Cyber Situational Awareness


I’m still thinking about Cyber Command and what will make it different from commands whose assets are firmly in the physical world.

One of the first priorities of this command will be to address the fundamental command and control necessity of situational awareness; the omnipresent Common Operating Picture (COP) re-imagined for the cyber domain. Or, in the words of the nascent Cyber Command, a Cyber Blue Force Tracker.

Despite the audible industry lip smacking, I think this is going to be a relatively difficult nut to crack (at least to do it well).

At issue is the fundamental idea of situational awareness as a 2-dimensional geo-spatial concept (that expands to 3-dimensions for pilots, submariners, and air defense units). There is no warfighter that isn’t immediately comfortable with a map or chart, and the typical icons that represent “blue” and “red” forces moving around on it. From drawings in the sand to paper to plexi-glass and grease pencils to computer screens, the basic metaphors have remained the same for centuries.

The map or chart is simple but powerful. In a mere two dimensions it can show the characteristics of the domain (e.g. terrain, depth, etc.), it can display the friendly and enemy order of battle with detailed data on speed, course, altitude/depth, etc., and can readily display mission plans and intent in the form of course lines, movement orders, etc. They are readily understood and easily produced.

In an Air Force Air Operations Center (AOC) or inside an Army Tactical Operations Center (TOC) nearly every display will be fundamentally geo-spatial, the map metaphor made electronic and embedded in nearly every system. “Crap on maps” with only the overlays and map source imagery changing from console to console. In the TOC, Maneuver Control System will show a map, as will the Advanced Field Artillery Tactical Data System, Force XXI Battle Command Brigade and Below, and Global Command and Control System – Army. The Tactical Airspace Integration System will mix things up by adding a third dimension to the still fundamentally geo-spatial display and Command Post of the Future will add 3-D terrain renderings.

But what about the Cyber Domain? What does a “map” of the Cyber Domain look like?


In the Cyber Domain an effective “common operating picture” must first convey situational awareness of the domain itself; the cyber equivalent of terrain. There are a variety of network modeling tools to show the linkages between nodes, traffic flow between them, and rough orientation on a geo-spatial map where significant nodes can be physically mapped. Most enterprise network administration tools do not, however, emphasize physical location because the rack in the data center is typically irrelevant.

In the military context, however, it is critical that the Cyber COP and the COPs for the physical domains match up geo-spatially for two fundamental reasons:

– to ensure that cyber “terrain” and cyber resources can be readily visually correlated with the war fighting order of battle that is using / consuming them, and

– because it will often be necessary to interact with the physical devices in those physical domains so their exact locations are needed (in the case of enemy cyber assets it will often be necessary to apply physical effects, or plant physical surveillance devices).

So, in a military war fighting context, network monitoring visualizations should be enhanced to optionally include high-fidelity geo-spatial location, suitable for overlay onto standard physical domain COP tools.


What about the actual war fighting and the situational awareness tools to support it?

Perhaps the Army TOC and the Army Battle Command Systems suite that fills it provide a good analogy. Within the TOC you find a suite of systems focused on different aspects of the ground fight: maneuver (MCS), tactical maneuver (FBCB2), Air Defense (TAIS), Fires (AFATDS), Intel (AMDWS), etc.

Of particular interest is the migration of ABCS systems to a “common viewer.” There is general recognition that a common way of interacting visually with the various mission-specific functionality is highly valuable, both for ease-of-use and application composability considerations. A similar model for cyber warfare should be considered: a Cyber Battle Command System (CBCS) to deal with the cyber situational awareness already considered, but also suites of tools for cyber offense, defense, surveillance, etc. in a common viewer framework; with a twist.

The twist is that many cyber warfare functions will not conform to a geo-spatial 2-space construct of visualization at all. A typical Intrusion Detection System (IDS), for example, may be processing data across the huge IP name space, across thousands of ports, on thousands of physical nodes, across multiple network links, etc. The resulting analysis is n-dimensional and, when simplified to fit into the constraints of a 2-D display, will seem nothing like the familiar geo-spatial representation.





The resulting displays are more akin to signals processing or sonar bearing / time waterfall displays, frequency displays, and active sonar range / bearing displays. The skilled warfighter in this domain assimilates information from these various displays and internalizes it into a geo-spatial construct, because in this case there ultimately is a target with a geo-spatial location. However, this will rarely be true in cyber defense, where the warfighter will often be working against coordinated but distributed networks of probing / attacking nodes. And like its brethren displays, IDS visualization displays will not always be suitable for general warfighter SA but will be the domain of warfighters with specific skills, like the Sonar Technicians on a submarine or airborne SIGINT analysts.

The overall CBCS suite would strive to go from high-level description of the domain terrain and warfighter-friendly SA to specific tool suites designed for highly-trained specialists, while retaining composability into the broader system suite. And that is the challenge: creating a suite of command and control and integrated “weapons” that provide appropriate situational awareness from the warfighter commander (without a signals background) to the wire licking sysadmin / network attack rating.

