According to James Clapper, Director of National Intelligence, for the first time in history cyber-attacks are the No. 1 threat to the United States above terrorism, weapons of mass destruction, and transnational crime.
-- Statement for the Record on the Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence. Washington, D.C.: Office of the Director of National Intelligence, 2014.
Rhetoric reaches an all-time high in the wake of a Russian annexation of another neighboring state. NATO is mobilizing troops in Lithuania and Belarus to surround Latvia and prevent the continued spread of Russian forces into Europe. Hundreds die and millions of dollars are lost as merchant shipping, commercial airplanes, and cars throughout the United States and Europe continue to malfunction. World markets are chaotic, as the New York and European stock exchanges remain frozen after debilitating cyber-attacks from suspected Russian irregular forces.
The United States President stated these cyber-attacks are paramount to war and asks Congress to invoke the War Power Act.
Some hope with a formal declaration of war, the executive branch will finally have enough control to correct national authorities for cyberspace. A few have begun to ask, could some of these cyber-attacks have been avoided? Why wasn’t the United States ready for a blended cyber and conventional war?
This scenario, while fictional is a reason the United States must act to develop and refine a policy framework for cyber operations.
A 2009 Cyber Policy Review from the White House stated, “Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way… Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges [of cyberspace] will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole.”
This White House report is seven years-old, and yet the United States government still does not have a coherent strategic framework that coordinates and integrates the whole of cyberspace.
More recently, the Department of Defense Cyber Strategy listed the need to develop a cyber-operations and cyber-security policy framework.
This article will describe a three-dimensional cyber-framework that will help leaders break down cyberspace into smaller more manageable subsets. The framework will allow the U.S. to maximize its use of limited resources, manage risk, and develop an effective and coherent national cyber-strategy.
Defining the Cyber Domain
The cyberspace domain is extremely complicated because it is partially physical, and at the same time, a construct that can only be imagined. However, the domain can be divided into three main areas: physical, virtual and cognitive.
The physical realm consists of equipment and transmission media that connect the different networks, industrial control systems, data, information and ideas together.
The second area consists of the software, operating systems, databases, and the information stored, displayed, manipulated and transferred in cyberspace.
The last area is the cognitive, which is where either autonomous systems and/or humans make sense of the data/information and make decisions. The cognitive area of the cyber domain is an essential idea; ultimately, this is real people, artificial intelligence or automated processes that change behavior because of information or conditions in cyberspace.
Cyber Lines of Effort
Building upon already created doctrine helps to clarify current thought without having to reinvent the wheel. It is important to note that like other domains (air, land and sea) actions and efforts are not just limited to activities in cyberspace, but responses can and should range across the whole of the government and DoD.
Developing an effective coordinating framework is exactly what a 2013 Government Accountability Office report, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, says needs to be fixed.
Joint Publication 5.0, Joint Operational Planning, is the doctrine for joint military interagency and multinational forces operations. Joint Publication 5.0 synchronizes activities across multiple agencies/organizations using a term called Lines of Effort (LOE). LOE are used when there is “logic of purpose” and focuses on a set of operational and strategic conditions necessary to meet the desired end state.
Lines of Effort coordinate long-term goals across multiple organizations and potential competing priorities. The four LOE are Business, Defense, Intelligence, and Offense.
The Business Line of Effort encapsulates not only the running of the network, but also the acquisition and life cycle management of cyber systems. The Defensive LOE is the ability to identify, protect, react to and restore information and systems from threats across the cyberspace domain. The Intelligence LOE bridges actions in both defense and offense to include international partners, law enforcement, DoD, and other agencies and departments. While, the Offensive LOE is our capacity to deny, degrade, disrupt or destroy an adversary’s ability to operate in cyberspace.
Cyber Analysis
In his book, Man, the State, and War; a Theoretical Analysis, Kenneth Waltz describes a framework for dealing with complex policy issues involving multiple countries. His approach is often called levels of analysis. He identified three levels to analyze causes for conflict: “with man, within the structure of different states, and within the state system.”
For the purposes of the cyber framework, the levels of analysis become: individual, internal system, and external system. Individuals can be specific adversarial decision-makers or as specific as a machine. Generically, an individual is the target for the action. Internal systems are the technical, economic, legal, political, bureaucratic and operational environments within the U.S. government. Finally, the external system is the environment in which our adversaries and international partners must work.
Putting It All Together
When combined, strategists get a three-dimensional volume that describes all the actions taken in and through cyberspace. With this volume defined, policymakers will be able to evaluate the effectiveness of the current strategy, identify gaps/seams, and areas for improvement.
