Toward the latter part of the 20th century, the range ring became the most common representation of naval threats. Missiles, radars, and attack aircraft—all threats to naval platforms—are depicted in terms of circles emanating from some ominous center.
Range rings have long been a feature of virtually every daily operational intelligence brief for Navy commanders. From the first day of training, every intelligence officer is required to memorize ranges of adversary sensors and weapons along with the endurance and speeds of adversary naval platforms. This effort ensures that even the most junior officer can readily draw these “circles of death” on a chart of any location in the world. The ubiquity and elegance of this vernacular means that range often becomes a Navy commanding officer’s overriding concern. As the saying goes, “Inside the circle there is danger; outside the circle we are safe.”
It is no surprise then, that threats not readily explained by range rings are often not front-of-mind for most naval officers. Threats best explained as a function of time are not as tangible and thus more easily overlooked. For example, cyber warfare threats—which usually lack explosions, are irrespective of geography, and increase in risk over time—often fail to be taken as seriously by commanders, logisticians, and operational planners.
Cyber warfare threats and capabilities are best measured and understood in temporal terms. In the commercial sector, cybersecurity professionals typically reach for their stopwatches rather than their maps. Naval officers must start doing the same. Here are five temporal cyber metrics that every naval officer should understand:
Breakout Time
The cybersecurity firm Crowdstrike first defined cyber breakout time as “the time taken by an adversary to move laterally, from an initially compromised host to (an)other host(s) within the victim environment.”1 To use a modern piracy analogy, this is the time it takes for the pirates to get to the pilothouse and take control of the ship starting from when they first anchor their grappling hook to the bulwark. As a matter of threat intelligence, this measurement is critical to understanding the danger that particular threat actors pose to platforms, commands, and operations alike. According to Crowdstrike, in 2018 among those able to conduct full cyber intrusions, Russian actors demonstrated the fastest average breakout time (gaining initial access, escalating privileges, and gaining control over key systems and information on a target network) in 18 minutes and 49 seconds. North Korean actors were second, at 2 hours, 20 minutes, and 14 seconds; and Chinese actors third, at 4 hours and 26 seconds.2 Breakout times continue to shrink as adversaries advance their tools and tradecraft, requiring defensive teams to adopt more automation and 24/7 operational postures.
Mean Time to Detect
Mean time to detect (MTTD) is breakout time’s defensive counterpart. It measures the time network defenders require to identify a cyber breach of a defended network, not that an attack is defeated. If an adversary’s breakout time is faster than a defender’s MTTD, the adversary is allowed unobserved, undefended actions against a platform or network for the length of time between the two measures. If MTTD is less than an adversary’s breakout time, then attempts at further compromising high-value network assets and systems, data destruction, or harm to physical systems might be stopped.
Mean Time to Patch
Mean time to patch (MTTP) is how long it takes, on average, to update systems with patches that have been publicly released. MTTP is threat agnostic and primarily a measure of an organization’s baseline defensive cyber agility. While sophisticated or well-resourced actors can find novel vulnerabilities in systems for which patches do not yet exist (typically referred to as “zero-day vulnerabilities”), threat actors of all levels of sophistication exploit the lag between the announcement of a patched vulnerability and application of the patch.
Mandiant published an analysis in 2021 that indicated 39 percent of vulnerabilities are still exploited after patches are publicly released, with the vast majority of observed cyber intrusions employing vulnerabilities for which patches are available but unapplied.3
Masters of civilian vessels and commanding officers of Navy warships often rely on off-ship service providers to protect their vessels before malicious network traffic reaches them. While this is not generally the same type of cyber defense as patching vulnerable systems on a vessel, the temporal metrics are similar. Most off-ship defenses will rely on publicly known vulnerabilities and threat information that allow defensive rules to be put into place that block incoming messages to ships that match malicious profiles. The amount of time it takes for a vulnerability or a specific adversary tactic to be identified, reported, and translated into defensive rule sets, and then to put into place follows the same dynamics as MTTP. Adversaries that attack only known vulnerabilities can still be faster than off-ship cybersecurity service providers.
