On Tuesday, March 12, 2013, the Office of the Director of National Intelligence (ODNI) released its “Worldwide Threat Assessment of the U.S. Intelligence Community,” naming cyber the top priority. That same day on Capitol Hill, Gen. Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee cyber threats are becoming more severe. Driving the message home to everyday Americans, evening newscasts reported hackers had gained sensitive financial information about First Lady Michelle Obama, Vice President Joe Biden, senior law enforcement officers, and a handful of Hollywood celebrities.
“We are in a major transformation because our critical infrastructures, economy, personal lives, and even basic understanding of—and interaction with—the world are becoming more intertwined with digital technologies and the Internet,” the ODNI assessment read. It also noted there is a remote chance of a major cyber attack against U.S. critical infrastructure in the next two years that could result in a long-term, wide-scale disruption of services.
Alexander shared similar concerns with lawmakers that day, and he appealed to Congress to pass legislation parallel with White House initiatives and facilitate the sharing of information between government and private critical infrastructure operators.
This is only a snapshot of one day in the never-ending cycle of cybersecurity news. It’s nearly impossible to peruse the Internet without encountering a glaring headline pondering the possibilities of a cyber Cold War or the looming threat of a cyber Pearl Harbor.
While cyber is on the forefront of almost all government officials’ minds, as well as many citizens’, it’s not always obvious that the new domain isn’t just some nebulous creature lurking in the ether of the connected world. Cyber adversaries work from real locations on Earth using tangible hardware; real servers are located in buildings that connect to fiber running through dirt and cement. All “virtual” activities originate from and are made possible by people and objects somewhere on Earth at some point in time. At this intersection is the “cyber-location nexus.”
“Cyberspace is just another layer on earth,” said Chris Tucker, principal of Yale House Ventures, who coined the term “cyber-location nexus” in 2010. “You need to be able to geo-locate your cyber activity to the actual landscape of the Earth. If there is an attack, I care about the location. If there’s a vulnerability to a system, I care about where that system is.”
Tucker said the world is experiencing a collision of real-world geography with nearly unlimited connectivity.
“We have an explosion in devices that are IP enabled,” Tucker said. “We now have enough address space to enable TVs and refrigerators and make every house smart. We are phasing our entire world to the web. We’re entering this world where you’re going to connect everything and it’s all location-enabled.”
Although the cyber-location nexus term is relatively new, the concept is not. Umbrella words such as “cyber” and “cybersecurity” have masked the complexity around geo-location, Tucker said.
But the connections between cyber and location should be obvious: If an agency is hacked, what country should be attributed? If a virus compromises a network, what facility or land did it originate from? If the DoD is interested in acting offensively in cyberspace, what does it know about the locations of the target’s cyber infrastructure? And perhaps most importantly, how does a nation identify, map, and defend its cyber infrastructure?
For these reasons, analysts at the National Geospatial-Intelligence Agency (NGA) have been active in the cyber arena for some time.
“NGA is a player and is going to continue to be a player [in the cyber domain],” said Ellen McCarthy, COO of NGA. She added the agency is “using GEOINT analysis tradecraft to better understand the physical characteristics of cyberspace.”
Much like geography, the cyber domain is becoming ubiquitous, which is yet another explanation for why the two are inextricably interwoven.
“Cyber is a domain that’s spread across the Earth and geo-location is critical to it,” Tucker said.
Identifying High-Value Targets
The number of mobile devices coming online is rapidly outnumbering the global population, according to Sean Gorman, a chief strategist with Esri and co-founder of real-time location analysis software provider GeoIQ, which was acquired by Esri in 2012.
“Each of these mobile devices are becoming increasingly location and time aware,” Gorman said. “But that’s all tethered back into a real, fixed physical infrastructure. We’re going to become more dependent on the physical infrastructure as these human sensors continue to grow very rapidly.”
Gorman describes mapping a logical network to a physical network as a complex but necessary challenge.
“Multiple physical manifestations can cause issues with your overall cybersecurity, but it’s really difficult to understand what those manifestations look like without mapping out the co-location of those infrastructures,” he said.
The first step is determining what those critical infrastructures are.
Strategic cyber consultant Melissa Hathaway considers infrastructure such as telecommunications and Internet service providers to be the central part of the cyber-location nexus. Hathaway, who led the Joint Interagency Cyber Task Force within the ODNI during the George W. Bush administration, points out that many sectors are still trying to understand what their dependencies are.
