Cyber Situational Awareness: TechNet Augusta 2015

Approved for Public Release
Cyber Situational Awareness
AFCEA Technet
25 August, 2015
Mr. Malcolm Martin
US Army Cyber Center of Excellence
Chief, Cyber Support Element-Ft. Leavenworth, KS.

Purpose
Provide discussion of Army Cyber Situational
Awareness (Cyber SA): “what it is, who uses it, and
how Cyber SA may be applied”, today and in the
future, for Unified Land Operations (ULO).
– What has changed? Conflicts and Impacts of Cyber.
– The Cyber Domain - How is it defined?
– Constant threat and actors
– Cyber SA Concept and Operational framework
– Cyber SA Impact as holistic aspect of ULO
– Army Cyber SA applied
– Culture change

2007: Syria – Israel
• September 2007 – Israeli Air Force
attacks suspected nuclear facility under
construction in Syria.
• First large-scale example of combined
cyber and electromagnetic means –
believed that Israelis used EW to deliver
a cyber attack/network control
capability to the Syrian radar which
executed the code on receipt.
• Prior to attack, Syrian IADS along
ingress/egress routes could not ‘see’,
allowing IAF planes to fly undetected by
radar into Syria and attack the site
unimpeded.
• Overall result was disruption of Syrian
IADS by an electronic/cyber attack
that enabled kinetic strike of nuclear
site.

Georgia-Russia 2008
• August 2008 – Russian troops
cross into South Ossetia w/
stated intent to defend their
“Russian compatriots”.
• Combined Arms assault was
preceded and enabled by a
multifaceted cyber attack
against Georgian gov’t and
military infrastructure and
defacement of web sites
• Distributed denial of service
(DDoS) attacks combined with
EW jamming disrupted and
denied comms simultaneous to
an integrated propaganda
(MISO and MILDEC) campaign
• Overall operation should be
considered the first large scale
‘hybrid’ combined arms
operation (air, land, cyber).

Ukraine-Russia 2015
Russia’s battle with Ukraine is being fought partly in cyberspace where it may have greater room for escalation
because nations increasingly accept covert cyber attack as a valid form of international pressure when more
traditional options are too violent – or too visible.
The rule of thumb for seeing disruptive cyber attacks before they happen
is that “physical conflicts beget cyber conflicts.”
The current cyber battle also could spread if the overall strategic
confrontation deepens, say toward a second Cold War. Such a stand-off,
pitting Russia against the United States, NATO, and Ukraine
“The Russian occupation of Ukraine in 2014 was carried out with a
military show of force – informed and supported by a coordinated cyber-
spying campaign”.
• The situation in Ukraine has seen relations between Russia and the West deteriorate
to almost Cold War levels

Cyberspace Domain
CYBERSPACE: Cyberspace is a global
domain within the information environment
consisting of the interdependent network of
information technology infrastructures and
resident data, including the Internet,
telecommunications networks, computer
systems, and embedded processors and
controllers (JP 1-02).
Characteristics:
• Manmade domain…ever changing
• Physical, functional, cognitive, logical/virtual and social
• Programming code and protocols define rules of the domain
• Environment and TTPs evolve at speed of code
• Constant presence – Phase 0 on-going
• Unlimited, instantaneous (operational) reach
Success in this domain means being smarter, more creative, faster,
and stealthier than your opponent

Back Up Slides
UNCLASSIFIED
7
The Growth of the Cyber Domain
Everyone, including the adversary, uses the Internet
Size of the Internet
1.2 Zetta bytes
16 Exabytes
1 Exabytes
DECEMBER 1995
16 million Internet users
MARCH 2001
458 million Internet users
March 2014
2.5 billion Internet users

Cyber Adversary Tactics, Techniques, and Procedures
Hostile Actor
Planning /
Scanning
Web Server/
Webpages
Users
Exploitation Lateral Movement Adversary Intent /
Exfiltration
Reconnaissance
Espionage
Destructive Malware
Email
Target System
- Users/decision-makers
- Their devices
and associated
IP addresses
- Data, databases,
and websites
- Network infrastructure
- Physical locations
Cyberspace Threats

Cyber Situational Awareness Defined
JP 3-12 Cyberspace Operations (CO)
• Cyberspace SA is the requisite current and predictive knowledge of
cyberspace and the OE upon which CO depend, including all factors affecting
friendly and adversary cyberspace forces.
• DODIN operations activities are the foundation of cyberspace SA, therefore,
DODIN operations are fundamental to the commander’s SA of the OE.
• Accurate and comprehensive SA is critical for rapid decision making in a
constantly changing OE and engaging an elusive adaptive adversary.”
• SA of friendly cyberspace is provided today by the Services and agencies
operating their portions of the DODIN. DISA does this through the theater
NETOPS centers to the CCMD theater/global NETOPS control centers,
USCYBERCOM Joint Operations Center, Joint Functional Component
Command for Space’s Joint Space Operations Center and their
Service/agency leadership. They coordinate with each other as required to
ensure operational effectiveness.

