Proactive cyber defence

Proactive cyber defense, means acting in anticipation to oppose an attack through cyber and cognitive domains.^[1] Proactive cyber defense can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence.

Proactive cyber defense differs from active defence, in that the former is pre-emptive (does not waiting for an attack to occur). Furthermore, active cyber defense differs from offensive cyber operations (OCO) in that the latter requires legislative exceptions to undertake. Hence, offensive cyber capabilities may be developed in collaboration with industry and facilitated by private sector; these operations are often led by nation-states.

Methods & Aims[edit]

Common methods of proactive cyber defense include cyber deception, attribution, threat hunting and adversarial pursuit. The mission of the pre-emptive and proactive operations is to conduct aggressive interception and disruption activities against an adversary using: psychological operations, managed information dissemination, precision targeting, information warfare operations, computer network exploitation, and other active threat reduction measures.

The proactive defense strategy is meant to improve information collection by stimulating reactions of the threat agents and to provide strike options as well as to enhance operational preparation of the real or virtual battlespace. Proactive cyber defence can be a measure for detecting and obtaining information before a cyber attack, or it can also be impending cyber operation and be determining the origin of an operation that involves launching a pre-emptive, preventive, or cyber counter-operation.

The offensive capacity includes the manipulation and/or disruption of networks and systems with the purpose of limiting or eliminating the adversary's operational capability. This capability can be required to guarantee one's freedom of action in the cyber domain. Cyber-attacks can be launched to repel an attack (active defence) or to support the operational action.

Cyber defense[edit]

Strategically, cyber defence refers to operations that are conducted in the cyber domain in support of mission objectives. The main difference between cyber security and cyber defence is that that cyber defence requires a shift from network assurance (security) to mission assurance. Cyber defence focuses on sensing, detecting, orienting, and engaging adversaries in order to assure mission success and to outmanoeuver the adversary. This shift from security to defence requires a strong emphasis on intelligence, and reconnaissance, and the integration of staff activities to include intelligence, operations, communications, and planning.

Defensive cyber operations refer to activities on or through the global information infrastructure to help protect an institutions' electronic information and information infrastructures as a matter of mission assurance. Defensive cyber does not normally involve direct engagement with the adversary.

Active cyber operations refers to activities on the global information infrastructure to degrade, disrupt, influence, respond, and interfere with the capabilities, intentions, and activities of a foreign individual, state, organization, and terrorist groups. Active cyber defence decisively engages the adversary and includes adversarial pursuit activities.

History of the term proactive[edit]

In the fifth century, B.C., Sun Tzu advocated foreknowledge (predictive analysis) as part of a winning strategy. He warned that planners must have a precise understanding of the active threat and not "remain ignorant of the enemy's condition". The thread of proactive defense is spun throughout his teachings. Psychiatrist Viktor Frankl was likely the first to use the term proactive in his 1946 book Man's Search for Meaning to distinguish the act of taking responsibility for one's own circumstances rather than attributing one's condition to external factors.

Later in 1982, the United States Department of Defense (DoD) used "proactive" as a contrary concept to "reactive" in assessing risk. In the framework of risk management "proactive" meant taking initiative by acting rather than reacting to threat events. Conversely "reactive" measures respond to a stimulus or past events rather than predicting the event. Military science considers defence as the science-art of thwarting an attack. Furthermore, doctrine poses that if a party attacks an enemy who is about to attack this could be called active-defence. Defence is also a euphemism for war but does not carry the negative connotation of an offensive war. Usage in this way has broadened the concept of proactive defence to include most military issues including offensive, which is implicitly referred to as active-defence. Politically, the concept of national self-defence to counter a war of aggression refers to a defensive war involving pre-emptive offensive strikes and is one possible criterion in the 'Just War Theory'. Proactive defence has moved beyond theory, and it has been put into practice in theatres of operation. In 1989 Stephen Covey's study transformed the meaning of proactive as "to act before a situation becomes a source of confrontation or crisis".^[2] Since then, "proactive" has been placed in opposition to the words "reactive" or "passive".

