December 2001
Author: Steven P. Winterfeld, SANS
https://cyber-defense.sans.org/resources/papers/gsec/cyber-ipb-103147
Summary:
“The United States is in the best possible position to win on the digital battlefield, but the reverse is also true; the US is the most vulnerable country in the world to cyber attack.”
In this article, Steven Winterfeld of SANS addresses the need for the US military to apply Intelligence Preparation of the Battlefield (IPB) to cyberspace. The four main segments of the IPB process that Winterfeld defines as important are: defining the battlefield environment, defining the battlefield effects, evaluating the threat of the enemy, and determining threat courses of action (COAs). In cyberspace, threats come from a range of sources with different boundaries, protocols, and liberties than those of traditional military operations. Winterfeld explains the different types of threats brought on by the emergence of cyber warfare. These threats include asymmetrical threats and asynchronous threats.
Asymmetrical threats include those that use dissimilar weapons to offset a superior military. We’ve recently seen asymmetrical threats from countries such as Iran. Asynchronous threats are those that don’t require orchestration or timing but rely more on circumstance and personality. We’ve recently fallen victim to asynchronous attacks through the influence of Russian hackers on our 2016 Presidential Elections.
To help mitigate these threats, Winterfeld suggests adapting the traditional military IPB to suit the cyberspace environment. He explains that the processes are the same in conventional war as they are in cyber war. The difference lies in understanding the nuances of the battlefield. In cyberspace, the process of defining the battlefield environment includes: identifying the classification of the network, understanding the baseline activity of the network, exploring the architecture of the database, operating systems and services, and identifying intelligence gaps. In cyberspace, the process of defining the battlefield effects includes: analyzing the confidentiality, integrity, and availability of information in services and networks, as well as identifying current security, auditing procedures and backup systems. In cyberspace, the process of evaluating the threat includes: locating all assets and identifying the most likely COAs and most dangerous COAs by establishing threat capabilities. Evaluating and prioritizing each threat COA is important in creating policy and doctrines involving rules of engagement for information assurance, computer network defense, and computer network attack.
Critique:
Although this recommendation by SANS is a bit dated (2002), the idea has never been more relevant than today, when asynchronous warfare, specifically in cyberspace, is the de facto method of aggression. What makes this issue even more urgent is that although this recommendation came out in 2002, there is no mention in either the 2018 U.S. Department of Homeland Security Cybersecurity Strategy or the 2018 ODNI Worldwide Threat Assessment that indicates the use of IPB in cyberspace. SANS, George Washington and a slew of other famous people have said “the best defense is a good offense.” I would agree that adapting the IPB process to suit cyberspace will only help increase the robustness of our nation’s cyber defense strategy by “finding the flaws before the bad guys do.”
Aside from these four main segments being important in uncovering potential chinks in our defense’s armor, the findings produced by the IPB have the potential to influence policy: identifying the possible threats will allow policymakers to form a conversation around retaliatory actions in cyberspace, as well as what kinds of actions in cyberspace constitute punishment and to what degree. It’s also important to note that the process of formulating an IPB or IPOE in any asynchronous game, although unconventional, will only increase understanding of the environment in which one is operating: at the very least by becoming acclimated to the surroundings, and at best by forming something like a tree of possible actions and their subsequent outcomes. Winterfeld writes that the bottom line is “IPB must be timely, accurate, usable, complete, and relevant to be useful.” There is not a more relevant time than now to create a usable IPB for cyberspace.
This is a cool concept -- thanks for sharing it! To add to your point about a tree-like map of possible actions and weak points, that also allows for a mental model pointing analysts in the direction of where our collection efforts ought to focus. I think IPB is an excellent way to orient yourself in an environment with which you might not have a deep understanding or familiarity. Do you think the practical terminology, e.g. go, slow-go, no-go, key terrain, etc., would have to change for us to move IPB into cyberspace? I wonder if the concept transfers smoothly, but in practice the traditional understanding leads to some disconnect.

Good question. I'd need to have a better understanding of networks to understand how that terminology would fit into cyber IPBs, but my initial guess would be that they would have at least some tangential relevance to identifying areas that need to be patched/updated.

You mention an important point about IPB driving policy regarding retaliation to cyber attacks. I think it is important for analysts and decision makers to understand how the enemy views the United States not just from a cyber defense standpoint, but from a retaliatory stance. The enemy's understanding of how the U.S. responds to a cyber attack/espionage will likely play a role in their courses of action.

Agreed - which ties in with my last post on consistency in game theory. I think it would strengthen US defense to have clear offensive responses in place.

Reading this article, I find myself thinking that the one big issue with a Cyber IPB is that it requires intimate knowledge of how your adversaries' networks are constructed, both digitally and physically (because there is an inherent non-digital element to computer networks that can give a decision advantage in warfare). In order to get that information, the system defenders would have to have access to the full depths of adversary networks, which implies that defenders and attackers are coordinating their efforts. Penetrating networks can be difficult and eluding detection is especially problematic. I feel like this aspect, in my mind, adds complicating factors that will impact the development of cyber IPBs. The difference here is that finding information about users is far easier, so this aspect, identifying the structure of forces, is a far easier task to accomplish.

This article explains the benefits of creating cyber IPBs for your own network as a way to identify where breaches may occur.

However, I think your interpretation as to how to conduct a cyber IPB with an offensive mindset can also be explored. Remaining undetected in cyber reconnaissance is tricky but, as we've seen, not impossible. Even when a nation state is caught conducting reconnaissance on an adversary (or ally), one can argue the penalties are well worth the information gained about adversarial networks to be included in an IPB.

Bryant, I really liked your post! The idea of using IPB in cyberspace is fascinating. My article talked about the struggle to use IPB in an unpredictable situation. I think the battlefield of cyberspace is very unpredictable. Is there a methodology that you think could be combined with IPB to make it more accurate in cyberspace?