Saturday, July 03, 2010

Lessons from NETOPS vs CND

Volume 13 Issue 2 of IATAC's IA Newsletter features an article titled Apples and Oranges: Operating and Defending the Global Information Grid by Dr Robert F Mills, Maj Michael Birdwell, and Maj Kevin Beeker. The article nicely argues for refocusing DoD's "NETOPS" and "CND" missions, where the former is defined currently as

activities conducted to operate and defend the Global Information Grid

and the latter is defined currently as

actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

After spending years to "converge" the two missions, the authors argue DoD needs to separate them (as I understand the Air Force has done, bringing back the AFCERT for example).

I'd like to present selected excerpts with my own emphasis.

Cyberspace is a contested, warfighting domain, but we’re not really treating it as such, partly because our language and doctrine have not matured to the point that allows us to do so.

One reflection of our immature language is our inability to clearly differentiate the concepts of network operations (NETOPS) and computer network defense (CND). This creates confusion about the roles and responsibilities for provisioning, sustaining, and defending the network — much less actually using it.

Only by separating these activities can we more effectively organize, train, and equip people to perform those tasks...

Effective CND uses a defense-in-depth strategy and employs intelligence, counterintelligence, law enforcement, and other military capabilities as required. However, the CND culture is largely one of information assurance (e.g., confidentiality, integrity, and availability), system interoperability, and operations and maintenance (O&M).

Many of the things that we routinely call ‘cyberspace defense’ in cyberspace are really just O&M activities — such as setting firewall rules, patching servers and workstations, monitoring audit logs, and troubleshooting circuit problems...

[W]e do not treat cyberspace operations like those conducted in other domains... [T]housands of systems administrators routinely count and scan computers to ensure that their software and operating system patches are current. The objective is 100% compliance, but even if we could achieve that, this is a maintenance activity.

(Indeed, do we even really know how many computers we have, let alone how many are compliant?)

This is no more a defensive activity than counting all the rifles in an infantry company and inspecting them to ensure that they are properly cleaned and in working order.

Our current NETOPS/CND mindset is intentionally focused inward... Contrast this with a traditional warfighting mentality in which we study an adversary’s potential courses of action, develop and refine operational plans to meet national and military objectives, parry thrusts, and launch counter attacks.

While we do worry about internal issues such as security, force protection, logistics, and sustainment, our focus remains outward on the adversary.

Does that sound familiar? An "outward focus on the adversary" reminds me of my concept of threat-centric security instead of "inward" or vulnerability-centric security.

Our intent is not to diminish the importance of NETOPS activities... But they are not defensive activities — at least not in the classical understanding of the concept. Turning to Carl von Clausewitz, we see a much different concept of defense than is currently applied to cyberspace:

"Pure defense, however, would be completely contrary to the idea of war, since it would mean that only one side was waging it....

But if we are really waging war, we must return the enemy’s blows; and these offensive acts in a defensive war come under the heading of ‘defense’ – in other words, our offensive takes place within our own positions or theater of operations.

Thus, a defensive campaign can be fought with offensive battles, and in a defensive battle, we can employ our divisions offensively... So the defensive form of war is not a simple shield, but a shield made up of well-directed blows."

I find it interesting to see these authors cite Clausewitz. Anyone notice blast Sun Tzu but speak better of Clausewitz recently?

These definitions of defense do not sound like our current approach to NETOPS and CND. Clausewitz might say we have a shield mentality about cyber defense...

An active defense — one that employs limited offensive action and counterattacks to deny the adversary — will be required to have a genuinely defensive capability in cyberspace.

Our recommendations to remedy this situation are as follows:

  1. Redefine NETOPS as “actions taken to provision and maintain the cyberspace domain.” This would capture the current concepts of operations and maintenance while removing the ambiguity caused by including defense within the NETOPS construct.

  2. Leverage concepts such as ‘mission assurance’ and ‘force protection’ to help change the culture and engage all personnel — users, maintainers, and cyber operators. Everyone has a role in security and force protection, but we are not all cyber defenders. Force protection and mission assurance are focused inward on our mission.

  3. Redefine our CND construct to be more consistent with our approach to the concept of ‘defense’ in the other domains of warfare, to include the concept of active defense. This would shift the concept from maintenance to operations, from inward to outward (to our adversaries). CND is about delivering warfighting effects (e.g., denying, degrading, disrupting, and destroying the cyber capabilities of our adversaries).

