Riding the Four Horsemen of Cyber Survivability


When working on the cyber survivability of Department of Defense (DoD) systems, it is frustratingly common for different well-informed experts to have radically different views of a system’s level of cyber survivability. One of the main reasons why there is so little agreement on how well our systems are prepared for a cyber-contested environment is that there is not a single “cyber.” Instead, there are four different cybers, as related to a program’s compliance, design, testing, and operational posture. It is thus no wonder that different experts, who are often focused on these different cybers, can come to significantly different conclusions on how well-prepared specific systems are for cyber-related attacks.

The four cyber areas—cyber compliance, cyber design, cyber testing, and cyber operational posture—are more than just lenses that provide different views of a single system. Rather, they are different components of the system’s overall cyber survivability, and each contributes unique insights that may appear nearly independent of each other. For example, an expert focused on compliance may think a system is in good shape because it has completed the expected assessments, while an expert focused on testing may think the same system is in terrible shape since it has accomplished no meaningful cyber testing. Program managers also tend to think about cyber survivability as something that they mitigate and control by spending money, but that money goes into a single, undifferentiated cyber bucket.

To address these challenges, it is proposed that these four areas be established as the four areas of cyber survivability that experts and program managers alike should consider to understand a system’s cyber survivability. Additionally, program managers can affect their system’s cyber survivability by putting resources against any of these areas, and all four should be considered to see where the greatest return-on-investment opportunities are.

Cyber Compliance

The first horseman, cyber compliance, is the one typically thought of first by program managers. To illustrate each of the four horsemen, four different levels can be developed, ranging from ignoring that particular aspect to industry-leading approaches. Figure 1 shows the four compliance levels.

Figure 1. Cyber Compliance.

As shown, the default needle points somewhere between Risk Management Framework (RMF) Compliance and Additional Compliance, as most programs today land somewhere in that zone. A few years ago, some programs were still trying to ignore RMF, but that has become extremely difficult and thus is rare today. There are also a few programs that are trying to combine their cyber compliance work using standardized processes, but that is also relatively rare, and the available standards are still immature compared to other engineering areas, such as safety and reliability.

Cyber Design

On the engineering front, the second horseman is secure cyber design, as shown in Figure 2. The default needle here points toward Reactive Secure Design, as that is where most programs are today. Reactive Secure Design is certainly an improvement over ignoring secure design completely, and while some programs may still attempt to ignore secure design, the DoD’s increasing emphasis on cyber survivability makes that increasingly difficult. So programs generally move up to at least a reactive posture. Risk-Based Secure Design, where design choices are made based on tradeoffs across a risk portfolio, is rare. Furthermore, As Secure As Reasonably Possible (ASARP) is even more rare. ASARP is thus likely only appropriate for extremely important systems that cannot be allowed to be successfully attacked, such as nuclear command and control.

Figure 2. Secure Cyber Design.

Cyber Testing

The third horseman, shown in Figure 3, is cyber testing. Testing is important because not only can it validate that the system is performing as expected under simulated attack, but it can also assist the other horsemen by identifying gaps in compliance and secure design assumptions that are incorrect. The default here is shown as Minimum Cyber Testing, as that seems to be the most common posture, though many programs are accomplishing Standard Cyber Testing with some still trying to avoid all cyber testing if they can. Cyber testing can admittedly be expensive, but it can be one of the best methods to validate that the system is performing as expected under simulated attack.

Figure 3. Cyber Testing.

Cyber Operational Posture

The final horseman is Cyber Operational Posture, as shown in Figure 4. Some program managers might point out that they are not responsible for Cyber Operational Posture, but that is not entirely true. While the operators themselves are responsible for training and defense, program managers are responsible for providing a system that is securely usable and defendable. Operators should be presented with systems where secure operation is the default and obvious way to use the system effectively. Additionally, especially on cyber physical systems such as aircraft and weapons, defenders cannot simply use standard traditional information technology (IT) defensive tools. Instead, programs need to build defensive tools, such as secure logging, intrusion detection systems, and intrusion prevention systems, into the baseline of the system. Data logging and telemetry in particular are usually the first prerequisites for any successful operational cyber posture, as without them built into the baseline, defenders cannot analyze or defend systems.

Figure 4. Cyber Operational Posture.

A Conceptual Dashboard for Cyber Survivability

The four horsemen can also be brought together to create a conceptual dashboard of where a program sits with respect to its expected cyber survivability. To a program, these “control knobs” can be turned to different settings to adjust outcomes, as shown in Figure 5.

Figure 5. The Four Horsemen as Program Control Knobs.

So, the question is, which knob should a program turn first? As in almost all engineering questions, the answer is, it depends. If a program is early in its life cycle, typically putting focus on secure cyber design will produce the greatest return on investment. If there is great disagreement as to how secure a system is, and no meaningful cyber testing has been accomplished, that may be the greatest priority. And if a program is in sustainment with no real opportunity to redesign, then focusing on improving cyber operational posture may yield the best return.

Regardless, the most important thing to remember is that there are four horsemen, and all should be considered. If one is completely neglected, that is likely also the one that will yield the best return on investment, as the early steps tend to be much cheaper than the later steps. Programs and analysts should thus think about all four aspects of cyber survivability in determining both the current level of a system’s cyber survivability and what should be done about it.

Conclusion

While the concept of four cyber horsemen is admittedly simplistic, it helps to illustrate a significant truth for programs: that there are different aspects of cyber survivability that should be considered. Furthermore, simply achieving an acceptable rating on a compliance measure or running a single cyber test does not mean one’s program is cyber survivable. Instead, program managers should use their available resources across all four horsemen in a deliberate way to ensure all aspects are considered and the overall system meets its cyber survivability goals.

About the Author

Dr. William “Data” Bryant is a cyberspace defense and risk leader who currently works for Modern Technology Solutions, Incorporated. His diverse background in operations, planning, and strategy includes more than 25 years of service in the Air Force, where he was a fighter pilot, planner, and strategist. Dr. Bryant helped create Task Force Cyber Secure and also served as the Air Force Deputy Chief Information Security Officer while developing and successfully implementing numerous proposals and policies to improve the cyber defense of weapon systems. He holds multiple degrees in aeronautical engineering, space systems, military strategy, and organizational management and has authored numerous works on various aspects of defending cyber physical systems and cyberspace superiority.

By:  William “Data” Bryant

Aircraft Survivability Journal