7

Strategic Planning for Future Cyber Warfare

"In preparing for battle I have always found that plans are useless, but planning is indispensable."

Dwight D. Eisenhower

General Eisenhower, one of the finest tacticians and strategists in the history of American military leadership, and some might say in world history, makes an interesting point in the preceding quotation. He states that in preparing for battle plans are useless, but planning is indispensable. What does he mean by this? It seems counterintuitive, but he must have known what he was talking about, right? What he means is that it is impossible to plan perfectly for a battle that will be fraught with change, failures, maneuvering, and dynamism; yet it is useful beyond measure to think about the realities of what is likely to take place and plan as thoroughly as possible in response. One should plan based on the realities of what will occur, align resources to counter potential outcomes, and act. But act intelligently, with a constant evaluation of how effective the actions one is taking are in relation to the expected end goal.

With that in mind, in this chapter we'll consider the following:

  • How can physical and kinetic warfare tactics and strategies be applied in cyber warfare?
  • What techniques do and do not translate?
  • What can we learn from observing past physical warfare actions as part of the cyber spectrum?

First, let's begin by looking at some corollaries between physical warfare and the digital combat space.

Everyone has a plan until they get punched in the mouth

At the start of this chapter, we considered a well-known quotation from General Eisenhower. Another famous quotation that could be applied in the context of strategy comes from Mike Tyson, the former world heavyweight champion: "Everyone has a plan until they get punched in the mouth." In other words, there is a benefit to having a plan, and there is merit to preparation, but ultimately it comes down to how you respond once you take that first vicious hit. In cyber warfare, this is just as true. Through the massive data breaches and nation state compromises in recent history, we have all been collectively punched in the mouth, and in many instances, knocked to the canvas. What matters now is how we leverage the knowledge we gained from getting smashed and respond intelligently to try and fix the problem. In boxing terms, we need to learn to dodge and counter.

As has been discussed, past approaches to cyber security were mainly in the form of technical fixes. These "fixes" have been in response to what is now increasingly becoming an almost unsolvable problem, and thus such approaches are proving to be woefully ineffective.

In order to have any real hope of being better prepared for the coming onslaught of cyber security attacks, it is imperative that those in power, both at the government and commercial levels, change the way we do business. We can no longer continue to string together technical solutions that are point fixes for a problem that requires a broader approach: one that is not anchored solely in technical solutions and "best-of-breed" products provided by vendors that are, in most instances, more concerned with growing their own bottom line than with the broader implications of fixing security for the masses.

The nature of cyberspace is not solely for commerce and global information exchange. It is a warfighting domain. A digital battlefield where every nation on the planet; every criminal organization; every user, device, and network; and a myriad of other technologies interact and exchange bits in an endless state of change. It is also the only place in the world and throughout history where rogue nations and impoverished countries – often so poor they can barely feed their own populace – can take aim at the superpowers of the world, and do so with efficacy.

If that is the reality, and if our systems are built on a house-of-cards perimeter-based model that is inherently flawed – as has been discussed in previous chapters – then there should be a realization that we must change our approach to fixing these issues. But that fix cannot be one of simply more technology. We cannot continue to "Frankenstein" our way forward and hope that eventually, with enough technology applied, we can ultimately fix the issues we collectively face. It is time to apply strategy, and specifically a focused strategy, to this issue so that we might be able to finally gain some ground and take back the high ground from the enemy.

What type of strategy?

If one understands and really accepts the reality of the cyberspace being a warfighting domain, an active digital battlefield, then the application of any strategy outside of one founded in a military-related strategy is clearly an exercise in futility.

But there is significant nuance in this space that requires a level of malleability for the strategy that an organization chooses to put in place. While cyberspace is a warfighting domain, it is also the new hub for business and enterprise for the foreseeable future. It is the conduit for nearly all business on the planet, and cyberspace is the most prolific avenue for information exchange the world has ever seen. Therefore the nuance that must be noted is that any strategy that is applied must be based on the tenets of effective counter actions in cyber security warfighting principles, but must be open enough to allow for business to thrive and for information to flow where it is needed. This is a difficult problem to solve.

The purpose of a strategic plan for security is to provide management and leadership with the information necessary to make informed decisions about specific investments in the security space. A strategic plan will link the security function with the business direction. Because cyberspace is a warfighting domain and a domain that is of extreme importance to businesses, the strategy must also present a business case to leadership. That business case must be one that describes key business benefits and outcomes related to security.

The best strategies for security will help achieve business objectives by identifying and addressing security requirements in business functions and initiatives and providing infrastructure, people, and processes that help secure those requirements. Although driven by requirements that may not be specific to business items, a good strategy must consider other factors that may impact on the achievement of those outcomes. The strategies must be revised periodically to allow for changes in business direction, technology changes, and new constraining factors or legalities.

As has been discussed and detailed in prior chapters, the old model of a perimeter-based security strategy has categorically failed and is no longer considered effective.

The strategy that can make a difference is one that focuses on applying controls where the threat is most active. Namely, one that extends the controls from an internally secured network or infrastructure outward toward the "Edge" of the control plane, applying controls based on strategic initiatives such as host-based segmentation, multi-factor authentication, and a variety of others. Such a strategy recognizes that the network itself is little more than contested space, the most difficult area of all to gain command of, and that recognition requires a change in thinking.

In reality, the greatest and most exploitable entities on any infrastructure are the users and their devices, followed by the applications and cloud assets that the enterprise leverages to conduct and grow the business or to simply do their work, depending on whether the infrastructure is of a governmental or commercial nature.

An interesting corollary in how the demands of the battlefield require a change in the strategies that leaders employ to "win the war" can be taken from a brief analysis of the Iraqi conflict, which we'll discuss in the following section.

When the nature of combat demands a change in strategy

In 2003, the US military deployed its combined might – all of it – to invade and "liberate" the nation of Iraq. The goal was to remove the dictator Saddam Hussein from power and eliminate the Ba'ath party that had dominated the country for decades. While the veracity of the claims that motivated this offensive, and potential ulterior intents, will be debated for years, the fact remains that there was a war effort launched to enter a sovereign nation, remove its leadership, and transition the populace to a new and different way of living.

In March of that year, the US and its allied forces launched an all-out offensive to invade Iraq. As had been done for the last 100 years or more of US military engagements, the Army mobilized on the ground after a selective bombardment had taken place and the airspace over the country had been dominated. In roughly three weeks, US Army armored and mechanized units, along with coalition partners and the US Marines, had made their way from the Iraqi border to Baghdad, which fell on April 9. The invasion was complete, and the thinking at the time was that this was another victory that could be chalked up to the dominance of the American military machine and the US leadership's strategy having defeated the enemy.

We could not have been more wrong.

Infiltration does not equal dominance

While the Army and the coalition had done its job of dominating the enemy and infiltrating the country, what had happened was that the speed and effectiveness of the attack caused the Iraqi Army and its leadership to implode. The Republican Guard dissolved, and thousands of fighters literally dropped their uniforms and melted into the populace. The strategy of taking the grand objective, Baghdad, had tossed the Iraqi National Army and its affiliate operators and actors into turmoil and sent them scattering into their homes and neighborhoods.

Fast-forward roughly 90 to 120 days after the fall of Baghdad. Insurgents, either ex-Iraqi Army personnel or terrorist actors from a variety of organizations, began to exact a heavy toll on US and coalition forces; this toll primarily took the form of limited skirmishes within small sectors of urban areas, or via the use of Improvised Explosive Devices (IEDs). In these attacks, the insurgents adopted tactics that had perplexed and confounded US military personnel during the Vietnam war, but they also escalated the perplexing nature of those attacks by ensuring that the combat took place in areas that were heavy with potential collateral damage.

The insurgents adopted the basic tactics that the Viet Cong had used with efficacy in the remote jungles of Vietnam, but adapted them to a jungle of concrete and structures instead. This change in tactics meant that the insurgents and terrorists had the upper hand. The insurgents were bound by no rules of engagement and had no restrictions on the ways in which they could innovate and carry out their attacks on enemy targets. The insurgency could strike at any time against any target, and use any tactics that they found would degrade coalition and US forces. The balance of power in this case was in their favor.

Meanwhile, American and coalition forces were mired in tools and tactics that had worked in the past, World War 2 to be exact, but were not successful in engaging this new type of threat. In truth, those tactics did not work well in Vietnam either, but between Vietnam and the Iraqi conflict there was the Gulf War, where most of the senior leaders in the US military had cut their teeth on those old large-unit tactics and strategies. Having entire battalions rapidly enter an area, covered from the air and led by huge groups of tanks, is an example of that archaic approach. Because of that exposure and the quick victory in the Gulf War (the 100-Hour War, as the ground campaign was known), those same American leaders were now running the entire campaign of this new offensive and were confounded, as there was no quick victory. Where previously the enemy had been smashed utterly through the shock and awe of US military might, this time the enemy had scattered, only for those shards to come back and strike independently, inflicting hundreds of small cuts upon the allied forces. This was a situation that the Gulf War veterans were entirely unfamiliar with.

The grand strategic approach of obliterating the enemy technically at a large scale, as had been done in the Gulf War, and systematically moving into an area and imposing the American military's will, did not work. The insurgency thrived on sniper attacks, cheap bombs, mortar attacks, and quick singular engagements. Added to this frustration for the American and coalition forces were the restrictions that were imposed upon them as part of their rules of engagement.

Those extremely restrictive orders mandated that the Americans and their coalition counterparts not engage the enemy unless first fired upon, and not at all if there was a high possibility of collateral damage. That possibility was nearly always high, as the engagements often occurred in the middle of a city full of civilians.

The combination of those restrictions and the insurgents' ability to innovate meant that for a number of years the costs to the US and coalition forces would be high; thousands would make the ultimate sacrifice and even more Iraqi civilians would be affected, as what was thought to be a quick victory wore on and on for over a decade.

In cyber warfare, this relates to the reality that in most instances and infrastructures compromise has already taken place in some way. Most infrastructures have some open backdoor somewhere, and it is highly likely the enemy has already established a foothold in the network. Because of this beachhead inside of the defended perimeter, it is not possible to simply "dominate" the enemy and keep them out. No firewall at the perimeter is a high enough wall when the adversary is already inside. And using heavy-handed tactics to try and ferret the enemy out will likely only result in the degradation of network components and technology utilization.

Leaders need to have their "boots on the ground"

Another issue that plagued the strategy and ability to win decisively in the Iraq War was the fact that the ability to manage the response to the threats from the insurgency was relegated almost entirely to the most senior command leadership. This left officers on the ground unable to adapt to the evolving threats they were faced with. As had been the common practice in past wars, the ultimate decisions for actions at the grand scale were managed by the Generals and Admirals, who were often far removed from the battlefield.

This practice worked in World War 2, and in some instances was effective in general terms in Vietnam, but in a combat space that was as dynamic as the Iraqi theater, this method hindered the ability of those soldiers on the ground to respond. Other than in the case of very limited special operations groups who had more autonomy and specific directives to respond proactively to threats, such as Navy SEALs and Army Delta or Rangers, the legacy command infrastructure retained its stranglehold of control over the actions of those who were fighting the war.

In cyber warfare and cyber operations, there is a very real need for the leaders in the organization to be willing to "get dirty" with their troops. Often there are teams of technically oriented operators that are far removed from the higher echelons of command that are actually doing the work. If those troops do not really understand why their actions matter and how they are part of the survivability and prosperity of the organization, they will suffer from disenchantment. For effective command and control to be leveraged, the leaders in cyber warfare need to be ready to dive in and sit next to their operators and learn from "on-keyboard" actions. There is no better exposure that they can get than helping their cyber warriors execute the mission.

The environment determines what works, not the equipment

Even the tools and assets used by the US and coalition forces weren't prepared for the changes that were demanded of them in this new theater of war. In past engagements, the ability to move on the ground on the battlefield was best supported by lighter armored vehicles, Humvees, Jeeps, and military trucks led by heavily armored tanks and "up-armored" vehicles.

That approach works when the battlefield is open and the streets are wide. However, when the area where the fight takes place is in some of the oldest cities on the planet where buildings are close enough that the average human can reach out and span the entire alleyway, the benefit of those assets is limited at best.

Coupled with this, the light armor of the Humvees and Jeeps, which afforded them their mobility, made them perfect targets for the devastation that IEDs and roadside bombs could bring to bear.


Figure 1: Lightly armored Humvees were great assets for past engagements


Figure 2: The damage that a Humvee sustains from an IED thanks to its light armor

Helicopters and tanks had gas turbine engines that relied on sucking in and compressing large volumes of air to function. In an area with fine particulate sand and dust, those same engines needed constant cleaning and maintenance, which often grounded air support or hampered the ability of tank groups to support US forces engaged in combat. Everything in the area seemed custom-made to limit the power that those assets would have had in another area of operations.


Figure 3: Sand and fine particulate dust or dirt impacted engines and hindered operations

This same reality exists in cyber warfare spaces. Often the defenders are working with what they have been told is the "best of breed" or the most advanced solution, only to find out that they still end up with a breach. Billions of dollars have been spent on the sexiest, most advanced cyber security solutions that the industry has to offer, but the defenders still suffer failure and infrastructures are still compromised. While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.

Intelligence and "Intel" may not be the same thing

The intelligence life cycle in the Iraqi war was also vastly different than what US or coalition forces were prepared for. In past engagements, including Vietnam in many instances, the enemy was large enough and aligned with a significant enough political motivation or group for intelligence collectors and analysts to decipher their actions and plan accordingly.

Even in the earlier Gulf War with the Iraqi Army, the intelligence apparatus was well set to monitor and react to the coordinated forces of hundreds of thousands of Iraqi Army soldiers and large tank battalions. Satellite coverage and the large backend decision-making matrix that drives the outcomes of the intelligence machine for US forces were able to keep pace with the slower-moving advances or retreats of that conflict. When that same intelligence capability was needed to intercept and cover small units, hundreds of politically distinct threat groups, more covert communications mediums, and a myriad of new avenues of attack, all of these confused and degraded the US and coalition's intelligence efforts.

There was no time for long-term analysis of tactics and then plotting counteroffensives to combat the threat. Often by the time an action or potential attack could be discovered, it had already occurred or the insurgents were aware of the impending response and their plans had therefore changed. There was no means of using intelligence to influence vast groups of the population as the entire country had politically fragmented into hundreds of individually affiliated factions, each with its own motivations.

There were no large points of infrastructure to collect specifically military-related information or intelligence as in this theater of war every user on every phone and in every internet café was potentially a member of an attack team. Everything had to be gathered, analyzed, deciphered, and leveraged to have any potential benefit for intelligence operations.

While the ability to communicate via technical avenues had vastly increased over the half century since World War 2, the reality was that ground commanders would often have to ask for permission to operate or engage the enemy from commanders who were thousands of miles away. Meanwhile, insurgents could ask for guidance from leaders who were on-site or nearby, meaning that the insurgency was faster and more proactive at command and control than the vaunted US and coalition forces. While the insurgents were able to adapt to actions on the ground in near real time and maneuver or adjust their force planning and positioning, the US and coalition forces were often restricted in their ability to respond in kind.

Again, it is possible to see how this relates to cyber security and cyber warfare. Organizations including the US DoD and civilian agencies try constantly to find valuable intelligence to enable them to respond better to threat actors and nation states. But the adversary knows this and works constantly to subvert those actions. Fake attacks, bogus domains, stolen exploitation tooling, and a variety of other tactics hinder cyber intelligence collection and its use. Add to that the explosion of data present on contemporary networks thanks to device and account proliferation, and finding useful data for intelligence-based cyber actions becomes even more difficult.

Too much may be too much

Another confounding issue for the leadership and soldiers on the ground in the Iraqi conflict was the massive sprawl of projects that were necessary for the conflict to have any semblance of victory. Thanks to decades of sanctions and restrictions combined with the corrupt nature of the ruling Ba'ath party and their mismanagement of the infrastructure of the country, essentially everything the populace needed for basics was either in disarray or non-existent.

Other than the roads, which were mostly usable, the infrastructure of the country was in a state of woeful neglect. Thousands of civilians had no water, electricity, or the logistical support necessary for dependable food access. The banking system was eviscerated during the sanctions and the invasion, and the political stability of the country was tossed into a state of flux as the ruling party was ousted following the invasion. The entirety of the country was teetering on the brink of total collapse.

Because of those issues, the US and coalition forces had to try and respond to everything all at once. Yes, there were obviously more pressing matters at each step of the process of improving the country's ability to rebound, but the reality was that it was a massive undertaking, one that was too large for a force even as large as the US Army and a coalition of many other countries.

The approach of trying to solve all of the nation's problems at once, with many moving parts that were all intricately interwoven, added to the quagmire and led to increasingly long delays and the bifurcation of projects. Because of this, delays in promises and projects lagged on and on for years, and in some cases decades.

Those delays helped add to the frustration of the populace and were likely at least influential in adding to the strife and following continued violence in the area.

In cyber warfare and defensive cyber operations, we see the relationship here as well. Most times when one looks at the defensive planning and operational focus of a larger organization, the approach is one of "solve everything now." And while that makes sense as there is certainly urgency needed, taking on too many projects simultaneously is an error. This only leaves pieces of the infrastructure reaching a completed state of security and often hinders defensive planning and execution. To achieve efficacy, one project must be completed before another one is undertaken, or at the very least projects and planning must be "piggybacked" so they get done in rapid succession. Only having 90 percent of a multi-factor technology deployed means 10 percent of the organization is still under threat. Projects must reach completion before they are considered finished.

Big walls can mean big problems

A final aspect of the conflict in the Iraqi theater that perplexed US and coalition forces and helped the insurgents continually inflict damage was related to the use of the civilian city infrastructure itself as the arena for combat. In many instances in past wars, the civilian population had either vacated the combat zone or had been somehow relegated to areas that were at least away from the most heated areas of engagement. This often occurred because in those past wars things were slow to move, and the actual fighting typically took place in areas where there had been enough significant conflict to indicate to the civilians in the area that for their own safety it was imperative that they vacate the area. In the Iraq War, this was not usually the case.

The US and coalition forces had invaded so quickly and disbanded the Iraqi army so fast that it was literally within days that the spidering of skirmishes had begun, as the now unemployed Iraqi soldiers collaborated with outside insurgents to attack the US invaders. Those insurgents knew that the invading forces were unprepared to move house to house and street to street to take back ceded ground from the enemy. The insurgents lay in wait inside the pivotal areas of Iraqi cities and slowly took control of entire districts as they overtook civilian areas and either killed or intimidated the local leaders.

In doing this, the insurgents were able to "dig in" to the area and make any attack by the US and coalition forces ineffective unless they were willing to engage in almost singular combat and retake the area brick by brick. The longer the US took to realize this and stop the insurgents from continuing to move laterally and spread through the network of city streets and homes, the deeper in they were dug.

The US initially thought they could cordon off areas of high threat and contain the spread of the insurgency, as had been effective in the German theater during World War 2, but all that did was increase the insurgents' ability to defend the area and allow them time to figure out new ways to outflank US forces.

Those walls also actually aided the insurgency by further isolating and frustrating the average innocent civilian, who in many instances went to bed and woke up the next morning with concrete barriers now isolating them from their neighbors.

Those walls and the increase in isolation and "security" control points in what were once just streets in a city were then seen as hindering and confounding to daily life and would alienate and drive more civilians to join in the conflict against the invading US forces. Added to that, those innocent civilians who were unfortunate enough to be caught inside those cordoned-off areas were trapped inside a kill zone.

Large infrastructure segmentation based on legacy firewall approaches is very emblematic of what is described in the preceding illustration. Threat actors' and hackers' greatest victory is not in gaining access to a system; it is when they can dive deeper into a network and find areas to set up future operations. Their aim is long-term access and cross-domain maneuverability. Using those big segments may seem like correct segmentation, but it is only a piece of the larger need. Host-based segmentation, granular enforcement of access controls, and the elimination of any possibility of lateral movement are what minimize the threat from those types of hacker actions.

Figure 4: A picture of the author taken during the invasion phase, April 2003, of Operation Iraqi Freedom

Figure 5: An image of US President George W. Bush in front of the "MISSION ACCOMPLISHED" banner. This was in May 2003; the war in Iraq raged on for over another decade

The mission was not accomplished…

It wasn't until US and coalition forces scaled down full combat operations in the Iraq theater roughly in 2016 that the losses to the American and coalition forces started to significantly decline. The position of power in the Iraqi warfare domain remained in the hands of the insurgency because they were better able to operate outside the bounds of any rules that would have hamstrung them, whereas the US and coalition forces were never able to adapt enough or to be dynamic enough to overrun or beat the insurgency outright.

This entire scenario can be used as a parallel for the problem that we continue to see in cyberspace. The adversary is in the position of power and has the authority and ability to operate at will. Cyber security "insurgents" engage with the defenders at will and employ tactics that are deviant from what cyber security defenders are prepared for. The insurgents in this space use what were thought to be points of strength for networks and infrastructure to dig deeper into systems and circumvent the controls those tools offered. Just as with the insurgents in the Iraq War, the adversary in this digital space knows that they have the initiative and capacity to dictate where and when engagements happen.

While cyber security defenders typically seek perfection, or very high levels of certainty, to try and react or to respond tactically to the adversary, the adversary is staying two steps ahead. There are no rules of engagement for the "insurgency" in this digital battlespace and the threat actors know that. They thrive on their ability to operate outside of any rules or restrictions. The insurgents in this space knowingly and willfully maneuver and manipulate command and control infrastructures for their nefarious purposes. Hackers and enemy nation states are not bound by compliance regulations nor are they hindered by budgets or keeping business applications operational.

Even when one thinks about the response and reaction of the US and coalition forces to try and cordon off insurgents into "controllable" areas, one is reminded of a network or digital infrastructure being segmented. In the case of the Iraqi campaign, the US Army literally built giant walls around entire neighborhoods to try and contain threats. This is eerily like the way a network engineer firewalls off segments of networks to contain digital threats. And in truth, this basically fails just as the army's strategy did. In the Iraq War, the insurgents learned very quickly that either they could simply have someone with validated paperwork operate clandestinely for them and move beyond the walls, or in other cases they simply climbed over the structures in the dark. Either way eliminated the benefit of the segmentation that was being offered. In the digital space, the moment an enemy recognizes that if they can move laterally they can further infect an enterprise – and in most cases all that is needed is an administrator password or network share to do so – the control or power that a segmented network offers is rendered moot.
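The contrast between the "big walls" of segment-level firewalling and host-based segmentation described above can be shown in a few lines of policy evaluation. What follows is an added example, not code from the book or from any particular product: a constructed inventory of five hosts on a workstation subnet and a server subnet, a handful of flows originating from a workstation we assume to be compromised, and two rule sets. The segment rules mimic a legacy firewall that permits anything inside a segment and a few ports between segments; the host policy is an allow-list keyed on the roles of the source and destination, with everything unlisted denied. All hostnames, addresses, roles and flows are invented for the illustration.

```python
"""Segment-level firewall rules versus a host-based allow-list.

Added example with a constructed inventory; nothing here is real
infrastructure. Each flow is evaluated against both rule sets so the
lateral-movement paths that the coarse rules wave through are visible.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: workstations on 10.1.0.0/24, servers on 10.2.0.0/24.
HOSTS = {
    "ws-17":  ("10.1.0.17", "workstation"),
    "ws-23":  ("10.1.0.23", "workstation"),
    "fs-01":  ("10.2.0.10", "file-server"),
    "db-01":  ("10.2.0.20", "database"),
    "app-01": ("10.2.0.30", "app-server"),
}


@dataclass(frozen=True)
class Flow:
    src: str    # source hostname
    dst: str    # destination hostname
    port: int   # destination TCP port


def _addr(host: str):
    return ip_address(HOSTS[host][0])


def _role(host: str) -> str:
    return HOSTS[host][1]


# Legacy "big wall" rules: (source network, destination network, allowed ports).
# A port set of None means any port. Traffic inside a segment is unrestricted,
# and workstations may reach servers on three service ports.
SEGMENT_RULES = [
    (ip_network("10.1.0.0/24"), ip_network("10.1.0.0/24"), None),
    (ip_network("10.2.0.0/24"), ip_network("10.2.0.0/24"), None),
    (ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), {443, 445, 1433}),
]


def segment_firewall_allows(flow: Flow) -> bool:
    """Return True if any segment rule matches the flow."""
    src, dst = _addr(flow.src), _addr(flow.dst)
    for src_net, dst_net, ports in SEGMENT_RULES:
        if src in src_net and dst in dst_net and (ports is None or flow.port in ports):
            return True
    return False


# Host-based policy: for each destination role, which source roles may reach
# which ports. Anything not listed is denied, including workstation-to-
# workstation traffic and workstation-to-database traffic.
HOST_POLICY = {
    "workstation": {},                         # nothing may initiate to a workstation
    "file-server": {"workstation": {445}},
    "app-server":  {"workstation": {443}},
    "database":    {"app-server": {1433}},     # only the app tier talks to the DB
}


def host_policy_allows(flow: Flow) -> bool:
    """Return True only if the destination's allow-list names the source role and port."""
    allowed = HOST_POLICY.get(_role(flow.dst), {})
    return flow.port in allowed.get(_role(flow.src), set())


def evaluate(flows):
    """Map each flow to (segment_verdict, host_verdict)."""
    return {f: (segment_firewall_allows(f), host_policy_allows(f)) for f in flows}


# Constructed traffic. ws-17 is assumed compromised; the attacker tries to
# spread from it. fs-01 -> db-01 shows the same problem inside the server segment.
SAMPLE_FLOWS = [
    Flow("ws-17", "fs-01", 445),    # legitimate file share access
    Flow("ws-17", "ws-23", 445),    # SMB to a peer workstation: lateral movement
    Flow("ws-17", "ws-23", 3389),   # RDP to a peer workstation
    Flow("ws-17", "db-01", 1433),   # workstation straight to the database
    Flow("app-01", "db-01", 1433),  # app tier to database: legitimate
    Flow("fs-01", "db-01", 1433),   # file server to database: no business need
]

if __name__ == "__main__":
    for flow, (seg, host) in evaluate(SAMPLE_FLOWS).items():
        print(f"{flow.src:>6} -> {flow.dst:<6} :{flow.port:<5} "
              f"segment={'ALLOW' if seg else 'DENY':<5} host={'ALLOW' if host else 'DENY'}")
```

Run stand-alone, the script prints six rows: the segment rules allow every flow, because each one either stays inside a segment or uses a port the inter-segment rule opened for all workstations. The host policy allows only the two flows with a stated business need. That is the difference between a wall around a neighborhood and a rule at every door.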

Figure 6: An example of a "firewall" for street-level areas of operations in the Iraqi theater

When one considers the intelligence life cycle that is so pervasive as an offering from cyber security vendors and compares that process to the one that plagued US and coalition fighters in the Iraq War, the same issues apply. In the Iraq War, quick decisions were needed to act decisively on combat threats. Often the archaic intelligence life cycle combined with a multitude of forces needing and sharing that information, also known as threat intel, added to the time that would be needed to process that information. This would result in casualties at worst or often operational losses at least. In the digital space, this appears when one considers how threat intelligence can be beneficial, for sure; but when the speed of the digital space and the intricacies of that dynamic space become intertwined with business demands and operational requirements, things become muddied very quickly. Additionally, in the digital or cyberspace, Security Information and Event Management (SIEM) solutions (tools for analysis and visibility in infrastructure) have been touted as the "single pane of glass" but have typically not lived up to that billing.

In a battlespace with so many hidden and dark corners and no established baseline, how does any tool ever actually know when an anomaly occurs? An anomaly is, by definition, a deviation from normal, and a tool that has never been shown what normal looks like cannot recognize one. Just as in the Iraq War, where oversight and analytics were combined with threat intelligence and data points but there was no way to truly know what "normal" looked like, predictively determining the necessary action is difficult at best in cyberspace.
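
To show what "no baseline" means in practice, here is an added example that is not part of the book: a minimal logon-anomaly detector run over constructed log lines in an invented format. It learns each user's usual source addresses, hours of day and daily logon rate from a known-good window, then scores a new window against that. A user who was never baselined cannot be judged at all, and with an empty baseline every event comes back that way, which is exactly the situation the paragraph describes.

```python
"""Added example, not from the book: an anomaly is a deviation from an
established baseline, so a detector that has no baseline can only report
that it cannot judge. Log lines and their format are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Invented format: "<ISO timestamp> user=<name> src=<ip> result=<outcome>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(lines):
    """Parse lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "src": m["src"], "result": m["result"]})
    return events


def build_baseline(events):
    """Per-user 'normal' from a known-good window: sources seen, hours of day
    seen, and mean/stddev of successful logons per day."""
    seen = defaultdict(lambda: {"srcs": set(), "hours": set(), "daily": defaultdict(int)})
    for e in events:
        if e["result"] != "success":
            continue
        b = seen[e["user"]]
        b["srcs"].add(e["src"])
        b["hours"].add(e["ts"].hour)
        b["daily"][e["ts"].date()] += 1
    baseline = {}
    for user, b in seen.items():
        counts = list(b["daily"].values())
        baseline[user] = {"srcs": frozenset(b["srcs"]), "hours": frozenset(b["hours"]),
                          "rate_mean": mean(counts), "rate_std": pstdev(counts)}
    return baseline


def score(baseline, events):
    """Return [(event, reasons)] for events that deviate from the baseline.
    A user with no baseline is reported as such rather than silently passed:
    the tool cannot call the event normal or abnormal, and that gap is the finding."""
    daily = defaultdict(int)
    for e in events:
        if e["result"] == "success":
            daily[(e["user"], e["ts"].date())] += 1
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e, ["no baseline for user"]))
            continue
        reasons = []
        if e["src"] not in b["srcs"]:
            reasons.append("new source")
        if e["ts"].hour not in b["hours"]:
            reasons.append("unusual hour")
        # mean + 3 sigma, with sigma floored at 1 so a perfectly regular
        # baseline does not flag a single extra logon
        if daily[(e["user"], e["ts"].date())] > b["rate_mean"] + 3 * max(b["rate_std"], 1.0):
            reasons.append("volume spike")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed training window: five working days of routine logons.
BASELINE_LOG = []
for day in range(4, 9):  # 2024-03-04 .. 2024-03-08
    BASELINE_LOG += [
        f"2024-03-{day:02d}T09:00:00 user=alice src=10.1.4.22 result=success",
        f"2024-03-{day:02d}T13:00:00 user=alice src=10.1.4.22 result=success",
        f"2024-03-{day:02d}T08:30:00 user=bob src=10.1.4.35 result=success",
    ]

# Constructed observation window.
NEW_LOG = [
    "2024-03-11T08:30:00 user=bob src=10.1.4.35 result=success",      # routine
    "2024-03-11T03:15:00 user=alice src=203.0.113.9 result=success",  # odd hour, new source
    "2024-03-11T09:00:00 user=carol src=10.1.4.40 result=success",    # never baselined
    "garbage line that does not parse",                               # skipped by parse()
] + [f"2024-03-12T09:{m:02d}:00 user=alice src=10.1.4.22 result=success" for m in range(6)]

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for event, reasons in score(base, parse(NEW_LOG)):
        print(event["ts"].isoformat(), event["user"], event["src"], reasons)
    print("no baseline at all ->", len(score({}, parse(NEW_LOG))), "events, none judgeable")
```

Two design choices are worth noting. The "no baseline" case is surfaced as a finding rather than swallowed, because a silently unscored population is how dark corners stay dark. And the baseline is built only from known-good data; if the training window already contains the attacker's activity, that activity becomes "normal" and the detector is blind to it by construction.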

The issues that hampered decision makers in the Iraq War, and that made it so difficult to make progress and subdue the enemy in that theater, have close parallels in cyberspace. Often in cyber security, the leaders who are in charge of or tasked with defending the enterprise are limited in their authority to implement change in the infrastructure.

It was only in the last 18 months or so (at the time of writing) that Chief Information Security Officers (CISOs) became broadly accepted as "critical" leaders in many organizations. In many cases today, CISOs still report up the chain of command to a Chief Information Officer (CIO) or another executive as part of their hierarchical command structure.

This can be problematic when, as is often the case, the executives the CISO reports to have little if any knowledge of cyber warfare operations or technologies and are far removed from the "action on the ground." Just as in the Iraq War, responding to threats and to the enemy in this space requires insight into and familiarity with what is actually happening, and it requires the command authority to act on that insight quickly, because the threat environment is dynamic and does not wait for a decision to travel up a chain of command. Organizations that subscribe to this older command structure invite the confusion and lack of decisiveness that is fatal to victory in any warfighting domain, especially a digital one.

As with the assets in the Iraq War (the helicopters, tanks, Humvees, and Jeeps), the assets we use in cyberspace have inherent flaws as well. In cyberspace, businesses now rely on applications to generate revenue and act as the interface with the customer base. Those same applications are reliant on regular patching and secure code development processes to remain safe. Often the speed of business and the uptime demanded of those applications make them effectively "unpatchable," or keep them running for years, in some instances decades, without the necessary patches or updates being applied.

The devices we all use to access those applications have embedded flaws, installed backdoors, logic errors, excessive network capabilities, and default credentials that undermine their security posture. Many are manufactured in countries that are openly hostile to the US and allied nations, or that at least run a known clandestine program targeting our collective interests. The developers who write the code for these applications and devices introduce threats as well.

Many times, developers of applications and devices are working for reduced pay in countries with well-known criminal syndicates and organizations tied to less than reputable entities. All that is needed to introduce a backdoor or flaw into one of those applications or devices is a payment to an underpaid developer, and a hardcoded, deeply embedded flaw can be planted in a system. Even the nature of the user can be an issue for these assets.

Enterprises and governments have increasingly moved to a BYOD approach to enterprise IT. But as that approach proliferates and more users have more devices, with poorer security management, weaker passwords, and often questionable online interactions, the possibility that threats will be introduced rises sharply.

Standard network security practices can also be an interesting corollary when compared to the failures in the Iraqi theater. In the Iraq War, the US Army sought to isolate and control areas of potentially higher threats by physically segmenting cities and neighborhoods. While this helped to isolate and limit civilian interactions and deaths in past wars, in Iraq it only helped to alienate the populace and generate more insurgent agents.

In cyberspace, by simply applying old firewall rulesets and broadly limiting traffic at certain chokepoints, the network becomes a less effective avenue for commerce. More and more firewall rules are continually added, and in some instances millions of rules are piled into the network; rules that no longer match anything, or that are shadowed by earlier rules, are rarely removed. The accumulated ruleset hampers throughput and limits security analytics and response, because nobody can say with confidence what the policy actually permits. By just trying to firewall off sections of the environment based on "best practices" and legacy thinking, the network can become far more vulnerable than it was previously.
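
The rule-bloat problem is mechanical enough to check for. The following is an added example, not from the book or from any firewall vendor: a small audit over a constructed ruleset that finds rules an earlier rule fully covers. First-match evaluation is assumed, as is a simplified five-tuple of protocol, source, destination and destination port range. A covered rule with the same action is dead weight; a covered rule with the opposite action never fires, so the policy the author believes exists is not the one the box enforces.

```python
"""Added example, not from the book: finding rules in a bloated firewall policy
that can never match (shadowed) or add nothing (redundant). The ruleset is
constructed for illustration and first-match semantics are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    ports: tuple  # inclusive (low, high) destination port range


def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    if not ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src)):
        return False
    if not ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst)):
        return False
    return a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]


def audit(rules):
    """Report each rule that is fully covered by an earlier rule.

    Same action  -> "redundant": never changes the outcome, only costs lookups.
    Other action -> "shadowed": never fires at all; the intended exception or
    block is silently not in effect.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings


def first_match(rules, proto, src_ip, dst_ip, port):
    """The rule a packet actually hits under first-match evaluation, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if src not in ipaddress.ip_network(rule.src) or dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.ports[0] <= port <= rule.ports[1]:
            return rule
    return None


# Constructed ruleset that has grown by accretion.
RULES = [
    Rule("R1", "deny",  "tcp", "10.0.0.0/8",  "10.20.0.0/16", (1, 65535)),  # legacy block of old DC
    Rule("R2", "allow", "tcp", "10.1.0.0/16", "10.20.5.0/24", (443, 443)),  # "fix" added later; never fires
    Rule("R3", "allow", "tcp", "0.0.0.0/0",   "10.30.0.0/16", (80, 80)),
    Rule("R4", "allow", "tcp", "10.1.4.0/24", "10.30.1.0/24", (80, 80)),    # already covered by R3
    Rule("R5", "allow", "udp", "10.1.0.0/16", "10.30.0.0/16", (53, 53)),
    Rule("R6", "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",    (1, 65535)),  # cleanup rule
]

if __name__ == "__main__":
    for name, kind, by in audit(RULES):
        print(f"{name} is {kind} by {by}")
    hit = first_match(RULES, "tcp", "10.1.4.22", "10.20.5.10", 443)
    print("10.1.4.22 -> 10.20.5.10:443 hits", hit.name, "->", hit.action)
```

This only catches rules covered by a single earlier rule; a rule can also be shadowed by the union of several earlier rules, which needs interval arithmetic over the address and port space rather than a pairwise check. Even the pairwise version, run periodically, keeps the "R2 was supposed to fix that" class of surprise out of production.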

Tying into this issue is the broad application of security tooling to the user population. Often, security tools like Data Loss Prevention (DLP), password management, encryption, and other security solutions negatively impact users. As soon as a user has a negative experience with one of the restrictive actions of those tools, they will attempt to circumvent it, and that circumvention negates the benefit of the control and degrades the overall security posture of the environment. In other words, broadly applying misaligned and highly restrictive security tooling to users, networks, devices, and the variety of other assets in cyberspace can itself cause security problems.

The political points for or against the Iraqi conflict aside, the point of the discussion in this section is to show that while an older strategy might have been effective in past engagement, even massively so in the case of World War II, the demands of new battlefields and enemy tactics can negate the benefits that came from what was a winning strategy.

All the points that made that past grand strategy so effective were what doomed that same strategy when applied to a new battlefield with different adversaries in the Iraq War. Those outdated approaches combined with an insurgency that did not play by or even recognize any of the "standard" rules of engagement were so problematic for the US and the coalition that there really was no true victory. Everything from communications to logistics, intelligence operations, command and control, and even the very assets employed by commanders to try and win the war were not strategically viable based on the intricacies of the battlespace.

The high ground in the digital battlefield will remain firmly in the control of the enemy if defenders continue to subscribe to failed strategic approaches that are outdated and do not deal with the reality of the threat space.

What does an effective strategy in cyberspace look like?

New threats, and a growing realization that the majority of the infrastructure currently supporting federal and commercial systems is built on a failed perimeter-based security model, have prompted the industry to move toward a new cyber strategy. The strategy that must be adopted is one that enables better responses to new threats, reduces vulnerabilities, deters adversaries, and secures systems with a focus on what is most practically achievable. To have any hope of better securing cyberspace, there is one fundamental thing to realize: this new strategy will require technical advancement as well as managerial and administrative change across both the federal government and the private sector. We cannot collectively continue to do the same thing and expect a different outcome.

Changing strategic concepts

Those leaders who are in place to implement change should also recognize that a purely technocratic approach to remedying the larger strategic issues in cyberspace is insufficient to address the nature of the problems we will face in the coming decade and beyond. Leadership cannot subscribe solely to "checking the box for compliance" and think they have achieved any real level of security. If compliance chasing worked, we would never have had a single Payment Card Industry (PCI)-related breach or a HIPAA (the US healthcare privacy and security regulation)-related breach, as those mandates have been in place for a decade or more.

Securing information and systems against the full spectrum of threats and expecting an outcome of zero compromises or exploits, ever, is an exercise in futility. For that to work, an organization would have to be perfect all the time, on every bit and byte, and never have a single flaw in any system. This is an impossibility. The intelligent approach instead is to deploy multiple, intersecting protection solutions that address each component of a functional infrastructure: namely the people, the technology, and the operational or business assets of the information systems.

It is a fact that no single system will ever be "unhackable," and it is also true that no system can be secured unless every interconnecting system that touches or accesses that infrastructure is also secured. Therefore, logic suggests that to be effective, an organization must use multiple, overlapping protection solutions that work in tandem, so that the failure or circumvention of any individual protection does not compromise the entirety of the infrastructure.

The correct strategic approach in this space is one that recognizes that in order to best counter a threat, organizations must focus their efforts and align their technologies to counter the threat at the correct intersections within the technology ecosystem.

This is done correctly by applying a strategic approach that focuses on gaining control of user-enabled devices and systems, secures data wherever possible, and leverages the power of the cloud as often as possible. Additionally, a key aspect of this strategy is to consider every network, device, user, account, access, or other related item compromised until proven otherwise. Everything is a threat, all the time. Nothing should be allowed to operate by default, and any and all access must be explicitly proven valid before it is granted.

Lastly, for this strategy to be effective, the leadership in place must realize that the network is always a contested space. The network is where the battle is being fought and is also the most dynamic area of threat, whether that "network" is cloud-based or on-premises. For this approach to work, controls must be placed at key control points within the network to gain insight into the operational situation of the system; but any such point of control is always going to be tenuous and must be assumed to be contested like everything else.

There are many current terms for what this strategic approach should be coined, but for the purposes of this book, we shall term the strategy Edge and Entity Security (EES).

Strategically defending the "Edge"

What most leaders and management in the cyber security space tend to forget, or at least fail to recognize, is that we all follow a "leader" as we work to better secure our systems. That leader is the US DoD, or "the Fed" as it is often called in cyber security circles. The reason for this is that it is (and was) the US DoD that was "first to market" with the clear delineation on what threats were taking place in cyberspace, and especially cyber warfare. It was (and still is) the US DoD that possesses the largest singularly aligned effort to actively counter cyber threats. Therefore, it makes sense to leverage the tenets of the US DoD's strategy that are in sync with EES.

The seminal document guiding the DoD toward this strategy is NIST Special Publication 800-207, titled "Zero Trust Architecture." NIST, the National Institute of Standards and Technology, is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Within NIST is the Information Technology Laboratory (ITL).

According to the NIST website, the ITL "develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of [data] other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations."

Figure 7: A sample access model from NIST 800-207

It is the ITL that is most directly responsible for the 800-207 document, which is being used to help align different DoD agencies toward the strategic approach of a zero trust architecture, or, as termed here, EES.

In an EES strategy, the focus is not on the defense of any perimeter or large area network, as that has proven indefensible. EES mandates that the focus for security should be on the "Entities" and how they access or touch the "Edge" of the infrastructure. There are very specific points to understand about this concept.

When detailing what an "Entity" is, the simplest way to state it is that every user, device, application, or asset that might have access to vital data should be considered an Entity and must have granular security controls applied to it.

Figure 8: Sample core components from NIST 800-207

The "Edge" is different from the perimeter. Whereas the perimeter concept holds that there is a defensive "wall" far out at the boundaries of the network that borders the infrastructure and keeps the enemy at bay, the "Edge" concept holds that the edges of the infrastructure travel and move with the Entities, and that controls must therefore be bound to the fabric of whatever medium the Entity uses to gain access to critical data.

As part of an EES strategy, it is paramount that those involved in the future migration of the infrastructure accept that, because a typical infrastructure has grown increasingly complex and possesses no real defensive wall, their security strategies cannot be built around defending a single network perimeter. Any system in use today will likely span several, if not hundreds, of networks and subnets, each with its own local infrastructure, user base, data repositories, and cloud services. The complexity so prevalent in today's infrastructure means that there is no single perimeter for the enterprise.

The very nature of the way that systems function today and the means by which those systems and users "do their jobs" entails that differing approaches to securing what matters most be part of the overall strategy.

Often, when considering the implementation of a strategy in cyber warfare, users and leaders ask the question, "What is the one thing we should focus on first?" This is a valid question, but a more well-aligned version of that same question would be, "How do we fail the most first?" In other words, when engaging in a new strategic plan like EES, those in charge of engaging in this effort should not try and come up with a singular "thing" to complete first. Instead, they should look at the chance to implement a new strategy with an eye toward fixing first those items that would be most damaging to the organization when, not if, an attack occurs. What is the most important point in the infrastructure that, were it to be the victim of a cyber attack, would cause the most detriment to the organization? That asset, item, database, or whatever it may be is what should be addressed first.

Eat the elephant

Another point to be aware of as one considers an EES-focused strategic plan is that there is a process to executing a strategy. Trying to solve everything at the same time is not a strategy. It does not work in warfare, as noted in the section on the Iraq War, and it is not advisable for any federal or commercial cyber-related endeavor. The process for EES mandates that each Entity be fully secured and programmatically completed before another piece of the strategic plan is undertaken. This helps to eliminate parallel work threads and reduces the likelihood of too many items being in flight at any one time. In many instances, this is a key point of failure for organizations in the cyber warfare space. In a variety of studies, the impact of leaving specific tasks in cyber security projects incomplete before the next action is undertaken has been put as high as 30%.

If that is the reality, one can easily see how having multiple project items all running in parallel streams in an infrastructure that may include millions of Entities and a dynamic Edge can lead to non-completion of important items that ultimately lead to a breach or exploit.

Just as in real warfare, a key component for a winning EES strategy is to gain visibility into the battlespace. As noted in the section When the nature of combat demands a change in strategy, on the issues that plagued the Iraqi conflict, the intelligence life cycle is only as good as the collection and analysis capabilities of the assets that need to leverage that telemetry data for intelligence purposes. In conventional warfare, the best visibility comes from taking the high ground, being on a hill, or having satellite imagery of an area of conflict.

In cyber warfare, the "high ground" is taken when an organization can "see" everything. This means that all Entities and their interactions with Edge components and the infrastructure are all observable and provide useful data points that improve the defender's ability to respond. A key point is to make sure that the data and the analytics that are being provided enable an action or outcome.

Analytics and data, no matter how innovative, are effectively useless if they cannot be used to respond to an issue within the enterprise. What good would satellite coverage of an area be if the high-resolution imagery it provided could not be used to stop a convoy from driving over an IED? None. If the analytics and data provided by the intelligence collection apparatus are not used to actually fix the issues that are present, then they add to the problem by increasing the load on analysts and defenders.

EES as a strategy requires that analytics and data are used to improve intelligence and prompt action, not to simply "do analysis." In warfare, when analysis and data do not help the warfighter, it is known as "analysis paralysis" – this is not the desired state for EES.

Consider one version of a more optimally configured EES-focused security implementation. For this case, let's focus on the Entity that is most likely to cause an actual compromise of the infrastructure: the user. In order to secure a user – a notoriously difficult matter – there are a variety of steps and overlapping solutions that must be in place.

The point of a user trying to access an asset or portion of a network is always going to ultimately be to leverage some resource within that infrastructure. It might be an application, a piece of data, or some other asset, but certainly at some point the user is going to request access to "use something." Therefore, the user must be considered as a threat until they are validated as not being compromised and they have a valid and justified reason to be attempting to connect to the infrastructure.

A variety of controls can be put in place to enable this defensive position. Multi-factor authentication should be used to validate who the user is by issuing an out-of-band authentication request: a prompt, delivered through a separate channel or device, that requires the user to complete an additional step proving they are who they say they are before they are given access to the requested asset. Note that multi-factor authentication proves possession of a second factor; it does not prove that the device the user is on is healthy, which is why device posture must be checked separately. Multi-factor authentication tooling should be part of an overall Identity and Access Management (IAM) program that is built to make legitimate access requests smooth and to eliminate overly complex access control problems.

The orchestration enables the strategy

Another part of this approach requires orchestration and analytics to help control user access requests. As part of that orchestration, the user's device should be checked for patch level and confirmed to be managed by the infrastructure for security purposes. Monitoring software can also be part of this EES approach, not in the legacy DLP manner of blocking a user from accessing data by default, but in a manner that allows access based on the IAM controls and then logs and tracks the user as they access or use the assets they sought.

Analytics and the validation process should be applied to filesystem permissions as part of the EES process as well. Before the user is granted access to the asset, there should be logic in place that uses telemetry and analytics to make real-time decisions on the level and type of file access requested, and to react should any of those parameters fall outside the bounds of a normal, valid request.

Some of the most basic tenets of this strategic approach to enabling EES for an organization can be succinctly stated as follows:

  • All data sources and computing services are considered Entities that must be secured.
  • All communication is secure regardless of its physical or virtual point of origin.
  • Access is granted to individual resources on a per-session basis, and each session is time-bound rather than a standing grant.
  • Technical policies must be applied to all Entities and be enforceable at the Edge of the system and should include behavioral attributes that are used to determine the validity of the transaction.
  • All systems are always maintained in the most secure state possible, and monitoring and analysis are used to ensure that the infrastructure and all associated Entities remain in that state.
  • Entity authentication is dynamic and strictly enforced before access is granted.
  • The infrastructure lives in a constant cycle of access control, analysis, scanning and assessing threats, limiting lateral movement, and continuously validating requests for access.
  • The network is contested space and is considered an area of constant threat.
  • Controls must be extended from the controlled space within the infrastructure and outward through the fabric of connectivity to the Edge of the system, and applied to the Entities of the enterprise.
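
The user-securing procedure in the preceding section (identity validation with MFA, device posture, behavioral analytics, logged access) and the tenets listed above describe a policy decision point. The following is an added example, not code from the book, NIST, or any vendor product: a small default-deny evaluator in which the resource names, roles, thresholds, session lifetimes and audit record format are all constructed for illustration. It denies unless every check passes, collects every failing check rather than stopping at the first, issues a time-bound grant scoped to one resource and one action, and records every decision.

```python
"""Added example, not from the book: a policy decision point of the kind an
EES / zero trust approach needs. Every request is denied unless identity,
device posture, behaviour and the requested resource all check out, and an
allow is a short-lived, per-resource session rather than a standing grant.
Resource names, roles, thresholds and the audit format are all constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool
    mfa_method: str      # "fido2", "totp", "sms" or "none"


@dataclass(frozen=True)
class DevicePosture:
    managed: bool        # enrolled in device management
    patch_age_days: int  # days behind the approved patch baseline
    edr_healthy: bool    # endpoint agent running and reporting


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: DevicePosture
    resource: str
    action: str          # "read" or "write"
    src_ip: str
    now: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple
    expires: Optional[datetime]  # None on deny


# Constructed per-resource policy; session lifetime depends on the action.
POLICY = {
    "finance-share": {"roles": {"finance"}, "max_patch_age": 30, "ttl_min": {"read": 60, "write": 15}},
    "hr-db": {"roles": {"hr"}, "max_patch_age": 14, "ttl_min": {"read": 30, "write": 10}},
}
# Constructed behavioural baseline: networks each user normally works from.
USUAL_NETWORKS = {"alice": ["10.1.4.0/24"], "bob": ["10.1.4.0/24", "10.8.0.0/16"]}
AUDIT_LOG = []  # every decision is recorded, allow or deny
T0 = datetime(2024, 3, 11, 9, 0, 0)  # fixed clock for the demonstration


def from_usual_network(user, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in USUAL_NETWORKS.get(user, []))


def record(req, decision):
    AUDIT_LOG.append({"at": req.now.isoformat(), "user": req.identity.user, "src": req.src_ip,
                      "resource": req.resource, "action": req.action,
                      "allow": decision.allow, "reasons": decision.reasons})
    return decision


def evaluate(req):
    """Default deny. Every failing check is collected so the analyst sees the
    whole picture; on success a time-bound session for this resource and
    action is issued, after which the request must be evaluated again."""
    pol = POLICY.get(req.resource)
    if pol is None or req.action not in pol["ttl_min"]:
        return record(req, Decision(False, ("unknown resource or action, default deny",), None))
    ident, dev, reasons = req.identity, req.device, []
    strong = ident.mfa_verified and ident.mfa_method == "fido2"
    if not ident.roles & pol["roles"]:
        reasons.append("role not authorised for resource")
    if not ident.mfa_verified:
        reasons.append("mfa not verified")
    if req.action == "write" and not strong:
        reasons.append("write requires phishing-resistant mfa")
    if not from_usual_network(ident.user, req.src_ip) and not strong:
        reasons.append("unfamiliar network requires phishing-resistant mfa")
    if not dev.managed:
        reasons.append("unmanaged device")
    if dev.patch_age_days > pol["max_patch_age"]:
        reasons.append("device patch level too old")
    if not dev.edr_healthy:
        reasons.append("endpoint agent unhealthy")
    if reasons:
        return record(req, Decision(False, tuple(reasons), None))
    ttl = timedelta(minutes=pol["ttl_min"][req.action])
    return record(req, Decision(True, ("all checks passed",), req.now + ttl))


def session_valid(decision, now):
    """A grant is good only until it expires; nothing is trusted indefinitely."""
    return decision.allow and decision.expires is not None and now < decision.expires


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"finance"}), True, "totp")
    laptop = DevicePosture(True, 5, True)
    print(evaluate(Request(alice, laptop, "finance-share", "read", "10.1.4.22", T0)))
    print(evaluate(Request(alice, laptop, "finance-share", "write", "10.1.4.22", T0)))
    print(evaluate(Request(alice, DevicePosture(False, 90, True), "finance-share", "read", "203.0.113.9", T0)))
```

The shape matters more than the particular thresholds: an unknown resource or action is a deny, not an error; the behavioural signal (unfamiliar network) does not block outright but raises the bar to a phishing-resistant factor; and the grant carries its own expiry, so "access is granted per session" is enforced by the data structure rather than by convention. In a real deployment the posture inputs come from the device management and endpoint agents and the audit record feeds the analytics described earlier, rather than being constructed in code.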

In warfare, change is a necessity, as are strategy and tactics. Defending more effectively requires leaders and those in a position of influence to adapt their approach to one that deals with the current and near-future state of infrastructure. As noted previously, the "Edge" and the "Entity" can be better secured, along with the whole of the infrastructure, if the problems in that space are dealt with strategically.

Conclusion

This chapter's aim was to open the reader's mind to the intricacies of what warfare in the physical space looks like and to help frame the points around how the realities of new warfare tactics demand a change in strategy. There are many other potential warfare references throughout history that could be analyzed to provide similar insights into the failures or benefits of different strategies. Regardless of the specific engagement, the truth of the matter is that warfare by its very nature is ever-changing and is wrought with potential failure points. The Iraqi conflict is just one of the most recent examples and is well suited to showing how older winning strategies can fail when they are met with new variances in a combat environment.

The most important objective of this entire chapter is to help the reader understand that there is a need to change the approach at a grand level, to strategically change the way we engage and interact with the enemy in cyberspace. To do anything other than adapt and modify our collective strategies in this space will only continue to enable breaches and exploits to succeed. It is incumbent upon practitioners and leaders in the space to plan for the long term and to focus on areas where ground can be gained and threats can be mitigated, based on the realities of how their systems must function.
