Wavell Room
Image default
Concepts and Doctrine Cyber / Information Long Read

Beyond cyber security – Integrated Defensive Cyberspace Operations

Experimental Feature: Audio Read Version

Introduction

Recent events in the Ukraine have highlighted the role that digital capabilities, information and Cyber Operations (CO) play as part of orchestrated strategic, operational and tactical campaigns.  CO deny, disrupt and dislocate the understanding and decision making of a nation and their defence organisation and are a significant contributor to the Freedom of Action military organisations require to isolate and prosecute their strategic, operational, and tactical aims.  Despite mounting evidence that the cyber domain represents a combat capability that can create decisive effects, it remains the realm of information and cyber technologists and intelligence and security organisations.

This is constraining the adoption and normalisation of both CO and Defensive Cyber Operations (DCO), and related informational capabilities, into operational planning and actions.  Commanders at all levels will need to develop a deep understanding of the cyber and informational capabilities that they can employ as part of a coherent joint and multi-domain contest, and the opportunities and constraints that these capabilities will generate.  This paper considers some of the issues and opportunities that Defence could address in order that CO and DCO can shape and drive operational outcomes instead of simply supporting them.

Firstly, DCO must be designed to deliver cyber domain capability as part of an orchestrated and integrated joint and multi-domain activity.  There must also be a cultural shift that recognises planning and delivering DCO capabilities requires both ‘generalist’ expertise, adept in the application of digital and cyber capabilities in the planning and execution of operations, and the broadening of specialist skills beyond cyber into the broader digital space of for example IT, Artificial Intelligence (AI) and data.  Finally, defence will only gain resilience through adoption of cloud, dynamic and adaptive security capabilities.

More of the same will not suffice – rethinking is no good without action

Many defence and academic papers and publications continue to emphasise how states have been adapting their force structures and approaches to embrace and apply cyber and information capabilities.  Today’s strategic context is a continuous struggle where non-military and military instruments are used without any distinction between peace and war.  There is an increasing focus on the contest to disrupt, paralyse, or destroy strategic and operational capability, and engage the adversary‘s operational system; variously described as Information ConfrontationSystems Confrontation and System Destruction Warfare.

In this operating environment, advantage in cyberspace is now a critical enabler for adversaries who wish to gain and maintain their influence and power over one another across the Diplomatic, Information, Military and Economic (DIME) arena.  Cyberspace  must be contested at all levels through the coherent and determined orchestration of national strategic and military effects.

What is missing in this narrative is any pragmatic evidence that other nations have grasped the centrality of cyber capabilities, electronic warfare, and algorithmic warfare as part of the modern multi domain capability set.  They are failing to implement the organisational, cultural and capability changes required to contest this new domain of operations.

Established military cultures continue to dominate a change process that is risk averse and incremental.  The shortcomings of this approach are amplified by poor acquisition policies which continue to fail.  These approaches are even less suited for today’s informational contest.

Critical to this operating environment is the ability to defend the cyber domain to support and enable operations across each of the other domains.  Building on a solid base of cyber awareness and cyber security, effective and orchestrated DCO are now a key element of all operational planning and activity and must be embraced and enabled through transformative change in defence organization and culture.

‘Important as bombs and missiles are, the synchronised and constant manipulation of all forms of communication: political, diplomatic, state, commercial and social media; paid-for influence; and expert cyber intrusion is now a daily part of how states compete and confront and conflict’

General Sir Richard Barrons, October 2017

DCO is not just about IT and networks

Defence invariably struggles to take advantage of the transformative opportunities offered through this constantly changing technological miasma.  It is especially important to recognise that the digital and informational battle space goes beyond simply IT systems and networks.  Commanders will only be able to effectively execute operations when the entire range of their networks, sensors, Command and Control (C2), logistic and weapon systems have been designed, built, configured, secured, operated, maintained and sustained with this in mind.

This System of Systems (SoS) is increasingly the focus of belligerents seeking asymmetric and often inconspicuous opportunities to conduct espionage, and to disrupt and destroy the ability of their adversaries to plan and execute their operations with the confidence that their systems can perform as designed or intended.

