While rummaging through old files on my hard drive I encountered a piece I wrote in June 2002 which captured in writing something I had been briefing for several years. I had been briefing "Principles" which I had observed and learned while the J2 of DoD's JTF-CND and then later J2 of JTF-CNO. My theory was that just as Admiral Bill Studeman helped intelligence professionals understand their craft better by articulating principles, I could help build understanding of the new field of cyber conflict by generating dialog on principles.
I can't take credit for any of these principles. I really just wrote them down. Many are things I observed or heard from others in the JTF at that time, like Marc Sachs, John Owens, Jay Healey and Michele Iverson. There are also many common themes I learned from Rick Forno, Dan Kuehl and Matt Devost and others.
Now, about a decade after I started briefing these principles, I have just reviewed them and think they still meet the key requirements you would expect true principles to hold. They still ring true and they still have insights relevant to operational decision-making, and, although they are definitely general in nature, I believe they still have a role in helping orient people to the missions of computer network defense (CND), computer network exploitation (CNE) and computer network attack (CNA).
Please give these a glance, and if you know a cyber warrior somewhere who you think would appreciate them please route them on.
One of these days I'll re-write this to update the acronyms and get rid of the reference to the ancient US Space Command. So please let me know if you think I've missed something that should be captured as a principle, or if you think I have put any of these in the wrong context.
Twelve Principles of Computer Network Operations
A growing number of uniformed military and government civilians practice the new military discipline of Computer Network Operations (CNO). CNO in the Department of Defense (DoD) consists of two specific yet complementary mission areas: Computer Network Defense (CND) and Computer Network Attack (CNA).
The CND mission is to protect and defend DoD computer networks, systems and the data that resides in them against any unauthorized event, whether it be a probe, scan, virus incident, or intrusion.[1] The CNA mission is to coordinate, support and conduct, at the direction of the National Command Authority (NCA), computer network attack operations in support of regional and national objectives. CNA operations are designed to disrupt, deny, degrade or destroy adversary information resident in computers and computer networks.[2]
Operational lead for the DoD's CNO efforts is USSPACECOM's Joint Task Force for Computer Network Operations (JTF-CNO). But increasingly, traditional military forces are being called upon to conduct CNO operations by enhancing the defensive posture of networks under their control, by taking action against attacks, or by participating in attack planning or operations.
In most other warfare areas, Commanders can rely on established military doctrine to guide them in implementing and executing their missions.[3] The CNO mission is new, however, and little formal joint doctrine exists in this mission area.
This article provides firsthand observations on twelve key principles of CNO. I believe these observations can provide other CNO practitioners with a critical foundation required for successful CNO. These principles will also be of use to officers who wish to engage in the ongoing national security and policy discussions concerning CNO. After further examination and feedback from the field and the fleet, we expect them to become cornerstones of a new joint doctrine for CNO. Until then, I offer the Twelve Principles of CNO. They are:
#1 The Chain
#2 The Perimeter
#3 Interconnection
#4 The Laundry
#5 Prior Planning Prevents Poor Performance
#6 Know the Enemy
#7 Experience Counts
#8 Users Need Help
#9 CNO Relativity
#10 One Basket?
#11 Unintended Consequences
#12 The Beauty of Attack
A bit more on all of the above is provided below:
#1 The Principle of the Chain. CNO is a chain; it's only as strong as the weakest link. Like most of the rest of the principles outlined here, this sounds intuitive. But it is very important to stress this concept in the CNO world. Inattention to detail will ruin your CNO plans, whether for defense or offense. Two short illustrations:
- You fortify and protect an enclave by putting firewalls and IDSs on gateways and hardening workstation software. But there are so many configuration choices for your IDS and firewall, and so many other settings you must make to ensure your enclave is secure. Did you overlook anything? Are your users trained? Do you have a response policy in place? Are you running the most up-to-date anti-virus software on your mail server? Should it also be on individual workstations? These and many other questions must be considered by security professionals, because any one of them could be the link that breaks the security chain.
- The chain for attack will also have weak links. This is easy for military professionals from any discipline to understand. All combat actions in any warfare area have potential weak links that can frustrate your attack or even lead to exploitation of your own forces. In the CNO realm the weak link may be the ability of an adversary to apply a patch to an application or the ability of an adversary to re-boot a router.
How do you protect against the weakest link? Attention to detail.
#2 The Principle of the Perimeter. Defenders must protect against every vulnerability. Attackers must only find one security flaw. A rough analogy is the requirement to continuously defend an Aircraft Carrier Battle Group in a high threat environment where attacks might come from below the sea or from the air or even from land. This principle calls for constant vigilance along every potential avenue of approach. CNO defenses must be robust and mobile.
#3 The Interconnection Principle. CNO is a multi-faceted discipline that includes military, civil, foreign, domestic, offense, defense, technology and human factor issues. It is an observable fact that we are all interconnected in this business. Decisions made in one area frequently have impacts in the other areas. That makes coordination between stakeholders and leaders in those areas an important goal that will result in better community-wide solutions. However, if taken to the extreme, this coordination can be a recipe for paralysis. Sometimes unilateral decisions must be made.
