The Cyber Conflict Studies Association (CCSA) is a 501(c)3 non-profit organization dedicated to promoting and leading a diversified research agenda in the field of cyber conflict. CCSA’s vision is to be the premier thought leader in the field by fostering dialogue, leading research, and developing academic programs focused on the implications of cyber conflict.

To achieve this, CCSA promotes and leads international intellectual development efforts to advance the field of cyber conflict research. These activities include workshops that bring together professionals from industry, academia and government to discuss strategic issues surrounding cyber conflict and the publication of insightful research articles and position papers in its Journal of Cyber Conflict Studies.

The CCSA is collaborating with others in the community to establish a history writing contest. Please help us spread the word. Details are below:

The Cyber Conflict Studies Association (CCSA), AFCEA International, and the Atlantic Council have collaborated to create a cyber conflict history case studies contest. The contest comprises three entrant categories: university students, military service members and professionals, with six prizes of up to $1,000 to be awarded for the best submissions. The deadline for entering the competition is June 1, 2012. The full call for papers is posted here.

Entries that meet editorial criteria will be considered for inclusion in future CCSA journals or an upcoming Comprehensive History of Cyber Conflict publication. In addition, they may be selected for presentation at a future cyber conflict history conference. Authors of the winning papers automatically will be considered for an internship or employment at the Atlantic Council or the CCSA.

Additional information about the competition, including the list of case studies and complete competition rules, can be found in the official call for papers posted online. More information about CCSA and research resources is available on the CCSA website. Participants should email entries or questions to Karl Grindal, writing competition project manager.  Please help CCSA advertise the contest through your social network of colleagues and friends.

You may also like -

What is the Cyber Conflict Studies Association?If You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...Some Thoughts on the Iranian Cyber Army and what they mean to CyberStuxnet: An important change in the national security landscapePros and Cons: Cyber CommandFurthering the Field: A Comprehensive Program for Cyber Conflict StudiesDevost.NetDARPA’s Cyber Fast Track Adds Agility to Research FundingCrucialPointLLCPresident Mentions Cyber-Threats in State of the Union AddressCrucialPointLLCTrust, Enterprise Security, and Autonomous TechnologyCrucialPointLLCNaval Academy Expands on Cyber SecurityCrucialPointLLC

Opinion: the most mature research agenda on the topic of cyber security is the one established by our nation’s Department of Homeland Security.

I’m keeping an open mind, and would love to learn of other cyber security research agenda’s that might be as well defined. But I have to tell you I have seen research programs associated with cyber for years and this one is impressive.

The details of the topic areas of this research activity are embedded in a Broad Area Announcement (BAA) posted on FedBizOpps. The PDF of the announcement is located here: http://ctovision.com/wp-content/uploads/2011/02/Cyber_Security_BAA_11-02-2.pdf

You can also find info on this research agenda at:

https://baa2.st.dhs.gov/portal/BAA/

A summary of the agenda is pasted below for your review, but please visit review the details on the DHS site and at FedBizOpps for more info. And, if you know of any researcher who has an ability to contribute to the cyber mission needs outlined in this BAA, please get word of the BAA to the researcher. Our nation needs research into these topics, and it looks like DHS may be making some funding available for research into these topics.

I’d also recommend the DHS S&T Topics for Cyber Research by reviewed by computer science students and teachers.  They should also be considered by IT firms large and small, even if the firms are not planning on responding to the DHS announcement.  Anyone doing any research on cyber anywhere would benefit from a review of this agenda, I believe.

Summary from the DHS S&T website:

Summaries of these task areas:

Related articles

• Attend FedScoop CyberSecurity Summit (ctovision.com)
• Federal Cyber Security: Missions, Initiatives, Opportunities and Risks (ctovision.com)
• Ponemon Institute Cost of Cyber Crime Study (ctovision.com)
• DHS To Invest $40 Million On Cybersecurity Research (informationweek.com)
• DHS Offers $40M For Top Cybersecurity Research (yro.slashdot.org)
• ENISA smartphone cyber security report (marienfeldt.wordpress.com)

You may also like -

Mature Models for Healthy and Resilient Cyber SystemsWhat is the Cyber Conflict Studies Association?GovSec conference is March 29-31 2011The FedCyber.com Cyber Security SummitDeputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveDARPA’s Cyber Fast Track Adds Agility to Research FundingCrucialPointLLCCyber Conflict Studies Association History ContestCrucialPointLLCEvolving Approaches to Cyber ThreatsBob GourleyFormer W.H. Official: In the Event of a Cyberwar, Don’t Call DHSCrucialPointLLCZafesoft: Next Generation Content SecurityCTOvision.com

Siemens provides the SIMATIC PCS 7 with "everything you need to completely and safely automate your entire production process."

There are some important strategic changes occurring in the national security landscape.

A new kind of cyber attack has been noted, one that involves use of malicious code to attack infrastructure.  There are some important points in this attack that should be understood by national security decision-makers.

With the launch of the code the security community calls Stuxnet, an attack was made against a programmable logic controller (PLC) that runs a physical system.  This is a new degree of bad in cyber attacks.

This code is potentially (probably?) nation-state sponsored.  We might never know which country, but a review of the geo-political situation today can lead to some informed speculation.

Below is some Stuxnet context:

Background: A piece of malicious code called Stuxnet was discovered over the summer.  It was highlighted by security experts like Steve Bellovin in July 2010. Steve pointed out that the use of zero day attacks and the targeting of a SCADA system was of note.