• • •

8th AF Cyber Command

After a couple of off-topic posts (rants?) I’m going to try to get back on track now with some thoughts, just thinking out loud really, on the new Air Force Cyber Command.

During the Cold War the U.S. Navy Submarine force is said to have engaged in an on-going hidden near-war referred to by its participants as “Cowboys and Cossacks.” Like the aggressive interactions between U.S. Air Force interceptors and Soviet Tu-54 Bear strategic bombers, these torpedo-less near-fights tested and improved tactics, validated the U.S. force’s acoustic superiority, gathered voluminous and detailed intelligence, and established the hunter mentality required to be prepared if called upon to rapidly transition to real war.

During a recent briefing on the new Cyber Command by Lt. Gen. Elder of the 8th Air Force I found myself hoping we are establishing the same kind of aggressive dominance in the Cyber domain that we previously established in air and submarine warfare. Are we proving to ourselves in real world situations today that we will be able to gain, maintain, and exploit information superiority at the tactical, operational, and strategic levels of war?

Lt. Gen. Elder reiterated the Joint Chiefs’ definition of the cyber domain as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.”

My first reaction was that a definition that broad, by trying to include everything, may be too broad to effectively address anything.

Much of Lt. Gen. Elder’s discussion then went on to focus on the protection of military networks and the disruption of enemy networks through a combination of electronic and kinetic means. I had never really thought of a HARM missile as a cyber weapon before, but within the 8th AF’s definition of the Cyber Domain it makes sense.

The Cyber Command will have its hands full if it is going to have to deal from day one with everything from radars to satellites, IP networks to IFF beacons, bot networks to SIGINT, and everything electronic in between; offensively and defensively, at the tactical, operational, and strategic levels of war (maybe those definitions no longer really make as much sense?). Starting from a clean slate and focusing more narrowly might be easier than fighting the organizational battles associated with taking on existing programs, capabilities, and responsibilities.

My natural instinct would be to have DHS and law enforcement focus on cyber defense of CONUS commercial and infrastructure vulnerabilities, use “organic” defensive units for defense of tactical and operational level defense networks (with Cyber Command development of tactics, techniques, and procedures), and focus the 8th AF on “cyber deep strike.”


Because of the 8th AF strategic heritage going all the way back to 1940s Europe, I was really expecting more focus on cyber deep strike. In the same way that the 8th AF was used during WWII to disrupt civilian infrastructure by striking deep into enemy territory, I assumed an 8th-AF-seeded Cyber Command would have significant focus on behind-the-lines disruption of communications, power generation and distribution, banking and financial services, and other key infrastructure; at least where our potential adversaries are reliant on modern networks for those functions.

Obviously, in an asymmetric context Cyber Command becomes mostly about defense and maintenance of information superiority while the offensive operations are carried out in the land, sea, and air domains.

There are some problems with strategic deep strike cyber warfare which might be why it wasn’t really mentioned.

To conduct strategic deep strikes you need intelligence on targets and vulnerabilities. Strategic cyber warfare is bound by some of the same constraints as early Cold War strategic air warfare. To identify targets inside of a potential enemy’s domain you had to fly over it. If you are the 8th AF in 1943 you might get shot down flying recce flights; or if it is 1960 you might end up trading spies for Francis Gary Powers.

The problem is, how do you identify targets and build up your “cyber MIDB” without taking the risk of conducting illegal activities on a potential enemy’s networks?

Today US military and critical-infrastructure commercial networks are regularly probed by both state and non-state actors for vulnerabilities. We should not assume that these probes are looking for immediate payoff; but instead should assume that our potential adversaries are simply building up their own cyber MIDB.

We should probably be doing the same thing. However, we should also remember that cracking is almost always a combination of network-based efforts with “social engineering,” or good old-fashioned human intelligence gathering.

For example, if Cyber Command is interested in being able to disrupt a future adversary’s electric grid or telephone infrastructure, it may be useful to obtain engineering information from SCADA and telephone switching vendors in use in those countries; and where “natural” vulnerabilities are not readily available, it may be required to install software agents within those systems in situ. Naturally this will require close coordination between Cyber Command and other government agencies.

It may not always be necessary to directly identify and exploit an adversary’s network vulnerabilities. There are as many as 100 million compromised personal computers on the Internet throughout the world today combined into remote controlled bot networks.

These are generally painstakingly assembled machine by machine and then control is sold to people interested in using them for a range of illegal activities. However, in some cases bot networks in the US may have been assembled by state actors and designed to look like the work of criminal gangs and placed into “standby” for use to disrupt commercial network activities when desired at a later date.

It may also be possible to co-opt these bot networks without actually conducting the illegal activity that initially compromises the machines, by discovering the illegal networks and then identifying the particular exploit used, and then exploiting the exploit at a later time. Identifying these indirect vulnerabilities in our potential adversary’s networks and making them available in our cyber MIDB could be a valuable strategy for predetermining deep strike targets and vulnerabilities while conducting completely legal network activity.

• • •

The Cost of War

The President submitted his budget to the Congress last week and the numbers were staggering. With supplementals, the proposed defense budget at $620 billion is the highest it has been since the Korean War.

