Both the National Security Strategy of the United States of America and National Defense Strategy of the United States of America recognize the Information Environment (IE) as central in warfare, although both documents emphasize the use of information in contexts short of open warfare or in the digital realm. The U.S. Department of Defense (DoD) defines the IE as “the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information” (RAND 2021).
We Are Already There
The interweaving of cognitive, physical, and virtual space is at work even now. In June of 2021, Mark Zuckerberg, CEO of Meta (formerly known as Facebook), announced their newest initiative – the metaverse. The term and concept are not new: science fiction author Neal Stephenson famously coined the term in 1992’s Snow Crash, and Nintendo’s Animal Crossing and Linden Lab’s Second Life are but two online gaming exemplars. It is, however, seeing a resurgence with all the vast resources a company like Meta can bring. It is to be taken seriously.
Risk Allocation and Strategy
This becomes an interesting conversation when CIOs, CSOs, CROs, and cybersecurity leaders at all levels assign risk and align resources accordingly. This new view on the operational business environment and its attendant security paradigm offers both promise and peril. The rich tapestry that is the layered cyberspace landscape offers near limitless connective tissue, while at the same time increasing the attack surface area by many orders of magnitude. The risk aperture and security lens are now at their widest. It’s time to posture our strategy accordingly.
Looking to DoD
In this area, commercial sector equities can look to the current work going on within the U.S. government (USG) – and specifically the Department of Defense (DoD) via Cyber Command. Cyber Command looks at the cyberspace landscape as three interconnected and interlaced domains: the cognitive space, the physical space, and the virtual space. It’s time the serious cybersecurity practitioner starts doing the same.
Thinking of “cyber” as merely a conversation on boxes, devices, and data flows is myopic and dangerous. Unlike other domains – i.e., air, land, sea, space – cyber is ephemeral and dynamic, the landscape constantly changing (i.e., dynamic IP addresses vs. static ports) and the associated attack surface moves with it. Indeed, the attack surface as presented to an adversary must now be looked at as much more than a simple network topology. Or, perhaps more important – the cyber-physical attack surface must now include the human (cognitive) dimension.
Information Environment – The Three Dimensions
The cognitive space represents the human dimension of thoughts, ideas, and memories. In essence, the human mind becomes the attack surface and point of exploitation and/or access. Sometimes it is the target and sometimes it’s merely a transition point to another dimension – i.e., virtual or physical or another human. These are the so-called “cognitive effects”.
The physical space contains all the boxes, wires, cables and normal associated “real world” things an IT Department would consider relevant. This includes the ever-expanding OT, or Operational Technology, landscape…much bigger than most know. Indeed, some would argue it is truly unknowable.
The virtual space then represents the ephemeral flow of information and data – the packets and so-called “trons” or electrons constantly moving around us every day.
It Was Never “Just” About “The Box”
Within the USG, efforts like “Defend Forward” and “Persistent Engagement” and “Constant Contact” are currently in use and critical to understanding adversary intent and capability across the cognitive, physical, and virtual “cyber” space. While the DoD is starting to think this way, commercial sector CIOs, CISOs, CSOs, CROs, and boardrooms may not be.
However, commercial sector cybersecurity professionals do have access to many – if not all – of the capabilities and strategies used by DoD and USG to enable network resiliency, maintain connectivity, and enable information assurance. This article asks that we consider five key capabilities that when taken together should inform the larger cybersecurity posture and strategy.
Know Your Enemy
In order to move away from a purely reactive security posture and begin to regain control, retain the initiative, and start having a real conversation about resiliency of the network and data/information flows, we need to begin understanding the “what” and “where” of the adversary’s “how”. In a word: “sense”.
Leaders at U.S. Army Cyber Command have an acronym for this. Building off former U.S. Air Force Colonel and Fighter Pilot John Boyd’s seminal OODA Loop research (Observe, Orient, Decide, Act) and U.S. Special Operations Command’s F3EA approach to actionable intelligence and fusion cell operational work (Find, Fix, Finish, Exploit, Analyze), Army Cyber has developed the SUDAA Loop (Sense, Understand, Decide, Analyze, Act) more aligned to cyber domain(s).
Note how they lead with “sense”. All too often, in a security incident – especially one in a crisis or contingency mode – we act before understanding what is going on, wasting perishable and finite time and resources – all the while bleeding data and allowing further adversary intrusion and maneuver across the network.
New Tools for a New Fight
Artificial Intelligence (AI), Big Data (BD), Machine Learning (ML), and Natural Language Processing (NLP) are readily available tools that will help with “sensing”. These tools are available today to the commercial sector – indeed, the commercial sector is taking the lead in developing the capabilities (witness work ongoing at Google, Amazon, Netflix, Alphabet, and Meta – the so-called FAANG companies). It’s not “just” about intelligence – sensing is the secret sauce that will amplify and inform true information advantage and decision dominance – both in the commercial space as well as government, across all three cyber layers.
The roles played by AI, ML, BD, and novel techniques such as NLP offer an ability to move past “just” intelligence, merely informing and reacting…they offer potential for truly sensing adversarial intent and movement. Both are seen as key to reducing scale and scope of attack.
While capabilities such as AI, ML, and Big Data may be familiar, Natural Language Processing is relatively unknown, yet its effects are felt daily in everything we do online. Natural Language Processing (NLP) and its associated capabilities such as Natural Language Understanding (NLU) and Natural Language AI (NLAI) offer a powerful addition to the security practitioner’s toolbox. NLP/NLU enable an understanding of sentiment, entity analysis, and syntax analysis. When we start to look at cybersecurity as more than just boxes and devices, and weave in the cognitive layer(s), this becomes critical to unpacking and understanding adversary intent.
As but one example of this for the commercial sector, which lacks the unique extra-legal access, authorities, and manpower possessed by the U.S. government: the various threat intel streams produced by the U.S. National Security apparatus (i.e., CISA, FBI, InfraGard, etc.) represent a huge treasure trove of actionable data (much of it in the native language of the adversary) that the commercial sector can pull in, and that NLP/NLU and NLAI can, in turn, assist with. The text hidden deep within code holds the very signatures and keys to helping understand the “who’s who in the adversary zoo”, and via AI, patterns can begin to emerge…history then becomes the future (i.e., predictive analytics).
Mitigating and Enabling Strategies
One particular strategy that is gaining momentum within USG in general and DoD in particular is Zero Trust. So-called Zero Trust methodologies are designed to ensure least common access and privileges and are uniquely postured for the coming information environment fight. Indeed – the Department of Defense has gone so far as to formally announce the creation of an Office of Zero Trust to help secure the world’s largest network – the Defense Industrial Base (DIB) and its supporting network infrastructure.
Conclusion
Mitigating and enabling strategies such as “Zero Trust” and capabilities such as Artificial Intelligence, Machine Learning, Big Data, and Natural Language Processing offer unique and novel ways to capture the inherent possibilities of “connecting all the things, in all the dimensions” while at the same time affording security professionals options and armaments to reinforce and extend security within, and across, all three dimensions.
As capabilities such as AI, Big Data, ML, and NLP are refined and mature, they represent the future of cybersecurity in a world of multi-dimensional information and data flows, while “sensing” offers truly game changing capability to those who understand the landscape and are willing to embrace its potential.
Taking stock of RAND’s research about the information environment. RAND Corporation. (n.d.). Retrieved December 2, 2021, from https://www.rand.org/ard/topics/information-environment.html