From the Winter 2022 Issue

Cybersecurity in the Information Environment

Jack Koons

Today’s cybersecurity is much more than simply a conversation about information technology, operational technology, and data protection. It’s a world of maneuver inside and across the cognitive, virtual, and physical space – the information environment. Today’s security professionals must become comfortable with operating and defending across all three layers, as well as the impact and enabling aspects of social media and data wrangling. This article posits that today’s cyber landscape is not one singular domain, but rather a rich tapestry of three. We will unpack and explore this landscape, with an eye towards protective strategies and capabilities to enable the organization.

Both the National Security Strategy of the United States of America and National Defense Strategy of the United States of America recognize the Information Environment (IE) as central in warfare, although both documents emphasize the use of information in contexts short of open warfare or in the digital realm. The U.S. Department of Defense (DoD) defines the IE as “the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information.” (RAND 2021)

Here we posit that the cognitive domain should not be confused or conflated with the more common and familiar “cyber-personae” layer normally described by other authors and organizations. Where cyber-personae reflect the digital representation of an individual on the network (an avatar or profile, for example), the cognitive dimension is the mind space of the user as they negotiate the network – both online and off. This is the domain of cognitive effects, influence, and sensing. Think hacking the brain, vice hacking the box. And yet both the brain and network are connected and must be treated as such. It is both a source of access and enablement as well as exploitation.

We Are Already There

The interweaving of cognitive, physical, and virtual space is at work even now. In June of 2021, Mark Zuckerberg, CEO of Meta (formerly known as Facebook), announced their newest initiative – the metaverse. This is not a new term or concept: science fiction author Neal Stephenson famously coined the term in 1992’s Snow Crash, and Nintendo’s Animal Crossing and Linden Lab’s Second Life are but two online gaming exemplars. But it is seeing a resurgence with all the vast resources a company like Meta can bring. It is to be taken seriously.


Risk Allocation and Strategy

This becomes an interesting conversation when CIOs, CSOs, CROs, and cybersecurity leaders at all levels assign risk and align resources accordingly. This new view on the operational business environment and its attendant security paradigm offers both promise and peril. The rich tapestry that is the layered cyberspace landscape offers near limitless connective tissue, while at the same time increasing the attack surface area by many orders of magnitude. The risk aperture and security lens are now at their widest. It’s time to posture our strategy accordingly.


Looking to DoD

In this area, commercial sector equities can look to the current work going on within the U.S. government (USG) – and specifically the Department of Defense (DoD) via Cyber Command. Cyber Command looks at the cyberspace landscape as three interconnected and interlaced domains: the cognitive space, the physical space, and the virtual space. It’s time the serious cybersecurity practitioner starts doing the same. 

Thinking of “cyber” as merely a conversation on boxes, devices, and data flows is myopic and dangerous. Unlike other domains – i.e., air, land, sea, space – cyber is ephemeral and dynamic, the landscape constantly changing (i.e., dynamic IP addresses vs. static ports) and the associated attack surface moves with it. Indeed, the attack surface as presented to an adversary must now be looked at as much more than a simple network topology. Or, perhaps more important – the cyber-physical attack surface must now include the human (cognitive) dimension.

Information Environment – The Three Dimensions

The cognitive space represents the human dimension of thoughts, ideas, and memories. In essence, the human mind becomes the attack surface and point of exploitation and/or access. Sometimes it is the target and sometimes it’s merely a transition point to another dimension – i.e., virtual or physical or another human. These are the so-called “cognitive effects”.

The physical space contains all the boxes, wires, cables and normal associated “real world” things an IT Department would consider relevant. This includes the ever-expanding OT, or Operational Technology, landscape…much bigger than most know. Indeed, some would argue it is truly unknowable.

The virtual space then represents the ephemeral flow of information and data – the packets and so-called “trons” or electrons constantly moving around us every day.

It Was Never “Just” About “The Box”

Within the USG, efforts like “Defend Forward” and “Persistent Engagement” and “Constant Contact” are currently in use and critical to understanding adversary intent and capability across the cognitive, physical, and virtual “cyber” space. While the DoD is starting to think this way, commercial sector CIOs, CISOs, CSOs, CROs, and boardrooms may not be.

