Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR
Issue link: http://vanguardcanada.uberflip.com/i/1065131
20 DECEMBER 2018/JANUARY 2019 www.vanguardcanada.com

successful, as well as the planning and execution of real-world operations to get the malware close to its target. From start to finish, the Stuxnet attack likely took many months, if not years, to gather intelligence, plan, and target this single specific system. It is only useful to compare Stuxnet to a threat to another system if it has the same strategic value as Natanz to a capable adversary.

Stuxnet, a virus that spread around the world while attempting to locate and disable Iranian uranium centrifuges at the Natanz nuclear facility, is a prime example of a meteor.

Don't worry about cyber-meteors. To verify if a risk is a meteor ask: "When has this risk been seen in a real situation with relevant context to this mission?", "Under which conditions would this risk be the attack mechanism selected by a known adversary?", and "Why would the use of this tactic be of optimal value to a known adversary?"

There are many IT risk-based methodologies that are used to support IT/cyber decision-making, most of which are ineffective for a variety of reasons. IT and cyber communities are replete with various risk-based methodologies, many of which are deeply flawed or inappropriate to support a military commander's decision-making. When being presented with a risk assessment, a commander or their staff should challenge conclusions if they observe any of the following circumstances:

a) There is a vulnerability assessment that is masquerading as a risk assessment. IT security professionals have a tendency to generalize operational impacts and threat likelihoods, which can cause cases where non-compliance to a standard or the mere presence of a vulnerability is called a risk. Risks only occur where there is also a threat (likelihood) or a verified potential impact. Don't get caught protecting a CF-18 from a meteor.
b) Be wary of risk assessments that use general threat levels to describe the threat to a system. Requesting a cyber threat level for an entire system, geographic region, or operation is as useful as asking what the temperature is on the planet. Drive your intelligence staff to get useful threat assessments.
c) When considering directed threats from state-level adversaries, be wary of risk assessments that do not account for non-technical aspects of how attacks would be planned and executed within a larger non-cyber effort, as this creates cyber-meteors. Relevant factors inhibiting cyber tactically include: duration of effect, development cost, complexity, opportunity, the ability to synchronize effects, and the scale of targets. Drive your staff to get useful risk assessments, accounting for how cyber is a single component of the larger picture.
d) Avoid using any risk assessments that are oriented toward a specific standard rather than toward the realities of the mission.

Commanders should recognize that having DCO capabilities can enable them to actively defend a system and avoid relying upon risk avoidance as a primary strategy. Making quality risk decisions means challenging models and information that do not make sense.

Lexicon is the enemy of effective decision-making. Placing 'cyber' or 'IT' in a phrase confuses its meaning and creates the impression that it is somehow distinct from the word it is placed with. For example, cyber espionage is espionage leveraging cyber. Cyber mission assurance should be a subcomponent of mission assurance. IT security should be an integrated component of security. Cyber intelligence, surveillance, and reconnaissance (ISR) should be a subcomponent of ISR. Eliminate the disjointedness between functions that have been segregated by lexicon and the cyber prefix by simply flipping them around and directing the function that cyber was modifying to ensure that cyber is integrated.
For example, those responsible for ISR should be tasked with ensuring that cyber ISR is integrated into ISR.

To succeed in cyber, commanders should ensure that they understand how to frame the cyber problem to their mission, cause integrated planning to occur, drive intelligence producers to provide relevant information, ensure that technical cyber specialists look beyond the technical, and avoid pitfalls in decision-making.

For the past decade, Nicholas Scheurkogel has led key cyber intelligence capabilities at the Department of National Defence (DND) including strategic cyber assessment, tactical support to cyber defence teams, and intelligence operations. Since 2006, he was the go-to cyber threat expert at DND and beyond. He is currently Director, Cyber Intelligence at Cytelligence.