Issue link: http://vanguardcanada.uberflip.com/i/1136584
www.vanguardcanada.com JUNE/JULY 2019 CYBER

Understanding the interdependency

How a network is managed, specifically its technical management capabilities, has a significant impact on the range of mechanical options available to cyber defence and security personnel. Deploying purpose-built defensive cyber operations (DCO) capabilities is required, but it is not the simple acquisition, deployment, and use of those technologies that will win the cyber fight, just as simply having tanks does not win the tactical fight. From a technology perspective, many advanced cyber defence tools need specific types of services, configurations, and accounts in order to function effectively. In terms of process, change and configuration management needs to account for actions that may be initiated for defence or security purposes. Finally, DCO/ITS capabilities can be used to enable in-service support (ISS) and product managers to monitor and manage the health and hygiene of an IT system more effectively, which directly benefits any related defence or security efforts.

A network's maturity states for cyber defence and for system management are highly linked

Cyber capabilities depend upon the maturity of a range of processes and technical configurations within an IT system. There are many examples of this type of dependency: deploying security patches within a network uses the same mechanisms that system uses to deploy any generic patch; effective network monitoring should use context information from endpoints and networking devices to inform and enrich the information it collects; deploying custom tools to devices during an incident relies upon the IT system's underlying ability to remotely install, manage, and configure programs; and restoring a hacked device to a safe and trusted state leverages the tools used to deploy new hosts and to manage endpoint configuration.
What the defender can do in any given situation is limited or enabled by the options that the underlying system provides. Increases in the type and quality of available information can improve intrusion detection activities, just as granular endpoint configuration management can improve the dexterity of actions aimed at blocking an attack or eradicating malicious code. Given this critical dependency, the capabilities to manage network infrastructure, users, programs, endpoints, and data should be recognized as providing two types of value to any organization. The first is the efficiencies gained in the management of the system, which by itself is of significant value. The second is the increased cyber operational capability that is generated. The converse is also important to understand, particularly when deploying ad hoc or scaled-down networks in support of deployed operations. Losing management capabilities in a system, or deciding not to build in specific management features, has effects beyond the ISS organization and could limit the degree to which cyber operations can be successful. Within any deployed military system, DCO/ITS capability requirements must be accounted for in management and configuration tools and processes, as they will either limit or enable the available response options.

All configuration changes on a system should use the same change mechanisms

For many types of cyber events that require a response, time and human resources are limited. High-threat security patches need to be pushed out and installed across disparate networks before the vulnerability they patch can be exploited. Devices that have been compromised need to be quarantined, investigated, and restored. Changes to how networking infrastructure moves data within a system may be required to defeat an ongoing attack.
In all of these cases, the response to an attack requires making a change to the system, and the efficacy of that change will determine how successful the response is. The need to take timely action commonly leads to the idea of giving DCO/ITS teams the access and authorization to implement changes directly, particularly where ISS organizations are not resourced to provide timely support. For a single incident and a small set of changes, the potential risks may not be obvious, as their impacts are likely predictable and therefore seem manageable. Scaled over time and across an enterprise with potentially multiple DCO/ITS teams, however, significant system stability risks will arise as repeated system changes cause variations between what the configuration should be and what it actually is. The knowledge level of the DCO/ITS individual conducting the action may be insufficient to understand its broader system-level impacts, and solutions developed without the support of ISS or the related product manager are less likely to be the most effective method of achieving a particular goal. While there is no doubt that actions need to be taken in response to current or potential incidents, there are alternatives to giving DCO/ITS teams the ability to change configurations themselves. ISS and engineering teams should be resourced to provide timely support, which has the added benefit of increasing the resources available to provide general support for that system. For those cases where required actions have very tight timelines, pre-established sets of actions can be designed and prepared by the correct support personnel to create a library of pre-authorized

[Photo caption] CPL Dave Bergeron and PVT Danny Gagne test the Multilateral Interoperability Programme used to transmit information between nations during Combined Endeavor. Photo: U.S. Air Force photo/Senior Airman Adawn Kelsey.
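As an added illustration of the argument above (example code, not from the article or any DND/CAF system), the following Python models one change mechanism through which every configuration change flows, a library of pre-authorized DCO actions prepared in advance by support staff, and a drift check between the intended and observed configuration; all host names, actions, and configuration values are constructed.

```python
# Added example, not from the Vanguard article: one change mechanism for every
# configuration change, a library of pre-authorized DCO actions, and a drift check
# between the intended and observed state.  Hosts, actions and values are constructed.
from dataclasses import dataclass, field

# Hypothetical library prepared in advance by ISS/engineering staff: action name ->
# the configuration keys and values that action is authorized to set.
PREAUTHORIZED = {
    "quarantine_host": {"vlan": "quarantine", "outbound": "deny"},
    "deploy_security_patch": {"patch_level": "2019-06"},
}

@dataclass
class ChangeManager:
    desired: dict = field(default_factory=dict)  # host -> configuration it should have
    actual: dict = field(default_factory=dict)   # host -> configuration observed on it
    log: list = field(default_factory=list)      # (team, host, action, outcome)

    def request(self, team, host, action):
        """A DCO/ITS team requests an action by name; anything not in the library is refused."""
        if action not in PREAUTHORIZED:
            self.log.append((team, host, action, "refused: not pre-authorized"))
            return False
        delta = PREAUTHORIZED[action]
        self.desired.setdefault(host, {}).update(delta)  # record of intended state first
        self.actual.setdefault(host, {}).update(delta)   # then the push through the same mechanism
        self.log.append((team, host, action, "applied"))
        return True

    def drift(self):
        """Per-host differences between intended and observed values: key -> (should, is)."""
        report = {}
        for host in set(self.desired) | set(self.actual):
            want, have = self.desired.get(host, {}), self.actual.get(host, {})
            diff = {k: (want.get(k), have.get(k))
                    for k in set(want) | set(have) if want.get(k) != have.get(k)}
            if diff:
                report[host] = diff
        return report

def out_of_band_change(cm, host, key, value):
    """Simulates a change made directly on the host, bypassing the change mechanism,
    so the record of intended state is never updated."""
    cm.actual.setdefault(host, {})[key] = value

if __name__ == "__main__":
    cm = ChangeManager()
    cm.request("dco-team-1", "host-a", "quarantine_host")
    out_of_band_change(cm, "host-a", "outbound", "allow")  # egress re-enabled by hand
    print(cm.drift())  # {'host-a': {'outbound': ('deny', 'allow')}}
```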