Cyber Warfare and Enterprise Architecture

Security is a cross-cutting perspective in Enterprise Architecture, but I treat it as its own EA perspective because of its importance. And this is especially true in a law enforcement and defense readiness organization.

While security in EA is generally of a defensive nature, we must remember that as a nation, we must be ready to not only defend ourselves, but also to launch offensive operations and take out the enemy.

According to Military Information Technology Magazine, 9 April 2008, in an interview with Major General William T. Lord, the Department of Defense is standing up a new Cyberspace Command in the U.S. Air Force.

Why do we need this new Cyberspace Command?

Many threats to us emanate from cyberspace, including:

  • Cyber-criminals—looking to steal your identity or your money
  • Cyber-terrorists—“wants to disrupt, dissuade, or deter us from doing something”
  • Nation States—“some of which are out to interrupt U.S. interests anywhere in the world.”

Cyberspace is a dangerous place, especially if you’re DoD; they “get about 3 million attempted penetrations” a day!

This is why defense in depth is so important, so that if an enemy manages to get through the perimeter of our network security, we can still stop them at the second or third tiers of our defensive capabilities.

In terms of offensive capabilities, sometimes you have to take the battle to the enemy. At times, it is necessary to “disrupt an enemy prior to the conduct of kinetic combat operations, [so] that the enemy could not figure out what its command and control system was, had false data, could not see an attacking force, and was making decisions based on information systems that had been manipulated in advance of combat operations.”

To architect the defensive and offensive cyberspace capabilities necessary to combat our enemies, it is imperative to continuously build information sharing and partnership between the parties involved, such as the Departments of Defense, Homeland Security, Justice and the Director of National Intelligence. This is a core tenet of user-centric EA.

Just as we invest in the latest and greatest kinetic weapons to defeat our enemies, we must also invest in non-kinetic weapons including “our electronic warfare, space systems, and cyber-systems.” As Major General Lord stated: “it’s not always about destroying things, but about changing behavior, so that an enemy concludes that the costs of whatever they had in mind is too great and will stop. [Then again,] sometimes you have to be able to whack somebody in the nose.”

Doomsday and Enterprise Architecture

Enterprise architecture is about planning and transitioning from the baseline to the target state.

However, as architects, there are times when we need to plan for the worst and hope for the best, as the saying goes.

As the price of oil has reached and exceeded $100 a barrel and significant new findings of oil are becoming a rarity, some people are starting to get nervous and are planning for a day when oil will be scarce and pricey, and society as we have come to know it will cease to exist. Yikes, doomsday!

Are these people simply uninformed, pessimists, or non-believers that technological progress will outpace the demands we are placing on this planet’s resources?

The Wall Street Journal, 26 January 2008, reports about everyday people, like Aaron Wissner in Middleville, Michigan, a school computer teacher with a wife and infant son, who became “peak-oil aware.” This term refers to his “embracing the theory that world’s oil production is about to peak.”

These people fear the worst; “Oil supplies are dwindling just as world demand soars. The result: oil prices ‘will skyrocket, oil dependent economies will crumble, and resource wars will explode.’” Mr. Wissner’s forebodings include, “banks faltering” and “food running out.”

And they believe that we cannot stop this from happening: “no techno-fix was going to save us. Electric cars, biodiesel, nuclear power, wind and solar—none of it will cushion the blow.”

So Mr. Wissner and his family are preparing and transitioning themselves for the worst: they “tripled the size of his garden…stacked bags of rice in his new pantry, stashed gold…and doubled the size of his propane tank.”

According to the article, there are thousands of people who adhere to the peak-oil theory.

Of course, there are many doomsday scenarios out there that end in war, famine, disease, and so on. During the cold war, people built bomb shelters in their back yards, and school children had drills hiding under their desks. These days, many fear that globalization will drive this country to economic ruin. Al Gore and other environmentalists espouse the global warming theory. And since 9/11, fears are heightened about terrorists hitting us with nuclear, biological, chemical, or radiological agents. Even Hollywood has entered the fray with movies such as Armageddon about meteors hitting the Earth or The Day After Tomorrow with the greenhouse effect sending us back to the ice-age.

Whether you adhere to any of these doomsday scenarios or visions of the future (their believed target architecture, not necessarily their desired one) and how their adherents are preparing for (transitioning to) it, or you think they are just a bunch of nut-balls, it seems important as an enterprise architect to recognize that targets are not always rosy pictures of growth and prosperity for an organization, and that transition plans are not always a welcome, forward movement. Sometimes as architects, we must plan for the worst, hoping, of course, that it never comes, but nevertheless preparing the best we can. As architects, we don’t have to put all the enterprise’s eggs in one basket. We can weigh the odds and invest accordingly in different scenarios. Our organization’s resources are limited, so we must allocate resources carefully and with forethought. Of course, no architecture can save us from every catastrophe.