Piece of Stuxnet Code as analyzed by Ralph Langner

Many other security researchers discussed this code but one of the better technical write-ups is captured by Ralph Langner in his report titled “Stuxnet is a directed attack– ‘hack of the century’”

Key points made by Ralph Langner are that:

• This was a directed attack, aimed at sabotage vice espionage or privacy attacks.
• The full effect of the package only occurs at places where are targeted piece of equipment is located. This means knowledge of a specific target was used in designing this weapon.
• Many other features point to heavy insider knowledge.
• Although smart use of zero day attacks was used, the real expertise was with the specific control system. This was not some hacker or group of hackers. This is a group with knowledge of the target.

Some great analysis also comes from Gary McCraw of in a post at InformIT titled “Software [In]security: How to p0wn a Control System with Stuxnet.”

Gary McGraw makes the points that:

• Stuxnet seems to be proof of a sophisticated, narrowly targeted collection of malware controlled by a well resourced entity.
• It was discovered accidently  by anti-virus researchers in June 2010, but may have been in the wild since early 2009.
• Gary underscores that the delivery means is not what is key here.  An almost infinite number of delivery means could have been used, unfortunately. There is a deep well of zero day attacks waiting to be discovered.  The key thing is the ability of Stuxnet to inject code into a running control system.
• Gary also clarifies that this attacks is NOT against the SCADA.  It is against the programmable logic controller (PLC) which runs the physical system directly.  This makes this attack much more sinister.

Some analysis and recommendations:

I should mention a disclaimer: I don’t have a clue about how hard it would be to write this code or insert it.  I don’t have any insider knowledge about this or have any idea who did it.  And, although I am certainly a student of technology my personal coding skills are so weak I could not offer any personal opinions that come close to those of McGraw, Bellovin or Langner.  Those guys are masters I hold in high regard, and they and many other experts are convincing me that this is unique.

• It is possible that the code could have been written by one very smart coder, but it is more likely the result of a team.
• The smart use of well prepared, unknown exploits makes this sophisticated, but that is just the delivery means.  The key point is the weapon- the piece that changes how a control system operates.
• This, to me, points to a historical first. I believe, this is the first publicly available evidence of a piece of weaponized code being delivered to have an impact on a SCADA system.
• This does not seem to have been designed, at all, to provide data out.  It is not built for espionage.  It is built to impact infrastructure.
• And it is built to impact a very specific infrastructure, not all infrastructure.  It is targeted.
• We are all put in the awkward position of being tempted to blame Israel for this attack.  If the code does what it seems to do, and if it was targeted against centrifuges at Natanz, then it is logical to assume Israel could benefit from this.  But in the cyber world it can be very hard to prove who is behind an attack. We should all be on guard for reports that claim to know where this came from (scrutinize any reporting so you know what the facts are).
• If a country sponsors an attack against another country, is it an act of war?  Well, if a country bombs another country’s nuclear weapons program, is that an act of war?  Seems like this is an issue worth additional study.
• If a country launches a weapon like this, does it mean they are ready for the “blow back” when other country’s launch weapons like that against them?  I don’t know of any country that is protected (or protectable) against these sorts of threats.  So why would any country launch an attack like this?

My recommendations:

• If you are not already studying cyber issues, seems like now would be a good time to start.  There are many venue available for you to study cyber conflict.  One of my recommended places is the Cyber Conflict Studies Association (CCSA), but there are many other ways to get involved and get up to speed on these many dynamics of cyber conflict.  Depending on your interest and abilities you can join and learn from and advance the cyber conflict thinking at: SANS, AFCEA, INSA, IEEE, ACM, AAFS , CFR, and/or many others.  One thing I’m certain about is that we will need contributions from a wide range of experiences and viewpoints as we move forward into the future, so find your path and dive in.
• I also recommend that you do what you know you need to do in your own enterprise.  Ensure you are mounting a vigorous defense in depth.
• Oh, and don’t let anyone in your organization tell you that your SCADA systems are protected because they are not directly connected to the Internet. If they can be reached by any network or USB drive or other media, they are not isolated.

And a closing thought:

I think once again it is an important question for you to ask yourself:  Can you trust your toaster? More later.

Related articles

• Did a U.S. Government Lab Help Israel Develop Stuxnet? (wired.com)
• Stuxnet Worm Was Weapon, Report Says (pcworld.com)
• Stuxnet and the Uncertain Future of the Internet of Things (gearfuse.com)
• Evidence builds that Stuxnet worm was aimed at averting war over Iran’s nuclear weapons (venturebeat.com)
• Israel accused of launching Stuxnet attack on Iran (v3.co.uk)
• Stuxnet attacks on Iran creating a backlash – Pakistan Patriot (news.google.com)
• Iran’s nuclear program and a new era of cyber war – Los Angeles Times (news.google.com)
• Development and testing of the Stuxnet worm (nytimes.com)

You may also like -

Defending Against Stuxnet Type Threats

The Cyber Conflict Studies Association (CCSA) is a non-profit organization formed to promote and lead a diversified research agenda in the field of cyber conflict.  The group was formed as a means to foster dialogue, lead research and develop academic programs focused on the implications of cyber conflict.

To meet these goals, CCSA promotes and leads international intellectual development efforts like workshops and conferences that bring together professionals from industry, academia and government to discuss strategic issues surrounding cyber conflict.

The CCSA also serves as a resource for national security decision-makers.  The CCSA contributes to framing issues promoting national cyber conflict policy.