Why do we need Cyber SA?
• The Internet was originally designed as an open system to allow scientists
and researchers to send data to one another quickly, rather than with built in
security measures.
• Without stronger investments in cyber security and cyber defenses, data
systems across the world remain open and susceptible to exploitation and
attack.
• Malicious actors use cyberspace to steal data and intellectual property for
their own economic or political goals.
• The increased use of cyber attacks as a political instrument reflects a
dangerous trend for international relations.
• Therefore, the U.S. assumes that potential adversaries will seek to target
U.S. or allied critical infrastructure and military networks to gain a strategic
advantage.
Source: THE DEPARTMENT OF DEFENSE CYBER STRATEGY, April 2015

The Operational Framework
“The inclusion of the cyberspace domain and the EMS greatly expands and complicates the
operational framework transforming a limited physical battlefield to a global battlefield.” – FM 3-38
FM 3-12 (TBP)/FM 3-38: Operate in the
Cyberspace Domain / Electromagnetic
Spectrum
xx
xx
x
x
x
x
x
DIV
x
SUST
ADRP 3-0: Operate in the Land Domain
“The operational framework provides Army leaders with basic conceptual
options for visualizing and describing operations.” – ADRP 3-0

Cyber SA Functional Elements
(U) TRADOC Pamphlet (TP) 525-3-0, The Army Capstone Concept (ACC), asserts
that future Army requires the capability to provide leaders and Soldiers that
understand how and when adversaries employ CO and cyberspace capabilities,
how to mitigate adversary actions, and how to respond to gain and maintain the
cyberspace advantage within the OE in support of ULO

Army Cyber SA CONOPS
13
Cyber SA Functional Delineation
Big Data Network View
Cyber Mission Forces
DODIN, DCO and OCO
CONUS and Expeditionary
JIE, COE, LWN
Corps, Division and BCT
Commanders & Staffs
Home Station and Deployed
Command Post Computing
Environment
Contextualizes three interrelated
“Awareness” outputs:
Threat, Network, and Mission;
And the ability to plan operations!
xxx
CEM
x
xx
CEM
CEM
e.g.Big Data
Analytics/ Dagger-like
e.g. GoogleEarth-like
Cyber Analytics (Big Data)
JIMIndustry Commercial
JTF-L
“What is needed to achieve Cyber SA; how will Cyber SA be integrated into the COP;
and how will Cyber SA be used to plan, prepare, execute, and assess operations?”
JTF-C

Depicting Cyber in ULO
Cyber SA utilizes standard geospatial reference map displays resident in future
command post computing environment. Overlay creation tools available and provide
export/sharing of displayed data directly to the Common Operational Picture (COP).
Standard geospatial
reference maps
Web application
accessibility through future
computing environment
1
4

Aspects of Cyber SA
• Cyber SIGACTS
• Display Active Emitters
• Filters: 3G, 4G, WiFi, Radar
• Cyber actors & activity
1
5
• Should be able to
select actors by
multiple functions or
entities*
* Entity refers to operational units &
organizations w/n AOR

Unified Land/Cyber Ops & Planning
• CEMA Running Estimate
• Mission Analysis, COA
Development, Wargaming
1
6

“Changing your organizational culture is the toughest task you will ever take on. Your
organizational culture was formed over years of interaction between the participants in the
organization. Changing the accepted organizational culture can feel like rolling rocks uphill.”
“How to Change Your Culture: Organizational Culture Change”
Susan M. Heathfield
Management and Organization Development
“The most important area for transformation is the space "between our
warfighters' ears," said the chairman of the Joint Chiefs of Staff. "If you don't
try, and you stay locked in the doctrine that brought you there, you're going
to fail. You've got to adapt." “Changing military culture key to transformation”
General Richard B. Myers
Chairman, Joint Chiefs of Staff
“Transforming the Army means more of a mindset change, as
opposed to just changing wiring diagrams or equipment.
Transformation is a journey, not a destination.”
Army Chief of Staff Gen. George W. Casey Jr.
Change in Cultural Thinking

Mr. Malcolm W. “Mack” Martin
US Army Cyber Center of Excellence
Chief, Cyber Support Element – Fort Leavenworth, KS.
malcolm.w.martin2.civ@mail.mil
Office: (913) 684-4600
Mobile: (913) 991-3505
Questions?

Cyber Situational Awareness: TechNet Augusta 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Cyber Situational Awareness: TechNet Augusta 2015

Similar to Cyber Situational Awareness: TechNet Augusta 2015 (20)

More from AFCEA International

More from AFCEA International (20)

Recently uploaded

Recently uploaded (20)

Cyber Situational Awareness: TechNet Augusta 2015