UNCLASSIFIED
Cyberspace and the EMS:
From Awareness to Understanding
AFCEA Technet Air, 23 March, 2015
Mr. Malcolm Martin
US Army Cyber Center of Excellence
Chief, Cyber Support Element-Ft. Leavenworth, KS.
Purpose
Provide discussion of Cyberspace Situational Understanding (Cyber SU): “what it is, who uses it, and how commanders apply Cyber Situational understanding”, today and in the future.
– What has changed? Conflicts and Impacts of Cyberspace and Electronic Warfare.
– Constant threat and Actors, convergence
– Situational Awareness to Situational Understanding
– Cyber SU Concept and Operational framework
– Cyber SU Impact as holistic aspect of ULO
– Army Cyber Situational Awareness Applied
– Culture change
Georgia-Russia 2008
• August 2008 – Russian troops cross into South Ossetia w/ stated intent to defend their “Russian compatriots”.
• Combined Arms assault was pre-empted by (enabled by) a multi-faceted cyber attack against Georgian gov’t and military infrastructure and defacement of web sites
• Distributed denial of service (DDoS) attacks combined with EW jamming disrupted and denied comms simultaneous to an integrated propaganda (MISO and MILDEC) campaign
• Overall operation should be considered the first large scale ‘hybrid’ combined arms operation (air, land, cyber).
Ukraine-Russia 2014
Russia’s battle with Ukraine is being fought partly in cyberspace where it may have greater room for escalation because nations increasingly accept covert cyber attack as a valid form of international pressure when more traditional options are too violent – or too visible.
The rule of thumb for seeing disruptive cyber attacks before they happen is that “physical conflicts beget cyber conflicts.”
The current cyber battle also could spread if the overall strategic confrontation deepens, say toward a second Cold War. Such a stand-off, pitting Russia against the United States, NATO, and Ukraine
“The Russian occupation of Ukraine in 2014 was carried out with a military show of force – informed and supported by a coordinated cyber-spying campaign”.
• The situation in Ukraine has seen relations between Russia and the West deteriorate to almost Cold War levels
Cyber Adversary Tactics, Techniques, and Procedures
Cyberspace Threats
[Figure labels: Hostile Actor; Reconnaissance; Planning / Scanning; Web Server / Webpages; Users; Exploitation; Lateral Movement; Exfiltration; Adversary Intent; Espionage; Destructive Malware]
Target System
- Users/decision-makers
- Their devices and associated IP addresses
- Data, databases, and websites
- Network infrastructure
- Physical locations
Operational Convergence
• Nation States, Non-state actors or proxies with a full range of capabilities
• Strategy to preclude U.S. from executing preferred way of war
• Designed to impact U.S. actions, from National to Tactical
[Figure labels: Cyber; EMS; Terrorist/Criminal; Strategic Capability; Conventional Forces & Capability; Irregular Operations; Proxies; Technology Transfer; Non-state Ideologies; Regional Hegemony/Hybrid; Near Peer Competitor; Cyber and EW Capabilities; Failed States]
- Integrated C4ISR and Fires
- High Tech: Jam UAS, disrupt comms, exploit, influence and attack
- Advanced EW
Cyber Situational Awareness
JP 3-12 Cyberspace Operations
“Cyberspace SA is the requisite current and predictive knowledge of cyberspace
and the OE upon which CO depend, including all factors affecting friendly and adversary
cyberspace forces”.
• DODIN operations activities are the foundation of cyberspace SA, therefore, DODIN
operations are fundamental to the commander’s SA of the OE.
• Accurate and comprehensive SA is critical for rapid decision making in a constantly
changing OE and engaging an elusive adaptive adversary.”
• SA of friendly cyberspace is provided today by the Services and agencies operating
their portions of the DODIN, DISA, through the theater NETOPS centers, to the CCMD
theater/global NETOPS control centers, USCYBERCOM Joint Operations Center,
Joint Functional Component Command for Space’s Joint Space Operations Center, and their Service/agency leadership. They coordinate with each other as required to
ensure operational effectiveness.
Cyber SA Functional Elements
(U) TRADOC Pamphlet (TP) 525-3-0, The Army Capstone Concept (ACC), asserts
that the future Army requires the capability to provide leaders and Soldiers that
understand how and when adversaries employ CO and cyberspace capabilities,
how to mitigate adversary actions, and how to respond to gain and maintain the
cyberspace advantage within the OE in support of ULO.
Awareness vs. Understanding
“Situational awareness (shared or otherwise) is not the same thing as
understanding (which, unlike awareness, requires some useful grasp of the
information at hand). One might argue further that understanding is different
from and inferior to insight or wisdom, and that either of these should be a
recognized goal on the path toward self-synchronization (which does not
automatically result, even from shared situational insight or wisdom).
A shared “warfighting culture” is therefore the ultimate key to shared
situational understanding in the battlespace. It is on this then that we must
focus”.
Richard Stuart Maltz, Military Review 2010
Army ADRP 5-0 Operations Process defines situational understanding as “The
product of applying analysis and judgment to relevant information to
determine the relationships among the operational and mission variables to
facilitate decisionmaking.”
