SvenSvensonov
*As always, references are on the last page, figures have been omitted as they don't translate well from Microsoft Word.
ORGANIZATION OF DOD COMPUTER NETWORK DEFENSE, EXPLOITATION, AND ATTACK FORCES
Whether in sports, business, or government, adversaries seek to gain advantage over their opponents. As the Department of Defense (DoD) has formidable conventional power, adversaries often avoid conventional conflict. With the advent of the Internet and other interconnected networks, adversaries suddenly have the potential to access Department of Defense information that would formerly have required insider access to obtain. Further, they may be able to access DoD systems, such as e-mail and logistics systems, to influence DoD operations. Much of the activity to gain access can be low risk because it is done remotely and perpetrators can employ many concealment techniques. DoD efforts to prevent adversary access to DoD systems and information include the field of computer network defense (CND). In addition, the DoD has computer network exploitation (CNE), and computer network attack (CNA) capabilities it employs against adversaries. As will be shown, the CNE and CNA fields are closely related and should be organized together. On the other hand, as CND forces exist throughout the DoD, the DoD has created complicated command and control (C2) relationships that can be greatly simplified by making use of the power of the Secretary of Defense (SECDEF).
Background
Although the DoD consistently states it is under constant cyber attack, like many companies the DoD rarely discloses specific breaches of computer security and theft of information. Investigative journalists have tracked down and reported alleged details of some of these attacks, such as those detailed in the 2005 Time article by Elaine Shannon, The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them). In this article, Shannon details the volume of information stolen from across the DoD and other entities such as the World Bank. Unnamed government analysts rank the group behind these attacks “among the most pervasive cyberespionage threats that U.S. computer networks have ever faced.”1 Shannon's sources attribute the technical source of the attacks as originating from behind network routers in China. However, despite the title of the article, sources would only speculate that the group is Chinese government sponsored because of the sophistication and magnitude of the effort. Whether state sponsored or not, the lesson is that the DoD faces determined adversaries with the technical means to access our networks and exfiltrate information.
Clearly, the DoD needs effective security and counterintelligence capabilities to manage the threat to its networks. All DoD personnel with access to networks have a role to play in security. End users need to abide by the rules and, for instance, not open attachments from untrusted sources that may compromise information systems. Administrators must configure systems in accordance with security rules. Network defenders must analyze intrusion alarms, investigate, and report incidents. Counterintelligence and law-enforcement officers must screen these incidents for trends, categorize them, and prioritize them for investigation, exploitation, or prosecution. Given the magnitude of the effort, and the fact that all DoD personnel and organizations are affected, there are related organizational and authority issues. As the Services procure and operate installation networks mostly independently, should they also handle CND mostly independently? Alternatively, since Service forces ultimately exist for assignment to or support of combatant commands, is a joint approach more appropriate? How should DoD CND relate to other departments and entities of the USG?
But the DoD is not just on the defensive. It also has capabilities in the form of intelligence gathering and, if necessary, attack. Traditional areas of intelligence and operations that are now included in the cyber realm are still very relevant today, such as intercepting and jamming signals and conventional attacks on infrastructure. However, there are newer aspects of the cyber realm, such as using computer networks to “hack” into target systems and extract information or conduct an attack. The DoD grew its force to conduct these missions. But given the infancy of the field, is it properly organized? Where should these specialists work, in a central agency, out in the field, or a mixture of both? How should these forces be assigned to combatant commands?
According to the DoD, cyberspace is “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”2 Most readers are probably familiar with some of the general-purpose sub-domains of cyberspace such as the Internet, the DoD Non-Secure Internet Protocol Router Network (NIPRNET), the DoD Secret Internet Protocol Router Network (SIPRNET), and the Defense Switched Network (DSN). Less familiar may be more specialized sub-domains such as tactical data links used by military forces to, among other things, exchange friendly and enemy positional data.
Just as DoD cyberspace can be divided into sub-domains, so can global cyberspace.
Several key sub-domains of cyberspace include DoD, U.S. non-DoD, and foreign cyberspace. DoD cyberspace refers to that portion of cyberspace with DoD infrastructure, such as the NIPRNET. In all three sub-domains the DoD has an interest in strategic communications, effectively conveying its messages to audiences around the world. In addition to this overarching interest, the DoD has separate interests in each of the sub-domains. DoD interests in DoD and foreign cyberspace are straightforward. Within DoD cyberspace, DoD responsibilities are information assurance and counterintelligence. In other words, the DoD desires to protect its networks, detect intrusions, learn from the techniques employed by the intruders, and perform counterintelligence. Within the foreign sub-domain, DoD and other members of the Intelligence Community are naturally interested in collecting intelligence. The DoD also has an interest in network attack as stated in the mission of U.S. Strategic Command’s (USSTRATCOM) Joint Functional Component Command for Network Warfare (JFCC-NW), which reads “plans, and when directed, executes operations in and through cyberspace to assure U.S. and allied freedom of action, denying adversaries' freedom of action, and enabling effects beyond the cyber domain.”3 DoD interests in U.S. non-DoD cyberspace, however, are less clear and warrant more detailed explanation.
The DoD is but one of several entities with interests in U.S. non-DoD cyberspace. With respect to defending this sub-domain, it is interesting to note that according to The National Strategy to Secure Cyberspace, “in general, the private sector is best equipped and structured to respond to an evolving cyber threat.”4 In other words, just as individuals and businesses can invest in their own physical security with guards, alarms, locks, and the like, they can also invest in cyber security. However, with respect to the U.S. Government (USG), several federal departments have responsibilities, including the Department of Homeland Security (DHS), the Department of Justice, and the DoD. The DHS National Cyber Security Division (NCSD) “works collaboratively with public, private, and international entities to secure cyberspace.”5 The NCSD oversees the National Cyber Response System including the National Cyber Response Coordination Group, of which the DoD is one of 13 federal agency members. The FBI leads the investigation and prosecution of cyber-crime.6 Just as other USG entities have defined their roles in U.S. non-DoD cyberspace, so has the DoD.
