IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22

"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”

A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have Sandia Labs Taxonomy:

• Hacker
• Spies
• Terrorists
• Corporate Raiders
• Professional Criminals
• Vandals
• Voyeurs

Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the off line domains may not be synonymous with the on line domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:

• Attackers
• Tool
• Vulnerability
• Action
• Target
• Unauthorized Results
• Objectives

Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the anti-terrorism taxonomies of the off line and on line domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:

• Challenge, Status, Thrill
• Political Gain
• Financial Gain
• Damage

When we move to the off line domain and are doing risk mitigation and preparedness exercises for anti-terrorism we utilize another set of words to describe and evaluate infrastructure threats and hazards.  Here are Five factors:

• Existence addresses the question of who is hostile to the assets of concern?
• Capability addresses the question of what weapons have been used in carrying out past attacks?
• History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
• Intention addresses the question of what does the potential threat element hope to achieve?
• Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?

Two years later, the Washington Post reports:

By Ellen Nakashima, Published: November 14

President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyber­attacks on the nation’s web of government and private computer networks.

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October. The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.

The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident management systems, being developed by relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.