How do you engage with CCSA?  If you are involved in academic research or studies in the domain, or if you are a policy-maker or thought leader in the community, engaging the CCSA is easy.  The first step is to visit the website at http://cyberconflict.org If you believe you can contribute to or benefit from the dialog please sign up for our low volume e-mail distro list. We use that to announce our workshops and conferences.

Another thing you can do is engage directly with the many writers/thinkers/thought leaders that are helping to move the cyber conflict agenda forward.  How you do that is a matter of personal and professional choice, of course.   But I hope one of the ways to engage with CCSA thought leaders is to read the blogs of CCSA members.  Some to check out:

• Halt of the Spear: http://www.haftofthespear.com Mike Tanji writes from experience in and out of government and his blog belongs on the reading list of anyone studying cyber conflict.
• Devost.net: http://www.devost.net/blog Matt Devost provides insights in issues of cyber security, counterterror and modern IT.
• Selil.com:  http://selil.com This is the site of professors Sam and Sydney Liles. They write on cyber warfare, privacy, computer security and more.
• CTOvision.com: http://ctovision.com The point and purpose of this blog is more about enterprise technology and disruptive IT, things enterprise CTOs need to track and prepare for. But the background of the blog’s founder and editor causes it to hit on cyber conflict matters as well.

Pulling together that quick list makes me think of another service the CCSA can provide the cyber conflict community.  We should probably ask the CCSA to establish a list of good cyber conflict blogs and twitter feeds.  As a start to that list, can you tell me please what your favorite cyber conflict blogs are?  Do you write a blog on that topic yourself?

You may also like -

Cyber Conflict Studies Association History ContestIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...Some Thoughts on the Iranian Cyber Army and what they mean to CyberStuxnet: An important change in the national security landscapeFedCyber.com Cybersecurity Summit on Wednesday, September 28Furthering the Field: A Comprehensive Program for Cyber Conflict StudiesDevost.NetDARPA’s Cyber Fast Track Adds Agility to Research FundingCrucialPointLLCTrust, Enterprise Security, and Autonomous TechnologyCrucialPointLLCThe FedCyber.com Cyber Security SummitCTOvision.comCalling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...CTOvision.com

On June 10, 2010, the US Senate Homeland Security and Governmental Affairs Committee (HSGAC) unveiled a major cybersecurity bill designed to modernize, strengthen, and coordinate US Cyber defenses.

Senators Collins, Carper and Lieberman introduced this bill with the clear articulation to defend not just federal networks but the Internet itself.  As portion of the announcement recorded by TalkRadioNews is below:

The bill itself is named the “Protecting Cyberspace as a National Asset Act of 2010.”

It creates an Office of Cyber Policy in the White House with a director accountable to the public to lead all federal cyberspace efforts and devise national cyberspace strategy.  A National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, to enforce cybersecurity policies through the government and even the private sector.

Some key aspects of this Bill, from the site of the HSGAC:

1. Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic.  The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.
2. Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cyber security capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks.  The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
3. Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies practices of protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.
4. Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
5. Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks.  The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them.  The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
6. Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
7. Requiring the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.

Now some analysis:

1. By ensuring the White House will have a Senate-confirmed Director, it will help underscore for the executive branch that this issue should be taken a bit more serious.  Sounds like a prudent thing for the Congress to do.
2. Creating a National Center for Cybersecurity and Communications (NCCC) in DHS with a leader also confirmed by the Senate sends a similar message, but it also empowers an individual and group to do something that no one has been authorized to do before (at least no one under the rank of President). This office will have authority to lead across government.  As a CTO with enterprise experience I respect this kind of position.  I am convinced you cannot defend large enterprises without the smart application of both central authority and decentralized action.  If you try with either of those missing you fail.  I am not worried about too much technical authority being drawn into one location, there are too many forces at play to keep that power from being abused and, if the person and staff are picked carefully, they will avoid making decisions that impact missions in a negative way.  Notice I have caveated my opinion here.  The nation must choose wisely and put a very smart technology leader in this position.  Someone who can enforce the right standards and give direction when required but can back off and let agency IT leaders run things when required and that person must be smart enough to know when and how to decide what to decide about.
3. Updating FISMA is long overdue.  Moving towards real-time monitoring is GREAT!  It is the only way I know of to move towards enhancing both security and functionality at the same time.
4. Naming the NCCC as the focal point for coordination with the federal sector is also a solid move.  It goes without saying, but the NCCC should be staffed and led by very savvy, very social, very action-oriented people.  Without social leaders with high emotional intelligence we stand the risk of getting what we have always gotten here.
5. As a CTO, I applaud the measures this Bill describes for removing artificial impediments to information sharing.  Government and industry need trust-based relationships and unfortunately too many laws and behaviors that flow from those laws, like FOIA, have damaged those relationships.  Addressing them head on is the right thing to do.  Technologically there are few issues here.  Issues are in policy and the Bill seems to do a good job at addressing some big ones.
6. Development of a comprehensive supply chain management strategy is another great goal I am glad to see.  There has been a great deal of action lately in establishing coordination mechanisms with senior IT leadership in the country and I believe this will serve as a good foundation for development of a strategy like this.
7. The human side of technology is one that also needs significant attention and it is good seeing the Bill address this head-on by requiring OPM to reform the way the government leads cyber security personnel.

