Enable breadcrumbs token at /includes/pageheader.html.twig

Chasing a Moving Cyber Target

Designing weapon system resilience for success on the battlefield.

This Air Cavalry unmanned vehicle potentially could be manned by a Moscow-based adversary if designed without the right features in mind. The highest risk would be an attack on the same crew that maintains it. Credit: Staff Sgt. Christopher Calvert, 1st Air Cavalry Brigade, 1st Cavalry Division Public Affairs

If you’re designing an unmanned device, like a UAV, you need to ensure that the system can operate without the adversary taking it over and using it against you,” said Steve Pitcher, a senior cyber survivability analyst at the Department of Defense (DoD).

This principle was articulated in 2016 after a report for the previous fiscal year by the DoD’s Operational Test and Evaluation office handed down a stern verdict on how various agencies were dealing with principles beyond strict cyber defense.

“When deficiencies were first identified in 2012, there was time to make early corrections and avoid, or at least significantly reduce, the risk that is now at hand. Instead, due to the failure of leadership, the opposite has occurred,” reads the report.

The document introduced a mindset change. “We focused for years in cybersecurity and compliance without looking for resilience,” Pitcher said. “The resilience piece is what we have completely missed in the past,” he added.

In previous years, mitigation and repair were the key concepts underpinning new technologies. This is akin to engineers’ training, but the change was necessary at the softest software level: culture. Thus, survivability became a new design trait.

“A systems engineer is not trained and leaning towards survivability,” said Tom Andress, cyber survivability analyst at the DoD.

And given the wide array of interlocking systems combatant commanders use, standardizing criteria to factor in increasing cyber threats included many moving parts. The first one was threat assessment, and naming the threat was no small part.

“We can now say Russia; before, we had to wink,” Pitcher said.

This change happened as a result of another shift.

Last summer, the National Security Agency, Department of Justice, Cybersecurity and Infrastructure Security Agency, and the FBI came out with actionable statements, Pitcher explained. These agencies called cyber threats by name, concentrating on China and Russia. This contributed another element to building resilience criteria; designers now can create systems that will withstand a specific attack.

The result of these shifts was the creation of a risk-managed approach to cyber survivability, which, according to unclassified DoD documents SIGNAL accessed, includes the following steps:

Step one: Select the system’s mission type.
Step two: Select the adversary threat tier expected to be facing the system.
Step three: Select the cyber dependence level of the system.
Step four: Select the impact level of system compromise or loss.
Step five: Determine the cyber survivability risk category.

“Survivability needs to be designed and tested throughout. You can’t compartmentalize it,” Andress said.

Each step breaks down into a series of definitions. Therefore, a mission type’s lower tiers are more permissive and start where a degradation by an attack represents a low risk to achieving objectives. An example of such a system is one dealing with accounting, according to unclassified Joint Staff documents.

The top level is where strategic nuclear capabilities required to maintain deterrence could be compromised—for example, nuclear submarines.
Between these two mission types are munitions, command and control capabilities and logistics systems.

In step two, the adversary threat tier is where names are given.

The DoD defines the Russian Foreign Intelligence Service, known as the SVR, as the most dangerous organization in terms of cyber espionage and as a potential disruptor.

“SVR cyber operators are capable adversaries,” said the Cybersecurity and Infrastructure Security Agency in a 2021 report.

At this level, the SVR “uses a range of initial exploitation techniques that vary in sophistication, coupled with ‘stealthy’ intrusion tradecraft to cause denial, degradation, deception, disruption and destruction of mission capabilities,” according to the document.

In second place for dangerous organizations is another of Moscow’s tentacles, the Main Intelligence Directorate, more commonly known as the GRU. This is followed by China. These actors can conduct “complex, long-term cyber-attack operations combining multiple intelligence sources to obtain access to high-value networks,” states the same material.

Below podium-level threats there’s an array of privates and privateers, with varying levels of sophistication, as described by the DoD.

With a variety of actors intending to disrupt the ability to move, shoot and communicate in a system, each one needs survivability DNA. This means that to “prevent, mitigate, recover from and adapt to adverse cyber events that could impact mission-related functions” is the key to performing above the capacity of an enemy ready to disrupt functionality, if possible, up to complete neutralization.

And the battle implementing these traits isn’t against an enemy. “Looking at all those things, systems engineers’ heads start to spin,” Andress recalled after having countless meetings with potential suppliers.

Weapons that can endure countermeasures must have a different kind of engineering woven into their fabric, starting at square one. “If, when designing a system, it isn’t built with survivability, the system falls through the cracks,” Andress added.

Innovations have to effectively show they meet three basic contingencies. “We’re talking about things that have to go into design to prevent, mitigate and recover” from adversaries’ attacks, Pitcher explained.

Nevertheless, each innovation is unique. Setting the same standards for a rocket launcher and an unmanned vehicle is impossible.

“We’re trying to give you a prescription for success without being detailed,” Andress explained.

Combatants could be left shooting in the dark if resilience and survivability standards aren’t adequately adopted by weapons systems designers. Credit: Cpl. Anna Albrecht, 15th Marine Expeditionary Unit

The five steps defining how a system succeeds in completing a mission despite contingencies are set by the supplier taking into account each threat level and understanding the resources adversaries may invest in disrupting its ability to achieve the desired outcome.

This increases costs, but according to the analysts, if this process is included in early stages its final impact on deadlines and the bottom line is minimized.

Conscientious use of these criteria is “setting themselves up for success for future design,” Andress said.

And ultimately, the bottom line is only positively impacted by contracts that are fulfilled.

Another point to consider is the consequence on an array of potential purchases, as these criteria seek results beyond the obvious targets. “Many or most of our critical systems are hard to attack, but support systems are more vulnerable,” Pitcher said, and structures that cross services are paid special attention.

But if all this is planned and executed as prescribed, there are other benefits that create a virtuous circle.

A design chain is created that accounts for why certain features go in, which ones are left out and which ones come next, with resilience and survivability already in the process from the outset.

“If you’re trading things off for the right reasons, it’s important to document and communicate. All have to be informed, as sometimes the biggest epiphanies come from conversations explaining why something was left out,” Andress said.

In a design where costs must be observed and deadlines achieved, a new workflow adds more considerations, but new opportunities also may be created.

The analysts expect builders to come out of this process with two takeaway questions: why was something left out, and, just as important, which features can be added in future updates?

Some of the future planning will be a part of competitive adjustments by adversaries, shortening lead times for future innovation. Another aspect of future planning comes with updated requirements from operating commanders, as they look at the combined set of abilities new innovations put within their reach.

Beyond design, one opinion overrules everyone else’s in this process.
“The guy who’s actually fighting the war is the guy whose opinion takes the day,” Pitcher said. “A combatant commander looking across all capabilities, he looks at what needs to be mitigated or remediated.”

In cases where possible mitigations have already received consideration or are already in more advanced stages as a result of following these standards, the effectiveness of the engineering team will be noted. If the opposite happens, this team knows a few of the telltale signs.

“When we see the attributes copied word-by-word, we worry,” Andress explained. In some cases, documentation merely repeated the language in the recommendations coming from the DoD. This suggests designers were not asking the right questions during the process or didn’t believe it was applicable to their work, according to the analyst.

In these cases, beyond the obvious consequence of increasing the chances of their proposals failing, designers are also missing the boat—as the overall intention of this work is to move toward a paradigm that anticipates instead of one that follows.

Pitcher explained that under the old mindset, they were chasing a moving target from behind, like a dog barking at the ‘passing car of cybersecurity.’ “Now that we caught the car, we define a threshold performance.”