Understanding Cyberspace Through Cyber Situational Awareness
Abstract
This paper provides discussion around commonly used, but often misunderstood, concepts of Cyber Situational Awareness (Cyber SA), relating relevant UK military doctrine to the widely recognised Endsley [1] model of situation awareness (SA). The key finding is that, in the context of the UK military, Cyber SA is important but not sufficient. Furthermore, the concept of SA has evolved and been developed for more traditional military operational environments as opposed to the ethereal and more complex Socio-Technical System of Systems (STSOS) environments that define cyberspace, often referred to as the 5th battlespace [2]. This has led to divergent technical views between those who use the Endsley model (e.g. Academia and Industry) and those governed by military doctrine and supporting models, such as the armed forces. To close this gap, arguments are provided in the paper to highlight the critical importance of Situational Understanding: that cyberspace ‘understanding’ is required to support decision making, and that ‘understanding’ is underpinned by SA. There is a need for the community to shift its language and approach to move from a desire to achieve Cyber SA to a desire to achieve (and apply) true cyberspace Understanding within the context of complex STSOS. Rationale for this approach and current technical thinking is articulated in this paper. It details the challenges facing the UK Ministry of Defence (MOD) in understanding cyberspace and developing understanding to operate in (or through) cyberspace.

1.0 BACKGROUND

This paper is not intended to provide a lengthy debate on what may be meant by ‘cyberspace’ – this is available elsewhere [3].
In many cases the term cyberspace has become a conventional means to describe anything associated with the internet and internet culture; with the advent of a wide range of internet-enabled consumer technologies cyberspace is, unknowingly to consumers in some cases, growing not only in breadth and diversity, but also in socio-technical complexity.

The following definitions are used by UK MOD [5]:

Cyber: To operate and project power in and from cyberspace to influence the behaviour of people or the course of events.

Cyberspace: An operating environment consisting of the interdependent network of digital technology infrastructures (including platforms, the Internet, telecommunications networks, computer systems, as well as embedded processors and controllers), and the data therein spanning the physical, virtual and cognitive domains.

STO-MP-IST-148

Importantly, the MOD definition for cyberspace intentionally includes more than just the internet and associated Information and Communications Technology (ICT) and networking, and as such mirrors diversity in consumer/industrial technology to include control and management systems, such as building management systems (e.g. heating, ventilation, and air conditioning (HVAC) control systems). Additionally, this definition includes the data hosted on such systems.

Cyberspace is, therefore, a complex Socio-Technical System of Systems (STSOS) with the connective threads and information fabric enabling and shaping the modern world, its societies, cultures, economies, technologies and industries. It comprises physical, logical and cognitive elements, the digital assets that connect functions and direct data/information/decision flows (see Figure 1) [2]. Unconstrained by borders or geography, cyberspace is omnipresent, it permeates most, if not all, civil and military sectors and is difficult, if not impossible, to regulate and impose national authority on.
It is ethereal and complex, offering a diversity of opportunities to do good as well as bad, the most serious of which is cyberattack compromising a nation’s security and defences by exploiting vulnerabilities of people, processes and technologies enabling its digital enterprise (i.e. the STSOS) [2]. Hence in 2015, the UK reaffirmed cyber threat as one of the highest level risks (Tier 1) [4] to the security of the UK, and UK MOD treats cyberspace as the fifth operating environment in addition to the land, maritime, air and space environments [5]. As such, MOD aims to preserve its freedom of action and manoeuvre in, or through, cyberspace; prioritising effort and accepting risk where necessary. In order to achieve this it must be able to understand cyberspace and make effective decisions relating to its own, or an adversary’s, use of cyberspace. This understanding of the STSOS and its many attributes, see Figure 1, underpins and is critical to decisions and actions.

Figure 1: Layered view of cyberspace.

2.0 SITUATIONAL UNDERSTANDING AND SITUATIONAL AWARENESS

Situational Awareness (SA) is the perception of a particular area of interest, problem or situation bounded by time and space in the context of a mission or task. It provides the ability to identify what has happened and what is happening, but not necessarily why it has happened [6]. Typically, SA supports military decision makers in relation to knowing about the state of an operating environment and relevant entities within it. For example, SA may be described as having three main components, with the additional attributes, as shown in the columns of Table 1.