The commercialisation of space is already accelerating and adding additional complexity to this ecosystem.  Traditionally, defence and security efforts in space have centred on Precision, Navigation and Timing (PNT) and velocity.  These must now be expanded as commercial and defence organisations embrace the opportunities in Intelligence, Surveillance and Reconnaissance (ISR), networking and weaponisation opportunities provided by the cyber domain.  These SoS now represent capabilities that generate asymmetric threats and opportunities which are already being tested and exploited.

Viewing space as a Centre of Gravity is asking too much of the domain but the US military certainly see space as key terrain for defence and national security: ‘cyber defense will be a principal focus area of the United States Space Force as we move forward.’  The ecosystem of networks and platforms must therefore be safeguarded against information theft, manipulation, damage, and destruction through determined and orchestrated DCO.

Key DCO Concepts

It is impossible to fully employ today’s joint force without leveraging cyberspace:  commanders must develop the same capability to direct operations in the cyber domain since mission success increasingly depends on Freedom of Manoeuvre (FoM) in cyberspace.  At the top level, CO centre on the planning and orchestration of activities, as part of multi-domain operations, in and through cyberspace to enable FoM to achieve national and military objectives (Figure 1).  These activities will include physical as well as non-physical actions that will both shape and support the relevant operational Courses of Action (CoA).  All CO are enabled through the appropriate and integrated application of Cyber, ISR, and Operational Preparation of the Environment.

A sub-set of CO, DCO seeks to deliver active and passive measures to preserve the ability of commanders to use cyberspace.  The purpose of DCO is to halt adversary offensive initiative, sustain or regain friendly initiative, and, if required, create conditions for a counteroffensive.  Passive defence activities in the form of Internal Defence Measures represent the range of threat specific defensive measures and activities that can be undertaken to create resilience by reducing the effectiveness of adversarial cyber activities within our own SoS ecosystem.  Active defence (Response Actions), on the other hand seeks to preserve FoM within cyberspace by disrupting hostile offensive cyber capabilities and operations generally beyond our own SoS ecosystem.

 

digital capabilities
Figure 1 – The Defensive Cyber Operations Landscape

A key precursor for successful DCO is the planning and integration of military deception.  Beyond simply creating ‘cyber honeypots’, deception comprises actions designed to deliberately mislead an adversary’s decision makers, causing them to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.  DCO deception activities support the full range of operational actions, across the physical, virtual and cognitive dimensions of cyberspace, and must be planned accordingly.

Like airpower, control of cyberspace will not be a permanent state and constant activity is required to achieve it.  To gain and maintain the required advantage in cyberspace, DCO operations will be necessary to disrupt, degrade, deny, or destroy an adversary’s ability to challenge such control.  This will require the coherent coordination and synchronisation of Offensive Cyberspace Operations and DCO missions with other informational and physical capabilities across all Lines of Operation; these actions must be planned and fully integrated with those of other environments to deliver Mission Assurance.  DCO thus extends beyond the boundaries of the Defence enterprise and must consider external mission vulnerabilities delivered through transient dependencies on third party factors such as Critical National Infrastructure, the supply chain, partner nations, commercial logistics, and defence of the narrative and social support against disinformation.

A focus on resilience and Mission Assurance

A key assumption in DCO is the recognition that the adversary is already in your networks and in your SoS.  Any sense that you can stop your adversary accessing, manoeuvring through, and disrupting your ecosystem is nothing other than naïve; a focus on resilience will be of paramount importance.  DCO will be a persistent contest of covert and overt physical and non-physical proactive actions to secure and maintain advantage and consequently FoM.  These actions will be global, persistent, and generate multiple, simultaneous dilemmas.  This convergence of global reach and multiple challenges will be compounded by developments in hypersonics and AI; these will exacerbate already problematic cognitive and decision making dilemmas facing commanders who seek to gain advantage through the application of a manoeuvrist approach to operations.

Mission Command is the approach that underpins the manoeuvrist approach; it is based on the principle of centralised planning and decentralised execution that promotes maximum FoA and initiative.  It grants subordinate commanders freedom in the way they execute their missions.  The accelerating pace and complexity of the multiple-dilemmas that can be generated from the strategic to the tactical levels, exacerbated by the use of Machine Learning and AI, means that the effective enablement and application of the principles of Mission Command will be critical to effective DCO.