Origins[edit]

Cyber is derived from "cybernetics", a word originally coined by a group of scientists led by Norbert Wiener and made popular by Wiener's book of 1948, Cybernetics or Control and Communication in the Animal and the Machine.^[3] Cyberspace typically refers to the vast and growing logical domain composed of public and private networks; it means independently managed networks linked together the Internet. The definition of Cyberspace has been extended to include all network-space which at some point, through some path, may have eventual access to the public internet. Under this definition, cyberspace becomes virtually every networked device in the world, which is not devoid of a network interface entirely. With the rapid evolution of information warfare operations doctrine in the 1990s, we have begun to see the use of proactive and preemptive cyber defence concepts used by policymakers and scholars.

Current status[edit]

The National Strategy to Secure Cyberspace, a book written by George W. Bush, was published in February 2003 outlining the initial framework for both organizing and prioritizing efforts to secure the cyberspace. It highlighted the necessity for public-private partnerships. In this book, proactive threads include the call to deter malicious activity and prevent cyber attacks against America's critical infrastructures.

The notion of "proactive defence" has a rich history. The hype of "proactive cyber defence" reached its zenith around 1994, under the auspices of Information Warfare. Much of the current doctrine related to proactive cyber defence was fully developed by 1995. Now most of the discussions around proactive defence in the literature are much less "proactive" than the earlier discussions in 1994. Present-day proactive cyber defence strategy was conceived within the context of the rich discussion that preceded it, existing doctrine and real proactive cyber defence programs that have evolved globally over the past decade.

As one of the founding members of Canada's interdepartmental committee on Information Warfare, Dr. Robert Garigue and Dave McMahon pointed out that "strategic listening, core intelligence, and proactive defence provide time and precision. Conversely, reacting in surprise is ineffective, costly and leaves few options. Strategic deterrence needs a credible offensive, proactive defence and information peacekeeping capability in which to project power and influence globally through Cyberspace in the defence of the nation. Similarly, deterrence and diplomacy are required in the right dosage to dissuade purposeful interference with the national critical cyber infrastructures in influence in the democratic process by foreign states.^[4]

Vulnerabilities equities[edit]

Intelligence agencies, such as the National Security Agency, were criticized for buying up and stockpiling zero-day vulnerabilities and keeping them secret and developing mainly offensive capabilities instead of defensive measures and, thereby, helping patch vulnerabilities.^[5]^[6]^[7]^[8] This criticism was widely reiterated and recognized after the May 2017 WannaCry ransomware attack.^[9]^[10]^[11]^[12]^[13]^[14]

Proactive pre-emptive operations[edit]

The notion of a proactive pre-emptive operations group (P2OG) emerged from a report of the Defense Science Board's (DSB) 2002 briefing. The briefing was reported by Dan Dupont in Inside the Pentagon on September 26, 2002, and was also discussed by William M. Arkin in the Los Angeles Times on October 27, 2002.^[15] The Los Angeles Times has subsequently quoted U.S. Secretary of Defense Donald Rumsfeld revealing the creation of the "Proactive, Pre-emptive Operations Group". The mission was to conduct Aggressive, Proactive, Pre-emptive Operations to interdiction and disruption the threat using: psychological operations, managed information dissemination, precision targeting, and information warfare operations.^[16] Today, the proactive defence strategy means improving information collection by stimulating reactions of the threat agents, provide strike options to enhance operational preparation of the real as well as virtual battle space. The P2OG has been recommended to be constituted of one hundred highly specialized people with unique technical and intelligence skills. The group would be overseen by the White House's deputy national security adviser and would carry out missions coordinated by the secretary of defence. Proactive measures, according to DoD are those actions taken directly against the preventive stage of an attack by the enemy.

