by Michael R. Grimaila, Center for Cyberspace Research
Despite our best efforts to secure our cyberspace, we inevitably experience incidents in the cyber domain which result in the loss of the confidentiality, integrity, or availability of an information resource. When a cyber incident occurs, we must quickly and accurately estimate and report the resulting negative impact, not only in terms of the infrastructure damage, but also in terms of the mission impact experienced by all affected organizations. Unfortunately, existing methods for mission impact assessment are hindered by the lack of standardization in the way that we identify, value, track, document, and report critical information resources. The purpose of the Cyber Incident Mission Impact Assessment (CIMIA) project is to overcome these limitations to improve the accuracy and timeliness of the mission impact assessment. CIMIA is a joint research effort between AFIT, AFRL's Human Effectiveness Directorate, AFRL's Information Directorate, and Texas A&M University.
Information is a critical asset to all modern organizations, but especially so for the military which uses information to conduct all aspects of its operations. Information is collected, processed, analyzed, distributed, and aggregated to support situational awareness, operations planning, intelligence, and command decision making. The need to incorporate information technology to reduce response time and to increase decision quality is a direct consequence of the nature of modern warfare which is technology enhanced, fast-paced, with high-intensity conflicts. Commanders are tasked with making critical decisions in short time frames based upon limited information. Since the quality, conciseness, and timeliness of the information used in the decision making process dramatically impacts the quality of command decisions, the recognition, quantification, and documentation of these information dependencies is essential to provide accurate and timely damage and mission impact assessment. Further, recently amended military joint guidance requires commanders to ensure operational impact assessment is accomplished following a cyber incident. In short, commanders must be kept aware of how a cyber incident affects their mission operations from the instant it is discovered until the time it is fully remediated. Unfortunately, our existing approach to impact assessment uses technical measures (loss of availability and man hours required to remediate) rather than addressing the more difficult question of mission impact.
Information is THE Asset in Cyberspace
We live in the information age, yet our cyber defense strategies tend focus on the infrastructure rather than the information contained within the infrastructure. The attractiveness of the approach is that it does not require the resources required to conduct a formal risk assessment or maintain critical asset documentation. However, the assumption that technology is an equitable substitute for information is a dangerous assumption and follows a proven path of failure. While infrastructure elements are used to store, retrieve, process, and transport data, the intrinsic value of the data is dominated by the value in the timely and accurate delivery to end users as information. Information is the center of gravity for daily operations because it holds relevance and value as knowledge to decision makers in the organization. Information, not data, should be the focus when valuing cyber resources.
If we accept the idea that information is an asset, we must develop standardized schemes for identifying, valuing, tracking, documenting, and reporting information assets. Existing methods for identification are manual, not standardized, and often contain outdated information. Automated, scalable methods are needed to identify and track information assets throughout their lifecycle. Determining the value of information is a complex task, due to its inherent intangible qualities. The value of information is dynamic and changes from one organization to the next. The complexity of context has confounded many attempts at developing models to account for and definitively measure the value of an information asset. This is because information value is always relative to some goal(s). Since each organization has its own mission, any impact must be reported it terms of its own frame of reference. Any attempt to aggregate the impact across multiple organizations would first require developing a canonical value system across all organizations. To complicate valuation further, the value of an information resource is a time dependent variable and a function of where you are in the mission plan. The mission may require a given resource at one critical point of time in support of its mission, while at other times it may not require it at all. If the resource is inaccessible at the critical point and there is no other source for the information, the result may be inability to complete the mission. Conversely, the resource may be needed continuously throughout the mission. If the resource is inaccessible, the mission may still be able to proceed but at a greater risk of failure or increased harm to friendly forces.
Perhaps most importantly, the identification and valuation of the information assets needs to be formally estimated and documented before an incident occurs. Documentation is required to insure that the estimation of the value can be refined over time, provides transparency, reduces the time required to understand the impact of the loss of a resource, and reduces the variances in loss estimation. Far too many organizations neglect to create and maintain this important documentation. This is not due to ignorance but is often due to the difficulties in obtaining the required information, lack of personnel to collect and record the information, and fear that if the loss estimation is not properly secured it may be used as a targeting map by an adversary. Each of these impediments can be overcome if we dedicate the necessary resources. These problems must be resolved in order to supply meaningful mission impact assessment, develop a timely understanding of adversarial intent, and to enable accurate predictive situational awareness.
What are the consequences of accepting the status quo? Each day, we are the target of multiple attacks by adversarial forces in cyberspace. Even if we are successful at detecting, containing, and remediating a cyber incident in a timely manner, the failure to immediately assess the damage and report the mission impact to commanders may result in other unforeseen higher order effects that may not be immediately apparent at the time of the incident. Consider the following hypothetical scenario:
A deployed military organization is conducting an active military operation on foreign soil. One element of the operation requires the periodic delivery of supplies between facilities located in different parts of the country via ground vehicles. The commander of the unit uses a logistics management program that stores the convoy routes and schedules in a database. A system administrator needs to upgrade the server containing the database, so he temporarily relocates it to an existing database server located in another organizational unit without formally documenting the change. In the meantime, access to our network is provided to a coalition partner to facilitate information sharing on an unrelated operation. Unfortunately, the coalition partner does not enforce stringent access control policies and as a result, an adversary breaches the coalition partner’s system and subsequently breaches the database server containing convoy routes and schedules. The incident is detected by Incident Response Team (IRT) who terminates the adversary’s access to the database and begins to investigate and remediate the breach. The problem is that there is no explicit documentation which identifies all of the entities who depend upon information stored in the database or how their mission would be impacted by a breach. Before the IRT can complete their investigation and notify the affected parties, a convoy listed in the database is ambushed resulting in a significant loss of life and resources. While the scenario presented is hypothetical, it demonstrates the dire consequences that can result from failing to properly track the status of critical information assets. We cannot allow this type of situation to occur when we have it within our power to correct deficiencies in the cyber mission impact assessment process.
While the need for effective cyber damage assessment was recognized more than a decade ago, little progress has been made to attain this objective. The explosive growth of cyber attacks combined with our increasing dependencies on cyberspace to conduct military operations has resulted in the realization that devastating real world consequences can occur resulting from a cyber breach. Commanders are now keenly aware of the shortcomings of existing cyber damage assessment and are expecting progress to be made to improve the situation. The recognition that information is THE asset in cyberspace means that we should focus our efforts on developing robust technology assisted information asset identification, valuation, tracking, documentation, and reporting capabilities. The Cyber Incident Mission Impact Assessment (CIMIA) project is dedicated to overcoming these limitations to improve the accuracy and timeliness of the mission impact assessment reporting. This paradigm shift is required to provide commanders with dominate battlespace knowledge in cyberspace, meet the joint requirements on reporting cyber damage assessment, and enable predictive situational awareness.