Some concluding thoughts:

• I wish I would have raised another issue with the staffers.  I feel bad about this, but I have something I would like to add to the Bill.  I guess I’m too late, but maybe I can get my input to the SSCI or HPSCI instead.  I want to suggest that the US Intelligence Community be tasked with providing a detailed yearly cyber intelligence threat assessment  for unclassified dissemination. The IC does a good job of providing some counterintelligence assessments and frequently mentions cyber in open fora like Congressional Testimony, but I believe this issue deserves a focused, NIE-like report dedicated to this topic.  Of course the IC should also be tasked with support to the NCCC.
• I found the Bill was full of smart information coordination and information sharing language and constructs.
• The great work of folks at NSA, Cyber Command (including legacy organizations like JTF-GNO and JFCC-NW), STRATCOM, DHS, NCICC, US CERT, FBI, DC3 and many others must continue and I believe the language in this bill is very respectful of the great work that these groups have been doing.
• I wonder who the first CTO of the NCCC will be?  That is going to be one cool job!

You may also like -

SINET Showcase 27 October 2010FedCyber.com Cybersecurity Summit on Wednesday, September 28Calling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...Security Innovation Network Announces the 2011 SINET Showcase InnovatorsUS Cyber Command Conducts Tactical Cyber ExerciseHomeland Security Committee Unveils Cybersecurity BillBob GourleyDodaro: Key challenges remain for DHS in cybersecurity missionCrucialPointLLCHouse Panel Approves Cybersecurity BillCrucialPointLLCPresident Mentions Cyber-Threats in State of the Union AddressCrucialPointLLCChain LinksCrucialPointLLC

Carahsoft is a unique, trusted firm that helps government find and rapidly acquire the right technologies and helps high tech firms successfully interact with government (which has famously onerous processes for businesses that want to serve the federal mission).  Carahsoft is a client of my firm and one of the things I’m particularly proud about is their sponsorship of venues where government and industry tech leaders can interact together.  One venue of note is a series they coordinate called the Intelligence Community Executive Forum.

This periodic event focuses on executives from the IC and the industry companies around the IC.  Today’s session of the ICEF focused on industry and commercial technologies addressing the Comprehensive National Cybersecurity Initiative.

It is hard to capture the content of a venue like this.  Its true value comes from the dynamic interactions and high data rate conversations that take place throughout.  But I thought I should try to provide some gist of what happened so you can determine whether or not you should participate in future venues like this. Give the agenda below a quick glance then I’ll add some additional context:

Agenda:

During breaks several sponsors were providing demos and additional information on their technology including:

A quick gist:

Don Boian of Cyber Command provided great context and a good kickoff to dialog.  Then throughout the event, cyber thought leaders in and out of government discussed the state of current technologies and current mission needs in cyber-focused organizations.  Some of these mission needs are truly enduring.  For example, the need for defense in depth as a strategy and approach vice just point solutions.  But today, defense in depth is not enough.  Adversaries always find a way in and defenders must continuously monitor and prepare for remedial action.  With the incredibly high volumes of data and information around those intrusions new means must be found to gain insights into what is occurring and then determine the appropriate action to take.  This must be done so fast new operational constructs around “dynamic defense” are required.  Defenders require capabilities that can increase the speed of good guy decision-making.  There must be speed in vulnerability detection, speed in intrusion detection, speed in decision-making and speed in execution.  Cyber Command defenders use the phrase “operate at network speeds.”

Another common theme throughout the event was a call for enhanced situational awareness in the cyber domain. The bad news is that call has been made for decades now.  There has been movement in enhancing situational awareness, but nothing yet fills the need.  More work is required.

Another theme was the need to enable humans to interact with data in far better, far faster ways.  Cyber data needs to be rapidly run through automated tools that can enable not just search but discovery using tools like Endeca.

Collaboration for cyber related commands and organization is another area where many enhancements have been made lately.  In a very good trend, it seems most organizations working cyber defense/cyber operations now know of each other and have frequent interactions.  There is more need for enhanced human to human collaboration and even enterprise grade social networking/social media around cyber defense as an aide to bringing the right understanding to situations.  A capability to watch here is Jive.

It is not only network defenders that need collaborative capabilities.  Developers of software and those that lead/manage/interact with them, including users, need ways to collaborate.  The ICEF was treated to an overview of a very positive capability to do that, the DISA led Forge.mil .  In my opinion, the positive disruptions from this activity have just begun, far more goodness will come from this project as more and more developers make use of it.  It is speeding development of new capabilities and is also laying the foundation of what may be the biggest positive improvement in the security and testing environment in years.

The security aspects of Cloud Computing were discussed in detail.  A general statement: If security is engineered into cloud computing capabilities, cloud concepts can significantly enhance the security of enterprises.  However, the reverse is also true.  If security is neglected in cloud constructs it can doom us all!

The ICEF was treated to an interaction with Tony Sager, one of the nation’s greatest thinkers in cyber security. Tony’s ability to express technological concepts in ways we can all understand is always appreciated.  A key conclusion from Tony: we are entering a phase in cyber defense that will require enhanced information management.   Note:  Tony provided us all with context on some very important concepts that all network defenders should be tracking, SCAP, NDV and FDCC.   My personal sense from the interaction was that most in the venue who work closely with security technology new of these constructs, however, it is getting to the point where all IT professionals and all leaders in an out of government need to know these capabilities, even if you are not a security professional.  So, a recommendation:  accept it as your civic duty to study up on SCAP, NVD and FDCC.