Achieving an enduring superiority or dominance in the information and decision-making terrain is just not possible.  A temporary advantage to enable military action, is a more realistic objective.  This must be delivered through an approach framed by the required operational outcomes and driven by a focus on prioritisation, collaboration, anticipation, resilience, and agility.  Adapting to changing complex environments, rather than seeking to control them, will be fundamental.  A constant focus must be on defending and maintaining those most critical capabilities and audiences across the dimensions of DIME required to deliver the assurance that the broader strategic and operational mission outcomes will be achieved.  As illustrated in Figure 2, this represents a complex ecosystem of economic, security and influence opportunities to any belligerent where the effective disruption of any combination of vectors represents the opportunity to disrupt our own operational outcomes.

Figure 2 – The DCO Ecosystem

This concept, referred to as Mission Assurance, is defined as a process to protect or ensure the continued function and resilience of capabilities and assets, including personnel, equipment, facilities, networks, information and information systems, and infrastructure and supply chains critical to the execution of mission-essential functions in any operating environment or condition.  Concentrating on the Tactics, Techniques and Procedures that orchestrate DCO to deliver Mission Assurance as part of this broader joint and multi-domain battle will frame the Mission, Task and Purpose of all operations through cyberspace.

Cyberspace Operations represent a combat arm – they create decisive effects

DCO will be conducted within the ‘operational framework’ which comprises shaping, decisive and sustaining actions underpinned throughout by continuous understanding.  Within this framework, cyber capabilities can deliver shaping and decisive effects across the other four domains of maritime, air, land and space.  This will require a shift in the skills and imagination of commanders who must now ensure that their planning processes recognise the need to build operational plans and potential CoAs that will be cyber and informational led as opposed to purely supporting or enabling activity.  To achieve this, commanders at all levels will need to develop a deep understanding of the cyber and informational capabilities that they can employ as part of a coherent joint and multi-domain contest, and the opportunities and constraints that these capabilities will generate.

This will require a fundamental review of the skills and training of both cyber specialists and the generalists across Defence; CO and DCO must be business and not technology led.  To date cyber has been the realm of information and cyber technologists and intelligence and security organisations.

DCO will require a fundamental review of the skills and training of both cyber specialists and the generalists across defence; DCO must be business outcome and not technology led.

IT services are, in the main, provided by specialist organisations and individuals whose training and education are outwith the J3, J35 and J5 combat and planning functions; their experience is largely requirement and response focused and quality of service driven using such frameworks as PACE and ITIL.  Similarly, the culture of intelligence organisations is framed around secrecy and the need to know.  This is all profoundly problematic in that the warfighters will only ever use that with which they are familiar and trust; in addition, ‘the need to share’ information is the foundational requirement of effective cyber security and DCO.

At the same time, the traditional warfighter communities have continued to protect themselves from the complexities and taxonomy of modern data, IT and cyber systems.  This community is failing to engage with a critical strategic, operational, and tactical capability and prefers to see this as a ‘supporting’ element that only appears in accompanying annexes of the Operational Order.  It is no different from the journey from horse to tank, and the recognition and integration of air capabilities; there are valuable lessons that can be drawn from history in this respect.

Where to begin – separating the wheat from the chaff

DCO presents a wide range of often conflicting opportunities to Defence; the challenge is to identify where to start.  Whilst it is tempting to grasp at some low hanging fruit, often in the form of technology or tactical organisational changes, such an approach will simply delay and confuse the delivery of a coherent, resilient, and relevant capability moving forwards.  Whilst there are several initiatives that will be required, there are three key actions which should be addressed as a priority.

Initiative 1: Agree a multi-domain DCO vision and outcomes and build the roadmap.

DCO must be designed to deliver cyber domain capability as part of an orchestrated and integrated joint and multi-domain activity.  Without an agreed vision and agreed outcomes to deliver this, even the boldest of ambition will struggle to build and maintain momentum, coherence, and purpose.  This vision must be operations focused but it must also be designed around a federated architecture and ecosystem that extends beyond defence to include other government departments and agencies, industry, and partners.  The vision and outcomes should be realised through a Cyber Defence Programme which has the appropriate levels of delegated governance and resourcing to enable agile and courageous capability development and delivery.  Ownership of this initiative should be at the highest level.

