1 of 15

Cyber Warfare Metrics
Dr. David S. Alberts
presented to 28th ICCRTS
November 2023


2 of 15

A Mature Analytic Ecosystem

[Diagram: elements of the analytic ecosystem. Labels: Body of Evidence; Domain Knowledge; Analyst Work Force; Analysis Community; Infrastructure; Conceptual Framework; MoE and MoP; Assessment Methodology; Models and Tools; Community Fora; Literature; Testbeds; Simulation Environments; Weapons Ranges; Education - Training; Credentials; Mentors; Codes of Best Practice; Lessons Learned; Case Studies; Experimental Results; Operational Concepts, Doctrine, Tactics; Operational Effectiveness; Force Posture and Structure; Weapon Capabilities and Performance; Threats and Scenarios; Asset Vulnerabilities; Task-Mission Dependencies]

3 of 15

Cyber Warfare Analytic Framework

[Diagram: Initial Conditions to Risk to Mission. Labels: Effectiveness of Remediation; Effectiveness of Deterrence and Suppression*; Effectiveness of Restoration; Events; Cyber Damage Not Restored in a Timely Manner; Effectiveness of Consequence Mitigation; Adverse Impacts; Mission Agility; Damage to Cyber Capability; Integrated Deterrence; Resilience of Cyber Assets (hardness); Restore/Recover/Replace Damaged Cyber Capability; Versatility; Flexibility; Adaptiveness; Consequences - Outcomes; Consequences; Potential Threats and Hazards; Cyber Risk to Mission Taxonomy; Significance of Consequences; Likelihood of Scenario]

*For this example, deterrence and suppression are not considered

The extent to which potential CRM is passed on is a function of the effectiveness of risk management at each link in the chain

4 of 15

CRM Parametric Model Purpose and Analytic Uses

  • Transforms the Conceptual Framework from a concept into an analytic tool by identifying the specific metrics and relationships needed to link Cyber Assets and capabilities to Mission Outcomes
  • Captures and synthesizes what we know about parametric values and relationships from multiple sources to highlight most needed data collection, analysis, and research
  • When calibrated and tuned, it provides results that can be used to diagnose problems and answer questions at different levels of analysis
    • What is my Cyber Risk to Mission (CRM)? Risk to Strategy (CRS)?
    • What are the drivers of this risk?
    • What are my options to manage CRM? CRS?
    • What is my RoI for specific investments in people, processes and technologies?
    • To what extent can I increase an adversary’s CRM?
  • Facilitates sensitivity analyses to answer ‘what if’ questions related to changes in people, processes, technologies, resources, and/or adversary capabilities and behaviors
  • Can be a ‘hands-on’ discovery tool to learn about and facilitate discussion of Cyber Warfare, Multi-Domain Operations, and operating in a Contested Cyber Environment


5 of 15

Multi-Domain CRM Model Components

[Diagram: model components for the Cyber and Kinetic domains; several labels appear more than once. Labels: Mission Force; Mission Dependencies On Cyber; Cyber Terrain Model; Defensive Cyber Engagement Model; Defensive Cyber Forces; Offensive Cyber Forces; Mission Model; CRM; Multi Domain C2 Approach; Mission Decisions]

6 of 15

Initial Conditions

  • The initial conditions for a model run include parameter and relationship settings that represent the following:

    • Mission Challenge
    • CRM Challenge
    • Mission Objectives and Constraints
    • Force Characteristics, Doctrine, and Capabilities
    • Relevant Cyber Terrain
    • Mission Stack Dependencies


7 of 15

Events

  • An Event is an attack or other occurrence that has the potential to adversely impact the capability of one or more Cyber Assets.
  • The CRM PM tracks the number of events by the criticality* and defense posture of targeted cyber assets

[Diagram: Cyber Terrain of Interest. Labels: Protected; Not Critical; Critical; Attacked by Adversary; No Events]

* Some critical assets are also time-sensitive

  • The number of Events of each type that take place depends upon
    • # Assets in the Cyber Terrain
    • Cyber Force Sizes, Utilization, Employment, and Targeting Efficiencies
    • In turn, C2 Approach and Decision-Making Quality determine Force Utilization, Employment, and Targeting Efficiencies


8 of 15

Damage to Cyber Capabilities

Whether or not a Cyber Asset sustains damage depends upon the values of parameters associated with the Defensive Cyber Engagement Model

[Diagram: Cyber Terrain of Interest. Labels: Protected; Not Critical; Critical; Attacked, Damaged; Attacked, No Damage]

* Some critical assets are also time-sensitive


9 of 15

Defensive Cyber Engagement Model: Attack Damage

[Diagram: Multi-Domain CRM Model Components, repeated from slide 5]

Defensive Cyber Engagement Model: Damage Adjudication

Rules and Relationships
- assets not attacked = not damaged
- assets attacked but not defended = damaged
- for defended assets
-- if CPT Blue effectiveness > Red effectiveness = not damaged
-- if asset hardness or local defender is high = not damaged
-- else, damaged

Outputs
- # Cyber Assets by Type Damaged

Inputs
- Blue Cyber C2 -> allocation of defense forces (assets defended)
- Red Cyber C2 -> assets attacked
- Red Cyber Forces -> attacker effectiveness
- Blue Cyber Forces -> defender effectiveness
- Cyber Terrain -> asset defense posture (hardness)

10 of 15

Cyber Damaged Not Restored in a Timely Manner

Whether or not a damaged Cyber Asset is restored in a mission-timely manner depends upon the Defensive Cyber Engagement Model's damage restoration assumptions and parameter values.

[Diagram: Cyber Terrain of Interest. Labels: Protected; Not Critical; Critical; Damaged, Not Restored In a Timely Manner; Damaged and Restored In a Timely Manner]

*all time-sensitive assets are critical by definition

11 of 15

Defensive Cyber Engagement Model: Damage Restoration

[Diagram: Multi-Domain CRM Model Components, repeated from slide 5]

Defensive Cyber Engagement Model: Damage Restoration

Rules and Relationships
- if a damaged cyber asset is time-sensitive => not restored in a timely manner
- if asset is not time-sensitive and
-- allocated cyber restoration capabilities => restored
-- self-healing => restored

restored

Outputs
- # Cyber Assets by Type Damaged and Not Restored in a Timely Manner

Inputs
- Blue Cyber C2 -> allocation of defense restoration forces
- Blue Cyber Forces -> restoration effectiveness
- Cyber Terrain -> mission criticality and time-sensitivity of damaged cyber assets
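
The damage adjudication and damage restoration rules from the two Defensive Cyber Engagement Model slides, chained into a single run, as an added example (not the CRM Parametric Model's own code). The 0..1 scales, the `HIGH` cutoff, reading "by Type" as critical / not critical, the treatment of a non-time-sensitive asset with no restoration and no self-healing, and all sample assets are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
HIGH = 0.7  # assumed cutoff for "high" hardness or local defender (no value on the slides)

@dataclass
class Asset:
    name: str
    critical: bool
    time_sensitive: bool = False  # time-sensitive assets are critical by definition
    hardness: float = 0.0         # Cyber Terrain input, assumed 0..1 scale
    local_defender: float = 0.0   # assumed 0..1 scale
    self_healing: bool = False

def is_damaged(a, attacked, defended, blue_eff, red_eff):
    """Damage adjudication rules, applied in the order the slide lists them."""
    if a.name not in attacked:
        return False                      # not attacked = not damaged
    if a.name not in defended:
        return True                       # attacked but not defended = damaged
    if blue_eff > red_eff:
        return False                      # CPT Blue effectiveness > Red effectiveness
    return not (a.hardness >= HIGH or a.local_defender >= HIGH)

def restored_in_time(a, restoring):
    """Damage restoration rules for an asset already adjudicated as damaged."""
    if a.time_sensitive:
        return False                      # time-sensitive => not restored in a timely manner
    # Assumption: with neither restoration forces nor self-healing, not restored.
    return a.name in restoring or a.self_healing

def run(terrain, attacked, defended, restoring, blue_eff, red_eff):
    """Return damaged and not-restored counts by type, and % critical assets lost."""
    damaged, not_restored = Counter(), Counter()
    for a in terrain:
        if is_damaged(a, attacked, defended, blue_eff, red_eff):
            kind = "critical" if a.critical else "not critical"
            damaged[kind] += 1
            if not restored_in_time(a, restoring):
                not_restored[kind] += 1
    n_crit = sum(a.critical for a in terrain)
    return damaged, not_restored, 100.0 * not_restored["critical"] / max(n_crit, 1)

# Constructed sample terrain and C2 allocations (not from the briefing).
TERRAIN = [
    Asset("c2-link", True, time_sensitive=True), Asset("logistics-db", True, hardness=0.9),
    Asset("fires-net", True, hardness=0.3), Asset("sensor-feed", True),
    Asset("mail", False, hardness=0.2, self_healing=True), Asset("portal", False),
]
ATTACKED = {"c2-link", "logistics-db", "fires-net", "sensor-feed", "mail"}
DEFENDED, RESTORING = {"logistics-db", "fires-net", "mail"}, {"fires-net"}
```

The third return value is the "% Critical Cyber Assets Damaged and Not Restored" quantity that the Mission Model takes as its Step 1 input; rerunning with a different `DEFENDED` set or effectiveness values is the kind of 'what if' sensitivity run the briefing describes.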

12 of 15

Adverse Mission Impacts

The extent to which critical cyber assets that are damaged and not restored adversely impact the mission is determined by the Mission Model.

Step 1: From % Critical Cyber Assets Damaged and Not Restored to % Joint Functional Capability

Step 2: From % Joint Functional Capability to OPLAN Impact

[Plots for Step 1 and Step 2. Labels: % Critical Cyber Assets Damaged and Not Restored; % Joint Functional Capability; % Joint Functional Capability Lost; % OPLAN Impact; Baseline Case]

13 of 15

Significance of Adverse Mission Consequence

  • The significance of adverse mission consequences depends upon the context in which the mission is being undertaken
  • The context provides thresholds that determine significance

Significance of Mission Consequences, by % OPLAN Effectiveness Impact:

  • equal or less than x%: Insignificant
  • greater than x% and less than y%: Significant
  • greater than y%: Potentially Catastrophic

14 of 15

Cyber Risk to Mission

  • Risk to Mission is determined by using a Risk Taxonomy
  • Different Risk Profiles pose different challenges and are more amenable to different approaches to managing the risk
  • Determining the Risk Type requires both the significance of adverse mission consequences and the likelihood of occurrence


15 of 15

Insights: Feasibility, Utility, Challenges

  • Quantifying key Cyber Warfare metrics is well within our current capabilities
  • The initial version of the parametric model provides the necessary holistic structure* to support a variety of Cyber Warfare strategy and mission assessments and analyses, including mission forensics
  • The framework and model serve to integrate the activities and contributions of the various organizations that contribute to the attainment of Cyber Strategy goals and objectives
  • Useful results and insights can be obtained from observations and from data from exercises and wargames
  • Instrumented operations and well-designed experiments are needed to fill in gaps in knowledge and data


*this structure provides the hooks necessary to incorporate more detailed models of specific processes and relationships