References[edit]

^ PricewaterhouseCoopers. "Proactive cyber defence and detection". PwC. Retrieved 2022-10-30.
^ Covey, Stephen (1991). "The seven habits of highly effective people". National Medical-Legal Journal. 2 (2). UT: Covey Leadership Center: 8. PMID 1747433.
^ Wiener, Norbert (1948). Cybernetics or Control and Communication in the Animal and the Machine. MIT press.
^ "Information Warfare 2.0".
^ Schneier, Bruce (24 August 2016). "New leaks prove it: the NSA is putting us all at risk to be hacked". Vox. Retrieved 5 January 2017.
^ "Cisco confirms NSA-linked zeroday targeted its firewalls for years". Ars Technica. 17 August 2016. Retrieved 5 January 2017.
^ Greenberg, Andy. "The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days". WIRED. Retrieved 5 January 2017.
^ "Trump Likely to Retain Hacking Vulnerability Program". Bloomberg BNA. Archived from the original on 5 January 2017. Retrieved 5 January 2017.
^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. Retrieved 12 May 2017.
^ Heintz, Sylvia Hui, Allen G. Breed and Jim (14 May 2017). "Lucky break slows global cyberattack; what's coming could be worse". Chicago Tribune. Retrieved 14 May 2017.{{cite web}}: CS1 maint: multiple names: authors list (link)
^ "Ransomware attack 'like having a Tomahawk missile stolen', says Microsoft boss". The Guardian. 14 May 2017. Retrieved 15 May 2017.
^ Storm, Darlene (2017-05-15). "WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight". Computerworld. Retrieved 2017-05-17.
^ Smith, Brad (14 May 2017). "The need for urgent collective action to keep people safe online". Microsoft. Retrieved 14 May 2017.
^ Helmore, Edward (13 May 2017). "Ransomware attack reveals breakdown in US intelligence protocols, expert says". The Guardian. Retrieved 14 May 2017.
^ "Do Examines "Preemptive" Intelligence Operations". Secrecy News. October 28, 2002.
^ Arkin, William M. (Oct 27, 2007). "The Secret War". Los Angeles Times.
^ Clarke, Richard; Knake, Robert (2011). Cyber War: The Next Threat to National Security and What to Do About It.
^ Organski, A.F.K.; Kugler, Jacek (1980). The War Ledger.
^ Akdag, Yavuz (2019-06-01). "The Likelihood of Cyberwar between the United States and China: A Neorealism and Power Transition Theory Perspective". Journal of Chinese Political Science. 24 (2): 225–247. doi:10.1007/s11366-018-9565-4. ISSN 1874-6357. S2CID 158222548.
^ Davis, Elizabeth (2021). Shadow Warfare: Cyberwar Policy in the United States, Russia and China. Rowman & Littlefield.
^ Zhang, Li (2012). "A Chinese perspective on cyber war". International Review of the Red Cross. 94 (886): 801–807. doi:10.1017/S1816383112000823. S2CID 144706963.

Sources[edit]

