Wednesday, April 27, 2016

Cyberwarfare on a Personal Level

CYBR650 Week 6

The supreme art of war is to subdue the enemy without fighting.
Sun Tzu

Ten soldiers wisely led will beat a hundred without a head.
Euripides


Cyberwarfare is Internet-based conflict involving politically motivated attacks on information and information systems. Cyberwarfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems -- among many other possibilities.

In 2009 the Secretary of Defense established the United States Cyber Command.  It has a threefold mission: defending the Department of Defense (DoD) Information Network, supporting military commanders in the execution of their missions around the world, and strengthening our nation’s ability to withstand and respond to a cyberattack.  So how is the Cyber Command doing in its threefold mission seven years later?

1.  Defend the DoD Information Network – One of the first actions the Cyber Command took was to consolidate all the IT systems from the entire DoD – three branches, four uniformed services and nine unified commands (over 7 million devices) – into a single unified architecture.  Very soon, the entire military will be linked through one command-and-control structure.  They’ve modernized the equipment and streamlined operations. This creates some potential weaknesses, but they seem to be outweighed by centralized monitoring, easy updating and quick response to attacks.

2.  Support Military Commanders - One of the biggest advantages of the unification is being able to provide a unified response to any attack from all services and from air, land or sea.

3.  Defend our nation against a cyberattack – While not perfect, defenses are getting stronger through a series of initiatives.  The DoD experiences 41 million scans, probes and attacks each month.  The penetrations that were detected have all been quickly dealt with.  One of the biggest weaknesses in all of the breaches has been the human factor.  And believe it or not, the Cyber Command is doing better at fixing the human factor weaknesses than most private sector companies, using a concept called the high reliability organization, or HRO.  These are systems that can’t afford to learn from mistakes, such as nuclear power plants, air traffic control systems and high-speed rail; they have to correct deviations before they become problems.

How they did it – If any of you have experience with the US military, you will recognize they got a lot of work done in 7 years.  The Cyber Command modeled its operation on the US Navy’s nuclear propulsion program, which has arguably the best safety record.  The nuclear program has built a culture on six principles that limit the impact of human error.

Integrity – strongly held convictions that eliminate deliberate departures from clear protocol.  Everyone reports mistakes immediately.  The standard is set very high and there are no second chances.  Everyone is accountable and held accountable for their actions.  The result is minor problems are reported and fixed quickly.

Depth of knowledge – training is thorough and broad.  The system is fully understood, including weaknesses.  Close supervision, testing and drills are common.

Procedural compliance – operational procedures are followed to the letter.  There is an extensive inspection system including simulated emergencies.

Forceful backup – Everyone who performs a high-risk action is backed up by another fully qualified person, so all risky tasks are performed by two people.  Everyone is authorized to stop a process when a problem arises.

Questioning attitude – operators are trained to question any anomalies they detect, and those anomalies must be corrected.

Formal communications – Directions are clearly stated in a formal, prescribed manner and repeated back verbatim.  Small talk is discouraged.


What we can learn – What are the lessons cyber professionals can learn from Cyber Command and the nuclear program?  Pretty much every human factor that leads to a breach is a violation of at least one of the principles.  Is it possible for your organization to operate at such a high standard?  Most likely it’s not possible, but everyone can build these concepts into their daily practices.  Training goes a long way in recognizing when something isn’t right.  Document processes and then follow them.  Always have a backout plan.  Communicate clearly.  Empower everyone on the team to speak up when they aren’t sure or don’t understand.  Strong leadership is critical to build this kind of environment.  If you don’t have a leader like this that you can follow, lead from where you are by enforcing these principles on yourself and those you can influence.  Be a high reliability employee in your cyberwarfare.
