Cyber Situational Awareness: TechNet Augusta 2015
Page 1: Cyber Situational Awareness: TechNet Augusta 2015

Approved for Public Release

Cyber Situational Awareness
AFCEA TechNet

25 August, 2015

Mr. Malcolm Martin
US Army Cyber Center of Excellence

Chief, Cyber Support Element-Ft. Leavenworth, KS.

Page 2

Purpose

Provide discussion of Army Cyber Situational Awareness (Cyber SA): “what it is, who uses it, and how Cyber SA may be applied”, today and in the future, for Unified Land Operations (ULO).

– What has changed? Conflicts and impacts of cyber.
– The cyber domain: how is it defined?
– Constant threat and actors
– Cyber SA concept and operational framework
– Cyber SA impact as a holistic aspect of ULO
– Army Cyber SA applied
– Culture change

Page 3

2007: Syria – Israel

• September 2007 – Israeli Air Force attacks suspected nuclear facility under construction in Syria.

• First large-scale example of combined cyber and electromagnetic means – believed that Israelis used EW to deliver a cyber attack/network control capability to the Syrian radar which executed the code on receipt.

• Prior to attack, Syrian IADS along ingress/egress routes could not ‘see’, allowing IAF planes to fly undetected by radar into Syria and attack the site unimpeded.

• Overall result was disruption of Syrian IADS by an electronic/cyber attack that enabled kinetic strike of nuclear site.

Page 4

Georgia-Russia 2008

• August 2008 – Russian troops cross into South Ossetia with the stated intent of defending their “Russian compatriots”.

• The combined arms assault was preceded and enabled by a multifaceted cyber attack against Georgian government and military infrastructure and by defacement of web sites.

• Distributed denial of service (DDoS) attacks combined with EW jamming disrupted and denied comms simultaneous to an integrated propaganda (MISO and MILDEC) campaign

• Overall operation should be considered the first large scale ‘hybrid’ combined arms operation (air, land, cyber).

Page 5

Ukraine-Russia 2015

Russia’s battle with Ukraine is being fought partly in cyberspace where it may have greater room for escalation because nations increasingly accept covert cyber attack as a valid form of international pressure when more traditional options are too violent – or too visible.

The rule of thumb for seeing disruptive cyber attacks before they happen is that “physical conflicts beget cyber conflicts.”

The current cyber battle also could spread if the overall strategic confrontation deepens, say toward a second Cold War. Such a stand-off, pitting Russia against the United States, NATO, and Ukraine

“The Russian occupation of Ukraine in 2014 was carried out with a military show of force – informed and supported by a coordinated cyber-spying campaign”.

• The situation in Ukraine has seen relations between Russia and the West deteriorate to almost Cold War levels

Page 6

Cyberspace Domain

CYBERSPACE: Cyberspace is a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers (JP 1-02).

Characteristics:
• Manmade domain…ever changing
• Physical, functional, cognitive, logical/virtual and social
• Programming code and protocols define the rules of the domain
• Environment and TTPs evolve at the speed of code
• Constant presence – Phase 0 on-going
• Unlimited, instantaneous (operational) reach

Success in this domain means being smarter, more creative, faster, and stealthier than your opponent

Page 7

Back Up Slides

The Growth of the Cyber Domain

Everyone, including the adversary, uses the Internet

[Chart: growth of the Internet. Internet users: December 1995, 16 million; March 2001, 458 million; March 2014, 2.5 billion. Size of the Internet shown at three points as 1 exabyte, 16 exabytes and 1.2 zettabytes.]

Page 8

Cyber Adversary Tactics, Techniques, and Procedures

[Diagram: Cyberspace Threats. A hostile actor proceeds through Planning / Scanning → Exploitation → Lateral Movement → Adversary Intent / Exfiltration. Entry vectors shown: web server/webpages, users, email. Adversary intent shown as reconnaissance/espionage or destructive malware.]

Target System:
- Users/decision-makers
- Their devices and associated IP addresses
- Data, databases, and websites
- Network infrastructure
- Physical locations

Page 9

Cyber Situational Awareness Defined

JP 3-12 Cyberspace Operations (CO):

• “Cyberspace SA is the requisite current and predictive knowledge of cyberspace and the OE upon which CO depend, including all factors affecting friendly and adversary cyberspace forces.

• DODIN operations activities are the foundation of cyberspace SA, therefore, DODIN operations are fundamental to the commander’s SA of the OE.

• Accurate and comprehensive SA is critical for rapid decision making in a constantly changing OE and engaging an elusive adaptive adversary.”

• SA of friendly cyberspace is provided today by the Services and agencies operating their portions of the DODIN. DISA does this through the theater NETOPS centers to the CCMD theater/global NETOPS control centers, USCYBERCOM Joint Operations Center, Joint Functional Component Command for Space’s Joint Space Operations Center and their Service/agency leadership. They coordinate with each other as required to ensure operational effectiveness.

Page 10

Why do we need Cyber SA?

• The Internet was originally designed as an open system to allow scientists and researchers to send data to one another quickly, rather than with built-in security measures.
• Without stronger investments in cyber security and cyber defenses, data systems across the world remain open and susceptible to exploitation and attack.
• Malicious actors use cyberspace to steal data and intellectual property for their own economic or political goals.
• The increased use of cyber attacks as a political instrument reflects a dangerous trend for international relations.
• Therefore, the U.S. assumes that potential adversaries will seek to target U.S. or allied critical infrastructure and military networks to gain a strategic advantage.

Source: THE DEPARTMENT OF DEFENSE CYBER STRATEGY, April 2015

Page 11

The Operational Framework

“The inclusion of the cyberspace domain and the EMS greatly expands and complicates the operational framework transforming a limited physical battlefield to a global battlefield.” – FM 3-38

FM 3-12 (TBP)/FM 3-38: Operate in the Cyberspace Domain / Electromagnetic Spectrum

[Diagram: operational framework graphic showing unit echelon symbols (x, xx, xxxx) with DIV and SUST labels, laid across the cyberspace domain / electromagnetic spectrum and the land domain.]

ADRP 3-0: Operate in the Land Domain

“The operational framework provides Army leaders with basic conceptual options for visualizing and describing operations.” – ADRP 3-0

Page 12

Cyber SA Functional Elements

(U) TRADOC Pamphlet (TP) 525-3-0, The Army Capstone Concept (ACC), asserts that the future Army requires leaders and Soldiers who understand how and when adversaries employ CO and cyberspace capabilities, how to mitigate adversary actions, and how to respond to gain and maintain the cyberspace advantage within the OE in support of ULO.

Page 13

Army Cyber SA CONOPS

Cyber SA Functional Delineation

[Diagram: Data Collection → Data Store → User Defined Operational Picture; Big Data Network View. Participants shown: Cyber Mission Forces (DODIN, DCO and OCO), CONUS and expeditionary; JIE, COE, LWN; Corps, Division and BCT Commanders & Staffs, home station and deployed; Command Post Computing Environment; JTF-L and JTF-C; CEM cells at x, xx and xxx echelons; JIM and industry/commercial inputs; Cyber Analytics (Big Data), e.g. Dagger-like big data analytics; e.g. GoogleEarth-like display.]

Contextualizes three interrelated “Awareness” outputs: Threat, Network, and Mission; and the ability to plan operations!

“What is needed to achieve Cyber SA; how will Cyber SA be integrated into the COP; and how will Cyber SA be used to plan, prepare, execute, and assess operations?”

Page 14

Depicting Cyber in ULO

Cyber SA utilizes the standard geospatial reference map displays resident in the future command post computing environment. Overlay creation tools are available and provide export/sharing of displayed data directly to the Common Operational Picture (COP).

Standard geospatial reference maps

Web application accessibility through the future computing environment

Page 15

Aspects of Cyber SA

• Cyber SIGACTS
• Display active emitters
• Filters: 3G, 4G, WiFi, Radar
• Cyber actors & activity
• Should be able to select actors by multiple functions or entities*

* Entity refers to operational units & organizations within the AOR
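The two slides above describe the display side of Cyber SA: emitter and cyber SIGACT data filtered by emitter type and by entity (unit or organization in the AOR), with the result exported as an overlay to the geospatial COP. The following is an added illustration of that workflow, not code from the briefing or from any Army system. The observation records, field names, unit designations, coordinates and layer names are constructed for the example; GeoJSON is used as the overlay format because it is the common interchange format for geospatial map layers, which is an assumption about the COP, not something the slides state.

```python
"""Cyber SA overlay example: filter constructed emitter and cyber SIGACT
observations by emitter type and by entity (unit/organization in the AOR),
select the actors behind the SIGACTs, and export the result as a GeoJSON
overlay for a geospatial COP display. Added illustration; the records, field
names and layer names are assumptions, not Army data formats."""
import json

# Emitter categories named on the slide; used to validate filter requests so
# a mistyped layer name fails loudly instead of producing an empty overlay.
EMITTER_TYPES = {"3G", "4G", "WiFi", "Radar"}

# Constructed sample observations (illustrative coordinates and unit names).
# "emitter" records are detected RF sources; "sigact" records are reported
# cyber events attributed to an actor, each tied to the entity it affected.
OBSERVATIONS = [
    {"id": "E-001", "kind": "emitter", "type": "Radar", "entity": "2-7 CAV",
     "lat": 41.10, "lon": 44.90, "ts": "2015-08-25T08:00Z"},
    {"id": "E-002", "kind": "emitter", "type": "4G", "entity": "1-22 IN",
     "lat": 41.12, "lon": 44.95, "ts": "2015-08-25T08:05Z"},
    {"id": "E-003", "kind": "emitter", "type": "WiFi", "entity": "1-22 IN",
     "lat": 41.13, "lon": 44.97, "ts": "2015-08-25T08:07Z"},
    {"id": "E-004", "kind": "emitter", "type": "3G", "entity": "DIV MAIN",
     "lat": 41.20, "lon": 45.00, "ts": "2015-08-25T08:10Z"},
    {"id": "S-001", "kind": "sigact", "type": "DDoS", "actor": "ACTOR-A",
     "entity": "DIV MAIN", "lat": 41.20, "lon": 45.00, "ts": "2015-08-25T08:12Z"},
    {"id": "S-002", "kind": "sigact", "type": "Phishing", "actor": "ACTOR-B",
     "entity": "1-22 IN", "lat": 41.12, "lon": 44.95, "ts": "2015-08-25T08:20Z"},
    {"id": "S-003", "kind": "sigact", "type": "Defacement", "actor": "ACTOR-A",
     "entity": "2-7 CAV", "lat": 41.10, "lon": 44.90, "ts": "2015-08-25T08:30Z"},
]


def filter_observations(obs, kinds=None, types=None, entities=None):
    """Return the observations matching every filter given (None = no filter).

    'types' may mix emitter types (3G, 4G, WiFi, Radar) and SIGACT types; a
    type that appears in neither set is rejected rather than silently ignored.
    """
    if types is not None:
        known = EMITTER_TYPES | {o["type"] for o in obs}
        unknown = set(types) - known
        if unknown:
            raise ValueError(f"unknown filter type(s): {sorted(unknown)}")
    return [
        o for o in obs
        if (kinds is None or o["kind"] in kinds)
        and (types is None or o["type"] in types)
        and (entities is None or o["entity"] in entities)
    ]


def select_actors(obs, entities=None, types=None):
    """Actors seen in SIGACTs against the given entities and/or of the given
    types, i.e. 'select actors by multiple functions or entities'."""
    hits = filter_observations(obs, kinds={"sigact"}, types=types, entities=entities)
    return sorted({o["actor"] for o in hits})


def to_geojson_overlay(obs, layer_name):
    """Build a GeoJSON FeatureCollection overlay from observations.

    GeoJSON positions are [longitude, latitude]; swapping them is the classic
    overlay bug that puts every icon in the wrong place on the map.
    """
    features = []
    for o in obs:
        props = {k: v for k, v in o.items() if k not in ("lat", "lon")}
        props["layer"] = layer_name
        features.append({
            "type": "Feature",
            "geometry": {"type": "Point", "coordinates": [o["lon"], o["lat"]]},
            "properties": props,
        })
    return {"type": "FeatureCollection", "name": layer_name, "features": features}


def export_overlay(obs, layer_name):
    """Serialize the overlay to the JSON text a COP client would ingest."""
    return json.dumps(to_geojson_overlay(obs, layer_name), indent=2)


if __name__ == "__main__":
    # Emitter layer restricted to radar and 4G, plus the actors reported
    # against one battalion's systems.
    radar_4g = filter_observations(OBSERVATIONS, kinds={"emitter"}, types={"Radar", "4G"})
    print(export_overlay(radar_4g, "emitters-radar-4g"))
    print("actors vs 1-22 IN:", select_actors(OBSERVATIONS, entities={"1-22 IN"}))
```

Two points worth carrying into a real overlay tool: validate filter names against a fixed vocabulary so an empty map is never mistaken for a quiet AOR, and keep the longitude/latitude ordering explicit at the one place the geometry is built.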

Page 16

Unified Land/Cyber Ops & Planning

• CEMA Running Estimate

• Mission Analysis, COA Development, Wargaming


Page 17

Change in Cultural Thinking

“Changing your organizational culture is the toughest task you will ever take on. Your organizational culture was formed over years of interaction between the participants in the organization. Changing the accepted organizational culture can feel like rolling rocks uphill.”
– Susan M. Heathfield, “How to Change Your Culture: Organizational Culture Change”, Management and Organization Development

“The most important area for transformation is the space "between our warfighters' ears," said the chairman of the Joint Chiefs of Staff. "If you don't try, and you stay locked in the doctrine that brought you there, you're going to fail. You've got to adapt."
– General Richard B. Myers, Chairman, Joint Chiefs of Staff, “Changing military culture key to transformation”

“Transforming the Army means more of a mindset change, as opposed to just changing wiring diagrams or equipment. Transformation is a journey, not a destination.”
– Army Chief of Staff Gen. George W. Casey Jr.

Page 18

Mr. Malcolm W. “Mack” Martin
US Army Cyber Center of Excellence

Chief, Cyber Support Element – Fort Leavenworth, KS
[email protected]

Office: (913) 684-4600
Mobile: (913) 991-3505

Questions?