Fire Sale Attack and Enterprise Architecture

Fire Sale—“Matt Farrell (Justin Long), a character in the movie Live Free or Die Hard, used this term to describe the plot by Thomas Gabriel (Timothy Olyphant) to systematically shut down the United States computer infrastructure. The plan crashes the stock market, communications and utilities infrastructure, crippling America’s economy and causing nation-wide chaos. The term was coined because of the phrase “everything must go” meaning all of the world’s technology based off of a computer system, virtually everything.” (Wikipedia)

The New York Times, 4 June 2007, in an article titled “When Computers Attack,” describes how governments are preparing for the worst in terms of cyber attacks.

“Anyone who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect.”

What systems are at risk?

All computers are at risk that connect “to the Internet through the industrial remote-control technologies known as Scada systems, for Supervisory Control and Data Acquisition. The technology allows remote monitoring and control of operations like manufacturing production lines and civil works projects like dams. So security experts envision terrorists at a keyboard remotely shutting down factory floors or opening a dam’s floodgates to devastate cities downstream.”

But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? And is there really a chance it would happen at all? Whatever the answer, governments are readying themselves for the Big One.

For example, “China, security experts believe, has long probed United States networks. According to a 2007 Defense Department annual report to Congress, China’s military has invested heavily in electronic countermeasures and defenses against attack, and concepts like ‘computer network attack, computer network defense and computer network exploitation.’”

What are we doing?

The United States is arming up, as well. Robert Elder, commander of the Air Force Cyberspace Command, told reporters in Washington at a recent breakfast that his newly formed command, which defends military data, communications and control networks, is learning how to disable an opponent’s computer networks and crash its databases.

How serious is the threat of cyber attack?

“An all-out cyberconflict ‘could have huge impacts,’ said Danny McPherson, an expert with Arbor Networks. Hacking into industrial control systems, he said, could be ‘a very real threat.’”

Is our nation’s architecture prepared to secure our enterprises and this country from a fire sale-type or other cyber terrorism attack? Here are some actions that have been taken, based on a CRS Report for Congress on “Computer Attacks and Cyber Terrorism” (17 October 2003):

  • In 2002, the Federal Information Security Management Act (FISMA) was enacted, giving OMB responsibility for coordinating information security and standards developed by civilian federal agencies.
  • In 2003, The National Strategy to Secure Cyberspace was published by the administration to encourage the private sector to improve computer security for critical infrastructure.
  • DHS has established the National Cyber Security Division (NCSD) to oversee the Cyber Security National Tracking and Response Center to conduct analysis of threats and vulnerabilities, issue alerts and warnings, improve information sharing, and respond to major cyber security incidents.
  • The Cyber Warning and Information Network (CWIN) is an early warning system for cyber attacks.
  • In 2003, a new Terrorist Threat Integration Center (TTIC) was established to monitor and analyze threat information (composed of CIA, FBI, DOD, DHS, and Department of State officials).

Additionally, “The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT (http://www.us-cert.gov/) coordinates defense against and responses to cyber attacks across the nation.”

According to the CRS Report for Congress, in July 2002, the U.S. Naval War College hosted a three-day, seminar-style war game called “Digital Pearl Harbor”; 79% of participants believed that a strategic cyber attack was likely within 2 years.

While the dreaded cyber attack did not occur as feared by the war game participants, the scenario of a devastating cyber attack remains a real possibility that we must be prepared to confront and defeat.

As in the movie Live Free or Die Hard, a major cyber attack on this country could quickly bring us to our knees, if successful. We have become a nation born and bred on computers and automation. I challenge you to think of many things that you do that do not in some way involve these. We have formed a day-to-day dependency on all things computers, as individuals and as a nation.

In our enterprise architecture, we must continue to focus on comprehensive security frameworks for our organizations that address technical, managerial, and operational security areas. While the Federal Enterprise Architecture treats Security as a cross-cutting area, I believe that Security should be its own perspective (even though it crosses all domains), so that it can be given focus as an area that each and every agency and organization addresses. We must do more than create alert, warning, and reporting capabilities. We need both “computer vaccines” that can quickly cure us and rid us of the encroachment of a cyber attack, as well as hunter-killer offensive capabilities that can paralyze any warring nation or terrorist organization that would dare to attack us.

I remember hearing a saying that once something is created, it is bound to eventually be used. So it was with the atomic bomb. So it will be with cyber warfare, and we must be prepared to defend this nation.