Ebook: Strategic Cyber Defense
With the increased dependence on digital and internet technologies, cyber security has come to be regarded as a national security issue, and the number of countries with a published cyber security strategy continues to rise. But these national cyber security strategies often run the risk of failing to address all the cyber security requirements of the many institutions within a given country, and the complex nature of the stakeholders involved and the networks formed by them means that the problem requires an interdisciplinary approach.
This book presents papers from the NATO Advanced Research Workshop (ARW) entitled “A Framework for a Military Cyber Defense Strategy”, held in Norfolk, Virginia, USA, in April 2016. The workshop focused on key priority areas for cyber defense along with NATO’s cyber defense policy implementation and brought together experts with an eclectic mix of backgrounds and specialties from a group of NATO member states and partner countries. The participants considered not only the technical implications of cyber security efforts, but also the legal, strategic, educational and organizational aspects, and the book reflects this wide view of the field and its intricacies, highlighting the complexity of cyber security and the many challenges it presents.
This overview of cyber security offers state-of-the-art approaches from a multidisciplinary standpoint, and will be of interest to all those working in the field.
As the world becomes more digitalized and dependent on internet technologies, cyber security has increasingly been regarded as a national security issue. For the last six years, the number of countries that have published cyber security strategies has been on the rise. However, due to the cross-cutting character of cyber security, national cyber security strategies often run the risk of failing to address all cyber security requirements of the institutions within a country. Therefore, many national cyber security strategies highlight the importance of generating institution-based cyber security strategies that specifically envision precautions for existing problems and provide guidance on how to tackle future challenges.
The NATO Advanced Research Workshop (ARW), entitled “A Framework for a Military Cyber Defense Strategy”, was held from 11 to 13 April 2016 in Norfolk, Virginia, USA. It was organized by Old Dominion University and the Taras Shevchenko National University of Kyiv. The workshop was enabled by NATO's Science for Peace and Security (SPS) Program and focused on SPS's key priority areas for cyber defense along with NATO's cyber defense policy implementation. The ARW brought together experts with an eclectic mix of backgrounds and specialties, from a group of NATO Member States and partner countries that mirror the diversity of the Alliance and its people. The participants considered not only the technical implications of cyber security efforts, but also legal, strategic, educational and organizational aspects, which, within the limited timeframe, provided a surprisingly ample view of this field and its intricacies. The discussions highlighted the complexity of cyber security and the numerous challenges associated with the field, which will only be compounded by the formulation of a collective strategy on cyber security and its attendant activities. Key to cyber security efforts is the diversity of the stakeholders involved, ranging from government institutions, the militaries, private and public companies, academia and civil society groups, setting up a vast web of relations whose complexity must be managed. Managing that complexity is crucial: it begins with the different interests and motivations of the participants, continues with their differing resources, visions and modes of operation, and ends with the monumental task of setting up a system in which these actors march in lock-step toward mutually reinforcing collective action for security gains.
Cyber security studies are almost two decades old and have become the subject not only of practitioners but also of academics. Cyber security studies so far have shown that cyber security is not yet a discipline and requires an interdisciplinary approach. This book aims to present state-of-the-art approaches from a multidisciplinary view.
In this book, highlights from the discussions in the ARW are shared in 15 chapters under three sections:
– Critical Infrastructure Protection and Situational Awareness
– Policy and Legal Aspects of Cyber Warfare and Security
– Emerging Issues in Cyber Security: Maritime Cyber Security, Big Data and Exercises
The invaluable knowledge presented in the book contributes to readers' cyber security understanding and stimulates them to deliberate more on creating well-tailored and efficient cyber security strategies.
Unal Tatar, Yasir Gokce and Adrian V. Gheorghe
Our Critical Infrastructure (CI) systems are, by definition, critical to the safe and proper functioning of society. Nearly all of these systems utilize industrial Process Control Systems (PCS) to provide clean water, reliable electricity, critical manufacturing, and many other services within our communities – yet most of these PCS incorporate very few cyber security countermeasures. CI is becoming an attractive target for cyber-attacks. While many vendor solutions are starting to be deployed at CI sites, these solutions are largely based on network monitoring for intrusion detection. As such, they are not process-aware, nor do they account for interdependencies with other CI sites in their community. What is proposed is an architecture for coordinating all CI within a community, which defines characteristics to enhance its integration, its resilience to failure and attack, and its ultimate acceptance by CI operators.
Although a great many problems have not yet been fully solved, the technical and organizational aspects of cyber security have been widely addressed by the security community. A new era covering the national aspect of the problem domain has started with the publishing of national cyber security strategies. The capabilities of national CERTs have been strengthened and their responsibilities have been extended beyond basic incident coordination activities. Obtaining national-level cyber situational awareness is among the foremost responsibilities of authorities and operational bodies. Therefore, this new era requires situational awareness systems that perform security monitoring and information sharing functions for the determination of the nation-wide security status. In this study, the national cyber security strategies and the responsibilities of relevant agencies are analyzed from the situational awareness perspective. An analysis of the systems that help to understand the national situational picture is also given within the study.
