The conceptual approach is to focus on cyber-defender decision-making. Winning or losing in the cyber-battlefield is dependent on defender action—but any defender action should be based on a careful analysis of the totality of the relevant environment, risks, and potential future states. Practically speaking, the goal is to enable defenders to answer the subtly complex question, “Given a security and environmental state, what cyber-maneuvers best mitigate attacker actions and enable operation success?” Note that this is not a discrete and momentary analysis, but one that must be continuous and adaptive within evolving situational awareness and mission goals. Like its physical counterpart in traditional kinetic warfare, the waging of cyber-warfare requires constant reevaluation of threats via reconnaissance, interpretation of adversarial intent and capability, and adjustments to strategy and resource use.
The Cyber CRA envisions future operational environments in which models of operations, users, defenders, and attackers guide the reconfiguration of highly diverse security and network infrastructure on a continuous basis. Operation survivability is achieved by altering the security configuration and network capabilities in response to detected adversarial operations and situational needs of users and resources and tools available to defenders. Cost and risk metrics are used to select optimal strategies and configurations that maximize operation success probabilities while mitigating adversarial actions. Models of user, defender, and attacker actions and needs are used to derive the operation state, as well as to identify those configurations that increase the probability of operation success. A simplified view of this conceptual framework is as follows:
In pursuing such a vision, it is important to remember that decisions cannot be made solely based on an understanding of cyber systems—one must factor in the needs and motivations of the people, i.e., users, defenders, and adversaries. Here, efforts in the Cyber CRA Cross-Cutting Research Area (CCRI) reason about situational factors that may substantially alter user, defender, or attacker performance. For example, we have explored how best to present environmentally relevant information to defenders under times of stress to elicit the best outcome, i.e., what are the best details and formats to present to a defender about potentially multiple simultaneous attacks. We are developing models of attackers to gauge intent and to identify countermeasures that will mitigate their impact on operation outcomes. By understanding how an attacker, user, or defender is acting (or will act in response to a stimulus), we can predict the actions they will take. The vision is to estimate the type of attack, the goals of an attack, and the expected response taken by a user or defender, and thus estimate risk and predict future behavior. Ultimately, we will use these predictions to influence and control cyber-operation evolution and adversarial action.
This article describes the vision and current results of the Cyber CRA research focusing on elements of this vision including the operational model, risk, detection, and agility research areas. We begin in the next section by presenting a motivating cyber-mission used throughout the article.
Example Mission
Military networks present unique challenges. The diversity of strategic and tactical networks and the wired and wireless media over which operations are performed introduce diverse requirements on a science of security. The resources, configuration, and attack surface of tactical networks change from moment to moment, requiring agility to be responsive to shifting trends and goals. Such tactical networks may afford more restrictive security policy and configurations. Conversely, strategic “enterprise” military networks tend to be like traditional non-military wired networks in that they are static but heterogeneous in terms of size, topology, services and devices.
Consider an operation in a tactical network environment in which data are collected from vehicle-mounted cameras. These data are captured at regular intervals (every few seconds) as enabled by the driver and sent back to an intelligence-gathering facility several continents away (in the U.S.). The data are transmitted from the vehicle across a battlefield, to a regional operations center, and finally to the United States. The requirements of the operation are that it (a) reliably and (b) securely deliver the data from the battlefield to the intelligence facility in (c) a timely manner. In this setting, securely means that data confidentiality and integrity are retained (an adversary cannot obtain the image, nor can they alter it).