Other speakers, including Dr. Ted Kirscher, Chief Architect of the NSA Threat Operations Center, underscored again the need for new means to conduct highspeed assessment of the right data from defensive devices.  Ted, like everyone else who spoke, also ensured we all knew the collaborative nature of the work in front of us all.

For the many people I heard from this was a day well spent, a time to reflect on progress and to think through the next priorities to address.  There are some huge challenges that confront cyber defenders, but with new organizational constructs and new focus being placed on the mission these challenges are certainly achievable.  Some might still look impossible, but hey, like Walt Disney said, “It’s kind of fun to do the impossible.”

You may also like -

Technology Firms at the DoDIIS WorldwideSymantec Government Technology Summit 16 March 2011How is the DoDIIS Conference Going?SINET Showcase 27 October 2010Federal Government Deduplication Strategies Worth DuplicatingFDCCI Preparation with Virtual Instruments and CarahsoftCrucialPointLLCCloudera and Carahsoft Webinar: Big Data Success in Government 19 Jan 2012CrucialPointLLCJoin Cloudera and Carahsoft for Big Data Success in GovernmentBob GourleyGovernment Big Data Forum 2011CTOvision.comCTOlabs.com Survey Finds Data Deduplication Aids in Managing Data Growth in F ...CTOvision.com

While rummaging through old files on my hard drive I encountered a piece I wrote in June 2002 which captured in writing something I had been briefing for several years.  I had been briefing “Principles” which I had observed/learned while the J2 of DoD’s JTF-CND and then later J2 of JTF-CNO.   My theory was that just as Admiral Bill Studeman has helped intelligence professionals understand their craft better by articulating principles, I could help build understanding of the new field of cyber conflict by generating dialog on principles.

I can’t take credit for any of these principles.  I really just wrote them down.  Many are things I observed or heard from others in the JTF at that time, like Marc Sachs, John Owens, Jay Healey and Michele Iverson.  There are also many common themes I learned from Rick Forno, Dan Kuehl and Matt Devost and others.

Now about a decade after I started briefing these principles I just reviewed them and think they still meet key requirements you would expect true principles to hold.  They still ring true and they still have insights relevant to operational decision-making, and, although they are definitely general in nature, I believe they still have a role in helping orient people to the missions of computer network defense (CND), computer network exploitation (CNE) and computer network attack (CNA).

Please give these a glance, and if you know a cyber warrior somewhere who you think would appreciate them please route them on.

One of these days I’ll re-write this to update the acronyms and get rid of the reference to the ancient US Space Command. So please let me know if you think I’ve missed something that should be captured as a principle, or if you think I have put any of these in the wrong context.

Twelve Principles of Computer Network Operations
June 2002
Bob Gourley

A growing number of uniformed military and government civilians practice the new military discipline of Computer Network Operations (CNO). CNO in the Department of Defense (DoD) consists of two specific yet complementary mission areas: Computer Network Defense (CND) and Computer Network Attack (CNA).

The CND mission is to protect and defend DoD computer networks, systems and the data that resides in them any unauthorized event whether it be a probe, scan, virus incident, or intrusion.¹ The CNA mission is to coordinate, support and conduct, at the direction of the National Command Authority (NCA), computer network attack operations in support of regional and national objectives. CNA operations are designed to disrupt, deny, degrade or destroy adversary information resident in computers and computer networks.²

Operational lead for the DoD’s CNO efforts is USSPACECOM’s Joint Task Force for Computer Network Operations (JTF-CNO). But increasingly, traditional military forces are being called upon to conduct CNO operations by enhancing the defensive posture of networks under their control, by taking action against attacks, or by participating in attack planning or operations.

In most other warfare areas, Commanders can rely on established military doctrine to guide them in implementing and executing their missions. ³ The CNO mission is new, however, and little formal joint doctrine exists in this mission area.

This article provides firsthand observations on twelve key principles of CNO. I believe these observations can provide other CNO practitioners with a critical foundation required for successful CNO. These principles will also be of use to officers who whish to engage in the ongoing national security and policy discussions concerning CNO. After further examination and feedback from the field and the fleet, we expect them to become cornerstones of a new joint doctrine for CNO. Until then, I offer, Twelve Principles of CNO. They are:

#1 The Chain

#2 The Perimeter

#3 Interconnection

#4 The Laundry

#5 Prior Planning Prevents Poor Performance

#6 Know the Enemy

#7 Experience Counts

#8 Users Need Help

#9 Relativity

#10 One Basket?

#11 Unintended Consequences

#12 The Beauty of Attack

A bit more on all of the above is provided below:

#1 The Principle of the Chain. CNO is a chain; it’s only as strong as the weakest link. Like most of the rest of the principles outlined here, this sounds intuitive. But it is very important to stress this concept in the CNO world. Inattention to detail will ruin your CNO plans, whether for defense or offense. Two short illustrations:

- You fortify and protect an enclave by putting firewalls and IDS’s on gateways and hardening workstation software. But there are so many configuration choices for your IDS and firewall, and so many other settings you must make to ensure your enclave is secure. Did you overlook anything? Are your users trained? Do you have a response policy in place? Are you running the most up to date anti-virus software on your mail server? Should it be on individual workstations? These and many other questions must be considered by security professionals or any one could be the link that breaks the security chain.

- The chain for attack will also have weak links. This is easy for military professionals from any discipline to understand. All combat actions in any warfare area have potential weak links that can frustrate your attack or even lead to exploitation of your own forces. In the CNO realm the weak link may be the ability of an adversary to repair a patch in an application or the ability of an adversary to re-boot a router.