A command and control (C2) structure is maintained by situation awareness, which in turn is reliant on information sharing. In complex connected military environments, information sharing is supported by the communication and information systems, which are cyberspace dependent. This dependency results in an immense interconnectedness. The transformation of cyberspace into a warfare domain enables new capabilities. The operational utilization of these capabilities requires a C2 structure or system that is compatible with the requirements of cyberspace. Consequently, situation awareness in cyberspace becomes paramount in the discussion of cyberspace and cyber operations. Although cyber situation awareness is distinct from traditional warfare situation awareness, human cognition is an indispensable component in both. Present discussions of cyber situation awareness, however, do not include a comprehensive discussion of human cognition. This paper proposes a necessary improvement to cyber situation awareness by including human cognition using the Situation Theory approach. It studies cyber situation awareness in the context of cyberspace within the framework of the information environment of joint force operations.
In this paper, the details of the critical infrastructure protection program of the United States of America are shared, taking cyber resilience into account. The academic and institutional studies on the concepts of cyber maturity, critical infrastructure protection program and cyber resilience are explained in detail. With the help of these studies and national efforts, the relations among these concepts are set forth. The key components of a cyber security strategy and action plan for a cyber-resilient society are proposed by taking these three concepts into account. As the final step, the recent cyber security efforts of Turkey are shared with the readers and assessed according to the determined key components.
Despite various doomsday scenarios and popular cyber war theories, if you ask ten people what cyber-terrorism is, you will get at least nine different answers. In fact, the roots of the notion of cyber-terrorism and of an “electronic Pearl Harbor” can be traced back to the early 1990s, when people started to discuss the rapid growth in Internet use with the emergence of the “information society.” Nevertheless, it should be added that despite all the gloomy predictions, until now, no single instance of real cyber-terrorism has been recorded.
Nevertheless, experts strongly argue that cyber terrorism is not just a theoretical threat, that it could really impact nations, and that cyber terrorists are seeking to cause physical harm. But how real are the threats of cyber-terrorism and cyber warfare, and how much should society and governments worry about them? In this context, it should be remembered that the overreliance on computers and information systems in every aspect of our lives means that banking, e-commerce, business, air transportation, law enforcement and other systems are increasingly exposed to the threat, and that more interconnectivity is associated with more sophisticated threats.
Among all these infrastructures, as modern society and the economy rely heavily on the continuous and uninterrupted flow of energy supply, energy infrastructure comes to the forefront as a topic that should be assessed independently. In that regard, this article investigates the potential threat that cyber terrorism and cyber crime pose to critical energy infrastructures and attempts to outline the link between energy and cyber security. Additionally, a number of case studies with lessons learned and recommendations are listed as a consequence.
This paper analyzes the commercial satellite (ComSat) segment within the communications sector of the critical infrastructure framework, and the intersection between ComSats as part of United States (US) critical infrastructure and national space policy. In assessing the vulnerabilities present within ComSat constituent components, as well as means to mitigate the risks associated with those vulnerabilities, the paper identifies apparent tacit or even active state actor support directed at exploiting US ComSat vulnerabilities. This paper concludes that efforts to reduce ComSat risks, especially those emanating from state and non-state threat actors, require an adaptation in both critical infrastructure and space policies to account for the convergence that has resulted from ComSat usage within the federal government, and recommends that US Cyber Command be included as a key coordinating entity as those policies are updated.
The rapid increase in the use of technologies dependent on the Internet has brought to the fore the security threats stemming from cyberspace. The argument that cyber threats are overestimated and viewed as a larger threat than they really are is also a point that is debated, as the constantly evolving security and threat perceptions are shaped by the changes in cyberspace. According to the proponents of this argument, cyber threats are not as severe as they are presented, despite the large budgets states assign to cyber security, cyber armies they set up or the news in the media. The most significant argument of those who assert that cyber threats are exaggerated is that known cyber-attacks have never physically harmed anyone so far. On the other hand, the idea that the world should be ready for cyber wars is voiced over and over again, specifically by state authorities. US officials have been devising analogies such as “Cyber Pearl Harbor” and “Cyber 9/11,” which indicate that cyber threats are viewed as national security issues. This article explores the efficiency of the use of cyber power diplomatically in the events that have taken place thus far and compares cyber weapons and nuclear weapons by analyzing the debates on cyber security and cyber warfare definitions. The article, as a result, views cyber security studies as an essential element of national security.
Much of the social, economic and political activity in the region of South-East Europe (SEE) takes place via so-called cyberspace. Even though there is evidence of growing dependence on cyberspace in SEE countries, practice shows that security has not kept pace. Given that no one is safe in cyberspace, the main argument of this article is that in order to provide effective defense for their own citizens against malicious and aggressive actors, the SEE countries should focus on building cyber resilient societies. In doing so, they need to concentrate on building an effective strategy, adjusting the law and developing appropriate doctrine.
