Professional Documents
Culture Documents
Functional Analysis of Cyberspace Operations: Abstract-Cyberspace Is A Relatively New Domain of
Functional Analysis of Cyberspace Operations: Abstract-Cyberspace Is A Relatively New Domain of
This work has been funded through the annual NATO Military Budget (NMB) Program of Work for NATO Allied Command Transformation (ACT).
978-1-5386-7185-6/18/$31.00 ©2018 IEEE 673
Milcom 2018 Track 4 - System Perspectives
To address such a broad and complex issue in a relatively conducting cyberspace operations (how). The functional
short amount of time, the use of a formal, analytical, analysis can assist in developing answers to these questions,
engineering-based methodology is highly advisable, as the however, there are better engineering products for them. With
rapid evolution of modern warfare, technology and the intention to respond to the question ‘what shall NATO do to
applications of cyber capabilities do not allow the long lead conduct operations in/through cyberspace?’, NATO Allied
time associated to the doctrinal development and refinement Command Transformation (ACT), with the support of the
used for the other military domains. Subsequently, traditional NATO CIS Agency (NCI Agency), developed in 2017 a
information management system-engineering methodologies cyberspace operations functional analysis [9], with the purpose
do not appear to be well tailored to address the military of (1) Developing the understanding of NATO’s role in
Command and Control (C2) problem space. Effective C2 cyberspace; (2) De-conflicting this understanding with the
development demands a strongly user-centered approach that nationally provided cyberspace capabilities and contributions;
recognizes the subjective nature and variability of human- (3) Further analyzing the NATO capability requirements based
based decision-making, as well as the incorporation of on the functions that are selected for NATO implementation
knowledge at each stage of the C2 process. C2 development and; (4) Increasing interoperability of NATO’s cyberspace
needs to recognize that the essential mission of a C2 system is capabilities with those provided by the nations and other
to support the human tasks that make up the C2 activities in partners (through the analysis of all input/output interfaces for
planning, directing and monitoring military operations. all identified functions). The functional analysis is purposely
agnostic of organization, intent, mission, capability and
The Mission-Function-Task (MFT) methodology [4] is an technology, with the aim to provide a generic view for
elegant engineering approach to military C2 specification discussion, but also to allow embracing all possible national
development. Since it originates from the field of human arrangements and all possible mission types within a single
factors engineering [5], it is relatively close to problems where analysis.
the requirements are behavioral-based, soft, somehow
subjective and therefore loosely coupled to the capabilities Figure 1 below depicts the Level 1 and 2 functional
supporting them. The MFT methodology analyses systems by decomposition of the ‘Conduct (Joint) Cyberspace
decomposing the problem into: the Mission Analysis (purpose, Operations’. The term ‘Joint’ expresses the recognition that
environment, objectives, scenarios and phases); Function cyber will very often be a component of any and all future
Analysis (functions or sequence of functions that that must be missions, and seldom a single domain of operation, with the
performed for the system under analysis to achieve mission possible exception of the enduring cyber activities that are
objectives); Task Analysis (information requirements, permanently on-going due to the continuous nature of
performances, discrete actions and decision requirements) and adversaries’ actions and persistent threats.
Operational Sequence Analysis 3 (sequences of tasks, their
frequency, variability and correlations among them). Several
attempts have been made to apply the MFT analysis approach
to cyber, including its applications to generic CIS security and
defensive cyber operations [6]. No attempt, however, to map
the complete spectrum of cyberspace operations has been
found in the literature.
The mission analysis for NATO cyberspace operations is
well addressed in [7], which describes the unique aspects of
cyberspace missions in NATO, and the vision and strategy to
operate in it. The strategy is expressed using complementary
ways for NATO to achieve its vision for operating in
cyberspace, which can be achieved through a number of
concurrent, different efforts.
674
Milcom 2018 Track 4 - System Perspectives
conducting (stand-alone or joint) operations in cyberspace, (ISR), contributing to joint SA and sharing it with applicable
which involves the traditional activities of planning, C2 and partners.
effect delivery.