However, commercial sector cybersecurity professionals do have access to many – if not all – of the capabilities and strategies used by DoD and USG to enable network resiliency, maintain connectivity, and enable information assurance. This article asks that we consider five key capabilities that when taken together should inform the larger cybersecurity posture and strategy.

Know Your Enemy

In order to move away from a purely reactive security posture and begin to regain control, retain the initiative, and start having a real conversation about resiliency of the network and data/information flows, we need to begin understanding the “what” and “where” of the adversary’s “how”. In a word: “sense”.

Leaders at U.S. Army Cyber Command have an acronym for this. Building off former U.S. Air Force Colonel and Fighter Pilot John Boyd’s seminal OODA Loop research (Observe, Orient, Decide, Act) and U.S. Special Operations Command’s F3EA approach to actionable intelligence and fusion cell operational work (Find, Fix, Finish, Exploit, Analyze), Army Cyber has developed the SUDAA Loop (Sense, Understand, Decide, Analyze, Act), which is more aligned to the cyber domain(s).

Note how they lead with “sense”. All too often, in a security incident – especially one in a crisis or contingency mode – we act before understanding what is going on, wasting perishable and finite time and resources – all the while bleeding data and allowing further adversary intrusion and maneuver across the network.


New Tools for a New Fight

Artificial Intelligence (AI), Big Data (BD), Machine Learning (ML), and Natural Language Processing (NLP) are readily available tools that will help with “sensing”. These tools are available today to the commercial sector – indeed, the commercial sector is taking the lead in developing the capabilities (witness work ongoing at Google, Amazon, Netflix, Alphabet, and Meta – the so-called FAANG companies). It’s not “just” about intelligence – sensing is the secret sauce that will amplify and inform true information advantage and decision dominance – both in the commercial space as well as government, across all three cyber layers.

The roles played by AI, ML, BD, and novel techniques such as NLP offer an ability to move past “just” intelligence, merely informing and reacting…they offer potential for truly sensing adversarial intent and movement. Both are seen as key to reducing scale and scope of attack.

While capabilities such as AI, ML, and Big Data may be familiar, Natural Language Processing is relatively unknown, yet its effects are felt daily in everything we do online. Natural Language Processing (NLP) and its associated capabilities such as Natural Language Understanding (NLU) and Natural Language AI (NLAI) offer a powerful addition to the security practitioner’s toolbox. NLP/NLU enable an understanding of sentiment, entity analysis, and syntax analysis. When we start to look at cybersecurity as more than just boxes and devices, and weave in the cognitive layer(s), this becomes critical to unpacking and understanding adversary intent.

As but one example of this for the commercial sector, which lacks the unique extra-legal access, authorities, and manpower possessed by the U.S. government: the various threat intel streams produced by the U.S. National Security apparatus (e.g., CISA, FBI, InfraGard) represent a huge treasure trove of actionable data, much of it in the native language of the adversary, and NLP/NLU and NLAI can assist with pulling in and leveraging it. The text hidden deep within code holds the very signatures and keys to helping understand the “who’s who in the adversary zoo”, and via AI, patterns can begin to emerge…history then becomes the future (i.e., predictive analytics).

Mitigating and Enabling Strategies

One particular strategy that is gaining momentum within USG in general and DoD in particular is Zero Trust. So-called Zero Trust methodologies are designed to ensure least common access and privileges and are uniquely postured for the coming information environment fight. Indeed – the Department of Defense has gone so far as to formally announce the creation of an Office of Zero Trust to help secure the world’s largest network – the Defense Industrial Base (DIB) and its supporting network infrastructure.

Conclusion

Mitigating and enabling strategies such as “Zero Trust” and capabilities such as Artificial Intelligence, Machine Learning, Big Data, and Natural Language Processing offer unique and novel ways to capture the inherent possibilities of “connecting all the things, in all the dimensions” while at the same time affording security professionals options and armaments to reinforce and extend security within, and across, all three dimensions.

As capabilities such as AI, Big Data, ML, and NLP are refined and mature, they represent the future of cybersecurity in a world of multi-dimensional information and data flows, while “sensing” offers truly game changing capability to those who understand the landscape and are willing to embrace its potential.

Works Cited

Taking stock of Rand’s research about the information environment. RAND Corporation. (n.d.). Retrieved December 2, 2021, from https://www.rand.org/ard/topics/information-environment.html 
