Author: Steven P. Winterfeld, SANS
“The United States is in the best possible position to win on the digital battlefield, but the reverse is also true; the US is the most vulnerable country in the world to cyber attack.”
In this article, Steven Winterfeld of SANS addresses the need for the US military to apply Intelligence Preparation of the Battlefield (IPB) to cyberspace. The four main segments of the IPB process that Winterfeld defines as important are: defining the battlefield environment, defining the battlefield effects, evaluating the threat posed by the enemy, and determining threat courses of action (COAs). In cyberspace, threats come from a range of sources with different boundaries, protocols, and liberties than those of traditional military operations. Winterfeld explains the different types of threats brought on by the emergence of cyber warfare. These threats include asymmetrical threats and asynchronous threats. Asymmetrical threats are those that use dissimilar weapons to offset a superior military. We’ve recently seen asymmetrical threats from countries such as Iran. Asynchronous threats are those that don’t require orchestration or timing but rely more on circumstance and personality. We’ve recently fallen victim to asynchronous attacks through the influence of Russian hackers on our 2016 Presidential Elections.
To help mitigate these threats, Winterfeld suggests adapting the traditional military IPB to suit the cyberspace environment. He explains that the processes are the same in conventional war as they are in cyber war; the difference lies in understanding the nuances of the battlefield. In cyberspace, the process of defining the battlefield environment includes: identifying the classification of the network, understanding the baseline activity of the network, exploring the architecture of the database, operating systems and services, and identifying intelligence gaps. In cyberspace, the process of defining the battlefield effects includes: analyzing the confidentiality, integrity, and availability of information in services and networks, as well as identifying current security controls, auditing procedures and backup systems. In cyberspace, the process of evaluating the threat includes: locating all assets, and identifying the most likely COAs and the most dangerous COAs by establishing threat capabilities. Evaluating and prioritizing each threat COA is important in creating policy and doctrine covering rules of engagement for information assurance, computer network defense, and computer network attack.
Although this recommendation by SANS is a bit dated (2002), the idea has never been more relevant than today, when asynchronous warfare, specifically in cyberspace, is the de facto method of aggression. What makes this issue even more urgent is that, although this recommendation came out in 2002, nothing in either the 2018 U.S. Department of Homeland Security Cybersecurity Strategy or the 2018 ODNI Worldwide Threat Assessment indicates the use of IPB in cyberspace. SANS, George Washington and a slew of other famous people have said “the best defense is a good offense.” I would agree that adapting the IPB process to suit cyberspace will only help increase the robustness of our nation’s cyber defense strategy by “finding the flaws before the bad guys do.”
Aside from these four main segments being important in uncovering potential chinks in our defense’s armor, the findings produced by the IPB have the potential to influence policy: identifying the possible threats will allow policymakers to form a conversation around retaliatory actions in cyberspace, as well as around what kinds of actions in cyberspace constitute punishment and to what degree. It’s also important to note that the process of formulating an IPB or IPOE in any asynchronous game, although unconventional, will only increase understanding of the environment in which one is operating by, at the very least, becoming acclimated to the surroundings and, at best, forming almost a tree of possible actions and the subsequent outcomes of those actions. Winterfeld writes that the bottom line is “IPB must be timely, accurate, usable, complete, and relevant to be useful.” There is not a more relevant time than now to create a usable IPB for cyberspace.