Mean Time to Contain
Mean time to contain (MTTC) is the time it takes from detection until either on-site or remote defensive forces can respond to the malicious activity. MTTC describes how long it takes the response effort to contain the attacker’s attempts at further actions or exploiting additional systems. Combined with MTTD, these times to respond and/or contain a threat describe the amount of time a notional adversary has until a given attack can be stopped.
Mean Time to Recover
Mean time to recover (MTTR) is the average time it takes for an organization to recover from a successful cyberattack. For example, a ship whose computers and control systems were completely crippled by ransomware will require all the affected systems to be wiped, restored, replaced, or repaired, as well as the assistance of cybersecurity professionals to identify and fix the root cause(s) of the ransomware infestation.
While recovery from cyberattacks varies based on the nature of the affected organization (e.g., geographically dispersed organizations often require teams to travel to each affected site for recovery) and the nature of the disruption, recovery timelines currently tend to be measured in weeks to months for most commercial and industrial organizations. Maersk, for example, took nine days to partially recover from the NotPetya attack in 2017, but full recovery took months. Speaking two years after the attack, Maersk’s chief information security officer stated that the company was now building the internal capability to recover from a similar attack in 24 hours.4
How Fast Is Fast Enough?
Crowdstrike currently defines companies as “top performing” cyber organizations if they can meet the “1-10-60 Rule”: detecting an intrusion within 1 minute, investigating within 10 minutes, and containing or remediating the problem within 60 minutes. When adversaries are allowed to engage in unchecked lateral movement over a protracted period, the likelihood of adversary success goes up significantly.5 CPO Magazine, citing statistics from Mandiant, notes that most organizations are not anywhere near “top performing.” “The average containment time in 2017 was five days for network intrusions. However, that is the containment time after detection. The average time to detection was a staggering 66 days.”6 In other words, the average organization could be compromised for more than 5,000 times longer than it would take a Russian cyber team to complete its objectives before a defensive cyber response would begin.
In nonmaritime civilian enterprises, “acceptable” cyber metrics are determined by the business and/or sector-specific requirements governing the fiscal and commercial viability of that company. While an airline might be able to recover from a days-long denial-of-service attack on its ticketing system, for example, a month-long outage would likely collapse most commercial carriers. Thus, an acceptable MTTC is determined by the fiscal realities of the business, not cyber capabilities.
For civilian fleets, determining the acceptable time largely follows the economic contours of other civilian enterprises, with two additional maritime-specific factors. First, any inability to get assets into port at scale takes on an immediate fiscal urgency for shipping fleets. Infamously, Hanjin Shipping lasted only three days between receivership preventing Hanjin ships from entering ports and its bankruptcy. Similarly, a fleetwide cyber disruption to shipping operations could result in existential fiscal effects on commercial fleets in a matter of days, with crippling second-order global economic effects.
Second, cyber disruptions to ships in restricted-maneuvering situations could be catastrophic. A cyber-physical disruption that prevents normal maneuvering of a ship quickly becomes dangerous when paired with extreme weather or unfavorable wind and currents in a restricted passageway. The Ever Given grounding in the Suez Canal, for example, was a result of high winds and what was reportedly a loss of steering lasting only a few seconds.
For naval fleets, an acceptable MTTC requires conforming to theater-level, wartime operational timelines. For example, an operational plan may require moving a group of ships from San Diego to the eastern approaches to Honshu, Japan, where they will be expected to engage in contingency operations. If the transit time of such a group is 10 days, then an acceptable MTTC might be approximately 239 hours and, therefore, MTTR some fraction of that time.
“Fast enough” for navies is therefore the operational agility sufficient to recover from a cyberattack or mitigate critical cyber vulnerabilities within a relevant timeframe. In other words, the ability to recover cyber-degraded platforms while they are en route to their operational objective determines the agility baseline. Fleet-supporting cyber forces should be manned, trained, and equipped to support sealift, fleet movements, and combat operations at a pace set by the operations of the platforms.
What if the cyberattack occurs at the opening moments of combat? Depending on the nature of the cyber effects employed, the MTTC is greater than the engagement timeline of the kinetic weapons that might also be used against that platform. If a platform has detected a breach/attack, prudence suggests that combat situations be avoided until containment and recovery have been achieved.