Cyber SU Definitions
FM 3-38 Cyber Electromagnetic Activities (CEMA): Activities leveraged to
seize, retain, and exploit an advantage over adversaries and enemies in both
cyberspace and the electromagnetic spectrum, while simultaneously denying
and degrading adversary and enemy use of the same and protecting the
mission command system. (ADRP 3-0)
To gain understanding, commanders and staffs process data to
develop meaning. At the lowest level, processing transforms data into
information. Analysis then refines information into knowledge. Commanders
and staffs then apply judgment to transform knowledge into situational
understanding. CEMA provides the means for communication and
synchronization that facilitates a commander’s situational
understanding of the cyber and EMS operational environment.
CEMA Operational Framework
[Figure labels: EW (Electronic Attack, Electronic Protect); INTEL; Signal; CYBER; DoDIN Operations (Network Focused – Threat Agnostic); Cybersecurity; SIGNAL; CF17 Phase 2]
Cyber Situational Understanding
[Figure labels: Warfighting Functions; CEMA Working Group; CDR’s Intent; Coordination; Synchronization; Integration; Cross-Functional; Cyber-SU; S3]
Army Cyber SU CONOPS
* The COP is defined by the highest tactical echelon. Each unit displays “user defined” information for their operational picture.
“What must the Army do at the tactical level (corps and below) to employ cyberspace and EW capabilities as part of a combined arms strategy that enables commanders to gain and maintain advantages simultaneously in the increasingly contested cyberspace domain and the land domain?”
“The Army at Corps through BDE and below echelons lacks the ability to aggregate, analyze, and synthesize cyberspace operations information, and then integrate a visual representation of that information into the COP.”
Red, Blue, and Grey aspects, as well as how we are seen by them!
Cyber SU Operational View - 1
Cyber SU CONOPS Working Model
[Figure labels: Big Data Network View; Cyber Mission Forces; DODIN, DCO and OCO; CONUS and Expeditionary; JIE, COE, LWN; Corps, Division and BCT Commanders & Staffs; Home Station and Deployed; Command Post Computing Environment; CEM (at xxx, xx, x); Cyber Analytics (Big Data); e.g. Big Data Analytics / Dagger-like; e.g. GoogleEarth-like; JIM; Industry; Commercial; C/JFLCC; JFHQ-C]
Contextualizes three interrelated “Awareness” outputs: Threat, Network, and Mission; and the ability to plan operations!
“What is needed to achieve Cyber SA; how will Cyber SA be integrated into the COP;
and how will Commanders develop and use Cyber SU to plan, prepare, execute, and
assess operations?”
Joint EW ICD, 1 Oct 09
Document / Overall Requirement
Display all relevant cyberspace operations information to include data from other specified cyberspace elements
Cyber CBA, 15 Dec 13
Commanders need visualization of the adversary’s internet and capability along with an ability to understand CO impact on their missions
ICDs, CBA, ONSs
DCGS-A, 20 May 13
Provide a common suite of tools enabling collaboration within the tactical community, includes sharing of ideas and situational understanding between levels of command
Enable commanders to integrate and synchronize cyberspace operations, spectrum management operations (SMO), and intelligence operations to accomplish their missions
Provide method that will deconflict, integrate, synchronize, and direct community awareness of cyber intelligence requirements
Cyber SU IS ICD Strategy
Net-Enabled MC ICD, 27 Dec 11
Joint Attack ICD, 02 May 12
Joint Cyber SA ICD, 23 Apr 12
LWN ICD, 30 Jul 14
JIE ICD, 14 Jul 14
Big data, 15 Jan 14
14-20079, 12-16393
15 AUG 14 8 NOV 12
14-1945, 14-19420
9 JAN 14, 12 NOV 13
7 of 13 JUONs/ONSs reviewed have specific implications and are linked to the Cyber SA requirements
Cyber SU IS ICD DRAFT
CC-0427, 12 Nov 10
CC-0433, 21 Dec 10
Notional but in development from Cyber CBA 2013. * Assumption: Cyber SU capabilities fielded and CO authority granted
Cyber and EW Corps & Below CONOPS
[Figure labels: CEM (at xxx, xx, x); Cyber/EW; UA]
Tactical Cyber and EW assets exploit, attack and influence*
- Planning
- Tiered capabilities*
- Assign AO and control measures; close area – deep area framework
Corps, Division, BCT Commanders and Staffs
BCTs conduct EW and cyberspace ISR in the “close” fight while the corps conducts the full range of CO and EW activities in the “deep” fight
Unified Land/Cyber Ops & Planning
Red, Blue, Grey and CEMA Running Estimate
Mission Analysis, COA Development, Wargaming
Interactive with Mission Command and Intelligence systems
Cyber SA Dashboard “Look”
Cyber SU utilizes standard geospatial reference map displays resident in the future
command post computing environment. Overlay creation tools are available and provide
export/sharing of displayed data directly to the Common Operational Picture (COP).