How do you protect against the weakest link? Attention to detail.

#2 The Principle of the Perimeter. Defenders must protect against every vulnerability. Attackers must only find one security flaw. A rough analogy is the requirement to continuously defend an Aircraft Carrier Battle Group in a high threat environment where attacks might come from below the sea or from the air or even from land. This principle calls for constant vigilance along every potential avenue of approach. CNO defenses must be robust and mobile.

#3 The Interconnection Principle. CNO is a multi-faceted discipline that includes military, civil, foreign, domestic, offense, defense, technology and human factor issues. It is an observable fact that we are all interconnected in this business. Decisions made in one area frequently have impacts in the other areas. That makes coordination between stakeholders and leaders in those areas an important goal that will result in better community-wide solutions. However, if taken to the extreme, this coordination can be a recipe for paralysis. Sometimes unilateral decisions must be made.

#4 The Principle of the Laundry. CNO is a continual process (like laundry, something always needs cleaning). Vulnerabilities in old software are discovered daily and new software is continually being produced and integrated into our architectures. All indications are that new software is just as buggy and has just as many vulnerabilities as old software, so we can expect the continued stream of vulnerability announcements to continue. Vulnerabilities that must be cleaned up and repaired as they are discovered. This is a never ending process.

#5 The Principle of Prior Planning. CNO must be pre-planned; you don’t just do it at the last minute and expect it to be done well. Too frequently the developers of systems and networks pay too little attention to security when they design their systems. We have found out the hard way that tacking it on the end just doesn’t work. This adage applies to users as well. If an organization does not think through the policies its users must adhere to, and does not train its users to be secure till it is too late, then the result will be poor security. The same thoughts hold true in the offensive sides to CNO. CNA requires extensive planning and coordination in advance.

#6 Know the Enemy. You must know your enemy better than your enemy knows you. This is easy to say but in practice very hard to accomplish, especially in the interconnected world of the Internet, where adversaries can take steps to hide their identify. But steps can be taken that let you make reasonable assumptions about your adversary before you know exactly who it is. These assumptions, combined with a continual study of threat actors will lead to a better ability to prevent, detect, react and defeat adversary activity.

You can and should also take steps to hide key information from your adversaries. All DoD unclassified networks should be under the umbrella of the NIPRNET, which affords some obscurity and protection from enumeration by an adversary. Enclaves should be configured to deny as much information as possible to potential adversaries. There is no reason why we should make the attacker’s job easier.

#7 The Principle of Professional Experience. Inexperienced CNO professionals are not CNO professionals. It is so easy in this business to find pseudo experts who can give a great brief or can market a CNO concept but have no first hand knowledge of how networks work or how to defend them. How do you tell a pseudo expert from a real expert? Be skeptical of anyone in this field till they have proven themselves to you. Ask for credentials, certifications, degrees or what their on the job experience is. Don’t be afraid to quiz them. No matter how polished they look, you want experience in this business.

- An important corollary for Commanders is that like in every other warfighting area, your people are paramount. Commanders must take responsibility to ensure that their CNO operators are trained and ready for the tasks that will face them.

#8 The Principle of User Faith. Users have no good way of comparing the security or vulnerability of systems. How can an individual user really tell that a system is secure? Is PKI secure? Is DMS secure? Who and what should a user trust? The current answer in DoD is that users must trust the systems managers in their organization, and those leaders must in turn trust accrediting authorities and program managers. We hope the corollary to this adage becomes “Trust, but verify.”

#9 The Principle of CNO Relativity. CNO is relative; no system will ever be 100% secure. This truism was realized long ago by the greats of the information security business, and has been witnessed again and again in DoD’s efforts.

- This truism is especially important in DoD, where we face some very sophisticated adversaries. Since no system can ever be 100% secure, if you want to be 100% certain that your information is protected, do not store it in any computer system anywhere. Of course this is unrealistic. But the point is that owners of information should weigh the risks vs. rewards of storing information in a computer system, and should take appropriate steps to protect computers and networks storing sensitive information.

#10 The Principle of the Single Basket. Never rely on technology (or anything else) as your only line of defense. This principle should seem intuitive to any operational military professional. No defender in combat would try to mount a defense with only one type of weapon, tool or technique. This is just as important in the CNO world, where true hackers will never give up, and where more sophisticated adversaries will try attacking through paths we may not have even considered yet.

#11 The Principle of Unintended Consequences. This applies to all aspects of the art of CNO, both offense and defense. Keep in mind that no matter how much you think these things through, there will age some risks of unintended consequences.

#12 The Principle of the Beauty of Attack. Sometimes you must take the fight to the enemy. To the military this frequently means the ability to use force on a battlefield to compel an enemy to do our will. But this principle is meant to bring to mind far more than that. In some cases, the US Government will have an ability to carry the fight to an adversary by attacking their computers. Individuals and individual units cannot do this, of course. This is a response reserved for decision-makers at the highest levels of government. But there are means for individuals and individual units to take action against attackers. Action can be taken by collecting detailed logs of the attacks and contacting law enforcement officials at the earliest possible moment.

The principles presented here are meant to explain the workings of a well-functioning computer network operations effort. They will be of use to any military professional struggling with the best ways to implement successful CNO in their organizations.

Are there other principles of CNO? Almost certainly. The disciplines of Computer Network Defense and Computer Network Attack are still new ones, and as they spread throughout the combat forces of DoD more principles, best practices and even doctrine will arise to help guide us as we prepare for combat. Consider the list above a start. It contains basic generalizations that I hold as true, that I propose to you as a starting point as you reason through your role in this mission.

