
UNCLASSIFIED

Cyberspace and the EMS: From Awareness to Understanding

AFCEA TechnetAir, 23 March 2015

Mr. Malcolm Martin
US Army Cyber Center of Excellence
Chief, Cyber Support Element - Ft. Leavenworth, KS.


Purpose

Provide discussion of Cyberspace Situational Understanding (Cyber SU): “what it is, who uses it, and how commanders apply Cyber Situational understanding”, today and in the future.

– What has changed? Conflicts and Impacts of Cyberspace and Electronic Warfare.
– Constant threat and Actors, convergence
– Situational Awareness to Situational Understanding
– Cyber SU Concept and Operational framework
– Cyber SU Impact as holistic aspect of ULO
– Army Cyber Situational Awareness Applied
– Culture change


Georgia-Russia 2008

• August 2008 – Russian troops cross into South Ossetia with stated intent to defend their “Russian compatriots”.

• The combined arms assault was preceded by (and enabled by) a multi-faceted cyber attack against Georgian government and military infrastructure, together with defacement of web sites.

• Distributed denial of service (DDoS) attacks combined with EW jamming disrupted and denied comms, simultaneous with an integrated propaganda (MISO and MILDEC) campaign.

• The overall operation should be considered the first large-scale ‘hybrid’ combined arms operation (air, land, cyber).


Ukraine-Russia 2014

Russia’s battle with Ukraine is being fought partly in cyberspace, where it may have greater room for escalation because nations increasingly accept covert cyber attack as a valid form of international pressure when more traditional options are too violent – or too visible.

The rule of thumb for seeing disruptive cyber attacks before they happen is that “physical conflicts beget cyber conflicts.”

The current cyber battle also could spread if the overall strategic confrontation deepens, say toward a second Cold War. Such a stand-off, pitting Russia against the United States, NATO, and Ukraine

“The Russian occupation of Ukraine in 2014 was carried out with a military show of force – informed and supported by a coordinated cyber-spying campaign”.

• The situation in Ukraine has seen relations between Russia and the West deteriorate to almost Cold War levels


Cyber Adversary Tactics, Techniques, and Procedures

[Figure: “Cyberspace Threats” diagram. A hostile actor moves through planning/scanning and reconnaissance, exploitation (by way of the web server/webpages, users, and email), lateral movement, and finally the adversary intent: exfiltration, espionage, or destructive malware.]

Target System:
- Users/decision-makers
- Their devices and associated IP addresses
- Data, databases, and websites
- Network infrastructure
- Physical locations


Operational Convergence

• Nation States, Non-state actors or proxies with a full range of capabilities
• Strategy to preclude U.S. from executing preferred way of war
• Designed to impact U.S. actions, from National to Tactical

[Figure: threat actors converging on Cyber and the EMS: Near Peer Competitor (strategic capability; conventional forces & capability; cyber and EW capabilities), Regional Hegemony/Hybrid, Failed States, Non-state ideologies, Terrorist/Criminal, proxies, irregular operations, and technology transfer.]

Cyber and EW Capabilities:
- Integrated C4ISR and Fires
- High Tech: jam UAS, disrupt comms, exploit, influence and attack
- Advanced EW


Cyber Situational Awareness

JP 3-12 Cyberspace Operations

“Cyberspace SA is the requisite current and predictive knowledge of cyberspace and the OE upon which CO depend, including all factors affecting friendly and adversary cyberspace forces”.

• DODIN operations activities are the foundation of cyberspace SA; therefore, DODIN operations are fundamental to the commander’s SA of the OE.

• Accurate and comprehensive SA is critical for rapid decision making in a constantly changing OE and engaging an elusive adaptive adversary.

• SA of friendly cyberspace is provided today by the Services and agencies operating their portions of the DODIN, DISA, through the theater NETOPS centers, to the CCMD theater/global NETOPS control centers, USCYBERCOM Joint Operations Center, Joint Functional Component Command for Space’s Joint Space Operations Center, and their Service/agency leadership. They coordinate with each other as required to ensure operational effectiveness.


Cyber SA Functional Elements

(U) TRADOC Pamphlet (TP) 525-3-0, The Army Capstone Concept (ACC), asserts that the future Army requires the capability to provide leaders and Soldiers who understand how and when adversaries employ CO and cyberspace capabilities, how to mitigate adversary actions, and how to respond to gain and maintain the cyberspace advantage within the OE in support of ULO.


Awareness vs. Understanding

“Situational awareness (shared or otherwise) is not the same thing as understanding (which, unlike awareness, requires some useful grasp of the information at hand). One might argue further that understanding is different from and inferior to insight or wisdom, and that either of these should be a recognized goal on the path toward self-synchronization (which does not automatically result, even from shared situational insight or wisdom). A shared “warfighting culture” is therefore the ultimate key to shared situational understanding in the battlespace. It is on this then that we must focus”.

Richard Stuart Maltz, Military Review 2010

Army ADRP 5-0 Operations Process defines situational understanding as “The product of applying analysis and judgment to relevant information to determine the relationships among the operational and mission variables to facilitate decisionmaking.”