The DoD has two roles in U.S. non-DoD cyberspace stemming from the same roles it has outside cyberspace: defense of the nation and national incident response.7 The National Military Strategy for Cyberspace Operations states with respect to defense of the nation, “DoD will execute the full range of military operations in and through cyberspace to defeat, dissuade, and deter threats against U.S. interests.”8 It also states with respect to national incident response that DoD will provide military support to civil authorities. There can be tensions between the defense mission and the support mission, such as a choice between quickly terminating an attack versus collecting evidence for prosecution. The Strategy for Cyberspace Operations addresses this issue by saying that defense of vital interests takes precedence over other missions.
Organization of Computer Network Exploitation and Attack Forces
As the cyber domain intersects with the physical world, there are a variety of ways to attack it. For instance, if you want to deny an enemy the use of their more secure, internal e-mail system and hopefully divert them to a less secure, external e-mail system, you can physically destroy their e-mail servers using conventional military forces. Unlike physical destruction, covert remote access is much more flexible. With covert remote access, agents can collect information as well as conduct offensive operations such as editing or planting information or denying use of information. This distinction is at the heart of perceiving the cyber domain as a separate domain; it is possible to operate completely within cyberspace in ways different from other domains.
There are several methods of collecting information in cyberspace, most notably open-source intelligence (OSINT) as well as traditional and CNE types of signals intelligence (SIGINT). OSINT is gathering information from publicly available sources, such as an extremist web site, analyzing it, and producing intelligence. Traditional SIGINT is a broad field that, for instance, involves obtaining a signal by intercepting transmissions or tapping cables, decrypting it, processing it, and hearing or reading raw private communications. Traditional SIGINT is the historical role of the National Security Agency (NSA). CNE refers to secretly infiltrating a network or information system and obtaining private information. Technical expertise is essential for all collection disciplines. OSINT may require, for instance, automation to conduct searches as well as to obscure the identity of collectors, because hundreds of government agents reading a particular forum might cause an unwanted change in the behavior of the participants. Traditional SIGINT and CNE differ in that the former requires expertise in signal processing and cryptography while the latter requires network and computer intrusion expertise. This intrusion expertise required for CNE relates to the similar expertise required for CNA.
In addition to operating in cyberspace by gathering information, the DoD also operates by conducting CNA. With respect to both intelligence and attack forces that operate within the cyber domain, the ability to collect private information and the ability to affect information and systems are both greatly enhanced by privileged system access, access that outsiders would not normally have. Note that enhanced access enables both information gathering as well as attack. For example, if an agent can remotely retrieve a user’s private e-mail, he most likely has access to modify or disable e-mail. In order to conduct such an operation, an agent must reconnoiter target systems, evade intrusion detection systems, compromise target system defenses, establish covert communications, conceal the intrusion, and retain system access while protecting vital access techniques from discovery. Once those steps are completed an agent can collect information or conduct an attack. Clearly, the more difficult phase of the operation is gaining access as opposed to exploiting it. Because gaining access is specialized and crucial to both intelligence and attack, intelligence and attack forces are discussed concurrently. Although little public information on specific USG foreign computer network infiltration capabilities exists, it is possible to make general recommendations on organization of DoD CNE/CNA forces based on high-level USG organization, DoD doctrine, and analysis of functions.
With respect to organization of cyber intelligence and attack forces, there are many alternatives. Agents need expertise in many areas for successful operations. As discussed above, gaining privileged access is one area of expertise. Others include target system expertise, such as the ability to retrieve or plant e-mails; information expertise, such as the ability to search through information relative to an operation; and effects expertise, the ability to translate operational goals into concrete attacks. The first two roles, gaining access and expertly manipulating a system, are common across many potential operations. Agents in these roles are directly accessing target systems. The last two roles direct the activities of the first two. The information expert is the detective or analyst. This expert knows which e-mail accounts are important and what key words to search with. The expertise in effects is provided by an offensive planner, such as a combatant command planner.
Although it is possible for one individual to perform all of these roles, it is more likely individuals will specialize, and this is what we frequently find today. The first two roles become the technicians, performing the exacting work of gaining access and manipulating systems, as directed by the intelligence analyst and the operations planner. There are many alternative organizations of the technicians. In current practice, the 2008 Unified Command Plan, which assigns missions and areas of responsibility to commanders, gives a cyberspace mission to USSTRATCOM, which it executes through its subordinate commands, JFCC-NW and the Joint Task Force for Global Network Operations (JTF-GNO).9 Given the global nature of cyberspace, this coincides with other global missions given to USSTRATCOM and executed through subordinate commands, such as the Joint Functional Component Command for Global Strike and the Joint Functional Component Command for Space. Information on JFCC-NW is limited, but according to USSTRATCOM public information, JFCC-NW plans and executes cyber attacks.10 The JFCC-NW commander is currently dual-hatted as the Director of the NSA and is stationed at the home of the NSA, Fort Meade, Maryland. Additionally, the JFCC-NW deputy commander is also stationed at Fort Meade. By surface appearance, core CNE and CNA expertise is resident within NSA and some of that expertise is under the command or direction of USSTRATCOM. Although the Unified Command Plan (UCP) gives USSTRATCOM a cyberspace mission, it is not that of complete ownership of CNE or CNA. As joint doctrine reminds us, all combatant commands must coordinate, plan, and execute information operations.11 As multiple combatant commands are involved in CNE and CNA, there are a variety of organizational structures that support these missions.