Active Cyber Defense tends to be associated with the phrases “hacking back” or “attacking the attacker,” denoting retaliation or retribution with the likelihood of harming unrelated third parties. Nevertheless, Active Cyber Defense has long been employed, in combination with Passive Cyber Defense, by States facing increasingly sophisticated cyber incidents. Some of the Active Cyber Defense measures taken against another State in self-defense fall within the category of international law governing the use of force, and therefore should be dealt with using the tenets provided by that branch of law. The main assertion of this essay is that the ethical and legal issues surrounding some Active Cyber Defense measures can effectively be handled through the legal framework provided by the Caroline formulation of the preemptive doctrine.
Privacy concerns in internet communications are increasing steadily among citizens who reside in both repressive regimes and other developed countries, due to the technical network interception possibilities that threaten personal rights and freedom. Moreover, identifying the personal identity and other private data of internet users can easily be categorized as an emerging risk that may hinder freedom of speech and other democratic rights. Due to privacy concerns and the other factors mentioned above, the usage of anonymity technologies on the Internet is growing. In this research, we take a closer look at anonymization technologies from a risk analysis perspective, in terms of their success rate in circumventing internet censorship efforts. Furthermore, we investigate the current status of Internet censorship in a wide variety of nations, taking into account several recent reports published by reputable sources.
International commerce is dependent on sea lines of communication. The ability of a nation to operate a system of international commerce unimpeded is vital to its security. More than 95% of America's international trade traverses the nation's maritime infrastructure through the 361 ports in the United States on approximately 7,500 foreign-flagged vessels that make more than 50,000 port calls annually. Every year more than 6 million containers, carrying more than 156 million tons of hazardous cargo and 1 billion-plus tons of petroleum products, depart American ports. The shutdown of one or two ports could potentially cause more damage to the U.S. economy than the September 11 attacks. Maritime assets such as offshore production platforms, deep seabed mining operations, and liquefied petroleum tankers are attractive targets to a terrorist organization or a state actor seeking to strike a strategic U.S. center of gravity, disrupting sea lines of communication and the nation's ability to operate internationally. With an ever-increasing reliance on networked technologies to manage this infrastructure, a federal framework to manage the cyber risks posed to maritime assets should be adopted.
The global maritime safety system depends on the effective use of Automatic Identification Systems (AIS). Ease of use and a simple, modular structure, along with cost efficiency, have accelerated the deployment of AIS equipment and enlarged the network of these systems. AIS-based maritime safety systems are subject to cyber attacks, and the impact of these attacks may be strategic. This paper categorizes the errors that occurred during the evolution of the AIS-based maritime system and provides an ecosystem of cyber-physical spaces to offer potential solutions to those errors.
Cyber security is a great challenge for organizations. Big Data and Machine Learning can be used to improve cyber security protection mechanisms for organizations. This article presents two applications of the Latent Dirichlet Allocation (LDA) model for cyber defense. In the first application, we present how to use LDA to discover users' possible hidden intentions from a collection of the users' operations extracted from a very large volume of security monitoring data. This new application can help detect intrusions and malicious activities conducted by insiders. In the second application, we present an architecture used for identifying and redacting sensitive information from outgoing emails in an organization, which may help an enterprise or organization protect its sensitive information from both intended and unintended leaks.
Cyber security exercises have become an important tool for the information security domain for various reasons: raising awareness, improving readiness against cyber-attacks, and testing the capabilities of experts before a real incident are some of them. However, measuring the success of exercises and of the participants in the game is a vague area for which, according to the current literature, no scientifically elaborated approach has been followed. In this research, some of the well-known cyber security exercises are compared and contrasted by the evaluation metrics they use and the scoring systems they have implemented in their games. Unlike capture-the-flag type events, in which collecting points depends on how many challenges participants solve, this paper elaborates on red team vs. blue team exercises. The ultimate goal is to observe the strengths and weaknesses of their approaches and identify which metrics are commonly used. According to the findings, after a detailed comparison of these exercises, it was realized that current evaluation techniques in cyber security exercises mostly focus on metrics representing the defensive and offensive success of participants. Keeping the systems up and running, successfully defending systems, or attacking other players are some of the key elements. Furthermore, it was realized that exercises provide a useful way to raise awareness, improve technical competence, and enhance the readiness of cyber security experts in the field. Thus, it is important to extract meaningful outcomes from those exercises, such as understanding which participant has enough capacity to deal with imminent cyber security attacks. There are a number of exercises that aim to achieve this goal; however, it is not clearly described how to evaluate the success metrics. Beyond that, a solid, reusable, and meaningful approach to evaluating players is still missing. Non-technical but important issues such as reporting and media relations are lacking in many of them.
This research showed that these cyber security exercises should not be just about who comes first; rather, they should tell who is ready for real combat.