capabilities. Importantly, this means access to all the networks and systems of a potential enemy’s critical infrastructure, including financial, power, water, etc.

The new DOD should possess a variety of offensive capabilities, beginning with brute-force denial of service attacks to overwhelm and render inoperable systems and infrastructure. In addition, DOD must possess exquisite tools that target specific vulnerabilities in an adversary system. Another attribute that the new DOD should have is the ability to conduct a credible counter-attack with cyber-survivable second-strike forces. Among other things this requires trustworthy networks to confidently protect critical data, whether it is at rest or in motion. These cyber capabilities should not be considered in isolation, i.e. in just the cyber domain. Instead they need to be understood as part of an integrated national strategy. Cyber weapons are not technological silver bullets.

Along with the development of offensive cyber capabilities is the need to understand and address the various legal and policy impediments to employment of those capabilities. This becomes especially important when dealing with adversaries such as Russia and China, who see the Internet as a legitimate extension of sovereign state power and not as an autonomous entity with its own normative structure. In many cases it is not the lack of U.S. offensive capabilities but the constraints, either real or imagined, of law, policy and cultural norms that restrict the employment of those cyber capabilities.

When considering the employment of cyber capabilities, we should think of them in the same way that we consider the employment of conventional military capabilities – as part of a unified whole-of-government strategy. We should also continue to always consider conducting operations with our allies. As we develop concepts for employment of cyber capabilities we must remember that cyber is neither a home game nor an away game – it is just ‘the game.’ The seamless nature of the cyber battlespace informs the development of cyber capabilities that are at once both offensive and defensive, both of which contribute to an effective deterrence posture.

The final part of this chapter highlights the recommendations for posturing the new DOD to protect America from a major cyber-attack. The most pressing need in creating an effective defense against an all-out cyber-attack is to establish a clear unity of command. We need to identify a clear set of command relations to ensure focused intent, centralized planning and intentional resource allocation. Simply delineating boundaries for actions between individual agencies is not enough.

Unity of command also enables the most effective use of available resources by enabling one responsible person or organization to consolidate duplicative capacity and to direct resources to relevant capabilities and away from irrelevant ones. The first step in designing a unified command architecture is to clarify the roles and missions in cyberspace of OSD, the Joint Staff, StratCom, CyberCom and the intelligence agencies in DOD. The next step would be to do the same thing across the rest of the government.

In addition, we need to wholly integrate the development and use of offensive and defensive capabilities across Title 10, Title 50, Title 32, etc. The goal here is to gather intelligence on all adversary systems and networks, to include critical infrastructure (power grids, finance, water, etc.), with the intent of holding those networks at risk. We also need to create an incentive structure that encourages the support of these capabilities within DOD and the rest of government. An appropriate incentive structure would allow for the establishment of standards for defense. Those standards should be evaluated on the effectiveness of the applications riding on networks (output metrics) and not simply in the context of their incorporation in the applications riding on networks (input metrics).

Along with establishing these cyber standards comes the need to share information about threat activity across government and civilian critical infrastructure. The goal here is to enable real-time visibility of all threat activity across all these networks. Once there is this common situational awareness, initiatives such as a “cyber civil defense force” or a “neighborhood watch” in network enclaves become possible.

In order to accomplish these initiatives, we should change our current model for defense, which relies too heavily on a passive ‘Maginot line’ of sensors, to focus on actively ‘hunting’ for adversaries already inside our networks. Along with a shift in focus is the imperative to develop more automated tools for active defense of network and systems infrastructure and to extend the use of those tools across the rest of government and into the critical infrastructure. The nature of the cyber threat drives the need for automation of defensive actions, both passive and active, in order to enable timely response to intrusions. Automation will also minimize required resources and the potential for errors in execution. Traditional man-in-the-loop decision architectures, which rely on historic, geographical models of sovereignty for policy and legal context, will not keep pace with the speed of adversary cyber-attacks.

Another consideration related to the need to change our current design for cyber defense is leveraging commercial capabilities and capacity. The cyber defense of America’s critical infrastructure is beyond DOD’s capacity and capability and therefore demands coordinated action across government and private sectors to prevent catastrophic cyber-attacks. We can no longer rely solely on increasingly scarce military and civilian manpower, which may or may not have kept up with commercial best practices, to conduct cyber defense. The most effective way to defend networks and systems at scale is to go outside the government to contract additional defense of networks and infrastructure. Leveraging commercial capabilities also has the added benefit of freeing up government personnel, especially military personnel, to focus on the offensive mission.

In summary, the most effective way for the new DOD to protect Americans from a massive cyber-attack is a combination of organizational and technical innovations. These initiatives begin by codifying a unity of command across DOD that will in turn also enable government and private sector partnerships to realize the goal of a unity of effort. This unity of effort will result in widespread information sharing about threat activity and is the foundation for coordinated actions, essential to an adequate defense. The impediments to information sharing are mostly cultural, reinforced by the lack of an incentive structure that encourages sharing of threat information. In some cases, such as between the government and the private sector, information sharing may also be complicated by policy and legal constraints.

Protecting Americans from a massive cyber-attack begins with an organizational design based on unity of command that incentivizes information sharing and privileges transparency of threat activity across public and private sectors of the critical infrastructure. Concurrently, we must continue to develop and refine the technical capabilities, employable in appropriate defensive and offensive actions, which also contribute to an effective deterrence.