I enjoyed listening to the President today as he provided an update on where we are in our efforts to enhance our freedom of action in cyberspace.  All the details are on the White House website and I hope you visit there yourself to download the 60-day cyberspace policy review. Details are here: http://www.whitehouse.gov/CyberReview/

I have been reading the report already– and will also read all the papers and studies referenced there.

So far I have three comments:

1) I really enjoyed hearing the President reference Melissa Hathaway.  She has done an incredible job and to hear him praise her was music to my ears.  Melissa deserves the thanks of the nation.

2) A great deal of work remains to be done. The policy review provides a framework for action and guidance that will help prioritize activities, but don’t expect instant miracles.

3) Number one on the list of near term actions is to appoint a cybersecurity policy official. The President did not do that today.  That will be done in due time.  I should also point out that no one in government is using the term “Cyber Czar” for this position.  That term Czar is used by all the reporters and all the pundits.  It sounds cool.  It also brings lots of baggage.  The typical “Czar” in DC is a powerless position that has little or no effect.

To underscore that point I’d like to close with a little self-plagerization.  A reprint of a blog post I first wrote in January 2009 titled “We have a cyber czar, and he has spoken.“  In the post, now below, I try to make the point that if Putin can accomplish his objectives in our networks then he is our cyber czar.  I also hope to make the point that we should not be happy with him being in this position.

We Have A Cyber Czar, and He Has Spoken

A debate has been running for months both among government thought leaders and the technical literati on whether or not the US should appoint a “Cyber Czar” who can exert authority over IT security in the federal space or perhaps even aspects of the nation’s IT defenses.  This is a complex discussion that has had some of the greatest thinkers in and out of government involved.   A great snapshot of issues and the opinions of many well reasoned experts are expressed in the CSIS report “Securing Cyberspace for the 44th Presidency“   and other thoughts are here: The Future of Cyber Security and here: Threats In the Age of Obama .

Unfortunately for those who would like to still debate and discuss this issue, there is already a Cyber Czar who can accomplish most all his objectives in our networks.  His name is Russian Prime Minister Vladimir Putin.  This former KGB operative now controls Russia with an iron fist and has shown others again and again he will exert influence anywhere he needs to in order to accomplish his objectives.  He will use tanks when required and cyber when desired and combinations when it suits him.  There are indications his agents are also in our networks now.  If our objectives are to keep players like him out, we cannot say we are accomplishing them.  If his objectives are to get in, then we can say he is accomplishing them.  Till this situation changes, we need to confront then this new reality:  Vladimir Putin is the Cyber Czar.

We have our own great technologists and wizards of cyber, of course. And we have great hero entrepreneurs of technology who have built the cyber world we all use today.  One of those greats is Michael Dell, creator of an idea and corporation that develops, manufactures, sells and distributes personal computers we all depend on.

But he is someone who will now think twice before thinking he can interact as a peer to Cyber Czar Putin.  After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell praised Russia’s technical and scientific prowess and asked a nice, friendly question:  “How can we help.”  As a former govie CTO I would get asked that type of question all the time from industry and really appreciated it whenever a senior thought leader would ask that.  But not Czar Putin.  He did not appreciate that at all.   Putin was offended by the assertion that the mighty Russia might need help in anything Cyber. The exchange is captured here on YouTube:

Fortune: described the exchange this way:

“Putin’s withering reply to Dell: “We don’t need help. We are not invalids. We don’t have limited mental capacity.” The slapdown took many of the people in the audience by surprise. Putin then went on to outline some of the steps the Russian government has taken to wire up the country, including remote villages in Siberia. And, in a final dig at Dell, he talked about how Russian scientists were rightly respected not for their hardware, but for their software. The implication: Any old fool can build a PC outfit.”

Clearly cyber domination is personal with Putin.  He is the Cyber Czar.

I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT:  Please don’t be pleased with this current situation.  Please don’t just think the title of Cyber Czar I’ve now used to describe Putin is something we should be proud of.  It is not.  We should continue to act till we are able to assert that we are masters of our own networks.  Our nation’s intellectual property, including the intellectual property of all our companies and citizens, is too important to let it be given away without at least a cyber fight.

You may also like -

Interested in Cyber Security? Read (and support) the new Cybersecurity Legisl ...FedCyber.com Cybersecurity Summit on Wednesday, September 28Deputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveCTO Perspectives on Cyber Security BillCalling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...The U.S. International Strategy for CyberspaceCTOvision.comIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLCJTF-CND to JTF-CNO to JTF-GNO to CybercomCTOvision.comThe FedCyber.com Cyber Security SummitCTOvision.comCyber Conflict Studies Association History ContestBob Gourley

The DoDIIS Worldwide Conference will be held in Orlando Florida this year, at the Orlando World Center Marriott. I really like this conference.  It is filled with folks I like and centers around a hard enterprise mission that cries out for strong IT solutions.

The theme of this years conference is “Empowering Decision Advantage.”  The plenary speakers this year are GREAT! (as usual).  They include Grant Schneider, CIO for DIA, LTG Ron Burgess, Director of DIA, Sherrill Nicely, ODNI CIO, Pres Winter, Info Integration at ODNI, Major General John Custer of the Army Intelligence Center, and an incredible panel of all key IC CIOs.  This panel includes Grant Schneider, Al Tarasiuk (CIO CIA), Charles Barlow (CIO, NRO), Kelly Miller (CIO, NSA), Chad Fulgum (CIO FBI), Craig Kaucher (CIO DHS), Bobby Laurine, CIO NGA, Sherrill Nicely and Pres Winter.   This is going to be an awesome panel.  Really.

