July 31, 2018 — Practically all military actions have the potential to result in undesirable collateral damage. Laws and international treaties mandate the minimization of civilian casualties and damage to civilian property. To enforce this, the military developed methods and tools to help predict the collateral damage that may result from the employment of specific weapon systems under various conditions. These processes have been refined over time, and are now very effective for the planning of kinetic operations. MORE
|
July 31, 2018 — Today, United States superiority in any domain is no longer a guarantee. The continued low barriers to entry and use of relatively inexpensive cyberspace technologies may create advantages across any domain as well as the human dimension. Domination in any domain no longer makes for a successful military operation. Instead, leveraging multiple domains at specific points of opportunity creates the competitive advantage required to defeat adversaries on future battlefields. Recognizing this new paradigm, the Army and Marine Corps developed the Multi-Domain Battle Concept to deter and defeat enemies. [1] MORE
|
July 31, 2018 — Mission assurance is the primary responsibility of all within the Department of Defense (DoD) and ultimately is Commander’s business. It is imperative in today’s rapidly changing information environment that Commanders understand how each of their primary missions is dependent on the operational platform for information for mission success. Having a comprehensive operational understanding of the cybersecurity readiness and capabilities of their information networks; including their ability to identify vulnerabilities and protect against threats, is as essential as understanding physical terrain in a kinetic operation. This involves a complete, end-to-end analysis of the information environment with an understanding of its technology, processes, and people. With that perspective, operational commanders can make informed choices on risk to their missions and implement means to continue operations in the face of an adversary determined to disrupt them. MORE
|
July 31, 2018 — Cyber defense is on an unsustainable trajectory. Thanks to freely distributed and automated attack tools, cheap labor in countries from which attacks are launched, and stolen computing resources assembled into botnets, the cost of cyber-attack is estimated to be one-tenth to one-one hundredth the total cost of cyber defense.
MORE
|
July 31, 2018 — In this article, we discuss the threat component of the risk to information systems. We review traditional cyber threat models, then present a technical characterization of the cyber threat along ten dimensions. We cross-reference an industry analysis of the Stuxnet threat to illustrate our thinking and conclude with an outline of the threat model application to the development of Cyber Red Books™. MORE
|
July 31, 2018 — Cyberspace threats are real and growing. Worldwide cybersecurity trends and implications support these assertions: 97% of organizations analyzed in 63 countries have experienced a cyber breach; 98% of applications tested across 15 countries were vulnerable; in 2014, threat groups were present on a victim’s network a median of 205 days before detection; $7.7M was the mean annualized cost of cyber crime across 252 global, benchmarked organizations in 2015; and 60% of enterprises globally spend more time and money on reactive measures versus proactive risk management.[1][2][3][4][5] “Every conflict in the world has a cyber dimension,” testified ADM Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, before the House Armed Services Committee in March 2015.[6] These facts, and the increasing acknowledgement regarding the importance of cyberspace on operations, place organizational leaders under immense pressure to make sound cybersecurity investment choices. Cybersecurity has truly become a political, military, economic, social, information, infrastructure, physical environment, and time concern for senior leaders. MORE
|
July 31, 2018 — This paper presents a disciplined approach to cyber risk assessment in distributed information systems. It emphasizes cyber vulnerability assessment in the architecture, specification and implementation—the knowledge of us—as a vital first step in estimating the consequence of information compromise in critical national security systems. A systematic methodology that combines information flow analysis and Byzantine failure analysis allows assessing the effects of information integrity compromises and the development of a Blue Book to guide cooperative Blue Team testing. The analysis of system vulnerability extends to cyber threats—the knowledge of them—leading to the development of a Red Book to inform adversarial Red Team testing. The paper concludes with a notional case study that illustrates this approach. MORE
|
July 31, 2018 — This paper focuses on how the dynamic speed of change and the compression of time in cybersecurity move individuals and organizations out of their comfort zones. This often results in forcing faulty decision-making generated by an enhanced dependence on untested assumptions. The counterbalance to this behavior begins by recognizing a key truism: within every decision lies an assumption. Equipping your cyber team with the mechanisms and tools to identify and properly challenge these assumptions drives better decision-making and new opportunities to successfully defend, attack, and adapt in the cyber battleground. MORE
|
July 31, 2018 — The current path to national cybersecurity hides a fatal design flaw. Resident within the current national approach is the assumption that we can continue business as usual with limited sharing between the public and the private sector, the creation of information sharing and analysis centers, the National Cybersecurity and Communications Integration Center, and a range of ad hoc local, state and federal organizations each addressing a slice of a complex and highly interconnected environment. The result is a lack of integrated coordination, continued hacks, and a public increasingly weary of all things cyber. We are approaching the current challenge as if we are living in August of 2001, ignorant and oblivious to the tragedies just over the horizon. All the while the private sector treats each incident in isolation, highly focused on their slice of a broader digital ecosystem. MORE
|
July 31, 2018 — In the early 1990s, a then-nascent al-Qaeda took steps to redefine both the nature of conflict and the nature of ideological foundations for waging war. The United States military deployment to the Middle East following the Iraqi invasion of Kuwait drove Osama bin Laden to deviate from both defined Islamic theology and fiqh (Islamic jurisprudence) and take a more ‘guerilla’ approach to combating what he saw as US aggression. Bin Laden deviated from both religion and traditional conventions of war to declare US Troops, supporting contractors, Arab troops, and even fellow Muslims and non-combatant villagers as enemies of al-Qaeda—should they prove to be obstacles to al-Qaeda’s goals of regional control and hegemony. MORE
|