I like these three recommendations from a corporate point of view:

  1. IT provides "NETOPS".

  2. User and management training and awareness are "force protection" activities.

  3. CIRTs with Red capabilities, authorized to perform "active defense" against adversaries, perform "CND."

What do you think?


Mister Reiner said...

Read this first.

I agree with your three recommendations. Those are good things. I'm not so sure about the effectiveness of active defense, but the capability should be available if required.

These guys make it sound like cyberattack is equivalent to Russian tanks crossing the East German border. The most effective intruders I've encountered are low, slow and stealthy (Ninjas), so any attempts to "deliver warfighting effects" require the knowledge that you're being attacked. The DoD is not so good in this area unless the enemy is wearing a clanking suit of armor and is trying to break through the front door. In other words, they are over-reliant on HIDS and NIDS for situational awareness.

People who administer networks and computers within the DoD need to be held to a higher standard than they are now. When it comes to security, many just know the basics. "Raising the bar" education-wise is an understatement. There are guys that are exceptional, but those are few and far between. When it comes to monitoring and detection, most are noobs.

In my opinion, network and system admins need to be more like Special Ops guys that can do anything and everything to administer, secure, detect intrusion and defend any piece of gear. What good is someone if he can't even tell that his system is hacked or if he needs to call the CERT for help? Is that expecting too much? If so, then maybe this whole notion of defending the DoD against intrusions is just a big joke.

Mr. Mike said...

I would contend there is a fourth tenet / recommendation: independent verification and validation.

This resides somewhere in-between and outside NETOPS and CND. Using your rifle example, it is important to count and check rifles, but it is also important to make sure it is being done correctly.

Likewise, evaluating the effectiveness of the CND can determine how many rifles you may need. An example being, whether your CND is on high defensible ground with an established perimeter or not. That can help determine the effort required and the number of "Cyber Warriors" needed for defense. This would be analogous to the amount of CAP your aircraft carriers needed to provide for a particular campaign.

Right now, those closest to that role are worried about making sure the rifles are counted (FISMA), not how effective your CND activities are.

Anonymous said...

The article makes some good points especially about unifying doctrine and policy, but it would have been better if they had focused on NetOps vs. Computer Network Operations (CNO). Both have a CND component, but execute their mission from different perspectives. NetOps views CND as a combination of situational awareness, network/systems management, and IA. (defensive) On the other hand, CNO views CND as activities that protect and defend networks under attack or targeted for attack by adversaries. (offensive)

dearista said...

I don't see anything new written in the article, except for the name of the guys who published yet another article on "cyber".

NetOps is a concept of operations, which includes defending the networks from attacks. The folks doing the defense are called CND Service Providers, similar to an MSSP or CIRT/CERT. Per DOD policy, the CNDSP is supposed to have a working relationship with LE/CI. Additionally, a CNDSP is supposed to conduct AS&W as well as I&W leveraging intelligence...this is very much outward looking.

CND has its role in NetOps, but it also has its role in Information Operations, as one of the three tenets of CNO. Which is essentially CYBERCOM's overall mission...and the "hunt" is in their mission statement...again very outward looking.

These authors are probably now considered "cyber" SMEs b/c of this article....they talk about changing culture, they should have just focused on that, b/c otherwise this is a very amateurish and pedestrian article.

Anyone who is looking for accurate and meaningful insights into the DOD's CONOPS, doctrine, policy etc. in this area is encouraged to read:

NetOps CONOPS, DODD/I 8530.01, and DISA's Integrated Checklist: A Guide to NetOps Readiness.

dearista said...

Did the authors read the NetOps CONOPS or DODD/I 8530.01 before launching this dud?

Everything they're saying is policy. If they want to discuss culture change, then they should be discussing incentives...why does the culture not conform to the policy? Changing culture sounds like a behavioral issue...maybe some economics involved too..may not even be considered a cybersecurity issue once you look at it that way.

Nothing worse than amateur security people trying to be amateur social scientists...but I guess once you publish in IATAC you're a "cyber SME".

PS That is a large focus of the WEIS conference btw :)

dearista said...

Oh, one other thing...if a CNDSP is doing its job correctly there is plenty of LE/CI interaction and outward use of intelligence to build AS&W and I&W etc.

CND is an element of NetOps...but it's also an element of CNO, which is an element of IO. Did these guys mention CYBERCOM?

These are all common misconceptions so I'm not surprised hearing ... but I'm a bit surprised IATAC published it.