
Cyber Situational Awareness and C2

Page history last edited by Patrick Allen 3 years, 6 months ago


 

Cyber Analysis Workshop - Situational Awareness and C2 Page

 

The advent of the information age and the cyber domain has greatly impacted our ability to maintain situational awareness and conduct command and control (C2) for national security.  These discussions focus on the ability to analyze those impacts for current operations and potential future systems.   


 

Background Discussion
 
We need to add summaries of Dr. Alberts' books and of the other www.dodccrp.org books here. Note: the references for these books are on the front page, since some books may be cited in more than one section.
 
Insert additional background or other discussion here:

Issues
 

 

Insert issues here: 

 

Here is a list of topics we plan to discuss in the C2 and SA Track at the Workshop.

This is also available in a downloadable file at:   Topics to Discuss ver3.doc

Feel free to add topics that we may have missed that need to be discussed.

Patrick Allen, co-Chair 

 

Context:  In the Cyber Support to Command and Control (C2) and Situational Awareness (SA) track, we will be investigating:

 

·        Options and trends for C2 and SA

·        Cyber support to these trends and desired capabilities, and

·        Analytic support to cyber support issues for SA and C2

 

Potential Discussion Topics: 

 

I.  Broad Issues

 

A.  Scalability and Applicability

1.      The domain and echelon of focus matter for C2 and SA cyber support

2.      Scalability:  solutions for one echelon often do not scale well to other echelons

3.      Applicability:  likewise, solutions for one domain often do not fit the specific needs and preferences of another

 

B.  What can we say about analysis of cyber support to C2 and SA? 

1.      What are SA and C2 trying to provide the decision-maker?

2.      What cyber support can do for SA and C2

3.      Analytic issues to address about cyber support

4.      Techniques and tools to analyze selected issues

 

·        What are the useful mental models or categorizations to address these four points?

 

C.  Definitions or Taxonomy:  For example, Latency vs. timeliness:  Latency is an objective measure of delay.  Timeliness is an objective or subjective measure of the time of arrival compared to some threshold, usually a decision threshold.  The thresholds may be hard (any delay past the threshold is of zero value) or soft (the greater the delay past the threshold, the less value the arrival of the information).
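As an added worked example (not part of the workshop outline), the following Python scores two constructed sample reports by both measures, so the difference is visible on numbers rather than only in words. The decision time, the half-life used for the soft threshold, the report timestamps and the exponential decay shape are all assumptions chosen for illustration; the page does not specify a decay shape.

```python
"""Latency vs. timeliness for reports feeding a decision.

Added example, not from the workshop page. Times are seconds; the
sample reports, decision time and decay half-life are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    name: str
    generated_at: float  # when the observation was made
    received_at: float   # when it reached the decision-maker


def latency(r: Report) -> float:
    """Objective delay: how long the report took to arrive."""
    return r.received_at - r.generated_at


def timeliness_hard(r: Report, decision_at: float) -> float:
    """Hard threshold: full value if it arrives by the decision time, zero after."""
    return 1.0 if r.received_at <= decision_at else 0.0


def timeliness_soft(r: Report, decision_at: float, half_life: float) -> float:
    """Soft threshold: full value up to the decision time; afterwards the value
    halves every `half_life` seconds of lateness (assumed decay shape)."""
    late = r.received_at - decision_at
    if late <= 0:
        return 1.0
    return 0.5 ** (late / half_life)


def score(reports, decision_at, half_life):
    """Map report name -> (latency, hard timeliness, soft timeliness)."""
    return {
        r.name: (latency(r),
                 timeliness_hard(r, decision_at),
                 timeliness_soft(r, decision_at, half_life))
        for r in reports
    }


# Constructed sample: a slow but early report and a fast but late one.
SAMPLE_REPORTS = [
    Report("slow-early", generated_at=0.0, received_at=500.0),
    Report("fast-late", generated_at=580.0, received_at=620.0),
]
DECISION_AT = 600.0   # assumed: the commander decides at t = 600 s
HALF_LIFE = 20.0      # assumed: value halves every 20 s past the decision


if __name__ == "__main__":
    for name, (lat, hard, soft) in score(SAMPLE_REPORTS, DECISION_AT, HALF_LIFE).items():
        print(f"{name}: latency={lat:.0f}s hard={hard:.2f} soft={soft:.2f}")
```

"slow-early" has more than ten times the latency of "fast-late" yet keeps full value under both thresholds; "fast-late" is worth nothing under the hard threshold and half its value under the soft one. Ranking by latency alone would put them in the wrong order, which is the point of keeping the two terms distinct.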

 

D.  Other broad issue topics

 

II.  C2 and SA provision by Domain

 

A.  Allegiance

1.  Blue SA (military, civilian)

    Coalition SA and classification

2.  Red SA (Blue's view of Red, and our guess at Red's view of us)

3.  Neutral SA, including NGOs and IGOs

4.  Shifting allegiances SA

5.  Environmental SA (including human terrain, key actor power bases, and civilian infrastructure; not just physical terrain and weather any more)

 

B.  Instruments of National Power (DIME and PMESII SA)

(DIME: Diplomatic, Information, Military, Economic; PMESII: Political, Military, Economic, Social, Information, Infrastructure)

1.  Military instrument of national power

Ground, Air, Sea, Space, SOF

            (Space and SOF SA often classified)

2.      Information instrument of national power

Intelligence, Strategic Communications, Public Affairs, etc.

(Intel SA often classified)

Competing in the Idea Battlespace—the Conflict of Ideas

Note:  Military often has capabilities in Information Sphere as well

3.      Interagency

DHS, including Coast Guard, FEMA, etc.

First responder SA

SA for military support to civil operations

State Department SA

 

C.  Timeframes

1.  Snapshot vs. timeline and trend SA

    For example, raw data vs. moving averages

2.  Predictive SA (PBA, RAID, IED examples)

    Status vs. intent

    Friendly, enemy, neutral, and shifting allegiances

    Intent to shift, belief that a shift will occur, reliance on a shift occurring

3.  Planned vs. actual status comparisons

    Whether and when to replan

 

D.  Other Domain topics

 

III.  Technical Topics of Analysis of Cyber Support to C2 and SA

 

A.  Connectivity (GIG; WIN-T, the Warfighter Information Network - Tactical)

1.  Bandwidth matters; trend over time from fixed to mobile nodes

    C2 at the halt vs. while on the move

    Ad hoc mobile networks

    How much can you put on a PDA?  How much should you?

 

B.  Content and Measures (Information, databases, retrieval, predictive content)

1.      Bandwidth matters; trend over time to fixed and mobile (stationary and moving) nodes

2.      Conventional and asymmetric capabilities and information demands and usage         

3.      War among the people, human terrain

4.      Automatic and manual data collection

5.      What are the criteria for success?

                                   

C.  Visualization (all kinds, from strategic wall screens to tactical PDAs)

1.      Accounting for shifting allegiances

2.      War among the people

3.      Viewing uncertainty

4.      Annotated reality displays

5.      Ways to view many interrelated dimensions

6.      Displaying data at different levels of security

7.      Avoiding Info overload

 

D.  Security (IA; CIA: confidentiality, integrity, availability)

 

1.  Information assurance (against hostile and non-hostile threats)

    Threat definitions and attack trees

    Defeating scatterable jammers

    Inherent anti-jamming capabilities

    "Invisible" network (one the enemy cannot see, or cannot see well)

2.  Information CIA (confidentiality, integrity, availability)

    Reliance on commercial software and hardware

    Reliance on commercial links

    Encryption and authentication issues

    Smart radios and enhanced waveforms

    Improved protocols and network management, SOA and IPv6

    Policy-based defenses

    Agent-based defenses

 

E.  Tools

1.      Architecture definition and design

2.      Modeling and simulation

3.      Test and evaluation, and post fielding data collection and evaluation

4.      How do you design the test to ensure the criteria are met?

M&S in support of T&E (State of the art?)

Build test build, model test model…

 

F.  Other technical topics

 

IV.  Other Cyber Support to C2 and SA Topics

 

 


Current Analysis Approaches
 
Insert current or proposed analytical approaches here: 

Potential Enhancements or Alternative Analytical Approaches
 
The Need for Actionable Cyber Incident Mission Impact Assessment
Aug 11, 2008

by Michael R. Grimaila, Center for Cyberspace Research

 

Despite our best efforts to secure our cyberspace, we inevitably experience incidents in the cyber domain which result in the loss of the confidentiality, integrity, availability, non-repudiation, or authenticity of an information resource. When a cyber incident occurs, we must quickly and accurately estimate and report the resulting negative impact, not only in terms of the infrastructure damage, but also in terms of the mission impact experienced by all affected organizations. Unfortunately, existing methods for mission impact assessment are hindered by the lack of standardization in the way that we identify, value, track, document, and report critical information resources. The purpose of the Cyber Incident Mission Impact Assessment (CIMIA) project is to overcome these limitations to improve the accuracy and timeliness of the mission impact assessment. CIMIA is a joint research effort between AFIT, AFRL's Human Effectiveness Directorate, AFRL's Information Directorate, and Texas A&M University.

 

Motivation

Information is a critical asset for all modern organizations, but especially for the military, which uses information to conduct every aspect of its operations. Information is collected, processed, analyzed, distributed, and aggregated to support situational awareness, operations planning, intelligence, and command decision making. The need to incorporate information technology to reduce response time and increase decision quality is a direct consequence of the nature of modern warfare, which is technology-enhanced, fast-paced, and high-intensity. Commanders are tasked with making critical decisions in short time frames based on limited information. Since the quality, conciseness, and timeliness of the information used in decision making dramatically affect the quality of command decisions, recognizing, quantifying, and documenting these information dependencies is essential to accurate and timely damage and mission impact assessment. Further, recently amended joint military guidance requires commanders to ensure that operational impact assessment is accomplished following a cyber incident. In short, commanders must be kept aware of how a cyber incident affects their mission operations from the instant it is discovered until it is fully remediated. Unfortunately, our existing approach to impact assessment uses technical measures (loss of availability and the man-hours required to remediate) rather than addressing the harder question of mission impact.

 

Information is THE Asset in Cyberspace

We live in the information age, yet our cyber defense strategies tend to focus on the infrastructure rather than on the information it contains. The attraction of that approach is that it does not require the resources needed to conduct a formal risk assessment or maintain critical asset documentation. However, the assumption that technology is an equivalent substitute for information is dangerous and follows a proven path of failure. Infrastructure elements store, retrieve, process, and transport data, but the intrinsic value of that data lies in its timely and accurate delivery to end users as information. Information is the center of gravity for daily operations because it carries relevance and value as knowledge for the organization's decision makers. Information, not data, should be the focus when valuing cyber resources.

If we accept the idea that information is an asset, we must develop standardized schemes for identifying, valuing, tracking, documenting, and reporting information assets. Existing methods for identification are manual, not standardized, and often contain outdated information. Automated, scalable methods are needed to identify and track information assets throughout their lifecycle. Determining the value of information is a complex task because of its inherently intangible qualities. The value of information is dynamic and changes from one organization to the next. The complexity of context has confounded many attempts to develop models that account for and definitively measure the value of an information asset, because information value is always relative to some goal or goals. Since each organization has its own mission, any impact must be reported in terms of that organization's own frame of reference; aggregating impact across multiple organizations would first require a canonical value system shared by all of them.

To complicate valuation further, the value of an information resource is time dependent and a function of where you are in the mission plan. The mission may require a given resource at one critical point in time and not at all at other times. If the resource is inaccessible at that critical point and there is no other source for the information, the result may be an inability to complete the mission. Conversely, the resource may be needed continuously throughout the mission; if it becomes inaccessible, the mission may still proceed, but at greater risk of failure or of increased harm to friendly forces.

Perhaps most importantly, the identification and valuation of information assets must be formally estimated and documented before an incident occurs. Documentation ensures that the value estimate can be refined over time, provides transparency, reduces the time required to understand the impact of losing a resource, and reduces the variance in loss estimates. Far too many organizations neglect to create and maintain this documentation. This is not due to ignorance; it is usually due to the difficulty of obtaining the required information, a lack of personnel to collect and record it, and the fear that a loss estimate, if not properly secured, could serve an adversary as a targeting map. Each of these impediments can be overcome if we dedicate the necessary resources, and they must be resolved in order to supply meaningful mission impact assessment, develop a timely understanding of adversarial intent, and enable accurate predictive situational awareness.

 

Unintended Consequences

What are the consequences of accepting the status quo? Each day we are the target of multiple attacks by adversarial forces in cyberspace. Even if we succeed in detecting, containing, and remediating a cyber incident in a timely manner, failing to immediately assess the damage and report the mission impact to commanders may produce higher-order effects that are not apparent at the time of the incident. Consider the following hypothetical scenario:

A deployed military organization is conducting an active operation on foreign soil. One element of the operation requires the periodic delivery of supplies by ground vehicle between facilities in different parts of the country. The unit commander uses a logistics management program that stores the convoy routes and schedules in a database. A system administrator needs to upgrade the server hosting the database, so he temporarily relocates it to an existing database server in another organizational unit without formally documenting the change. In the meantime, a coalition partner is given access to our network to facilitate information sharing on an unrelated operation. Unfortunately, the coalition partner does not enforce stringent access control policies; an adversary breaches the partner's system and from there breaches the database server holding the convoy routes and schedules. The Incident Response Team (IRT) detects the incident, terminates the adversary's access to the database, and begins to investigate and remediate the breach. The problem is that no explicit documentation identifies all of the entities that depend on information stored in the database, or how their missions would be affected by a breach. Before the IRT can complete its investigation and notify the affected parties, a convoy listed in the database is ambushed, with significant loss of life and resources. Although the scenario is hypothetical, it demonstrates the dire consequences of failing to track the status of critical information assets. We cannot allow this kind of situation to occur when it is within our power to correct the deficiencies in the cyber mission impact assessment process.
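The following Python is an added example, not code from the CIMIA project or the author, of the kind of registry the two preceding sections argue for: each asset is tied to the host that currently stores it, each mission records which security properties of which asset it depends on and how badly a loss hurts in each mission phase, and an incident on a host resolves to a ranked list of affected missions and the owners to notify. It replays the scenario above: when the database move is never recorded, the lookup finds nothing and nobody is warned; when the move is recorded, the convoy mission and its owner come out first. The asset ids, host names, mission, owner, phases, severity levels and the sample incident are all constructed for illustration.

```python
"""Mission-impact lookup over a small information-asset registry.

Added example for the CIMIA discussion; not the project's own code.
Asset ids, hosts, missions, owners, phases and the incident are constructed.
"""
from dataclasses import dataclass, field

SEVERITY = {"increased risk": 1, "mission failure": 2}   # assumed two-level scale


@dataclass
class Asset:
    asset_id: str
    description: str
    host: str                                   # system storing it right now
    moves: list = field(default_factory=list)   # (old_host, new_host, when)


@dataclass(frozen=True)
class Dependency:
    mission: str
    asset_id: str
    owner: str               # who must be notified when the asset is hit
    properties: frozenset    # security properties whose loss matters here
    phase_impact: dict       # mission phase -> "increased risk" | "mission failure"


class Registry:
    def __init__(self):
        self.assets = {}
        self.deps = []

    def register(self, asset: Asset) -> None:
        self.assets[asset.asset_id] = asset

    def depend(self, dep: Dependency) -> None:
        if dep.asset_id not in self.assets:
            raise KeyError(f"unknown asset {dep.asset_id}")
        self.deps.append(dep)

    def relocate(self, asset_id: str, new_host: str, when: str) -> None:
        """Record a move. A move that skips this call leaves impact() blind."""
        a = self.assets[asset_id]
        a.moves.append((a.host, new_host, when))
        a.host = new_host

    def impact(self, host: str, lost: set, phase: str) -> list:
        """Missions hurt by losing the `lost` properties (e.g. {"confidentiality"})
        of every asset on `host` during `phase`, most severe first."""
        hits = []
        for a in self.assets.values():
            if a.host != host:
                continue
            for d in self.deps:
                if d.asset_id != a.asset_id or not (d.properties & set(lost)):
                    continue
                level = d.phase_impact.get(phase)
                if level is not None:
                    hits.append({"mission": d.mission, "asset": a.asset_id,
                                 "owner": d.owner, "impact": level})
        hits.sort(key=lambda h: SEVERITY[h["impact"]], reverse=True)
        return hits


def build_registry() -> Registry:
    """Constructed registry: convoy routes live on a logistics DB server."""
    reg = Registry()
    reg.register(Asset("convoy-routes", "convoy routes and schedules", "log-db-01"))
    reg.depend(Dependency(
        mission="resupply-convoy", asset_id="convoy-routes", owner="J4 logistics",
        properties=frozenset({"confidentiality", "availability"}),
        phase_impact={"planning": "increased risk", "movement": "mission failure"}))
    return reg


def scenario(move_documented: bool) -> list:
    """The page's scenario: the database is moved to shared-db-07, which is
    then breached (confidentiality lost) while the convoy is moving."""
    reg = build_registry()
    if move_documented:
        reg.relocate("convoy-routes", "shared-db-07", when="D-2")
    # otherwise the move happened on the real servers but the registry was never told
    return reg.impact("shared-db-07", lost={"confidentiality"}, phase="movement")


if __name__ == "__main__":
    print("undocumented move:", scenario(False))   # empty: nobody gets notified
    print("documented move:  ", scenario(True))    # convoy mission, J4 logistics
```

Two design points carry the argument of the text. The lookup is keyed on the host the incident was detected on, so the registry is only as good as its record of where each asset currently lives; that is exactly what the undocumented relocation breaks. And the dependency records which properties matter and in which phase, so a disclosure during movement ranks as mission failure while the same disclosure during planning is only increased risk, and an integrity-only incident on the same host returns nothing to act on.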

 

Conclusion

Although the need for effective cyber damage assessment was recognized more than a decade ago, little progress has been made toward it. The explosive growth of cyber attacks, combined with our increasing dependence on cyberspace to conduct military operations, has brought the realization that a cyber breach can have devastating real-world consequences. Commanders are now keenly aware of the shortcomings of existing cyber damage assessment and expect progress to be made. Recognizing that information is THE asset in cyberspace means focusing our efforts on robust, technology-assisted capabilities for identifying, valuing, tracking, documenting, and reporting information assets. The Cyber Incident Mission Impact Assessment (CIMIA) project is dedicated to overcoming these limitations to improve the accuracy and timeliness of mission impact assessment reporting. This paradigm shift is required to give commanders dominant battlespace knowledge in cyberspace, meet the joint requirements for reporting cyber damage assessment, and enable predictive situational awareness.


Recommendations for Improved Analytical Approaches
 

 Insert proposed recommendations here:
