2014 Information Dominance Essay Contest Second-Place Winner, Sponsored by HP
In the 16th century, renowned chess player Ruy López de Segura advised to “place the board so that the sun is in your opponent's eyes.” In cyberspace, why do we not position our “chessboard” accordingly? The Department of Defense’s current approach to cyber defense cedes the perpetual, strategic advantage to intruders, while significantly disadvantaging our own defenders. Our defense-in-depth methodology, when accurately, thoroughly, and consistently applied, can provide an arguably sufficient protection against most unsophisticated hackers and known exploit techniques, but it is an unsustainable strategy of attrition warfare against more advanced and persistent cyber actors. Even a well-instrumented, continuously monitored network with seasoned defenders who rapidly deploy countermeasures and mitigation tactics eventually will fail to repel the most knowledgeable attackers. This inevitable defeat occurs because calculating hackers take the time to study the static defense-in-depth architecture of their targets.
Ostensibly, the proposed Joint Information Environment (JIE) promises to be part of the DOD's future cyber-security solution by providing jointly managed secure email and data access to enable warfighters’ operation of approved devices anywhere, anytime. It aspires to maximize use of existing technologies such as cloud computing, data center consolidation, public key infrastructure, and cryptography to reduce user anonymity on the network. These measures should help the DOD to make significant progress toward evolving information reliability and improving basic security. However, despite noble intentions, if the JIE simply employs our traditional, static cyber-defense strategy, it will likely fall short.
For the military services and the Defense Information Systems Agency to effectively establish, sustain, and operate securely, the DOD will need to be intentional about integrating into our defensive cyber-operations strategy the warfare principle of maneuver. The concept of defensive cyber maneuver (DCM) suggests the need for a rapidly agile and dynamically interactive cyber-security posture to complement our traditional layered, static defense-in-depth approach.
We need to embrace and invest in a more comprehensive, maneuver warfare-minded approach to cyber defense. In the hopes of spurring DOD information-dominance stakeholders to do this, this article presents the DCM concept and its foundational assumptions, followed by six different categories of potential defensive cyber maneuvers that the DOD might employ to more effectively defend the JIE’s key cyber terrain.
A Unique Terrain
It is common for many in the DOD to borrow from traditional warfare analogies to describe cyberspace operations. Often these comparisons are useful, but they may also inhibit our thinking. Based on analogous constructs in the physical world, we may think of building defensive bastions to guard key cyber terrain. But in cyber, we have the means to do much more because it is manmade. Instead of just defending, we have the ability to change the cyber terrain—in fundamental ways beyond simply altering the network topology.[1]
Suppose we could adjust the depth, speed, and direction of currents and waves, or the temperature of the seas, to affect maritime warfare. Imagine changing the winds and gravity to help with air warfare, or the density of the forest, the size of deserts, or the steepness or size of a mountain to affect land warfare. It is completely in the realm of the possible for us to dynamically manipulate the physics of exactly who, what, where, when, how often, how fast or slow, for how long, and many other variables in our portion of cyberspace.
Defensive cyber maneuver is the next, necessary step in the evolution to cyber warfare. A critical component of survival and eventual victory, it is a fundamental principle of warfare. The opponent who outmaneuvers his foe to gain and maintain the more advantageous position is best postured to win the fight.[2]
The concept of DCM is based on four primary assumptions:
- Cyberspace is a manmade domain, and its virtual rules can be manipulated by man.
- Cyber-security vulnerabilities will continue to be used to exploit cyber networks.
- Cyber network defenders can expect routine unauthorized visitors to their networks.
- Within their portion of this vulnerable, manmade, man-manipulated warfare domain, defenders can shape the experience of unwelcome visitors.
Working with these assumptions, cyber network defenders can leverage a comprehensive DCM strategy to actively defend their networks. A successful methodology begins with thinking how to best make use of the unique virtual characteristics of cyberspace. Then corresponding tactics, techniques, and procedures should be developed to gain and maintain the strategic defensive advantage through maneuver warfare.
Defending the Terrain
DCM, a concept that has been discussed in several forums and is also referred to in terms such as active defense, is not new.[3] Prototype tactics, technologies, and techniques have been developed, tested in network laboratories, and deployed to networks. But not much appears to have been written about comprehensive strategies that employ a suite of DCM tactics, techniques, and procedures to successfully defend the DOD’s cyber networks. While by no means intended to be all-inclusive, the following six suggested maneuvers, listed in order of increasing sophistication and cost, could be part of a comprehensive DCM strategy to optimally defend the JIE’s key cyber terrain:
- Restrict: It is common practice for owners of large cyber networks to permit many system administrators to have the maximum allowable global privileges across their entire networks at unlimited times and from unlimited locations, including remote access. While this strategy provides excellent convenience for responsive troubleshooting and management, it also presents a serious operational risk to network defenders. The hacker in possession of compromised, highly privileged system administrator credentials has gained the significant cyberspace “high ground” within maneuver warfare. In little time, a hacker with escalated privileges will be able to laterally navigate and learn the internal network. He may also be capable of creating entirely new credentials and establishing multiple footholds to secure persistent access, thus facilitating future visits.
To decrease the operational risk, network owners should implement the basic principle of providing the absolute minimum privileged access exclusively to those who truly require it, and only precisely what they need, when, why, where, and how they need it. This inconvenience will likely be unpopular among network administrators, but it will greatly reduce operational risk and assist defenders to rapidly identify and isolate unauthorized activity that differs from approved times, locations, and methods.
- Reduce: Somewhat similar to restricting the adversary's potential maneuver space using compromised credentials is cutting down on cross-network maneuverability through an intentional reduction in the total number of external network gateways and boundary access points. Once again, this suggestion is not sophisticated in concept. However, organizations may often choose not to implement it because of the upfront cost of redesigning a legacy network topology. Just as limiting military-base security gates or creating maritime chokepoints for ship inspections provides physical security, reducing critical gateways at concentric locations allows network defenders to more intensely focus analytical efforts against alert and log data from fewer boundary access points.
Similarly to how DOD installations implement force protection conditions for heightened threat levels and specific threats, network defenders should develop and frequently exercise dynamic rerouting of traffic through alternate routes. They should also temporarily reduce access points in response to cyber force protection conditions and specific cyber threats. Having a well-practiced plan in place to respond in real time to active network intruders is a foundational element of the tactics, techniques, and procedures within the arsenal of the comprehensive DCM strategist.
- Replicate: Slightly more sophisticated than simply restricting and reducing intruder maneuverability within an organization's internal cyber network is the facilitation of dynamic replication in order to build network resilience against cyber attackers. The relevant warfare principles here include speed of action and agility of defensive maneuver.
Within cyber warfare, speed is everything, even more so than in air warfare. Aircraft can move faster than the speed of sound, but cyberspace actions occur instantaneously at the speed of light. Executing with speed and agility in this domain requires advance preparation of built-in, dynamic redundancies throughout the network—especially for assets considered vital terrain. Defenders should procure, deploy, and routinely use multiple “hot stand-by” secondary and tertiary physical and virtual instances of their critical network assets. The advent of virtual machines and cloud-based storage technologies has lowered the cost and increased the ease of implementing asset and data replication. In some instances, virtual machines can replace hardware, allowing portions of a defender's network to be auto-replicated for rapid recovery upon detection of a network emergency or attacker.
As in traditional warfare areas, fail-safe redundancies should be intentionally built into defense tactics and equipment for resilience. Furthermore, the virtual world of computer gaming facilitates perpetual resiliency: nothing and no one ever really dies; they just “re-spawn.”[4] Why should this concept not be applied in cyber defense? Critical network assets considered to be the defender's key terrain should be intentionally constructed with fail-safe redundancies for warfare resiliency. The physical destruction of data and even equipment can occur in cyber warfare, but the time and cost to replicate or renew assets are less because of their virtual natures. Using replication maneuvers in combination with well-rehearsed restriction and reduction maneuvers, network defenders can maximize the advantages of cyberspace's virtually resilient environment to detect, isolate, or redirect an attacker while simultaneously defending key assets.
- Randomize: Scott Applegate describes randomization as the use of “technical mechanisms to constantly shift certain aspects of targeted systems to make it much more difficult for an attacker to be able to identify, target and successfully attack a target.”[5] Some methods of implementation may include “system level address space layout randomization (ASLR) or constantly moving virtual resources in cloud-based infrastructure.”[6] Prototypes have been under development; for example, the U.S. Army recently awarded a defense contract to develop a capability called the MORPHINATOR, for “morphing network assets to restrict adversarial reconnaissance.” The overall concept is a bit analogous to applying the technology of radio frequency hopping to the Internet Protocol address space in a defender's internal network topology, where address names change rapidly over time according to a pseudo-random code shared among network destination points. In addition to helping raise hackers’ investment costs and planning efforts, randomization also introduces uncertainty into their maneuver capabilities, potentially frustrating them to the point of making “noisy” missteps that could expose them to detection, or causing them to move elsewhere to softer targets.
The maneuver warfare benefit of randomization can be more fully realized if it is also coupled with additional routine changes to internal network traffic routing, web server domain names, data file names, and user credentials. Changing a network's topology, address space, naming conventions, and user credentials becomes especially important after confirmation that it has been compromised. When an organization chooses not to “shuffle the deck” after it has been the known victim of a significant cyber intrusion, it keeps the investment cost of hackers low and risks the likely eventual return of attackers who now have considerable knowledge of the static network terrain.
But one of the complex challenges of randomization and frequent network changes is that it can also introduce confusion to valid users, system administrators, and network defenders. Preventing unintended disorder requires considerable organization; but once implemented and exercised often, the effective employment of network randomization can become a valuable component of a DCM strategy.
- Ruse: Military deception is as old as war itself. Due to its manmade and virtual nature, cyberspace is a domain rich with opportunity for deception. Fake files and servers, also known as canary files and honey pots, are common forms of cyber “lures” used to entice hackers to visit them so that researchers and defenders can learn their methodologies and potentially discover attribution.
The applicable maneuver warfare principle here is introducing the “fog of war” to the adversary, so that he pursues the wrong objective, repeats steps, wastes time, or performs other missteps that expose weaknesses. Applegate calls this deceptive defense: “The use of these types of systems can allow a defender to regain the initiative by stalling an attack, giving the defender time to gather information on the attack methodology and then adjusting other defensive systems to account for the attacker’s tactics, techniques and procedures.”[7] While the concept of honey pots is well known, using them as a deception tactic in a comprehensive DCM strategy requires sophistication, investment, and routine maintenance to entice hackers to view them as valuable, relevant, and current targets of interest.
For example, a passive alert from an accessed canary file or honey-pot server might be used to dynamically trigger one or more of the other defensive cyber maneuvers to record, limit, or otherwise shape the network actions of the attacker. More sophisticated ruse objectives may include developing entire virtual honey-pot networks and enclaves to disorient the adversary and force him to waste time and effort revalidating his target.
- Redesign: This is the most sophisticated, expensive, and permanent defensive cyber maneuver: moving away from the international computer standards that facilitate universal compatibility and network system interoperability toward unique, non-standard, proprietary protocols, software, and hardware. The OSI and TCP/IP models of networking are key examples of the DOD’s overdependence on international commodity standards in support of system interoperability, an efficiency-based decision that induces significant security risk. Internal computer architecture and operating systems all contain the same fundamental components working in similar ways so that things function together, creating a commodity-based ecosystem that drives efficiencies and lowers costs and the barrier to entry.[8]
For example, if an entrepreneur wishes to develop a computer program to do something, he does not need to know the specifics of computer process management, inter-process communication, system synchronization, or scheduling; all this has been addressed and is well documented, no matter the operating system. This same interoperability and documentation applies to the network layer. These are all well-known things; known to all computer scientists, technicians, developers, tinkerers, and hackers. This compatibility and interoperability shared with attackers in the cyber domain is akin to identical weapons platforms in traditional warfare domains. The only real discriminators among opponents in cyber warfare are the resources of time, technical talent, and the finances to build increasingly advanced capabilities.
Why should the DOD agree to the international compatibility and system interoperability standards of cyberspace for what it values as key cyber terrain? Suppose we developed secure operating systems and networks based on our own desired protocols. If the DOD truly values certain portions of our cyberspace domain as key terrain, shouldn't we resource the protection of it on par with other warfare areas, especially since the systems in every other traditional warfare area are significantly dependent on it?
The DOD could build environments in which an adversary couldn't operate, at least not without an extreme resource investment. What if we didn't use IP addresses for our most important systems? In fact, for critical or special applications, why use any of the existing OSI layers at all? Imagine an attacker's frustration when he can't enumerate an IP range because there isn't one to enumerate. He would be lost in a foreign land. Even the physical and data link layers could be changed, if needed, based on the requirement and the resource investment allocated. The DOD could extend this thinking to the operating system and applications, writ large.[9]
Some systems may need proprietary, highly secure operating systems developed from the ground up. The DOD should commit to using this type of secure, proprietary technology where it makes the most sense, and to smartly designing networks with security principles included as a fundamental system requirement, not tacked on after the fact. Deviating from universal compatibility standards will create tradeoffs with usability and flexibility, and it will require increased development costs.
It's a real challenge, but the investment in cyber defense may be worth it in some critical areas relating to DOD weapon-system vulnerabilities. Why would we build a multimillion-dollar critical weapon or logistics system and then interconnect it to a globally shared commodity operating system that depends on universal protocols fraught with vulnerabilities known to everyone, even potential adversaries? This is the primary means the world uses to read email, conduct financial transactions, surf the web, and play computer games. The reason is likely that in most cases, our warfare support systems were designed with cost and functionality, not security, as primary drivers. This approach may be strategically short-sighted. Perhaps there's a better way.
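The Restrict maneuver above calls for granting privileged access only at approved times, from approved locations, and by approved methods, and for rapidly spotting activity that deviates from those approvals. The following is an added example, not code from the essay or from any DOD system, of a small policy check a defender could run over privileged-session records. The policy, account names, hosts, networks, and session events are all constructed for illustration.

```python
"""Added example (not from the essay): flag privileged-account sessions that fall
outside the approved host set, time window, source network, or access method.
Every policy value, account name, and event below is constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PrivilegePolicy:
    """The minimum-privilege grant for one administrative account (constructed schema)."""
    account: str
    hosts: frozenset          # systems the account may administer
    window: tuple             # (start, end) local time of day when use is approved
    sources: tuple            # networks a session may originate from
    methods: frozenset        # approved access methods, e.g. console or MFA-backed VPN


# Constructed allow-list: accounts absent from it get no privileged access at all.
POLICIES = {
    "svc-dbadmin": PrivilegePolicy(
        account="svc-dbadmin",
        hosts=frozenset({"db01", "db02"}),
        window=(time(8, 0), time(18, 0)),
        sources=(ip_network("10.20.0.0/16"),),
        methods=frozenset({"console", "vpn-mfa"}),
    ),
}


def violations(event: dict) -> list:
    """Return the policy clauses a privileged-session event breaks; [] means compliant."""
    policy = POLICIES.get(event["account"])
    if policy is None:
        return ["no policy: privileged account not in the allow-list"]
    found = []
    if event["host"] not in policy.hosts:
        found.append("host")
    ts = datetime.fromisoformat(event["time"]).time()
    start, end = policy.window
    if not (start <= ts <= end):
        found.append("time")
    src = ip_address(event["src"])
    if not any(src in net for net in policy.sources):
        found.append("source")
    if event["method"] not in policy.methods:
        found.append("method")
    return found


def review(events) -> dict:
    """Map event id -> violations, keeping only the sessions that differ from approvals."""
    return {e["id"]: v for e in events if (v := violations(e))}


# Constructed sample sessions: one compliant, three that a defender should isolate.
SAMPLE_EVENTS = [
    {"id": 1, "account": "svc-dbadmin", "host": "db01", "time": "2014-03-19T09:15:00",
     "src": "10.20.4.7", "method": "vpn-mfa"},
    {"id": 2, "account": "svc-dbadmin", "host": "db01", "time": "2014-03-19T02:40:00",
     "src": "203.0.113.9", "method": "rdp"},
    {"id": 3, "account": "svc-dbadmin", "host": "fileshare", "time": "2014-03-19T10:00:00",
     "src": "10.20.4.7", "method": "console"},
    {"id": 4, "account": "tmp-admin", "host": "db02", "time": "2014-03-19T11:00:00",
     "src": "10.20.4.7", "method": "console"},
]

if __name__ == "__main__":
    for event_id, why in review(SAMPLE_EVENTS).items():
        print(f"session {event_id}: outside approved {', '.join(why)}")
```

The value of encoding the grant this way is that each clause (host, time, source, method) becomes a separately reportable deviation, which is what lets a defender isolate the one session that is out of pattern rather than investigating every use of a privileged account.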
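The Randomize maneuver above compares address hopping to radio frequency hopping, with destinations changing over time according to a pseudo-random code shared among the endpoints. The following is an added example, not code from the essay or from the MORPHINATOR effort, of how such a shared schedule can be derived: endpoints holding the same key compute the same address for each time slot from an HMAC, so legitimate peers rendezvous while an address learned in an earlier slot stops pointing at the service. The key, address pool, slot length, and service name are constructed assumptions.

```python
"""Added example (not from the essay): an HMAC-driven address-hopping schedule for an
internal service, plus a defender-side check for connection attempts to addresses the
service held in a past slot. Key, pool, period, and service name are constructed."""
import hashlib
import hmac
from ipaddress import ip_network

HOP_PERIOD = 60                                                # seconds per slot (constructed)
POOL = [str(a) for a in ip_network("10.77.0.0/24").hosts()]   # addresses the service may occupy
SHARED_KEY = b"constructed-demo-key-not-for-real-use"          # shared only by legitimate endpoints


def slot_for(timestamp: int, period: int = HOP_PERIOD) -> int:
    """Map an epoch timestamp to its hop slot number."""
    return timestamp // period


def address_for_slot(key: bytes, service: str, slot: int, pool=POOL) -> str:
    """Address the service occupies in a slot: HMAC-SHA256(key, service||slot) reduced into the pool."""
    digest = hmac.new(key, f"{service}:{slot}".encode(), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def schedule(key: bytes, service: str, first_slot: int, count: int, pool=POOL) -> list:
    """Addresses the service will occupy over `count` consecutive slots."""
    return [address_for_slot(key, service, s, pool) for s in range(first_slot, first_slot + count)]


def rendezvous(client_key: bytes, server_key: bytes, service: str, timestamp: int) -> bool:
    """True when client and server derive the same address for the current slot."""
    s = slot_for(timestamp)
    return address_for_slot(client_key, service, s) == address_for_slot(server_key, service, s)


def stale_address(key: bytes, service: str, addr: str, timestamp: int, lookback: int = 10) -> bool:
    """Defender check: an attempt to reach an address the service held in a recent past
    slot, but not the current one, indicates knowledge gathered before the hop."""
    now = slot_for(timestamp)
    if addr == address_for_slot(key, service, now):
        return False
    return any(addr == address_for_slot(key, service, s) for s in range(now - lookback, now))


if __name__ == "__main__":
    for slot, addr in enumerate(schedule(SHARED_KEY, "db", 0, 5)):
        print(f"slot {slot}: db service at {addr}")
```

Because the schedule is a keyed function of time rather than a stored table, every endpoint that holds the key can compute the current address locally, and a stale-address hit is a ready-made trigger for the Ruse or Restrict maneuvers described in the same section.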
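The Ruse maneuver above suggests that a passive alert from an accessed canary file or honey-pot server can dynamically trigger other defensive maneuvers to record, limit, or otherwise shape the attacker's actions. The following is an added example, not code from the essay, of that trigger logic run over a few file-access log lines: a touch on a lure produces a planned set of maneuvers (record, restrict, reduce, replicate) for the defender to execute. The canary paths, honey-pot host name, log format, account names, and log lines are all constructed.

```python
"""Added example (not from the essay): map a canary-file or honey-pot access to the
defensive maneuvers it should trigger. Lure paths, host names, log format, and the
sample log lines are constructed for illustration."""
import re

# Constructed lures: files and a decoy host that no legitimate workflow touches.
CANARY_PATHS = {"/shares/finance/payroll_2014_FINAL.xlsx", "/srv/backup/vpn_keys.tar"}
HONEYPOT_HOSTS = {"hp-fs03"}

# Constructed log format: "<timestamp> host=<h> user=<u> src=<ip> op=<READ|WRITE|LIST> path=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"op=(?P<op>READ|WRITE|LIST) path=(?P<path>\S+)$"
)


def parse(line: str):
    """Parse one access record; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_lure(event) -> bool:
    """True when the event touched a canary file or landed on a honey-pot host."""
    return event is not None and (event["path"] in CANARY_PATHS or event["host"] in HONEYPOT_HOSTS)


def plan_response(event) -> list:
    """Maneuvers to trigger for one lure touch as (maneuver, action) pairs; [] if none."""
    if not is_lure(event):
        return []
    actions = [
        ("record", f"capture the full session from {event['src']} acting as {event['user']}"),
        ("restrict", f"suspend {event['user']} and its active sessions pending review"),
    ]
    if event["host"] in HONEYPOT_HOSTS:
        # Traffic to a decoy host has no legitimate purpose: narrow the path at the boundary.
        actions.append(("reduce", f"rate-limit and mirror traffic from {event['src']} at the gateway"))
    if event["op"] == "WRITE":
        # A write against a lure may precede tampering: preserve a clean copy first.
        actions.append(("replicate", f"snapshot the share holding {event['path']} before changes propagate"))
    return actions


def triage(lines) -> dict:
    """Map each log line that touched a lure to its planned maneuvers."""
    out = {}
    for line in lines:
        plan = plan_response(parse(line))
        if plan:
            out[line] = plan
    return out


# Constructed sample log: ordinary reads, then a canary read, then a write on the decoy host.
SAMPLE_LOG = [
    "2014-03-19T02:41:07Z host=fs01 user=jdoe src=10.20.4.7 op=READ path=/shares/finance/q1_report.docx",
    "2014-03-19T02:41:09Z host=fs01 user=jdoe src=10.20.4.7 op=LIST path=/shares/finance/",
    "2014-03-19T02:41:12Z host=fs01 user=jdoe src=10.20.4.7 op=READ path=/shares/finance/payroll_2014_FINAL.xlsx",
    "2014-03-19T02:43:50Z host=hp-fs03 user=jdoe src=10.20.4.7 op=WRITE path=/srv/backup/vpn_keys.tar",
    "malformed record that the parser must tolerate",
]

if __name__ == "__main__":
    for line, plan in triage(SAMPLE_LOG).items():
        print(line)
        for maneuver, action in plan:
            print(f"  -> {maneuver}: {action}")
```

The point of keeping the response as data (a list of maneuver/action pairs) rather than executing it inline is that the plan can be reviewed, rehearsed, and tuned as a unit, which the essay identifies as the precondition for using lures within a comprehensive DCM strategy rather than as stand-alone research tools.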
To complement and evolve our traditional cyber defense-in-depth approach, the DOD should employ a comprehensive DCM strategy using the six maneuvers of restrict, reduce, replicate, randomize, ruse, and redesign. Through these efforts, we will begin gradually to mature our cyber defense capabilities in line with traditional warfare areas. By doing so, we will be wisely investing in strategies that reposition the cyberspace chess board.
2. Rob Boshonek, technical director, Navy Cyber Defense Operations Command, personal communication with author, 19 March 2014.
5. Scott Applegate, “The Principle of Maneuver in Cyber Operations,” Fourth International Conference on Cyber Conflict, C. Czosseck, R. Ottis, and K. Ziolkowski, eds. (Tallinn: NATO CCD COE Publications, 2012), 8.
6. Russ McRee, “MORPHINATOR and Cyber Maneuver As a Defense Tactic,” HolisticInfoSec blog, 18 July 2012.
7. Applegate, “The Principle of Maneuver in Cyber Operations.”
8. Lt. Cdr. Adams, personal communication with author, 20 March 2014.
Captain Powers commands Navy Cyber Defense Operations Command and Task Force 1020, Suffolk, Virginia. He previously commanded Navy Information Operation Command, Whidbey Island, Washington. Captain Powers served on board many Navy ships, submarines, aircraft, and in shore commands around the world. A veteran of several conflicts, he holds master’s degrees in electrical engineering and national-security resource strategy.