The subsequent paragraphs describe the three Level 1
function areas and, as mentioned earlier, these areas are
applicable to both NATO and individual nations. NATO does,
however, face additional challenges related, but not limited, to
the integration of SA products from the nations, collation of the
C2 information required to facilitate the Commander
conducting the mission and the coordination of cyberspace
effects delivery. NATO specific requirements are not
addressed in the functional analysis, as this begins the
questions of ‘how’, for which the functional analysis is not
expected to address.
4
Adapted from [12]
675
Milcom 2018 Track 4 - System Perspectives
676
Milcom 2018 Track 4 - System Perspectives
collateral damages, which might have strong implications for can be very well used to model the delivery of cyber weapons.
civilians, among others. The Kill Chain cycle can be further augmented by
decomposing it using any of the many commercially available
The C2 part of mission execution also has some cyber- life cycles and models/frameworks. For example, MITRE’s
related peculiarities. Exercising control of operational units threat-based security approach [18] further decomposes the
involves both synchronization of network-defensive measures Kill Chain phases ‘Control, Execute, Maintain’ into 10
and the integration of operational cyber effects. The first one, different tactics that represent the tactical goals of a cyberspace
defensive measures, trigger the functions identified in the first operations, which include: Persistence, Privilege Escalation,
function in Level 1, ‘protect and defend own-cyberspace’, Defense Evasion, Credential Access, Discovery, Lateral
while the integration of effects calls for synchronization of Movement, Execution, Collection, Exfiltration and C2. The
cyber and non-cyber effects, and the request of effects, outcome, as depicted in Figure 5, can be used to inform the
normally blind from the underlying providing weapons. functional decomposition of the ‘Deliver offensive cyber
A partial Level 1 to 5 decomposition of ‘Conduct effects’ Level 5 function.
Cyberspace Operations’ can be seen in Figure 4, while the full
decomposition is available in [9].
There is not much publicly available information on the
Level 5 function ‘deliver offensive cyber effects’. Delivery of
offensive cyber effects attempts to exploit vulnerabilities to
create effects that interfere with the ability of their victims to
carry out military or other tasks [15]. The US Air Force Space
Command Functional Concept for Cyberspace Operations [16]
describes force application in combat operations in, through,
and from cyberspace to achieve military objectives, and
influence the course and outcome of conflict by taking decisive
actions against approved cyberspace or other data/information
infrastructure targets. While a valuable description, it says little
about the actual functional process to deliver those effects. Figure 5. Functional decomposition of ‘Deliver Offensive Cyber Effects’.
677
Milcom 2018 Track 4 - System Perspectives
and mission threads), enable the production of the capability functional analysis should be capable to model and describe
architectures supporting capability development and any and all of the options and their combinations to make sure
acquisition. it serves as a vehicle to de-conflict roles and responsibilities
among NATO organizations, NATO and the nations, and
between those and any external (civilian or military) partner.
REFERENCES
[1] DPRC-WP(2016)0003-REV14 (INV)-FINAL, Warsaw Summit
Communiqué, Item #70. July 2016. Available at
https://www.nato.int/cps/ic/natohq/official_texts_133169.htm.
[2] Springer Publishing, “Cyber Defence and Situational Awareness”,
Volume 62, 2014
[3] AAP-06. NATO Glossary of Terms and Definitions. Edition 2018. URL
http://nso.nato.int/nso/zPublic/_BranchInfo/Terminology_Public/Non-
Classified%20NATO%20Glossaries/AAP-6.pdf.
[4] Engel, R. “Guidelines for Human Factors Engineering Requirements for
Canadian Forces Command and Control Information Systems”. DCIEM
No 98-CR-20, Department of National Defence, Government of Canada,
April 1998. URL http://cradpdf.drdc-
rddc.gc.ca/PDFS/zbb62/p508761.pdf.
[5] MIL-HDBK-46855. Human Engineering Requirements for Military
Systems, Equipment and Facilities. US Department of Defense. 24 May
2011. URL http://everyspec.com/MIL-HDBK/MIL-HDBK-9000-and-
Up/MIL-HDBK-46855_24733/.
