Manipulating information over cyber networks has become a societal weapon of choice. Compared to traditional military, diplomatic and economic instruments of state power, cyber information power has competitive advantages.
Unlike military power and similar to transnational crime, cyber influence can be projected worldwide at low cost. Unlike diplomacy and similar to customer relations, cyber can influence specific individuals. Unlike economic sanctions and similar to capital losses, cyber can instantly destroy finances. With the advent of 5G technology, artificial intelligence, and quantum computing, cyber threats come with unprecedented uncertainty. For large and small states, businesses, groups, and even individuals, the need for security plus resilience to prevent and recover from attacks is acute.
This Paper critiques cyber security and cyber resilience standards, a compliance requirement whose scope is greater than focusing on threats. The effort must be equal to competitiveness in the information environment.
(Cyber security + cyber resilience) compliance > threats; = competitiveness.
Attacks on businesses and governments at all levels include massive data breaches in large enterprises (Twitter, Marriott Hotels, MGM Resorts, Zoom, Magellan Health in 2020) and opportunistic exploitation of the COVID-19 pandemic (moral depravity of hackers and ransomware organization here). Criminal gangs offer Ransomware-as-a-service (Raas), renting customizable code via portals, followed up by extortion-inducing leak sites of victims.
Verizon’s Data Breach Investigations Report for 2020 indicates most perpetrators are financially motivated organized criminals using hacking to exploit errors and social vulnerabilities:
For 2021, The International Security Forum’s Threat Horizon anticipates the following three themes:
1 – DIGITAL CONNECTIVITY EXPOSES HIDDEN DANGERS:
1.1 5G technologies broaden attack surfaces
1.2 Manipulated machine learning sows confusion
1.3 Parasitic malware feasts on critical infrastructure
2 – DIGITAL COLD WAR ENGULFS BUSINESS:
2.1 State-backed espionage targets next-gen tech
2.2 Sabotaged cloud services freeze operations
2.3 Drones become both predator and prey
3 – DIGITAL COMPETITORS RIP UP THE RULEBOOK:
3.1 Digital vigilantes weaponize vulnerability disclosure
3.2 Big tech break up fractures business models
3.3 Rushed digital transformations destroy trust
These threats shape the information environment by setting advantageous conditions. Threats take many forms of human and machine maliciousness. The lineup includes criminal groups, transnational organizations, state-backed spies, unauthorized insiders, individual extortionists, manipulated machine learning, flawed software, and parasitic malware. The condition-setting includes imposed costs, compromised data, stolen credentials, more confusion, frozen operations, and less trust. And, get ready for artificial intelligence that writes its own code.
To deal with these threats, businesses doing business with the government have had to meet compliance standards set forth in the Department of Commerce’s National Institute of Standards and Technology Special Publication 800 series. Most of the standards are reactions to threats. The basis for the standards comes from federal regulation based in law: the Defense Federal Acquisition Regulation Supplement (DFARS) under the DoD Defense Pricing and Contracting office. The draft document NIST SP 800-172 is the latest almost-guidance relevant here. The document is updated with enhanced protection across 14 inter-related “security requirement families”:
Following the experience-based advice provided by cyber security expert Jennifer Kurtz of Manufacturers Edge, we can group these families, which are potential targets, based on interrelationships:
Enter the Cybersecurity Maturation Model Certification from the Department of Defense. This new process unifies the above NIST standards, adds three more (Asset Management, Recovery, Situational Awareness), and regards them as capability domains. So let’s rearrange our constellation of 17 domains in two new ways, by grouping:
Contractors who deal with Federal Contract Information (FCI) or Confidential Unclassified Information (CUI) must meet at least CMMC level 3. This effort requires active management and documentation of cyber hygiene performance:
The highest levels, 4 and 5, intend to protect contractors from advanced persistent threats (APTs). APTs are cyber predators supported by governments such as the Peoples’ Republic of China, the Islamic Republic of Iran, the Democratic Republic of North Korea, and the Russian Federation. Here is the draft NIST SP 800-172’s definition of an APT:
An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception.
In light of these threats and our compliance mandate, a key concern for any business is how to prevent and recover from threats without undermining a proactive, competitive culture. Businesses need to make operational decisions while under attack, and on a larger scale and broader scope than ever before. Any information sharing infrastructure, such as spectrum sharing between commerce and defense, risks cyber attack. At the same time, new technologies and relationships can produce competitive advantages. Market uncertainties include vulnerabilities. Even a small business that manufactures one component is subject to effects from suppliers of suppliers’ attack surfaces. Of the nearly quarter of a million Department of Defense contractors who need to achieve CMMC, over 160,000 are small businesses. The NIST Manufacturing Extension Partnership (MEP) that helps grow competitiveness via Centers responsible for groups of states. Manufacturers Edge is the catalytic organization in Colorado:
Colorado is one of ten MEP centers to receive NIST funding to lead the creation of cyber security competency in preparation for CMMC. Colorado MEP will be responsible for Montana, North Dakota, South Dakota, Wyoming and Utah, in partnership with the principal investigator for this NIST project, California Manufacturing Technology Consulting.