Initiative 2: Transform the workforce. 

Without the right skills and culture, DCO will simply be a portfolio of constantly changing and disconnected technologies and activities that will leave gaps that the sophisticated adversaries of today will exploit with ease.  Cyber is just one component of the broader digital transformation that impacts the full spectrum of defence capabilities that includes weapons platforms, administrative systems, C4ISR systems and logistics systems and the supply chain.  Planning and delivering DCO capabilities require a combination of transformed ‘generalist’ expertise adept and confident in the application of digital and cyber capabilities in the planning and execution of operations.  It also requires the broadening of specialist skills beyond cyber into the broader digital space of for example IT, AI and data.

Without addressing the generalist requirement, cyber will simply sit on the shelf and its potential will be underused.  Without broadening the specialist skilled individuals, defence will be unable to develop and retain the spectrum of DCO specialist and leadership skills that will be required to contest the digital battlespace.  Prioritising the cultural needs that will enable such a transformation will be pivotal to generating momentum.

Initiative 3: Resilient by design. 

The rapid pace of change in digital capabilities and technology, is creating new and complex challenges for how the MOD contests the modern digital centric Operating Environment across all domains, land, sea, air, space, and cyberspace.  These technologies, such as automation, data analytics, AI, Autonomous Vehicles, super and edge computing will transform Defence.  They rely on huge amounts of data and compute power, seamlessly accessed via the Cloud and secured in such a way that this data can be relied upon and trusted.

To successfully contest this complex space, defence must embrace concepts focused on enabling resilience through adoption of cloud, dynamic and adaptive security capabilities, and a Secure by Design approach:

  • The Cloud.  Cloud based services are required across the whole of the defence enterprise in support of the full portfolio of defence use cases; these range from management information, medical services, Open Source Information, logistics through to C4ISR, Joint Fires and C2.  Understanding the requirement to connect and enable the movement, Confidentiality, Integrity, and Availability and innovation of data across multiple and dynamic Cloud Communities of Interest will be pivotal to the architectural approach that will be needed to support any defence Cloud future demand.  Whilst a number of nations, such as the US and NATO, have embarked on this journey, the nature of the challenges and future design of such a capability for defence is still emergent.  In particular, the needs of Defence organisations place requirements that extend the current application of Cloud services in commercial organisations: defence organisations will have specific needs and challenges that will need to be understood and addressed in order to define and agree a target design architecture and implementation plan for its future Cloud needs.  The ability to seamlessly connect these different deployment instances, whether remote, tactical systems, national and regional data centres or Hybrid Cloud environments, into a common and resilient Data Fabric will be key.1

 

  • Dynamic and Adaptive Security.  The implication of cloud architectures and computing has fundamentally broken that traditional defence in depth models that championed a strong castle and moat philosophy where boundary defence and edge protection and air gapped designs were deemed sufficient to defend against cyber threats. The reality is that data has rarely been static and behind the firewall.  Defence entities must look beyond encryption and historical data protection and tactics.  Modern computing architectures must be designed to not only be adaptable, but also resilient in the face of the growing cyber threat capabilities that the DCO faces.   Concepts such as Zero Trust Architecture help ensure that data and services are resilient and protected from breach, service outage and data loss.  Zero Trust is a concept that upends the traditional defensive order which used trusted enclaves into a design that treats all users, devices, services, applications, and networks as untrusted.  This enables point to point protection through identity focused authentication and authorisation and micro segmentation of networks and services.  In this new paradigm, cloud architectures coupled with zero trust gives DCO an unparalleled ability to enable stronger and more resilient protections, but also enable more discrete monitoring and detection of unfolding threats.

