Cyber Situational Awareness


I’m still thinking about Cyber Command and what will make it different from commands whose assets are firmly in the physical world.

One of the first priorities of this command will be to address the fundamental command and control necessity of situational awareness; the omnipresent Common Operating Picture (COP) re-imagined for the cyber domain. Or, in the words of the nascent Cyber Command, a Cyber Blue Force Tracker.

Despite the audible industry lip smacking, I think this is going to be a relatively difficult nut to crack (at least to do it well).

At issue is the fundamental idea of situational awareness as a 2-dimensional geo-spatial concept (that expands to 3-dimensions for pilots, submariners, and air defense units). There is no warfighter that isn’t immediately comfortable with a map or chart, and the typical icons that represent “blue” and “red” forces moving around on it. From drawings in the sand to paper to plexi-glass and grease pencils to computer screens, the basic metaphors have remained the same for centuries.

The map or chart is simple but powerful. In a mere two dimensions it can show the characteristics of the domain (e.g. terrain, depth, etc.), it can display the friendly and enemy order of battle with detailed data on speed, course, altitude/depth, etc., and can readily display mission plans and intent in the form of course lines, movement orders, etc. They are readily understood and easily produced.

In an Air Force Air Operations Center (AOC) or inside an Army Tactical Operations Center (TOC) nearly every display will be fundamentally geo-spatial, the map metaphor made electronic and embedded in nearly every system. “Crap on maps” with only the overlays and map source imagery changing from console to console. In the TOC, Maneuver Control System will show a map, as will the Advanced Field Artillery Tactical Data System, Force XXI Battle Command Brigade and Below, and Global Command and Control System – Army. The Tactical Airspace Integration System will mix things up by adding a third dimension to the still fundamentally geo-spatial display and Command Post of the Future will add 3-D terrain renderings.

But what about the Cyber Domain? What does a “map” of the Cyber Domain look like?


In the Cyber Domain an effective “common operating picture” must first convey situational awareness of the domain itself; the cyber equivalent of terrain. There are a variety of network modeling tools to show the linkages between nodes, traffic flow between them, and rough orientation on a geo-spatial map where significant nodes can be physically mapped. Most enterprise network administration tools do not, however, emphasize physical location because the rack in the data center is typically irrelevant.

In the military context; however, it is critical that the Cyber COP and the COPs for the physical domains match up geo-spatially for two fundamental reasons:

– ensure that cyber “terrain” and cyber resources can be readily visually correlated with the war fighting order of battle that is using / consuming them and,

– because it will often be necessary to interact with the physical devices in those physical domains so their exact locations are needed (in the case of enemy cyber assets it will often be necessary to apply physical effects, or plant physical surveillance devices).

So, in a military war fighting context network monitoring visualizations should be enhanced to optionally include hi-fidelity geo-spatial location in the visualization suitable for overlay onto standard physical domain COP tools.


What about the actual war fighting and the situational awareness tools to support it?

Perhaps the Army TOC and the Army Battle Command Systems suite that fills it provides a good analogy. Within the TOC you find a suite of systems focused on different aspects of the ground fight: maneuver (MCS), tactical maneuver (FBCB2), Air Defense (TAIS), Fires (AFATDS), Intel (AMDWS), and etc.

Of particular interest is the migration of ABCS systems to a “common viewer.” There is general recognition that a common way of interacting visually with the various mission-specific functionality is highly valuable; both for ease-of-use and application composability considerations. A similar model for cyber warfare should be considered; a Cyber Battle Command System (CBCS) to deal with the cyber situational awareness already considered, but also suites of tools for cyber offense, defense, surveillance, and etc. in a common viewer framework; with a twist.

The twist is that many cyber warfare functions will not conform to a geo-spatial 2-space construct of visualization at all. A typical Intrusion Detection System (IDS) for example may be processing data across the huge IP name space, across thousands of ports, on thousands of physical nodes, across multiple network links, and etc. The resulting analysis is n-dimensional and when simplified to fit into the constraints of a 2-D display will seem nothing like the familiar geo-spatial representation.





The resulting displays are more akin to signals processing or sonar bearing / time waterfall displays, frequency displays, and active sonar range / bearing displays. The skilled warfighter in this domain assimilates information from these various displays and internalizes it into a geo-spatial construct, because in this case their ultimately is a target with a geo-spatial location. However, this will rarely be true in cyber defense; where the warfighter will often be working against coordinated but distributed networks of probing / attacking nodes. And like it’s brethren displays, IDS visualization displays will not always be suitable for general warfighter SA but will be the domain of warfighters with specific skills like the Sonar Technicians on a submarine or airborne SIGINT analysts.

The overall CBCS suite would strive to go from high-level description of the domain terrain and warfighter-friendly SA to specific tool suites designed for highly-trained specialists but while retaining composability into the broader system suite. And that is the challenge; creating a suite of command and control and integrated “weapons” that provide appropriate situational awareness from the warfighter commander (without a signals background) to the wire licking sysadmin / network attack rating.

Leave a Reply

Your email address will not be published / Required fields are marked *