"A Proactive Holistic Approach To Strategic Cyber Defense"., Bradley J. Wood, O. Sami Saydjari, Victoria Stavridou PhD., SRI International
"APT0 Study on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity" (PDF). Communication Security Establishment, Bell Canada and Secdev Cyber Corp. 31 Mar 2011.
"APT1 Exposing One of China's Cyber Espionage Units" (PDF). Mandiant. 2004.
Arquilla; Ronfeldt. "Cyberwar is Coming, RAND corporation". Journal of Comparative Strategy. 12.
"Combating Robot Networks and Their Controllers: PSTP08-0107eSec (PSTP)". Bell Canada. 6 May 2010.
"Best Practices in Computer Network Defense: Incident Detection and Response".
Busey IV, Adm. James B., USN (Ret.) (October 1994). "Information Warfare Calculus Mandates Protective Actions, Presidents Commentary". Signal. AFCEA: 15.{{cite journal}}: CS1 maint: multiple names: authors list (link)
Campen, Alan D., ed. (October 1992). "The First Information War". Fairfax, VA: AFCEA International Press.
"Challenges for inter-governmental and multilevel governance of the IoE, 2017". Clairvoyance Cyber Corp.
"Cyber Forechecking". Frontline Magazine. Clairvoyance Cyber Corp. 2017.
"Information Warfare 2.0, Cyber 2017". Clairvoyance Cyber Corp.
"Combating Robot Networks and Their Controllers: PSTP08-0107eSec 06 May 2010 (PSTP)".
"ACritical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies". by Tyson Macaulay (Author) BN-13: 978-1420068351
"Defensive Information Warfare (DIW) Management Plan". l.2. Defense Information Systems Agency. 15 August 1994. 4 sections and Appendices.
Directorate of Army Doctrine Update: Information Operations Doctrine Review, Sep 2005
Future Security Environment 2025 (FSE) Supreme Allied Commander Transformation Branch Head Strategic Analysis / Intelligence Sub-Division
Garigue, Lieutenant(N) R. (10 July 1995). "Information Warfare: Developing a Conceptual Framework". Draft Ver 2.0 for Discussion, SITS/ADM(DIS).
Garigue, Robert. "Canadian Forces Information Warfare- Developing a Conceptual Framework 1994".
Garigue, Robert; Mackie, Andrew (16 April 1999). "From Provincial Action to National Security: A National Information Protection Agenda for Securing Government in Cyberspace, CIO Conference, Information Protection and Assurance White Paper".
Garigue, Robert (1992). "On Strategy, Decisions and the Evolution of Information Systems". DSIS DND Government of Canada.
Garigue, Robert. "Information Warfare: Developing a conceptual framework. A discussion paper". Archived from the original on 2000-08-18. Retrieved 2019-07-03.
Garigue, Robert (1995). "Information Warfare — Theory and Concepts, Ottawa: Office of the Assistant Deputy Minister — Defense Information Services, DND, Government of Canada Report".
Garigue, Robert (1992). "On Strategy, Decisions and the Evolution of Information Systems. Technical Document. DSIS DND Government of Canada".
Government Accounting Office. Technology Assessment: Cyber security for Critical Infrastructure Protection. May 2004 (http://www.gao.gov/new.items/d04321.pdf)
Garigue, Dr. Robert (1993). "Information Warfare, Developing a Conceptual Framework".
Macaulay, Tyson— Critical Infrastructure: Understanding its Component Parts, Interdependencies, Vulnerabilities and Operating risks, 700 pages Auherbach publishing, June 2008
Macaulay, Tyson— Security Converged IP Networks: New requirements for information and Communications Technology Security and Assurance, 300 pages, Auherbach publishing, June 2006
McMahon, Dave, Rohozinski, Rafal - Combating Robot Networks and their Controllers, Bell Canada and the Secdev Group, 750 pages, August 2004
McMahon, Dave, Rohozinski, Rafal - Dark Space Report, Bell Canada and the Secdev Group 600 pages, December 2012
McMahon, Dave, - A Canadian National Proactive Defense Strategy, Bell Canada, 800 pages, August 2004
McMahon, Dave (2014). "Think Big on Secdev" (PDF). Cyber Corp.
McMahon, David, Cyber Threat: Internet Security for Home and Business, Hardcover – Oct 1 2000
National Infrastructure Security Coordination Center NISCC Briefing 08/2005 Issued 16 June 2005, Targeted Trojan Email Attacks, Titan Rain
NATO Cooperative Cyber Defence Centre of Excellence
NATO Cooperative Cyber Defence Centre of Excellence, Tallinn Manual on the International Law Applicable to Cyber Warfare 2013
"Best Practices in Computer Network Defense: Incident Detection and Response". NATO.
Network Centric Warfare: Developing and Leveraging Information Superiority, David S. Alberts, John J. Garstka, Frederick P. Stein, DoD C4ISR Cooperative Research Program, February 2000
Networks and Netwars: The Future of Terror, Crime, and Militancy, Edited by: John Arquilla, David Ronfeldt, RAND Corporation, 1999
Omand, Sir David, Jamie Bartlett & Carl Miller, “Introducing Social Media Intelligence (SOCMINT)” published: 28 Sep 2012.
Proactive Cyber Defense and the Perfect Storm. www.cyberthreat.ca David McMahon 19 April 2008
""GhostNet" was a large-scale cyber spying operation discovered in March 2009" (PDF). Secdev.
Secdev, “Shadows in the Cloud”. A complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. http://www.nartv.org/mirror/shadows-in-the-cloud.pdf
https://ccdcoe.org/cyber-definitions.html Archived 2016-03-08 at the Wayback Machine
Office of Homeland Security; The National Strategy to Secure Cyberspace, February 2003
Office of Information Assurance and Critical Infrastructure Protection Federal Technology Service General Services Administration Before the Subcommittee On Terrorism Technology And Government Information Committee On Judiciary And The United States Senate July 25, 2001
Schwartau, Winn. "Information Warfare — Chaos on the electronic superhighway "Thunder's Mouth Press, New York, 1994
Science Application International Corporation (SAIC), "Planning Considerations for Defensive Information Warfare — Information Assurance -", 16 December 1993, 61 pages.
Taipale, K.A. Executive Director, Center For Advanced Studies NYLS, Bantle (March 29–30, 2006). "Seeking Symmetry In Fourth Generation Warfare: Information Operations In The War Of Ideas". INSCT Symposium.{{cite journal}}: CS1 maint: multiple names: authors list (link)
Subcommittee on Emerging Threats and Capabilities, Committee on Armed Services United States Senate Hearing on Cyber Security and Critical Infrastructure Protection, Martin C. Faga, Executive Vice President, The MITRE Corporation, March 1, 2000
Toffler, Alvin, and Heidi Toffler. War and Anti-War. New York: Warner Books, 1995. 370pp. (U102 .T641 1995)
What Works in Implementing the U.S. National Strategy to Secure Cyberspace Case Studies of Success in the War on Cyber crime and Cyber Espionage, A SANS Consensus, Document Version 1.0 December 10, 2007