Change the Culture
The Network:
• The DODIN is the base for Mission Command, enables all Warfighting Functions, and is foundational to Cyberspace Operations, underpinning OCO & DCO functions
• The Signal Corps will remain irreplaceable in DODIN Operations, and will assume responsibility for the TS/SCI network
Signal-Intel-EW-Cyber Collaboration:
• Both internal and external collaboration is required to achieve synergy of effort
• Signal and Intel are becoming increasingly dependent upon each other
Combined Arms Cyber Teams:
• Cyberspace Operations is inherently Joint, Interagency, Intergovernmental, Multinational
• Signal, EW, and Intel capabilities must be integrated with all stakeholders to be successful
[Figure labels: DODIN; DCO; OCO; MC, FIRES, Maneuver, MED, MCO, EW, INTEL; JWICS; NSA NET; EW; Enterprise; Enabling Platform; WFX; Cybersecurity; Rifleman Radio]
Drive Convergence
[Figure: “Cyber Transformation” of the command post, shown in three stages]
- CURRENT (LACK OF CYBER SITUATIONAL AWARENESS)
- INTERIM (MOVE TOWARD COMMON OPERATING ENVIRONMENT)
- OBJECTIVE (INTEGRATED INFORMATION ENVIRONMENT)
[Figure labels: COMMAND POST OF THE FUTURE; COMMON OPERATING ENVIRONMENT; USER DEFINED OPERATIONAL PICTURE; UNIFIED CLOUD DATA; UNIFIED DATA CENTER; DODIN ENABLED KNOWLEDGE; WMA COMMAND POST / TOC; DATA; INFORMATION; PROCESS & RESOURCE SHARING; ORGANIZATION; DATA TRANSPORT; networks: TS/SCI, NSANeT, JWICS, SIPR, NIPR; SCIF; classification levels: UNCLASSIFIED, SECRET, TOP SECRET; staff sections: IO, S6, FIRES, S2, EW, CYBER; systems: AMDWS, BET, CPOF, GCCS-A, AFATDS, BCS-3, TAIS, DTSS, IMETS, DCGS-A]
COORDINATION: The harmonious functioning of staffs, networks and systems for effective results.
COLLABORATION: To work jointly with staffs, networks, and systems to achieve effective results.
CONVERGENCE: The effective merging or integration of distinct staffs, networks and systems, into a unified whole to achieve decisive results.
BMA – Business Mission Area
DIMA – DoD portion of the Intelligence Mission Area
DODIN – Department of Defense Information Network
EIEMA – Enterprise Information Environment Mission Area
JWICS – Joint Worldwide Intelligence Communication System
NIPR – Non-secure Internet Protocol (IP) Router Network
NSANeT – National Security Agency Network
SIPR – Secret Internet Protocol Router Network
TOC – Tactical Operations Center
TS/SCI – Top Secret/Sensitive Compartmented Information
WMA – Warfighting Mission Area
Mr. Malcolm W. “Mack” Martin
US Army Cyber Center of Excellence
Cyber Support Element – Fort Leavenworth, KS.
Office: (913) 684-4600
Mobile: (913) 991-3505
Questions?
Cyberspace Domain
CYBERSPACE: Cyberspace is a global
domain within the information environment
consisting of the interdependent network of
information technology infrastructures and
resident data, including the Internet, telecommunications networks, computer
systems, and embedded processors and
controllers (JP 1-02).
Characteristics:
• Manmade domain…ever changing
• Physical, functional, cognitive, logical/virtual and social
• Programming code and protocols define rules of the domain
• Environment and TTPs evolve at speed of code
• Constant presence – Phase 0 on-going
• Unlimited, instantaneous (operational) reach
Success in this domain means being smarter, more
creative, faster, and stealthier than your opponent
Required Capabilities
RC (CSa01) Overall Commander’s SU
Gap 17: Commander’s SU (includes social/media layer)
RC (CSa02) Adversary awareness, understanding, impacts
RC (CSa03) Awareness of own networks, impacts
RC (CSa05) Legal considerations, intelligence gain & loss, risk
RC (CSa07) Awareness, understanding of social layer of network
RC (CSa08) Awareness across cyberspace and EMS enable integration
RC (CSa09) Awareness of OCO effects on adversary (BDA)
Legend
SA: Situational Awareness
EMS: Electromagnetic Spectrum
OCO: Offensive Cyberspace Operations
BDA: Battle Damage Assessment
RC: Required Capability
Cyber SU was Cyber CBA #1 Gap; Army SU Required Capabilities (RC) are directly linked to the Joint Cyber SA ICD RCs.
Unified Land Operations
ADRP 5-0: 1-10. The operations process, while simple in concept is dynamic in
execution. Commanders must organize and train their staffs and subordinates as an
integrated team to simultaneously plan, prepare, execute, and assess operations. In
addition to the following principles of mission command, commanders and staff
consider following principles for the effective use of the operations process:
• Commanders drive the operations process.
• Build and maintain situational understanding.
• Apply critical and creative thinking.
• Encourage collaboration and dialogue.
COMMANDERS DRIVE THE OPERATIONS PROCESS
Understanding is fundamental to the commander’s ability to establish a situation’s
context. It is essential to effective decisionmaking during planning and execution.