Compliance lends itself to checklists, schedules, and assessments to ensure accountability. Companies quickly hone in on how many points auditors will deduct for failing to meet a requirement. Some will negotiate diluting requirements (“this is FCI, not CUI”) and opting out of them altogether. For anyone familiar with running checklists in contested space, the leadership challenge is to frame the importance of detailed procedures for mission objectives in a threat environment. In military aviation for instance, robust standardization and evaluation (checkrides) and safety programs exist to support the mission. Safety is not the highest priority by itself; fulfilling the mission is the top priority while defeating or at least mitigating threats. This proactive perspective is similar to that expected at the highest levels of CMMC.
DFARS, NIST and CMMC standards must be complied with (DFARS, NIST) or conformed to (CMMC) at the level of objectives, but without losing overall situational awareness (SA) of the threat environment. We are not aware of any CMMC objectives yet, just the 110 NIST SP 800-171 (Revision 2) controls and 20 added enhancements. Most of those appear to be addressed by NIST 800-171A. The enhanced security requirements below focus on penetration-resistant architecture, damage-limiting operations, and cyber resilience survivability. Contrary to the first bullet’s claim, most of the enhancements do not appear to be threat-centric:
Instead of a threat-centric approach to cybersecurity and resilience, we see a population-centric approach. As in a counterinsurgency strategy. Insurgents attempt to overthrow governments. How? By obtaining passive or active support form the population. Best practices of counterinsurgency focus on protecting the population first, and eliminating irreconcilable insurgents second. We need both. With that in mind, let’s look at the bullets below. The left side concisely states the NIST 800-172 security enhancements listed above. The right side shows a few ways to secure a population from insurgent threats.
What’s the relevance of counterinsurgency strategy to cyber threats? In both cases, threats embed themselves in a population. They exploit grievances, identities, and practices. They go where there is weak governance and lack of control. They exercise patience and opportunism, then attack and recede into the population.
Population-centric compliance is about improving Situational Awareness of the information environment, which also enhances threat awareness. SA is now a CMMC capability domain, and needed to conduct business in the presence of any threat, known and unknown. Threats include analytics-driven and artificial intelligence-guided predators that steal, disrupt or manipulate data to damage a business’ bottom line. Level 3 targets are far from being immune to attack. Certainly, threats will attack those who are not expected to be proactive.
The distinction between threat and environment may seem to be a fine point, but it’s all too easy to fixate on running checklists against threats thereby losing sight of the environment. Using analytics to characterize the information environment can identify opportunities to influence a population and its infrastructure. Dr Ron Machoian’s insightful ISCL Paper #4 on situational awareness comes to mind. Ron challenges analysts to go beyond current perceptions of what is going on, and seek broader comprehension of how and why. Then, project that situation into the future (Mica Endsley’s model on dynamic decision making). To do this, we have to proactively comply with government standards, standards that are necessary but insufficient to surviving in a hyper competitive, uncertain environment.
What to do, in a resource-constrained world where one overlooked malware attack can destroy a business?
All businesses seek reasonable security, a balance among various risks. We confront trade-offs, such as adding security controls instead of investing in encrypted capability. Depending on our vulnerabilities and what we know or anticipate about threats, we set priorities on which standards to meet minimally, and where to spend more. As emphasized above, government cyber security and cyber resilience standards require strict oversight of necessary processes and practices. In general, companies will seek to develop a culture of internal transparency and caution. This involves controlling areas and their systems (mobile devices, servers, desktop computers, e.g.). Resolving the security requirements of this architecture with the need to expand business opportunities requires leadership with competitive vision.
A Table-Top Exercise (TTX) is one way to envision and clarify major decisions to be made. Another way is to look at historical cases such as those in NIST‘s Small Business Cybersecurity Corner. Let’s assume that businesses plan and conduct relations employing instruments of influence to attain the greatest wealth, which we describe as Revenue and Reputation (R2). Broadly speaking, available assets are investment capital, human capital, fixed capital, and cyber defense capabilities. We’ll refer to these types of capital as wealth management.
In the context of protecting and securing wealth management, a business needs to anticipate three basic types of cyber attacks—insider, phishing, and ransomware. These threats to your business may be an integral part of a predator’s business operation. What are the typical costs of each type of attack? For the purposes of discussing impact and what to do, we’ve assumed the following costs:
Often the attacks are combined, a “competitive strategy” (Shulsky in Mahnken, 178) that induces a target to spend more on resources that benefit the attacker.
