
The Cyber Defense Review

Articles


Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations

March 15, 2021 — The following book review explores the content and insights of Dr. Herbert Lin and Dr. Amy Zegart’s Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations. Initially published in 2018, the book is composed of a collection of works by prominent cyber scholars, practitioners, and professionals on the strategic uses of offensive cyber operations. MORE

The Cyber Defense Review: Expanding the Cyber Discussion

November 18, 2020 — Welcome to The Cyber Defense Review (CDR) Fall 2020 edition. As the new Director for the Army Cyber Institute (ACI), I am honored to be joining the CDR team and very excited about this most recent issue of the journal. The CDR plays a critical role in expanding the discussion within the cyber community, from tactical units to national leadership to industry partners to academia. The quality of articles from a diverse group of leaders and thinkers within the community, coupled with an extensive reach that includes foreign allies, partners, and international educational institutes, is a testament to the impact of this journal. The CDR is truly adding to the body of knowledge in the cyberspace domain. MORE

To Defend Forward, US Cyber Strategy Demands a Cohesive Vision for Information Operations

November 18, 2020 — In 2018, the United States (US) Department of Defense (DoD) published the 2018 Cyber Strategy summary featuring a new strategic concept for the cyber domain: defend forward. It states DoD will, “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”[1] This reflects an important shift in DoD’s strategic posture, compared to the 2015 Cyber Strategy, in two key ways.[2] First, defend forward rests on the premise that to deter and defeat adversary threats to national security, the US could not solely rely on responding to malicious behavior after the fact. Rather, the DoD should be proactive in maneuvering outside of US cyberspace to observe and understand evolving adversary organizations and, when authorized, conduct operations to disrupt, deny, or degrade their capabilities and infrastructure before they reach the intended targets. Implied, but not explicitly stated, in the 2018 strategy summary is the role of information operations, and the relationship between cyberspace and the information environment. According to US doctrine, the former is a subset of the latter.[3] This article builds on our work as members of the US Cyberspace Solarium Commission to offer a conceptual framework and policy recommendations for integrating information operations in the context of defend forward. Many of the Commission’s 82 recommendations are slated to pass in the Fiscal Year 2021 National Defense Authorization Act (NDAA). MORE

Jack Voltaic®: Bolstering Critical Infrastructure Resilience

November 18, 2020 — According to the Department of Homeland Security (DHS), municipal critical infrastructure has become an ideal target for a range of cyber threat actors including near-peer competitors seeking geopolitical gains and decentralized cyber criminals attempting to hold cities captive for monetary gain. With municipalities predominantly partnering with the private sector for operation of national critical infrastructure as defined in Presidential Policy Directive (PPD) 21, cities, states, and industry entities find themselves on the front lines—possibly the first line of defense—against a perpetual barrage of attacks in cyberspace. Accordingly, a dynamic shift from traditional conflict in the physical world to a homeland defense posture in cyberspace reveals several potential gaps with regard to handling emergency situations, coordinating response efforts, and restoring basic services for citizens.[3] This article seeks to highlight this dynamic environment, and the inherent gaps that exist in bolstering critical infrastructure resilience. Accordingly, the Jack Voltaic® (JV) research framework discussed in this article explores the interconnections among municipal, state, and federal response efforts during a cyber emergency scenario, with added emphasis on critical findings and themes from its Jack Voltaic® 2.5 workshop series. This effort brought together key regional stakeholders from across various levels of governance, the private sector, and academia to discuss the findings of previous JV exercises, lessons learned, and how similar efforts can strengthen critical infrastructure, community resilience, and a whole-of-nation approach to handling cyber threats.[4] This article will highlight common findings and themes from multiple exercises and workshops that further reinforce current JV research and the Jack Voltaic® 3.0 Legal and Policy Tabletop Exercise (TTX). 
Finally, this article concludes with a detailed discussion about JV 3.0, which is scheduled to execute in September 2020. MORE

A Legal Framework for Enhancing Cybersecurity through Public-Private Partnership

November 18, 2020 — The Cyberspace Solarium Commission (CSC) published its report in March 2020 offering emphatic, far-reaching recommendations in the cybersecurity domain. This report highlights the rapidly growing importance of public-private partnership (P3) in this domain as a national security cornerstone, and significantly informs the debate over the public-private balance in the cybersecurity system of governance in the United States. While important questions remain as to the best ways to safeguard public law values, the report strongly supports arguments for informed P3 collaboration, and further discourages the notion that cybersecurity should exclusively be an inherently governmental function. A legal analysis of partnering in the cyber domain suggests the risks of violating existing inherently governmental function rules are low, and navigable. Indeed, the CSC’s strong, bipartisan report accepts this as a given point of departure from the ad hoc P3 system we have today, and recommends concrete steps to advance national security and other public law values such as accountability, transparency, fairness, and privacy. Like legislation that set the stage for the NASA-SpaceX partnership, the CSC’s unequivocal embrace of P3 in the cybersecurity realm has great potential to guide legislation and other steps to reshape and adapt “defense-of-nation” Cyber domain efforts. MORE

Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks

November 18, 2020 — This paper extends the work of the Lockheed Martin research team on intrusion kill chains (the identification and prevention of cyber intrusions) in 2010. The theory has languished in the network defender community not because it is not the right idea, but because most InfoSec teams do not have the resources to implement it. What has prevented the success of the intrusion kill chain strategy is a standard framework to collect the intelligence associated with specific adversaries, to share and consume that standardized intelligence with trusted partners, and then to automatically process that intelligence and distribute new prevention controls to the network defender’s security stack. The adversary playbook is that framework. MORE

Cyber Maneuver and Schemes of Maneuver

November 18, 2020 — This article is intended to stimulate discussion among cyber warriors and others about an approach to cyber maneuvers at the operational level. Cyberspace is one domain in what is commonly called “Multi-Domain Operations,” while movement and maneuver is one of the warfighting functions in U.S. Army doctrine. This sets the context for a proposed approach to a concept for offensive and defensive cyber maneuver operations that starts with a goal or mission, and allows preparation of the commander’s intent via a scheme of maneuver. The scheme of maneuver includes a sequence of categories of maneuver, which in turn are accomplished by specific cyber (or non-cyber) maneuver actions or fires, thereby connecting the mission to the scheme and categories of maneuver, and then to specific actions and fires. Effectiveness of specific cyber actions and fires will change over time, but the categories of maneuver and their intent are much more enduring. Commanders using this approach do not need to be “techies” to define a cyber scheme of maneuver. So long as the commander has, or has been provided, sufficient understanding of operational-level tradeoffs and effects of offensive and defensive cyber maneuvers, the staff can provide the technical details. MORE

Beyond Hyperbole: The Evolving Subdiscipline of Cyber Conflict Studies

November 18, 2020 — Hardly a day goes by without a cyber-related news story coming across the wires, yet the International Relations (IR) subdiscipline of cyber conflict studies has yet to meaningfully impact a wider discourse. This article examines the impact of five recent scholarly works on the evolution of this subdiscipline that, while quite popular within the general population, remains largely ignored by the broader International Relations (IR) scholarly community. The article dissects the strengths and weaknesses of these works and their place in the evolving literature by a generation of scholars who are moving debates beyond hyperbole. By highlighting cyber conflict studies to date, this roadmap hopefully will help to advance the study of cyberspace within the IR cyber community. MORE

Why the Law of Armed Conflict (LOAC) Must Be Expanded to Cover Vital Civilian Data

November 18, 2020 — In June 2017, during Ukraine’s multi-year undeclared war with Russia, the NotPetya worm hit Ukraine as part of a “scorched-earth testing ground for Russian cyberwar tactics.” Between 2015 and 2016, Kremlin-backed hackers known as Sandworm focused on Ukrainian government organizations and companies. In the NotPetya cyber-attack against Ukraine, this worm spread automatically, rapidly, and indiscriminately throughout thousands of computers worldwide, crippling multinational companies, including maritime shipping giant Maersk, pharmaceutical giant Merck, food producer Mondelēz International, and even Russia’s state-owned oil company, Rosneft. NotPetya is unlike other malware to date because its goal was purely destructive. It mimicked ransomware but was, in reality, more sinister since there was no amount of ransom that could be paid to decrypt a system’s data because no decryption key even existed. Damages associated with the 2017 NotPetya attack exceeded $10 billion. While there was no loss of life, former U.S. Department of Homeland Security advisor Tom Bossert equated NotPetya’s destructiveness to “using a nuclear bomb to achieve a small tactical victory.” MORE

Contesting Key Terrain: Urban Conflict in Smart Cities of the Future

November 18, 2020 — Smart City initiatives are multiplying at an accelerated pace. Hundreds of Smart City pilot projects are aiming to make urban dwelling more sustainable by leveraging automation, and digitizing interactions among technologies, people, and the physical environment. Each project is an ecosystem, with stakeholders ranging from government officials and technology firms with their near infinite supply chains to city residents. Many projects that began as experimental pilots are now integral to the way city government organizations deliver services to their constituents. An increasingly urbanized world, rapidly becoming more dependent upon sophisticated technologies, presents novel and substantial complexities to future military operations. MORE
