The Army has always understood the vital importance of resilience to soldiers. Resilience is defined by the Army Recovery Care Program as “the mental, physical, emotional, and behavioral ability to face and cope with adversity, adapt to change, recover, learn, and grow from setbacks.”
Numerous studies show a direct correlation between soldiers’ resilience and their success in training, on the battlefield and after combat. Both military and civilian therapeutic treatments stress developing and strengthening resilience as key to successful treatments for trauma, depression, anxiety and other negative events.
But resilience is essential beyond human endeavors. Its benefits also extend to cyber tools. The Army has recognized the need to not only defend against cyberattacks but also to recover quickly from them. Such resilience is crucial as the Army battles multiple invisible adversaries—from the coronavirus to computer viruses—in today’s multidomain battlespace. To ensure readiness across domains, the Army has identified cyber resiliency as vital to our national defense.
Security and Hygiene
Across the military and in the private sector, we are on heightened alert for “online security” and “cyber hygiene.” Cybersecurity and cyber hygiene are largely about how to prevent a compromise or attack in the first place. Cyber resiliency, on the other hand, specifically focuses on what happens after the occurrence of an attack, such as cyber infection with a virus, malware, ransom attack, cyber compromise or other adversarial online incident. DoD defines such resilience as the ability of systems to receive, absorb, adapt and recover from an adverse occurrence.
We can look at cyber resilience through the lens of the fight against the COVID-19 pandemic. Our defense against the disease is about resilience and recognition that diseases happen. Just as we cannot guarantee a cyberattack will not occur, we cannot be secure from the emergence of new microorganisms such as viruses.
Like computer hackers, viruses change identities. They mutate. They always evolve. Because of this, we must be prepared for something new that may do something unpleasant to us. Just as we cannot be fully successful in preventing viruses from entering individual organisms and communities, we similarly cannot be fully successful in preventing attacks on our cyber world: our systems and networks.
Accomplishing the Mission
Despite hazards like bacteria and viruses, we must continue to function and live productive lives. Similarly, the Army must continue to accomplish its missions despite inevitable cyber risks. That means the nation must have the means, mechanisms and processes to contain these threats. We must overcome adversity and continue to live our normal lives and get things done that need doing. In that sense, COVID-19 helps us understand cyber resilience and how the Army is enabling it.
The Army recognizes that it must be prepared for conflicts involving technologically sophisticated competitors with significant capabilities in cyberwarfare. When the Army arrived at a new doctrine—Multi-Domain Operations—a couple of years ago, it included cyberspace as one of the preeminent domains in which a conflict will unfold. Cyber is an increasingly important and distinct battle space. Cyber also is closely integrated within other, more conventional domains.
If the competitor on a multidomain battlefield is technologically sophisticated in terms of cyber capabilities, then a potentially significant fraction of our systems could be compromised. Despite being compromised, a system will have to continue to operate. Like a soldier in the heat of combat, the system will have to continue to fulfill its mission while in active engagement with its cyber adversary.
Many conventional approaches, such as centralized monitoring, detection and response, are nearly impossible on the battlefield. With large numbers of mobile, geographically dispersed assets, often with limited size, weight and power capabilities and limited communications, the options for centralized support become limited, and local resilience becomes crucial. In a battle, even a manned combat vehicle will not have a highly qualified cyber defender and cyber responder on board.
Further, as unmanned and robotic vehicles become prominent on the future battlefield, the systems will have to exhibit a high level of resilience. This means they must have the ability to defend themselves from a cyber compromise, and continue to operate and execute the mission. As in any battle, even with somewhat diminished capacity, they must nevertheless continue to fight.
In a strange way, COVID-19 is showing us the future. COVID-19 protocols are a useful analogy to what might be done about cyber resiliency and cyber security. What we are seeing now may become the new normal, e.g., people working from homes instead of conventional office buildings, which creates numerous security challenges as well as opportunities.
As a precaution against COVID-19, citizens are told to stay home and be safe. In the cyber world, we also tell ourselves to stay home and be safe. We need to figure out which set of systems and technologies will enable us to operate from our homes, resiliently. This demands more sophisticated endpoint protections, better-protected Wi-Fi, more sophisticated use of firewalls and more distributed information technology services in our home offices.