Many ransomware attacks start with phishing. From Figure 1 we see that nearly a third of data breaches involve an insider. Social engineering may be required to dupe the insider. There are many other possibilities, ranging from a large-scale botnet attack such as distributed denial of service, to a specific app-based attack such as Zoom-bombing.
By outlining three basic attack vectors and assigning an anticipated cost to R2, a business can discuss where to invest and what to put in actual plans. Of course a business is not really interested in a typical cost of each attack, but rather the cost on that business. By discussing the typical costs, we hope to stir up conversations that otherwise might not happen. In contrast to a victim, an attacker’s losses tend to be minimal. A reasonable conjecture is that an attacker risks the following losses of R2 if detected, revealed, and prosecuted:
Cyber defense can be considered to be in two categories–general purpose and specialized. Let’s take CMMC-provided government standards as the general purpose requirements. What else does a business need?
We need to make informed assumptions about the effectiveness of such general purpose cyber defense. Let’s assume that the effectiveness of CMMC standards against all types of cyber attack is 1 unit of a your business’ R2. Actual effectiveness needs to be assessed, but this rule gets us to compare defenses to attacks. What about specialized cyber defense? For that, let’s assume that a business must decide to: (1) upgrade systems and components (encryption) and (2) implement less expensive controls (dual authorization and monitoring).
To clarify this investment decision, we compare Figure 3 (CMMC Capability Domains, Grouped by Relationships) to the eight enhanced security requirements. Our rough determination yields the following two groups: (1) upgraded systems; and (2) controls:
As you can see in Figure 6 above, the only “system or control” decisions that we fudged were Situational Awareness and Asset Management. Depending on the investment decisions made to enhance the other 15 capability domains, Situational Awareness (SA) and Asset Management (AM) could be a 1 or 2. Our assumption here is that SA and AM flow from the other decisions. For the purpose of this exercise, we categorize each capability domain as an enhancement of systems (including components) or as an enhancement of controls.
Next, let’s establish the effectiveness of each specialized cyber defense against the three types of cyber attack. To do that, we consider the 17 capabilities to be cyber defense. These capabilities require six functions: management, security and protection; which work through people, policies and technology (thanks to Jennifer Kurtz for the last three). We expect the effectiveness of the first three functions against the three main types of threats to be as follows, in order of most effective to least effective:
This is a working hypothesis, so we’ll look at the enhanced security requirements for CUI listed for each CMMC capability domain. From that review, we built a cross-reference table, looking for gaps. Instead, we found a way to display interdependence among capabilities and responsibilities:
Enhanced Security Requirements for CUI
3.1.1 Dual authorization
3.1.2 Restricted access
3.1.3 Controlled information flows
3.2.1 Awareness training
3.2.2 Practical exercises with threat scenarios
3.3 No enhanced security requirements
3.4.1 Authoritative source and repository
3.4.2 Automated detection
3.4.3 Automated inventory
3.5.1 Crypto-based replay-resistant ID/authentication
3.5.2 Automated password management
3.5.3 Procedures for trusted connections
3.6.1 Security operations center
3.6.2 Cyber incident response team
3.7 No enhanced security requirements
3.8 No enhanced security requirements
3.9.1 Personnel screening/reassessment
3.9.2 CUI protections for adverse information
3.10 No enhanced security requirements
3.11.1 Threat intelligence to risk
3.11.2 Cyber threat hunting
3.11.3 Automated analytics
3.11.4 Security solution and risk
3.11.5 Security solution effectiveness
3.11.6 Supply chain risks
3.11.7 Supply chain risks plan
3.12.1 Penetration testing
3.13.1 Diversity of systems
3.13.2 Disrupt attack surface
3.13.3 Confuse and mislead adversaries
3.13.4 Physical and logical isolation techniques
3.14.1 Root of trust/ cryptographic verification
3.14.2 Monitor for anomalies
3.14.3 Operational technology to detect/cause change
3.14.4 Refresh from known/trusted state
3.14.5 Review/purge CUI
.
.
.
.
No enhanced security requirements
are available for
Recovery,
Asset Management,
and Situational Awareness
We tried to not put an X in every square, but each capability domain’s practices were broad, not narrow.
Here are five observations. First, Management is required for all domains—the active oversight of responsibilities. Second, Security and Protection cannot be separated—a reduction in one weakens the other. Third, People are extensively involved—there seem to be less people required for Configuration Management and Asset Management, however. Fourth, Policies are absent in Situational Awareness—managerial oversight covers that anyway. The same coverage decisions apply elsewhere, too. Fifth, depending on how one values confidentiality, integrity, and availability of information (the “security triad”) one would mark different X’s throughout the template — such as exchanging Management for Technology, or vice versa.