Cyber SU Definitions

FM 3-38 Cyber Electromagnetic Activities (CEMA): Activities leveraged to seize, retain, and exploit an advantage over adversaries and enemies in both cyberspace and the electromagnetic spectrum, while simultaneously denying and degrading adversary and enemy use of the same and protecting the mission command system. (ADRP 3-0)

To gain understanding, commanders and staffs process data to develop meaning. At the lowest level, processing transforms data into information. Analysis then refines information into knowledge. Commanders and staffs then apply judgment to transform knowledge into situational understanding. CEMA provides the means for communication and synchronization that facilitates a commander’s situational understanding of the cyber and EMS operational environment.


CEMA Operational Framework

[Figure: CEMA operational framework diagram. Electronic warfare (electronic attack, electronic protect; CF17 Phase 2), cyberspace operations, intelligence and Signal are shown as the contributing lines; DoDIN operations are network focused and threat agnostic; cybersecurity runs across the framework.]


Cyber Situational Understanding

[Figure: Cyber-SU shown as a cross-functional product. Inputs from the warfighting functions flow through the CEMA Working Group under the CDR’s intent, with coordination, synchronization and integration producing Cyber-SU; the S3 is also shown.]


Army Cyber SU CONOPS

“What must the Army do at the tactical level (corps and below) to employ cyberspace and EW capabilities as part of a combined arms strategy that enables commanders to gain and maintain advantages simultaneously in the increasingly contested cyberspace domain and the land domain?”

“The Army at Corps through BDE and below echelons lacks the ability to aggregate, analyze, and synthesize cyberspace operations information, and then integrate a visual representation of that information into the COP.”

Red, Blue, and Grey aspects, as well as how we are seen by them!

[Figure: Cyber SU Operational View - 1]

* The COP is defined by the highest tactical echelon. Each unit displays “user defined” information for their operational picture.


Cyber SU CONOPS Working Model

[Figure: working model diagram linking Cyber Mission Forces (DODIN, DCO and OCO; CONUS and Expeditionary; JFHQ-C), the Big Data Network View (JIE, COE, LWN; Cyber Analytics (Big Data), e.g. Big Data Analytics/Dagger-like, e.g. GoogleEarth-like; JIM, Industry, Commercial), the C/JFLCC, and Corps, Division and BCT Commanders & Staffs, Home Station and Deployed, with corps, division and brigade echelon symbols.]

Command Post Computing Environment contextualizes three interrelated “Awareness” outputs: Threat, Network, and Mission; and the ability to plan operations!

“What is needed to achieve Cyber SA; how will Cyber SA be integrated into the COP; and how will Commanders develop and use Cyber SU to plan, prepare, execute, and assess operations?”


Cyber SU IS ICD Strategy

[Figure: Cyber SU IS ICD (DRAFT) strategy chart, showing the ICDs, the CBA and the ONSs/JUONs that feed the Cyber SU IS ICD.]

Documents:
- Joint EW ICD, 1 Oct 09
- Cyber CBA, 15 Dec 13
- DCGS-A, 20 May 13
- Net-Enabled MC ICD, 27 Dec 11
- Joint Attack ICD, 02 May 12
- Joint Cyber SA ICD, 23 Apr 12
- LWN ICD, 30 Jul 14
- JIE ICD, 14 Jul 14
- Big data, 15 Jan 14
- ONSs 14-20079, 12-16393 (15 AUG 14, 8 NOV 12); 14-1945, 14-19420 (9 JAN 14, 12 NOV 13)
- CC-0427, 12 Nov 10
- CC-0433, 21 Dec 10

Overall requirements:
- Display all relevant cyberspace operations information to include data from other specified cyberspace elements
- Commanders need visualization of the adversary’s internet and capability along with an ability to understand CO impact on their missions
- Provide a common suite of tools enabling collaboration within the tactical community, includes sharing of ideas and situational understanding between levels of command
- Enable commanders to integrate and synchronize cyberspace operations, spectrum management operations (SMO), and intelligence operations to accomplish their missions
- Provide method that will deconflict, integrate, synchronize, and direct community awareness of cyber intelligence requirements

7 of 13 JUONs/ONSs reviewed have specific implications and are linked to the Cyber SA requirements


Cyber and EW Corps & Below CONOPS

Notional but in development from Cyber CBA 2013. * Assumption: Cyber SU capabilities fielded and CO authority granted.

Tactical Cyber and EW assets exploit, attack and influence*
- Planning
- Tiered capabilities*
- Assign AO and control measures; close area – deep area framework

Corps, Division, BCT Commanders and Staffs; Cyber/EW UA

BCTs conduct EW and cyberspace ISR in the “close” fight while the corps conducts the full range of CO and EW activities in the “deep” fight.

[Figure: corps, division and brigade echelon symbols with their CEM elements.]


Unified Land/Cyber Ops & Planning

Red, Blue, Grey and CEMA Running Estimate

Mission Analysis, COA Development, Wargaming

Interactive with Mission Command and Intelligence systems

[Figure: Cyber SA Dashboard “Look”]

Cyber SU utilizes standard geospatial reference map displays resident in the future command post computing environment. Overlay creation tools are available and provide export/sharing of displayed data directly to the Common Operational Picture (COP).