Table 1: Components of SA.
Operating Environment Awareness
• Own Position
• Environmental Factors, Landscape & Geography
• Location of Other Entities

Adversary Awareness
• Adversary Position
• Adversary Capability
• Adversary Posture
• Indicators & Warnings

Mission / Business Awareness
• Status of Desired Outcome or Mission Objective
• Progress Against Desired Outcome or Mission Objective

Cyber SA, as a concept, typically tries to apply these traditional SA concepts in the context of cyberspace and operating in cyberspace. There are several complex challenges surrounding SA relating to cyberspace. Not all of these challenges are unique to SA in cyberspace but, if the challenge is not unique, the nature of cyberspace often confounds the issue because of the complexity of STSOS. SA challenges in cyberspace include:

• Complex cyberspace STSOS architecture: the socio-technical architecture includes intangible artefacts that are relevant in understanding the cyberspace operating environment. How easy is it, for example, to observe and make sense of what is fundamentally a stream of formatted units of data, bits or symbols within digital transmission?
• Persistence and pervasiveness: with many technologies directly or indirectly connected, on a continual or intermittent basis, to the networked world the result is unknown/poorly understood relationships between physical, cognitive and virtual entities (a characteristic that adversaries with malicious intent will consistently aim to exploit). In addition, cyberspace is not just the wired and wireless connection environment but also includes digital interaction through the Electromagnetic Environment (EME). It will become increasingly important to understand both cyberspace and the EME as they have intrinsic and pervasive touch points and system relationships;
• ‘Big data’: the volume, velocity, variety of data generated in cyberspace often overwhelms the ability to analyse it in depth and therefore truly understand;
• Geospatial and temporal aspects: relating cyberspace activities to physical geography at commensurate spatial and temporal scales is required. The physical area of operation is just one of the important layers in cyberspace, and a small subset of it (see Figure 1). The persistent, pervasive and borderless nature of cyber activities allows both simultaneous global and local operations and effects;
• Speed of effect: whilst the propagation speed of transmission in cyberspace is dependent on the physical medium used, suffice it to say that effects in cyber systems can be rapid and real-time, at the ‘speed of light’, and propagate through the system almost instantaneously. This requires operators and decision makers across the enterprise to be able to direct, coordinate, authorise and execute action in a timely manner to exploit opportunity and manage threat. This drives a pace of decision making at all levels that could challenge current operational tempo and associated command assumptions;
• Attribution: cyber activity is notoriously difficult to trace and, despite technological developments, many cyber incidents are likely to be deniable and some untraceable. Whilst in some cases an adversary may specifically want their effect to be overt and ‘flagged’ as originating from a certain geographical region or threat actor, in other cases effects will be combined with efforts to obfuscate and/or deceive in order to manipulate the cognitive domain decision making; and
• Operational effect: recognising the reach, speed, and impact of propagation, cyber capabilities may be seen to be flattening traditional hierarchy of strategic, operational and tactical actions, with local and tactical actions given global reach and potentially strategic impact.

Footnote 1: Number of V’s is often debated, with Doug Laney often given credit for originally describing Big Data challenges relating to Volume, Velocity & Variety. Other V’s, such as Veracity and Variability are sometimes included. https://blogs.gartner.com/doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf

Cyber SA therefore requires broad integration of awareness at all STSOS layers, systems scales, spatial and temporal scales, and operational levels.

3.0 SA IN DECISION MAKING

The above challenges need to be considered with respect to current UK Military doctrine as defined in MOD’s Joint Doctrine Publication 04, JDP 04, [6]. In the UK military, decision-making at all levels comprises several basic steps: direction; consultation; consideration; decision; and execution. Extracted from JDP 04 [6], these steps and the utility of knowledge and information in this process can be graphically represented [Figure 2].
Similar resources
Asset Criticality in Mission Reconfigurable Cyber Systems and its Contribution to Key Cyber Terrain
The concept of a common operational picture has been utilized by the military for situational awareness in warfare domains for many years. With the emergence of cyberspace as a domain, there is a necessity to develop doctrine and tools to enable situational awareness for key-decision makers. Our study analyzes key elements that define cyber situational awareness to develop a methodology to iden...
Cyber Warfare Simulation to Prepare to Control Cyber Space
Accurate simulation of cyber warfare can prepare decision-makers for its challenges. With cyber warfare, it is possible to control an adversaries’ information, target the portions of cyber space used for situational awareness and decision-making, lead the adversary to make desired decisions, and strike directly at the opposition’s mind. A cyber attack diminishes individual and group situational ...
Designing a Cyber Attack Information System for National Situational Awareness
Information and communication technology (ICT) systems underpin many of today’s societal functions and economic development. Consequently, protecting a nation’s ICT infrastructure from deliberate cyber attacks and unintentional disruptions is of paramount importance. Collaboration among all parties across all domains of cyberspace is the key to effective and coordinated effort to cope with cybe...
Cognition and Technology
As the previous chapters emphasized, the human cognition—and the technology necessary to support it—are central to Cyber Situational Awareness. Therefore, this chapter focuses on challenges and approaches to integration of information technology and computational representations of human situation awareness. To illustrate these aspects of CSA, the chapter uses the process of intrusion detection...
Resiliency in Future Cyber Combat
Rigid cyberspace defenses are proving unable to meet advanced and modern cyberspace threats. As a result, there has been increasing focus and interest in cyber resiliency, but what will it take to be resilient in future cyber combat? We can glean some useful concepts from the ancient Japanese proverb about the resiliency of bamboo in a storm. In comparison with the massive oak, which relies on ...
Publication date: 2016