This means that superior cyber capabilities can notionally render a navy operationally and strategically ineffective. Devastating cyberattacks can result in a fait accompli within viable MTTC times—for example, if China can successfully overwhelm Taiwan within 48 hours, a successful cyber breach and attack effectively immobilizing all U.S. Pacific Fleet ships for more than 48 hours creates conditions for victory. If a fait accompli timeline such as this can be identified, it should be used as the MTTC threshold for research and development, new operational paradigms, and the expert employment of technologies so such conditions never occur.
The Need to Understand
Commanders and fleet operators should understand their respective mean times to detect, patch, contain, and recover even when relying on outside service providers for one or all defensive capabilities. Absent organic capabilities to recover lost systems or networks following an attack, a destroyer commander should know his or her ship’s likely MTTR timelines to better manage the subsequent risks to the ship and crew through the duration of the degradation.
At the ship squadron level and above—and assuming a limited capacity for cyber response and recovery—commanders and staff should understand how cyber effects against multiple units will affect MTTC/MTTR timelines, including operational go/no-go criteria for affected and unaffected forces alike. Likewise, staff intelligence officers and information technology managers should ensure commanders are aware of adversary cyber breakout times in their areas of operations and MTTD/MTTP of the forces assigned. Even if a commander does not have the organic capability to effect either defensive capability, an awareness of the latent cyber-operational risks is fundamental to a 21st-century naval commander’s overall risk calculus.
Revenge of the Range Rings
For fleets operating globally, there is the additional challenge of responding to geographically dispersed cyber incidents. A single cyber response team cannot respond to shipboard casualties in both the Atlantic and Indian Oceans at the same time, even if they are caused by the same underlying system vulnerabilities and/or adversary action. Consequently, the number and forward prepositioning of cyber-response forces requires careful consideration. More cyber forces are better, to be sure, but “minimally sufficient” will be determined by a combination of ranges, speeds, and operational timelines of shore-to-ship and ship-to-ship movements via aircraft, tenders, and rendezvous timelines that partially consider MTTR efforts. And, yes, these elements will lend themselves to being charted on maps.
A foundational concern for naval planners and logisticians is establishing and preserving the ability to scale and mobilize cyber incident containment and recovery to affected platforms inside of acceptable timelines. At present, it does not appear it is possible to train, hire, and retain enough cybersecurity professionals to field expert cyber teams on every platform. The more viable construct is the rapid mobilization of cyber response-and-recovery teams from a central hub but close enough to operational ingress and egress routes to quickly reach affected units while in transit or retreat.
“War is a business of positions,” wrote Alfred Thayer Mahan.7 These five cyber metrics suggest the physical distribution of naval cyber forces is a matter deserving increased attention and deliberation. Positioning forces for speed of response is not a foreign matter to naval commanders, but in the 21st century the positioning of naval cyber forces is a matter of operational naval capability. The Navy has precious little time to get this right.
1. From “The Myth of Part-Time Threat Hunting, Part 1: The Race Against Ever-Diminishing Breakout Times,” Crowdstrike, 25 June 2021: “Lateral movement refers to the techniques that a cyber attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools. Lateral movement allows a threat actor to avoid detection and retain access, even if discovered on the machine that was first infected. And with a protracted dwell time, data theft might not occur until weeks or even months after the original breach.”
2. Adam Meyers, “First-Ever Adversary Report Highlights the Importance of Speed,” Crowdstrike, 19 February 2019.
3. Kathleen Metrick, Jared Semrau, and Shambavi Sadayappan, “Disclosure, Patch Release, and Vulnerability Exploitation—Intelligence for Vulnerability Management, Part Two,” Mandiant, 29 October 2021.
4. Dan Swinhoe, “Rebuilding After NotPetya: How Maersk Moved Forward,” CSO United States, 9 October 2019.
5. “Lateral Movement,” Crowdstrike, 17 April 2023.
6. Scott Ikeda, “Hacks Are Happening Faster: How Much Do Cyber Response Times Need to Improve?” CPO Magazine, 6 March 2019.
7. Alfred Thayer Mahan, “Considerations Governing the Disposition of Navies,” from CDR Benjamin Armstrong, USN, ed., 21st Century Mahan (Annapolis, MD: Naval Institute Press, 2013).