For example, start with a strategic goal: Ensure national information systems are protected from a nation-state attack. This leads to several questions that need to be evaluated using the Figure 1 cube.
For the sake of brevity, we will list only a few questions; however, they could deal with legal authorities, risk management, diplomatic options, etc. Do current acquisition processes allow for the proper defense of national information systems (Physical/Business/Individual)? Can the U.S. defend and recover from a cyber-attack (Physical/Defense/Internal)? Can the U.S. determine a nation-state’s actions before they happen (Physical/Intelligence/Internal)?
If not, what can the U.S. do to slow the decision-making process of the nation-state (COG/Offense/Internal)?
This strategic goal touches every area displayed in the cube and leads to many more questions.
A good framework allows strategists and policy-makers to ask questions and assess issues before needing to take action. Once the questions are identified, strategists can start to look for shortcomings and prioritize actions to improve the end state.
Now, let’s talk about a real-world example and how this framework might have worked.
Stuxnet was the first-recorded cyber-weapon to cause physical damage. Ralph Langer and his security group found and identified Stuxnet and its capabilities. In a TED Talk given March 2011, "Cracking Stuxnet, a 21st-century Cyber Weapon," he describes his findings.
The cyber-weapon’s creator was able to physically destroy Iranian nuclear centrifuges needed to make weapons-grade uranium. Because of the complex code and target, Langer believes the weapon originated from the U.S., Israel — or both. For the sake of this article let’s assume the weapon was created by the U.S. government. What would the goal have been?
Goal: Prevent/delay Iranian nuclear weapon’s program. In the framework, this cyber weapon would be classified as a physical attack against a particular target, which makes it fall within the (Physical/Offensive/Individual) space of the framework shown in Figure 1. This leads U.S. strategists to ask several questions. Can a cyber-attack degrade Iran’s nuclear program (Cognitive/Intelligence/Individual)? Can the operating system of the centrifuges be compromised (Virtual/Intelligence/Individual)? Does Iran have the ability to detect the attack (Cognitive/Intelligence/External)? Does the Intelligence Community (IC) have a way to watch Iran’s reaction (Cognitive/Intelligence/Internal)? Does the U.S. have proper sensors in place to detect a cyber-attack from Iran (Virtual/Defense/Internal)?
If not, can the U.S. get something in place before the operation (Business/Physical/Internal)? Will using this weapon risk other ongoing intelligence operations or U.S. systems (Cognitive/Intelligence/Internal)? Does the IC have sufficient understanding of Iran’s expected reactions (Cognitive/Intelligence/External)? Have the users and defenders of U.S. information systems been adequately prepared for potential blowback (Physical and Virtual and Cognitive/Defense/ Individual)?
These questions lead to more refined questions which eventually lead to specific actions. Ultimately, the goal to prevent or delay the Iranian nuclear weapons program leads to proactive steps that could have been taken to prevent Iran’s counter-attack.
Reporter Nicole Perlroth of the New York Times discussed Iranian cyber-activity in her article, "Report Says Cyberattacks Originated Inside Iran." She wrote: “Since the discovery of Stuxnet in 2010, Iran has unleashed its own series of attacks, including a destructive attack at Saudi Aramco in which hackers destroyed data on 30,000 Aramco computers, replacing their contents with the image of a burning American flag.”
Likewise, Sean Gallagher, of Ars Technica, reported in his article, "Iranians Hacked Navy Network for Four Months? Not a Surprise," that the Iranian cyber-attack on an unclassified Navy network cost over $10 million to remove and repair.
If a national cyber framework, like the one discussed in this article, would have been used; could the U.S. Navy and other private and public organizations have been better prepared for Iran's reaction? Will leaders of this nation be reactive in policy and strategic guidance or will they choose to take control of cyberspace?
Conclusion
The cyber framework is simple yet comprehensive. It encompasses the entire cyber domain, synchronizes efforts across the whole of government and allows decision makers to analyze the effectiveness of policy in terms of expected and actual outcomes. This cyber framework gives the United States a proactive and efficient tool to deal with cyber challenges and opportunities in the 21st century.
Cyberspace is complex by its very nature and coordinating actions across the whole of government can be daunting. The United States government needs this cyber framework to create a coherent, effective national strategic policy.
Like the old joke goes: How do you eat a cyber-elephant? Answer: One byte at a time. Having a single complete framework will improve communication between the many organizations and actors that operate in and through cyberspace as the U.S. begins to improve its cyber strategy.
Cmdr. Kristian Kearton is the Chief Staff Officer, Naval Computer and Telecommunications Area Master Station Atlantic.
The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.