Corporations and agencies must think about more clever ways of dealing with side channels and physical access to systems. We must consider security implications of people passing through our homes and workspaces.
As with COVID-19, we should apply the lessons of social distancing to our approach to cyber resilience. This may imply adding extra layers of indirection and automated analysis of traffic between employees and other layers of businesses.
Another protection against COVID-19, washing our hands with soap, also has a parallel in the cyber world. Such “washing” might mean more sophisticated and aggressive reimaging of devices, refreshing software more frequently, and more in-depth scanning of devices.
Citizens are told to wear masks to prevent the spread of the virus. Similarly, “masking” in the cyber world can protect a system: Do not reveal to the world what your systems and data look like. Systems should look different, even unrecognizable, in a technological mask.
Another lesson of current events is the profound value of diversity. No one can discount the value of diversity, not only in the societal world, but also in the cyber world. We must create more diverse systems that cannot be compromised all at once, and where different groups of systems can support each other. We must have the capacity to mix and match diverse systems as the situation demands. Diverse systems can work together and operate more resiliently than a collection of homogeneous systems.
Yet another lesson we can learn from COVID-19: Let’s not get too excited about unproven cures. Just as we should be careful about taking unproven medicines, even if they sound useful, piling cyber controls one on top of another doesn’t necessarily help. It may, in fact, be harmful. A combination of several cyber controls—even if each one seems useful individually—might create additional unexpected vulnerabilities. We must always test and measure cyber controls, resilience techniques and procedures, in realistic complex environments and against a broad range of sophisticated threats. That is the only way to make sure we are prepared for a cyberattack.
Therefore, as we work to develop better technologies for cyber resilience, we face a formidable challenge: the ability to measure the cyber resiliency of systems and networks in a consistent, scientifically grounded, well-engineered, meaningful way. The techniques, methods and even basic theory of these kinds of measurements are still under development.
We know from the history of technology that a technology rarely achieves major growth and success without developing an ability to measure what it does, i.e., what a specific engineered artifact produces. We cannot develop truly effective resilience mechanisms without knowing how to measure what they do.
Even when suitable and effective controls are available, the importance of preparedness cannot be overstated. Corporations and agencies must take cyber resiliency seriously. They must wargame and rehearse their responses to cyber incidents.
In addition, from the technological perspective, artificial intelligence ultimately will become an enormously important part of our approach to cyber resilience. Especially in the context of battlefield decisions that concern the Army, the service must have artificially intelligent cyber defense and resilience agents that can reside on all systems and offer a robust, effective response to a broad range of cyber compromises.
Building such advanced and diverse technologies requires efforts of multiple organizations. The U.S. Army Combat Capabilities Development Command Army Research Laboratory works on cyber-related research and development with both academia and industry research institutions in numerous ways through various channels. The lab has created regional extensions at several locations in the U.S. as part of its Open Campus business model to better engage with academia and industrial researchers. Such collaborations benefit the Army as well as the lab’s partners across government and the military.
The Army collaborates just as extensively with other services—the Navy and the Air Force in the U.S.—as well as with allies and partners internationally, particularly through NATO research activities. For example, the Army recently leveraged a NATO research activity to create a working group on autonomous agents for cyber resilience, comprising representatives from the government and military, academia and industry from the U.S. and NATO nations.
In such a broad-based, complex landscape of projects and institutions, it is possible to see some overlapping as well as complementary work. To make sure the Army avoids duplication of efforts and maximizes use of results across the research process, the Army Research Lab engages in rigorous exchanges of technical information with colleagues in other research organizations, other services and government agencies. The lab is part of the U.S. Army Futures Command and, as such, is a primary interface, particularly to the academic research community. The lab serves Futures Command as well as other U.S. defense organizations that want to engage with the U.S. academic research community, which is the largest, most productive and diverse research community in the world.
The Army Research Lab also engages with the worldwide research community, with an active presence overseas. Cyber resilience is one of the technology topics that benefits from such broad collaboration, both domestic and international.
This article is based in part on remarks presented by Alexander Kott during the Armed Forces Communications and Electronics Association’s July webinar on cyber resilience.