I was in the Navy when Reagan was spending the military out of its post-Vietnam malaise (and the CCP back to its pre-Soviet roots) so I thought I knew what high military spending looked like. A 600 ship Navy, star wars weapon systems, complete new facilities for bases one step from the BRAC list, etc.

We are spending that much or more now. The difference is that in the ’80s we were spending in a sense just to spend it; we simply needed to out-spend the Soviets and drive them into a hole as we forced them to try to keep up. In some ways the “what” mattered less than the “how much.”

Now we are spending it to meet very real and pressing needs. Today we are spending it to replace equipment being worn out in the desert sand, to pay for the troops who run that equipment, while at the same time we continue to equip our forces for tomorrow’s potential threats.

This budget was sent to Congress the same week that I was gathering my tax stuff together and it got me thinking. Numbers this large become little more than an abstraction to an individual (and I suspect that our political leaders are happy to keep it that way) but in a democratic republic it seems to me that citizens should understand things like this in more concrete terms. How much is this war costing me this year? How much is it going to cost me in total?

I’m an engineer… so I reached for a mechanical pencil and a napkin.

There are approximately 300 million men, women, and children in the U.S. What if each one of them got an invoice for their share?

Here’s yours:


Where did that number come from?

This year’s supplemental request is $141B spread across those aforementioned 300 million men, women, and children. Your share will be $470. If your kids don’t have jobs, pay theirs too.

Wait though… the $170B is only the supplemental. Current operations are also being paid for out of the normal defense budget. The amount is a little bit murky; but when you consider equipment wear and tear, operational and training costs, the cost of in-country re-building etc, it is probably another $100B or so (the budget acknowledges at least $30B for equipment re-set). If we call it roughly $240B when all up then your share becomes $800; again, you’ll need to write a check that covers your entire family.

By the way, your share of the entire defense budget (not just associated with this war) will be $2,076 (per person).

Since this is the first time we’ve sent out these invoices, we’re going to need to recoup fees for the previous years as well. All told, estimates of the war’s cost to date run about $1.35 trillion, or about $4,500 per person; we’ll add that to the $800 you already owe for a total so far of $5,300 per person.

The ‘07 budget will get us through the end of ‘07 and maybe we will have wound down our presence by then. I’m going to go out on a limb and guess that we won’t be completely out yet (though it would be wonderful if I’m wrong). If we are half way out, our ‘08 budget will add another $400 to your total, plus we need to account for two years of $15B per year to replace worn out equipment. No worries, that’s only another $50.

All up it is looking like $5,750 per person plus or minus 25% (after all, we are doing this on the back of an envelope).

Of course, this isn’t how our tax code works. We never adopted a straight tax and you don’t get an invoice labeled “War on Terrorism Fee” (at least not until we outsource the rest of the military to Blackwater and Canopy).

So to figure out what you’ll really pay we have to account for where you are in the tax bracket hierarchy. If you are poor, this may be one time in your life you’ll consider yourself lucky as you will pay for less of the war than what is indicated above. If you are in a higher bracket generally you will pay more for the war.

Back to our assumption that the war should cost about $240B in ‘07. With a total budget request of $2.8T the war will cost about 8.5% of the total budget this year. Just multiply your estimated ‘07 taxes paid (the net, not the gross) by that percentage to figure out what share of your taxes will be going to the war. To estimate your 2007 taxes just take your latest return and scale it up by any expected pay increases. I’m not going to say what this number is for me when I figure it out, but it is significant.

For example, if you will make $100,000 in 2007 and are in the standard 28% tax bracket, your total bill for the war in 2007 will be approximately $2,380 (not accounting for deductions).

Don’t forget, that’s just one year. Do the same thing for each of the last four years and then guess how many more years you’ll need to do it for just like we did above to estimate the total cost of the war to you and your family. For our $100,000 family that might end up around $11,210 or more.

Wait… that’s not quite right. That math assumed that we are paying for this war as we go. But since our current rate of deficit spending is 15% after the administration’s tax cuts ($2.8T in budget against optimistically estimated revenues of $2.4T) we aren’t paying for it as we go. We are paying for no more than 85% of it as we go, and the Chinese are paying for the rest by buying Treasury bonds. So, if you are the hypothetical $100,000 income family, you are actually going to pay $11,210 and you’ll be in debt by an additional $1,681.

When you get the invoice you’ll have to use your own political persuasion to inform how you think that $1,681 or more will be paid back to the Chinese. Either pay it yourself when a new administration comes in and starts paying down our debts or just turn around and give the invoice to your kids. They can write IOU on it. Maybe China will let them wash dishes when they grow up to pay it off.

If you want to completely eliminate any remaining vestiges of abstraction in this math, just ask yourself how many hours, deals, days, or whatevers you are going to have to work to earn that much after-tax income. I’m sure the number feels significant but I’m equally sure it pales in comparison to the fees being paid by our soldiers, Marines, airmen, and sailors who are participating in a much more personal way.

• • •