I’ve been asked to speak at a breakout session and am honored to do that.  The presentation I’ve been working on is an updated version of a briefing I used to track the future of IT.  This briefing considers five “Mega Trends” in the IT world and then talks about some specific technologies that hold high potential of changing the IT landscape.  I’ll be presenting Tuesday at 1500.  If you are a CTO or other enterprise technologist I would really appreciate seeing you there.

A key thing I really like about this conference is the expo floor.  I’ve been known to roam around in there for hours, going from one technology demo to the next.  This is where America’s greatest technologies are demonstrated.  Every major IT firm will be there, and so will every IT savvy integrator.  Every great application developer and every great mashup capability will be there.   Companies like Carahsoft, Endeca, Adobe, Symantec, Sun, Cisco, Microsoft, Oracle, JackBe and many more will be there.  I can’t wait to catch up with all of them there.

For more on the conference please see:  http://ncsi.com.  NCSI always puts on a great event.

If you are going to be there and will be up on Twitter please drop me a note or connect to me on Twitter @bobgourley.  I’d like to track what you are putting out there.  I hope to be on twitter a bit myself there, but may be too excited to type.

You may also like -

How is the DoDIIS Conference Going?2011 DoDIIS Worldwide ConferenceDoDIIS Conference Agenda PublishedGeneral Dynamics Press Release on SITETechnology Firms at the DoDIIS WorldwideLatest DodgeRetort – GAO: Federal CIO’s need to focus more on information man ...CrucialPointLLCNominating Technologies For Review At CTOlabs.comCrucialPointLLCDoDIISTech.com is a new reference for DoDIIS technologistsCTOvision.com2010 DoDIIS Worldwide ConferenceCTOvision.comDoDIIS Technology: A need for better ways to understand and assessCTOvision.com

INSA, the Intelligence and National Security Alliance, is a group of professionals from academia, industry and government who seek to enhance innovation, discussion, debate and progress on key national security issues.  I’ve been involved as a member for years and get the pleasure of interacting with folks from a wide swath of the community.

One of the many services INSA provides the community is providing a venue for speakers and community leaders to interact.  INSA did that again just last night when their Distinguished Speaker Series featured Melissa Hathaway.  Melissa, who I have previously called the most effective and efficient senior executive in government today, spoke on the topic  of the White House Cyber Security 60-day review.

I watched Melissa’s RSA presentation, and for those who did or for those who have been engaged with her during this review, last nights presentation was in consonance with what we know of the hard task she has been working on (if you haven’t watched it yet, I’d recommend you take a look now, at:  http://media.omediaweb.com/rsa2009/keynote_catalog.htm )

A couple thoughts from a CTO perspective:

- Like so many other problems, tackling this one requires both a knowledge of technology and of people. Both technology and people must be influenced.

- When it comes to people, Melissa mentioned the book  Influencer: The Power to Change Anything .  I haven’t read it yet, but have just added it to my Amazon wish list and will be getting it soon. Melissa said the authors of the “Influencer” book say there is power in everyone to make a change and therefore everyone should get engaged, and in this cyber context she asked everyone at INSA to stay engaged.  She wants folks to continue to dive in and stay involved and form views and move out.

- One of the most important ways the federal government influences is through law.  Our great government flows from a great Constitution and, although it was not a civics lesson last night, Melissa did mention the incredible legal review that these many cyber issues have been through.  She said over 80 significant legal issues were reviewed.  The report, when it is released, will have a 150 page legal annex that captures some of the opinion of federal legal experts from across the government.   As for me, I intend on reading every page of the report, and will pay particular attention to this legal section.

- Now that I’ve had time to think about what Melissa said, I think we (the nation, and we humans everywhere) are going to need more work to be done on how we influence technology.   I’ve tried hard to think through this from a security perspective, and I know there are things we can do right now to improve things in this regard (and I’ve provided papers to Melissa’s study team on a couple significant constructs like enhancing security through smart use of cloud computing and through smart use of open source).  But there is still much much more work to be done in this area.   CTOs cannot rest on this topic, yet.  In fact, I am not comfortable with the state of technology leadership in this area and I think all of us technologists need to follow Melissa’s advice.  We all need to get engaged and get a view and move out.

Part of the event last night was a networking reception where INSA members from academia, industry and government could chat.  The gist of the conversations confirmed what I have long thought, everyone wants Melissa to succeed and a wide swath of people are lining up to follow her lead.  She has done a great job at building a broad team and we are all looking forward to her continued leadership on things cyber.

For more on this topic see:  http://ctovision.com/category/cyber-initiative/

You may also like -

Melissa Hathaway: Compelling action along a broad frontPrediction: BlueCat Networks is one you should watchDoDIIS Conference Agenda PublishedNew Boeing Intelligence Collaboration Center2010 DoDIIS Worldwide ConferenceHow Much Freedom Will You Give Up to Fight International Cybercrime?CrucialPointLLCUS needs to kick network security intelligence up a notchCrucialPointLLCA First For The Nation: NERC Completes First Grid Security ExerciseCrucialPointLLCFormer Head of National Counterterrorism Center, Michael Leiter, to Keynote C ...CrucialPointLLCSINET Showcase 27 October 2010CTOvision.com