With this matrix of relationships and the details of each practice (the NIST discussion includes protection strategies and effects on adversaries), business teams can discuss the capabilities and responsibilities needed to counter or recover from each type of attack.
For the sake of space here, consider “Phishing an Insider for Ransom.” Phishing can involve social engineering of an Insider who clicks on a hyperlink and downloads malware onto a connected portable device. That action enables ransomware to penetrate a system, leading to an attacker’s demands for payment(s) otherwise data will be permanently stolen, etc.
At a minimum, the capabilities needed to stop this chain of events include: Access Control to the victim; Awareness & Training to recognize a phishing attempt; Media Protection and Configuration Management enforcement to prevent ransomware insertion; and Incident Management and Recovery to limit further damage. The latter might include persistent extortion and actual or feigned long-term surveillance.
For this scenario, it’s clear that knowledge about specific threats is necessary but insufficient to think through what to do. We need situational awareness of these interdependent capabilities and responsibilities in order to counter and recover from threats.
The sheer variety of cyber threats complicates the defense’s task in characterizing attacks. Here are some common attack vectors from NIST SP 800-61r2: external or removable media (infected USB); attrition (brute force); web (cross-site scripting); email (malicious link); impersonation (rogue wireless access points); improper usage (unauthorized file-sharing); loss or theft of equipment (authentication token); and of course, other (insider social engineering). Recognizing known and anomalous tactics, techniques and procedures (TTP) is vital to correlating threat sources and attributing intent.
Threat variety also expands the ways adversaries can shape the information environment. Shaping activities may occur as preparation for attacks, influence operations, or covert surveillance. Furthermore, attackers combine desired effects, specific targets, attack tools, and ways of access. So we might not see a TTP match. However by analyzing our information environment, we can anticipate and profile competitive, combined strategies whose strengths are suited to exploit vulnerabilities.
For instance, if: our employee awareness & training activities are substandard even for one individual; and transfer points between process owners and users are unspecified; and our third party host’s security does not include encryption or data backups or reporting breaches; then the following threat should be anticipated. An attack to steal financial data targets the database with a banker trojan horse that gains access via social engineering an insider into revealing credentials. This logic can be programmed or learned by trained artificial intelligence.
If attackers know your level of CMMC compliance, they know your practices. Clever attackers don’t take a target-centric approach. They look at structures, connections and technologies across the information environment to identify vulnerable populations. With broad intelligence on the information environment—such as systems, sub-systems, and human profiles— an attacker can mix a cyber cocktail just for you.
No checklist can prepare us for all possible threats. However, inclusive templates that explain the significance of standards can improve situational awareness. To shape that environment to our advantage, we need to map linkages among capability domains, know our routines and responsibilities compared to threat patterns, look for trends and anomalies, and interrupt adversary condition-setting.
In this regard CMMC levels 4 and 5 consist of proactive activities against threats, but need to include how threats assess and shape the information environment. What is the threat environment—is part of the architecture overseas? Is there transparent and enforced rule of law? What are the supply chain characteristics and vulnerabilities? These large questions lead to smaller ones, just as important. For instance, if you de-identify information to share it with a vendor, what evidence do you have about third-party security practices? All of these factors are risks to wealth management, cyber security and cyber resilience.
Empowering employees to share data and make decisions can be a comparative advantage in competitive information environments. What does this mean? For a manufacturer, production floor employees may not even be using computers, so area-level controls are appropriate. Such as managing physical access control, entry barriers, and segmentation. For employees who interface with digitized data, access control should add firewalls, multi-factor identification, hard-wires, and encrypted wireless systems. Determining who needs what information is an indirect control within which employee initiative can roam free.
How free? That depends on leadership. There are many tools with which to make data and analytics-driven decisions (see Tenable, for instance). Which decisions to centralize and which to delegate is an important issue. Meanwhile a “pass-the-CMMC-audit” culture will perpetuate an existing system security plan (SSP). A SSP is a huge effort, a comprehensive description of all of security controls. This situation incentivizes easy, incremental changes. To incentivize bold change, leaders should ensure that employees know: (a) the CMMC standards that apply to their functions, and (b) the company’s vision and commitment to them. This responsibility implements CMMC processes and practices and rewards improvements. An incentive program should include proposals to improve existing ways of doing things as well as making big changes. After all, a leader’s vision needs to be broad enough to see more opportunities than adversaries see.
Overall, these considerations provide a combined perspective on the information environment, a lens for framing the details of compliance and focusing on proactive competition.
Thanks to Jennifer Kurtz of Manufacturer’s Edge, whose knowledge and courses provide many businesses the opportunity for continuous improvement.