1 of 18

Cyber Risk to Mission Exploratory Analysis

presentation to the 29th ICCRTS

Dr. David S. Alberts

Cyber Analytics Lead Support

Cyber Warfare Directorate/DASD(P&W PM)/OUSD(A&S)

September 24-26, 2024

2 of 18

Contested Cyberspace Environment: Cyber Risk to Mission (CRM)

While cyber operations involve and target the cyber and infrastructure capabilities, their effects are far-reaching and have the potential to create complex cascades of impacts

[Figure labels: National Security (social, economic, geopolitical); Strategic Risk to Tactical Risk across Tier 1 Organization, Tier 2 Mission Processes, Tier 3 Information Systems]

Source: NIST Special Publication 800-39: Managing Information Security Risk

3 of 18

Power of Network Centric Warfare

[Figure labels: Combat Power and Competitive Advantage; Network and Cyber-Enabled Capabilities; Impact of Improved Technology; Impact of Co-evolution]

not the ‘Network’ per se, rather from ‘Networking’

4 of 18

CRM has the potential to negate the Power of Network Centric Warfare

[Figure labels: Lost Cyber Capabilities; Lost Combat Power or Competitive Advantage; Network and Cyber-Enabled Capabilities; Combat Power and Competitive Advantage]

5 of 18

CRM Analytic Framework

This end-to-end framework can be used to measure, assess, and diagnose BOTH offensive and defensive missions

[Figure: CRM Analytic Framework diagram. Labels: Potential Threats and Hazards; Integrated Deterrence; Effectiveness of Deterrence and Suppression; 0 Events; Resilience of Cyber Assets (hardness); Effectiveness of Remediation; Damage to Cyber Capability; Restore/Recover/Replace Damaged Cyber Capability; Effectiveness of Restoration; 0 Cyber Damage Not Restored in a Timely Manner; Mission Agility (Versatility, Flexibility, Adaptiveness); Effectiveness of Consequence Mitigation; 0 Adverse Impacts; Consequences - Outcomes; Cyber Risk to Mission Taxonomy; Significance of Consequences; Likelihood of Scenario]

The objective of Defense is to reduce one’s own risk to an acceptable level

The objective of Offense is to increase adversary risk to an unacceptable level

Defense

Offense

6 of 18

CRM Taxonomy


7 of 18

Multi-Domain CRM Parametric Model Components

[Figure: Multi-Domain CRM Parametric Model components diagram. Labels: Cyber; Kinetic; Mission Model; Mission Force; Mission Dependencies On Cyber; Cyber Terrain Model; Defensive Cyber Engagement Model; Defensive Cyber Forces; Offensive Cyber Forces; CRM; Multi Domain C2 Approach; Mission Decisions]

8 of 18

CRM Parametric Model Purpose and Analytic Uses

  • Transforms the Analytic Framework from a concept into an analytic tool by identifying the specific metrics and relationships needed to link Cyber Assets and capabilities to Mission Outcomes
  • Captures and synthesizes what we know about parametric values and relationships from multiple sources to highlight most needed data collection, analysis, and research
  • When calibrated and tuned, it provides results that can be used to diagnose problems and answer questions at different levels of analysis
    • What is my Cyber Risk to Mission (CRM)? Risk to Strategy (CRS)?
    • What are the drivers of this risk?
    • What are my options to manage CRM? CRS?
    • What is my RoI for specific investments in people, processes and technologies?
    • To what extent can I increase an adversary’s CRM?
  • Facilitates sensitivity analyses to answer ‘what if’ related to changes in people, processes, technologies, resources, and/or adversary capabilities and behaviors
  • Can be a ‘hands-on’ discovery tool to learn about and facilitate discussion of Cyber Warfare, Multi-Domain Operations, and operating in a Contested Cyber Environment


9 of 18

What is Exploratory Analysis?

  • Exploratory Analysis (EA)* examines the consequences of parametric and structural uncertainty by exploring how a range of parameter values and variations in structure (relationships) impact outcomes
    • It is useful for gaining a broad understanding of a problem domain; helps to map the analytic terrain and identify key variables and relationships to study in more detail
  • Sensitivity Analysis (SA), on the other hand, usually employs an organizationally-accepted model and instantiates it with a base-case scenario (specific mission and circumstances)
    • SA is suitable for answering questions that begin with “How does the outcome change if …”
  • Thus, EA differs from SA in that it does not require the existence of an accepted model and has a much wider analytic aperture


  • EA is closely related to scenario space analysis, “exploratory modeling,” and more recently exploratory data analysis

* Davis, Bigelow, and McEver, Exploratory analysis and a case history of multiresolution, multi-perspective modeling, RAND 2000
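To make the EA/SA distinction above concrete, here is an added example that is not from the presentation and is not the CRM Parametric Model. It assumes two constructed toy risk functions (`additive`, `interactive`), a hypothetical base case and a hypothetical acceptance threshold, then contrasts a one-at-a-time sensitivity run on one accepted model with an exploratory sweep over parameter ranges and both structures.

```python
from itertools import product

# Constructed toy models, NOT the CRM Parametric Model from the slides.
# force = Blue force size relative to Red; aware = Quality of Awareness (0..1).
def clip(x):
    return max(0.0, min(1.0, x))

def additive(force, aware):
    """Structure 1: force size and awareness reduce risk independently."""
    return clip(1.0 - 0.4 * force - 0.4 * aware)

def interactive(force, aware):
    """Structure 2: awareness multiplies what a given force can achieve."""
    return clip(1.0 - 1.2 * force * aware)

BASE = {"force": 1.0, "aware": 0.5}   # both structures give risk 0.4 here
ACCEPTABLE = 0.5                       # assumed risk-acceptance threshold

def sensitivity(model, base=BASE, delta=0.2):
    """SA: one accepted model, one base case, vary one parameter at a time."""
    swings = {}
    for name in base:
        lo = dict(base, **{name: base[name] * (1 - delta)})
        hi = dict(base, **{name: base[name] * (1 + delta)})
        swings[name] = round(abs(model(**hi) - model(**lo)), 2)
    return swings

def explore(models, forces, awares):
    """EA: sweep the whole parameter grid across structural variants."""
    disagreements, worst = [], (0.0, None)
    for f, a in product(forces, awares):
        risks = [m(f, a) for m in models]
        # Record cells where the structures imply different decisions.
        if len({r <= ACCEPTABLE for r in risks}) > 1:
            disagreements.append((f, a))
        gap = round(max(risks) - min(risks), 2)
        if gap > worst[0]:
            worst = (gap, (f, a))
    return disagreements, worst

if __name__ == "__main__":
    print("SA swings:", sensitivity(additive))
    grid = explore([additive, interactive],
                   forces=[0.25, 0.5, 1.0, 2.0],
                   awares=[0.1, 0.3, 0.5, 0.7, 0.9])
    print("EA disagreements, worst gap:", grid)
```

The one-at-a-time runs cannot distinguish the two structures, which agree at the base case; the grid sweep surfaces the cells where they lead to different accept/reject decisions.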

10 of 18

Hypotheses (to illustrate a PM-driven EA)

  • H1: There is a trade-off between Relative Force Size and the Quality of Awareness such that one can make up for a smaller force with better Quality of Awareness.
  • H2: The higher the ratio of Red to Blue forces, the more important it is for Blue to have a competitive Quality of Awareness.
  • H3: The higher the proportion of Mission Critical assets that are time-sensitive, the more Quality of Awareness matters.
  • H4: There is no ‘one size-fits-all’ ratio of local defenders to total defenders that is appropriate for defensive cyberspace operations.
  • H5: The Cyber C2 Approach adopted makes a difference in the ability to manage CRM.


These Hypotheses drove the design of CRM Parametric Model runs

11 of 18

Illustrative Results

12 of 18

13 of 18

Increasing CRM

14 of 18

H1: There is a trade-off between Relative Force Size and the Quality of Awareness such that one can make up for a smaller force with better Quality of Awareness.

15 of 18

H2: The higher the ratio of Red to Blue forces, the more important it is for Blue to have a competitive Quality of Awareness.


16 of 18

H3: The higher the proportion of Mission Critical assets that are time-sensitive, the more Quality of Awareness matters.

[Figure annotation: Inappropriate Force Allocation]

17 of 18

Some CRM Implications

  • There are multiple variables that interact to determine CRM; understanding these interactions is critical
  • To improve our ability to manage CRM, we need to:
    1. Develop a better understanding of cyber asset mission criticality and time-sensitivity, while denying adversaries the ability to do the same
    2. Increase our cyberspace awareness and cross-domain shared awareness
    3. Adopt an appropriate Cyberspace Force Mix and employment priorities and a corresponding Multi-Domain C2 Approach

(assuming the parametric model is deemed to be credible)

18 of 18

Thoughts / Questions