 

  • Secure by Design.  A principle of Secure by Design delivered through approaches such as DevSecOps will combine key attributes of innovation with secure but rapid capability deployment.  To support this defence cybersecurity designs must incorporate Zero Trust principles to ensure protection closer to the data and include robust Identity, Credential, and Access Management to drive out anonymity and enable the secure sharing of information.  Zero Trust solutions must control user activity within emerging Cloud-enabled cyber terrain.  In coordination with the key national agencies, such as the NCA in the United States and the United Kingdom’s NCSC, they must also facilitate the deterrence, disruption, or the defeat of hostile red actors in cyberspace.  To expand use of Cloud, defence must transition from an extant periodic Authority to Operate approach towards one of continual monitoring and updating.  Security will need to be automated to the maximum extent possible and leverage advanced Cloud capabilities such as AI to provide high reliability and assurance without excessive cost or administrative burden.

Conclusion

Today’s Defence and Security environment is characterised by a continuous contest across the internet which has moved from a state of instability to stability as it has transformed into the modern powerhouse for digital commerce.  As a result, this global battlefield is now contiguous and the information across it is contagious.  The internet is the pre-eminent communications medium that underpins defence, security and commerce in an inter-twined, interconnected and interconnected but ungoverned ecosystem.  The internet is now vital ground for national prosperity and security: whoever manipulates it most effectively  gains advantage across the battlefield, even if this is temporal.

DCO represent the essential, pervasive, and decisive enabling activities and actions that are now critical to contest this key battlespace from the strategic to the tactical.  However, DCO progress is slow despite the increasing application and effectiveness of offensive cyber capabilities as part of a coherent multidomain activity, as evidenced in recent geopolitical tensions and conflicts.

Whilst advancement in technological cyber security capabilities is big business and is evolving at an accelerating pace, a continued failure to address the profound cultural and organisational issues that underpin effective multi-domain CO and DCO will continue to be a fundamental barrier to the effective integration and application of cyber as a warfighting domain of operations.

It is now essential that defence organisations reorganise to enable the conduct of effective DCO, and operational planners at all levels become familiar with, and confident in the integration and application of CO and DCO.  This requires a shift in design, culture, organization, education and training where cyber proficiency and success is recognised and military awards and medals are equally applicable to decisive and courageous informational and cyber actions as they are for physical combat.  Without this incentivisation  the war fighter will continue to focus on physical as opposed to informational career and professional development, and adversaries will increasingly dictate operational outcome.

 

Alan Mears

Alan Mears is a senior advisor with Deloitte Middle East with over 40 years of service as a Regular and Reserve officer in the Royal Artillery and the Royal Signals.  With a strong background in joint fires, cyber, targeting and C4ISR, Alan has over 30 years of experience in designing, delivering and executing joint fires C4ISR and cyber effects into operations. He was mobilised as SO1 Targets to IMEF for Operational Iraqi Freedom in 2003, and again to set up ISAF's Joint Fires and Targeting capability with HQ Allied Rapid Reaction Corps in 2006. Alan has an MSc in Cyberspace Operations from Cranfield University.

 

 

Wayne Loveless
Wayne Loveless
Cyber Risk Services Advisor at Deloitte

Wayne Loveless is a senior advisor at Deloitte Risk Advisory in the Cyber Risk Services practice for Deloitte ME.  He supports organisations improving their cyber  risk posture through security initiatives that integrate strategic risk, regulatory, and technology components.  Wayne has been leading projects on Cyber Security Strategy, Information Security Management Program, Risk Management, Security Assessment, Certifications ISO/IEC 27001, ISO 20000, and PCI, Implementation of Security Operations Center (SOC), CERT, Compliance, Data Loss Prevention, Digital Identity, Identity and Access Management, Business Continuity, and ICS Security

Footnotes

  1. A data fabric is an architecture and set of data services that provide consistent capabilities across a choice of endpoints spanning hybrid multiCloud environments.  It is a powerful architecture that standardises data management practices and practicalities across Cloud, on premises, and edge devices. Among the many advantages that a data fabric affords, data visibility and insights, data access and control, data protection, and security quickly rise to the top.

Related posts

How the “Gibraltar of the East” fell: A Historical Analysis of the Singapore Strategy up to WWII.

Andy Wong

Success Tomorrow Depends on Disruption Today

Steve B

Private Military and Security Companies

Jethro Norman