#4 The Principle of the Laundry. CNO is a continual process (like laundry, something always needs cleaning). Vulnerabilities in old software are discovered daily, and new software is continually being produced and integrated into our architectures. All indications are that new software is just as buggy and has just as many vulnerabilities as old software, so we can expect the stream of vulnerability announcements to continue. These vulnerabilities must be cleaned up and repaired as they are discovered. This is a never-ending process.
#5 The Principle of Prior Planning. CNO must be pre-planned; you don't just do it at the last minute and expect it to be done well. Too frequently the developers of systems and networks pay too little attention to security when they design their systems. We have found out the hard way that tacking it on at the end just doesn't work. This adage applies to users as well. If an organization does not think through the policies its users must adhere to, and does not train its users to be secure until it is too late, then the result will be poor security. The same thoughts hold true on the offensive side of CNO. CNA requires extensive planning and coordination in advance.
#6 Know the Enemy. You must know your enemy better than your enemy knows you. This is easy to say but in practice very hard to accomplish, especially in the interconnected world of the Internet, where adversaries can take steps to hide their identity. But steps can be taken that let you make reasonable assumptions about your adversary before you know exactly who it is. These assumptions, combined with a continual study of threat actors, will lead to a better ability to prevent, detect, react to and defeat adversary activity.
You can and should also take steps to hide key information from your adversaries. All DoD unclassified networks should be under the umbrella of the NIPRNET, which affords some obscurity and protection from enumeration by an adversary. Enclaves should be configured to deny as much information as possible to potential adversaries. There is no reason why we should make the attacker's job easier.
#7 The Principle of Professional Experience. Inexperienced CNO professionals are not CNO professionals. It is so easy in this business to find pseudo-experts who can give a great brief or can market a CNO concept but have no first-hand knowledge of how networks work or how to defend them. How do you tell a pseudo-expert from a real expert? Be skeptical of anyone in this field until they have proven themselves to you. Ask for credentials, certifications, degrees or what their on-the-job experience is. Don't be afraid to quiz them. No matter how polished they look, you want experience in this business.
- An important corollary for Commanders is that, as in every other warfighting area, your people are paramount. Commanders must take responsibility to ensure that their CNO operators are trained and ready for the tasks that will face them.
#8 The Principle of User Faith. Users have no good way of comparing the security or vulnerability of systems. How can an individual user really tell that a system is secure? Is PKI secure? Is DMS secure? Who and what should a user trust? The current answer in DoD is that users must trust the systems managers in their organization, and those leaders must in turn trust accrediting authorities and program managers. We hope the corollary to this adage becomes "Trust, but verify."
#9 The Principle of CNO Relativity. CNO is relative; no system will ever be 100% secure. This truism was realized long ago by the greats of the information security business, and has been witnessed again and again in DoD's efforts.
- This truism is especially important in DoD, where we face some very sophisticated adversaries. Since no system can ever be 100% secure, if you want to be 100% certain that your information is protected, do not store it in any computer system anywhere. Of course this is unrealistic. But the point is that owners of information should weigh the risks vs. rewards of storing information in a computer system, and should take appropriate steps to protect computers and networks storing sensitive information.
#10 The Principle of the Single Basket. Never rely on technology (or anything else) as your only line of defense. This principle should seem intuitive to any operational military professional. No defender in combat would try to mount a defense with only one type of weapon, tool or technique. This is just as important in the CNO world, where true hackers will never give up, and where more sophisticated adversaries will try attacking through paths we may not have even considered yet.
#11 The Principle of Unintended Consequences. This applies to all aspects of the art of CNO, both offense and defense. Keep in mind that no matter how thoroughly you think these things through, there will always be some risk of unintended consequences.
#12 The Principle of the Beauty of Attack. Sometimes you must take the fight to the enemy. To the military this frequently means the ability to use force on a battlefield to compel an enemy to do our will. But this principle is meant to bring to mind far more than that. In some cases, the US Government will have an ability to carry the fight to an adversary by attacking their computers. Individuals and individual units cannot do this, of course. This is a response reserved for decision-makers at the highest levels of government. But there are means for individuals and individual units to take action against attackers. Action can be taken by collecting detailed logs of the attacks and contacting law enforcement officials at the earliest possible moment.
The principles presented here are meant to explain the workings of a well-functioning computer network operations effort. They will be of use to any military professional struggling with the best ways to implement successful CNO in their organizations.
Are there other principles of CNO? Almost certainly. The disciplines of Computer Network Defense and Computer Network Attack are still new ones, and as they spread throughout the combat forces of DoD more principles, best practices and even doctrine will arise to help guide us as we prepare for combat. Consider the list above a start. It contains basic generalizations that I hold as true, that I propose to you as a starting point as you reason through your role in this mission.
[1] Joint Publication 1-02, "DOD Dictionary of Military and Associated Terms." Available online at: http://www.dtic.mil/doctrine/jel/doddict/
[2] Joint Publication 1-02, "DOD Dictionary of Military and Associated Terms." Available online at: http://www.dtic.mil/doctrine/jel/doddict/
[3] Doctrine is the "Fundamental principles by which the military forces or elements thereof guide their actions in support of national objectives. It is authoritative but requires judgment in application." Joint Publication 1-02, "DOD Dictionary of Military and Associated Terms." Available online at: http://www.dtic.mil/doctrine/jel/doddict/