Figure 6. The role of the functional analysis in the cyberspace domain, [6] Bernier, M. Perrett, K. “Mission Function Task Analysis for Cyber
capability and operations development. Defence” Technical Report, Defence Research and Development
Canada Ottawa, Ontario Canada, 11 Jul 2014. URL
In the operational dimension, the operational users http://www.dtic.mil/dtic/tr/fulltext/u2/1017005.pdf.
(Commanders and forces) will employ those capabilities [7] MC 0665 (Military Decision). NATO Military Vision and Strategy on
(material and non-material) to execute missions and operations. Cyberspace as a Domain of Operations. 23 February 2018.
The lessons identified should serve to inform the evolution of [8] ISO/IEC 2382:2015, Information Technology - Vocabulary. May 2015.
doctrine, thus completing the development life-cycle for URL https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:ed-1:v1:en.
cyberspace domain operations. [9] 6000/TSC FCR 0200/TT-180201/Ser: NU0269. Cyberspace Operations
Functional Analysis. 17 April 2018. NATO Unclassified.
[10] Alfred Thayer Mahan, “The Influence of Sea Power Upon History”
IV. FUTURE WORK Little, Brown and Company, 1894.
At the time of writing, several task analysis activities are [11] Alison Lawlor, “Strategic A2/AD in Cyberspace” Cambridge University
taking place, including the development of concepts, Press 2017.
information flows, mission threads and architectures. Those [12] Office of the US Secretary of Defense. Memorandum to the Chairman,
under-development products are already being used to inform Defense Science Board on the Final Report of the Defense Science
Board (DSB) Task Force on Resilient Military Systems, October 2012.
capability acquisition, and multiple cyber specific or cyber-
aware exercises are systematically taking place in NATO. [13] Hallingstad. G, Dandurand, L. “Communications and Information
Systems Security Capability Breakdown” Rev 4, NCIA, August 2013.
Those activities will certainly allow for the validation and NATO Unclassified.
enhancements of the functional analysis, towards eventual [14] National Institute of Standards and Technology. Framework for
formal adoption. At the same time, the functional analysis and Improving Critical Infrastructure Cybersecurity. Version 1.1. April 16,
the derived capability breakdown are being used as the basis 2018. URL
for structured scorecards to enable baselining NATO and https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
national capabilities, and evaluating their evolution overtime, if [15] Libicki, M. “Cyberspace Is Not a Warfighting Domain” I/S: a Journal of
so desired. Law and Policy. Vol. 8:2, 2012. URL
http://moritzlaw.osu.edu/students/groups/is/files/2012/02/4.Libicki.pdf.
[16] Air Force Space Command Functional Concept for Cyberspace
V. CONCLUSIONS Operations. June 2010. URL https://info.publicintelligence.net/USAF-
CyberspaceOpsConcept.pdf.
Engineering methodologies are very useful approaches to
[17] Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin. Intelligence-
develop a brand-new, science and technology heavy domain of Driven Computer Network Defense Informed by Analysis of Adversary
operations. The functional analysis of cyberspace operations is Campaigns and Intrusion Kill Chains. 2010. URL
a great modelling tool to answer the question of ‘what’ the https://www.lockheedmartin.com/content/dam/lockheed-
Commander needs to do to conduct an operation in/through martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-
cyberspace. The functional analysis needs to be complemented Defense.pdf.
with a number of other products to provide a domain-wide [18] B. Strom, J. Battaglia, M. Kemmerer, W. Kupersanin, D. Miller, C.
Wampler, S. Whitley, R. Wolf. Finding Cyber Threats with
BoK. This BoK should be the reference in support of ATT&CK™-Based Analytics. MITRE Technical Report MTR170202.
operations, capabilities and doctrine development. The key for The MITRE Corporation, 2017. URL
broad stakeholders’ applicability and long-term validity of the https://www.mitre.org/sites/default/files/publications/16-3713-finding-
functional analysis is to make it agnostic to nation, cyber-threats%20with%20att%26ck-based-analytics.pdf
organization, mission-type, intent and technology. The
678