Change the Culture

The Network:
• The DODIN is the base for Mission Command, enables all Warfighting Functions, and is foundational to Cyberspace Operations, underpinning OCO & DCO functions
• The Signal Corps will remain irreplaceable in DODIN Operations, and will assume responsibility for the TS/SCI network

Signal-Intel-EW-Cyber Collaboration:
• Both internal and external collaboration is required to achieve synergy of effort
• Signal and Intel are becoming increasingly dependent upon each other

Combined Arms Cyber Teams:
• Cyberspace Operations is inherently Joint, Interagency, Intergovernmental, Multinational
• Signal, EW, and Intel capabilities must be integrated with all stakeholders to be successful

[Figure: the DODIN as the enterprise enabling platform (JWICS, NSA NET; WFX; Rifleman Radio) supporting DCO, OCO, EW, cybersecurity and the warfighting functions: MC, FIRES, Maneuver, MED, MCO, EW, INTEL.]


Drive Convergence

[Figure: “Cyber Transformation” chart showing the command post in three states, each with its networks (TS/SCI, NSANeT, JWICS, SIPR, NIPR) and mission systems.]

CURRENT (LACK OF CYBER SITUATIONAL AWARENESS)

INTERIM (MOVE TOWARD COMMON OPERATING ENVIRONMENT)

OBJECTIVE (INTEGRATED INFORMATION ENVIRONMENT)

Chart elements: staff sections IO, S6, FIRES, S2, EW and CYBER; mission systems AMDWS, BET, CPOF, GCCS-A, AFATDS, BCS-3, TAIS, DTSS, IMETS, DCGS-A; the WMA Command Post / TOC (multiple TOCs); Command Post of the Future; Common Operating Environment; Unified Cloud Data; Unified Data Center; User Defined Operational Picture; DODIN-enabled knowledge; process & resource sharing; chart rows for organization, data transport, and data and information; classification levels SECRET, UNCLASSIFIED and TOP SECRET (SCIF, NSANeT).

CONVERGENCE – The effective merging or integration of distinct staffs, networks and systems, into a unified whole to achieve decisive results.

COORDINATION – The harmonious functioning of staffs, networks and systems for effective results.

COLLABORATION – To work jointly with staffs, networks, and systems to achieve effective results.

Legend:
BMA – Business Mission Area
DIMA – DoD portion of the Intelligence Mission Area
DODIN – Department of Defense Information Network
EIEMA – Enterprise Information Environment Mission Area
JWICS – Joint Worldwide Intelligence Communication System
NIPR – Non-secure Internet Protocol (IP) Router Network
NSANeT – National Security Agency Network
SIPR – Secret Internet Protocol Router Network
TOC – Tactical Operations Center
TS/SCI – Top Secret/Sensitive Compartmented Information
WMA – Warfighting Mission Area


Mr. Malcolm W. “Mack” Martin
US Army Cyber Center of Excellence
Cyber Support Element – Fort Leavenworth, KS.
[email protected]
Office: (913) 684-4600
Mobile: (913) 991-3505

Questions?


Cyberspace Domain

CYBERSPACE: Cyberspace is a global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers (JP 1-02).

Characteristics:
• Manmade domain…ever changing
• Physical, functional, cognitive, logical/virtual and social
• Programming code and protocols define rules of the domain
• Environment and TTPs evolve at speed of code
• Constant presence – Phase 0 on-going
• Unlimited, instantaneous (operational) reach

Success in this domain means being smarter, more creative, faster, and stealthier than your opponent


Required Capabilities

Gap 17: Commander’s SU (includes social/media layer)

RC (CSa01) Overall Commander’s SU
RC (CSa02) Adversary awareness, understanding, impacts
RC (CSa03) Awareness of own networks, impacts
RC (CSa05) Legal considerations, intelligence gain & loss, risk
RC (CSa07) Awareness, understanding of social layer of network
RC (CSa08) Awareness across cyberspace and EMS enable integration
RC (CSa09) Awareness of OCO effects on adversary (BDA)

Legend: SA: Situational Awareness; EMS: Electromagnetic Spectrum; OCO: Offensive Cyberspace Operations; BDA: Battle Damage Assessment; RC: Required Capability

Cyber SU was Cyber CBA #1 Gap; Army SU Required Capabilities (RC) are directly linked to the Joint Cyber SA ICD RCs.


Unified Land Operations

ADRP 5-0: 1-10. The operations process, while simple in concept, is dynamic in execution. Commanders must organize and train their staffs and subordinates as an integrated team to simultaneously plan, prepare, execute, and assess operations. In addition to the following principles of mission command, commanders and staff consider the following principles for the effective use of the operations process:
• Commanders drive the operations process.
• Build and maintain situational understanding.
• Apply critical and creative thinking.
• Encourage collaboration and dialogue.

COMMANDERS DRIVE THE OPERATIONS PROCESS

Understanding is fundamental to the commander’s ability to establish a situation’s context. It is essential to effective decisionmaking during planning and execution.