[1] PricewaterhouseCoopers. "Proactive cyber defence and detection". PwC. Retrieved 2022-10-30.

[2] Covey, Stephen (1991). "The seven habits of highly effective people". National Medical-Legal Journal. 2 (2). UT: Covey Leadership Center: 8. PMID 1747433.

[3] Wiener, Norbert (1948). Cybernetics or Control and Communication in the Animal and the Machine. MIT press.

[4] "Information Warfare 2.0".

[5] Schneier, Bruce (24 August 2016). "New leaks prove it: the NSA is putting us all at risk to be hacked". Vox. Retrieved 5 January 2017.

[6] "Cisco confirms NSA-linked zeroday targeted its firewalls for years". Ars Technica. 17 August 2016. Retrieved 5 January 2017.

[7] Greenberg, Andy. "The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days". WIRED. Retrieved 5 January 2017.

[8] "Trump Likely to Retain Hacking Vulnerability Program". Bloomberg BNA. Archived from the original on 5 January 2017. Retrieved 5 January 2017.

[9] Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. Retrieved 12 May 2017.

[10] Heintz, Sylvia Hui, Allen G. Breed and Jim (14 May 2017). "Lucky break slows global cyberattack; what's coming could be worse". Chicago Tribune. Retrieved 14 May 2017.{{cite web}}: CS1 maint: multiple names: authors list (link)

[11] "Ransomware attack 'like having a Tomahawk missile stolen', says Microsoft boss". The Guardian. 14 May 2017. Retrieved 15 May 2017.

[12] Storm, Darlene (2017-05-15). "WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight". Computerworld. Retrieved 2017-05-17.

[13] Smith, Brad (14 May 2017). "The need for urgent collective action to keep people safe online". Microsoft. Retrieved 14 May 2017.

[guard1-14] Helmore, Edward (13 May 2017). "Ransomware attack reveals breakdown in US intelligence protocols, expert says". The Guardian. Retrieved 14 May 2017.

[:1-15] "Do Examines "Preemptive" Intelligence Operations". Secrecy News. October 28, 2002.

[16] Arkin, William M. (Oct 27, 2007). "The Secret War". Los Angeles Times.

[17] Clarke, Richard; Knake, Robert (2011). Cyber War: The Next Threat to National Security and What to Do About It.

[:0-18] Organski, A.F.K.; Kugler, Jacek (1980). The War Ledger.

[19] Akdag, Yavuz (2019-06-01). "The Likelihood of Cyberwar between the United States and China: A Neorealism and Power Transition Theory Perspective". Journal of Chinese Political Science. 24 (2): 225–247. doi:10.1007/s11366-018-9565-4. ISSN 1874-6357. S2CID 158222548.

[20] Davis, Elizabeth (2021). Shadow Warfare: Cyberwar Policy in the United States, Russia and China. Rowman & Littlefield.

[21] Zhang, Li (2012). "A Chinese perspective on cyber war". International Review of the Red Cross. 94 (886): 801–807. doi:10.1017/S1816383112000823. S2CID 144706963.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]