For example, if AT&T were to suffer a disrupted value of service, how would that degrade the financial services sector in New York City? Although cyber experts often ponder the vulnerability of the financial services industry, they should be looking a layer deeper at the telecommunications vulnerabilities, according to Hathaway.
“Pretty much all of what were formerly isolated critical infrastructure are now on one single backbone of the Internet,” she said.
This greatly increases the potential domino effects of a cyber attack, while diminishing the number of high-value national security targets, Hathaway explained. In February, the Obama administration took a large, though some would argue overdue, step toward addressing this concern, with the release of an executive order titled, “Improving Critical Infrastructure Cybersecurity.”
Suzanne Spaulding, deputy under secretary for the National Protection and Programs Directorate (NPPD) with the U.S. Department of Homeland Security (DHS), said under the executive order, NPPD will apply a risk-based approach to compile by mid-July a list of the nation’s most critical cyber infrastructure.
During a speech at a recent cyber-security conference in Washington, D.C., Spaulding said NPPD has established an integrated implementation task force, drawing experts in both physical and cybersecurity from across DHS.
“We’ve already been pulling in our cyber folks and our physical experts to do joint assessments—looking at what are the cyber vulnerabilities, what are the physical vulnerabilities, how do they relate, and what are the cascading effects?” she said.
In a separate keynote address at the same conference, Maj. Gen. Brett Williams, director of operations for CYBERCOM, said there are a wide variety of secondary effects that need to be taken into account when operating in the cyber domain, beyond what one has to consider in the physical world. He outlined the multiple layers to cyber operations, adding that in order for CYBERCOM to perform its mission, these shouldn’t be considered in isolation.
“In the simplest case there’s the physical and geographic layer, there’s the logical layer … and then finally there’s the human layer,” Williams said. “And so you’re looking at a very multi-dimensional space that you have to operate in, in which there are strategic operational and tactical [repercussions] that affect the civilian community, the commercial community, the federal government, and other governments.”
Jenny Menna, director of stakeholder engagement and cyber infrastructure resiliency within NPPD’s Office of Cybersecurity and Communications, and Brandon Wales, director of the Homeland Infrastructure Threat and Risk Analysis Center within NPPD’s Office of Infrastructure Protection, are tasked with bridging the gap between physical and cybersecurity experts within the directorate.
“Cybersecurity poses a challenge for thinking about location in that, in the physical sense we are most concerned about natural hazards and [tangible] attacks,” Wales said. “But cyber attacks have the possibility to disrupt multiple locations simultaneously. You can have widescale destruction from a single type of attack, and that requires us to understand the infrastructure in a far more detailed way.”
A lot of the existing efforts within NPPD are geospatially-enabled, according to Wales. In the case of cyber infrastructure, he predicted there would be a series of fixed locations making up the critical cyber infrastructure list, as well as some broader functions where there could be cascading events. As the list will be updated annually, Wales said its maturation and NPPD’s ability to identify specific locations should improve over time.
“One of the key enablers between cyber and location is the physical underpinning of the cyberspace, which really happens throughout the communications sector,” he said.
This is a fact Hathaway said many cyber stakeholders do not yet realize.
“There is not a true grasp of how important telecommunications is,” she said. “If there were, then we would be seeing legislation in Congress that would focus on the telecommunications backbone as the No. 1 area of interest to solve this problem.”
Mapping the cyber terrain can help facilitate greater understanding about the significance of telecommunications infrastructure locations.
“It’s important to have the terrain mapping of the Internet and telecommunications providers and where there are strategic areas of interest from a geographic perspective,” Hathaway said.
Mapping the cyber terrain can help identify areas of redundancy, resiliency, and vulnerability.
“You can have a very logically well-structured network with a lot of alternative paths and good security practices against it, but the physical infrastructure could still be vulnerable and all those logical paths could go across the same bridge into Manhattan,” Gorman said.
From a logical perspective the computing may look redundant, but if that one physical line fails, then all of the logical redundancies fail as well. This is something that has been seen a lot recently through natural disasters, accidents, and malicious intent, Gorman added.
Maj. Gen. Suzanne Vautrinot is commander of the 24th Air Force, which is responsible for providing CYBERCOM and combatant commands with trained and ready forces to plan and conduct cyber operations. Vautrinot said the nation is just beginning to scratch the surface of the obvious synergies between space and cyber, and that now more than ever is the time to think broadly.
“It used to be people tried to map the network,” Vautrinot said. “Our initiative is to map the mission.”
Meaning, the 24th Air Force is dedicated to mission assurance as opposed to network assurance, she elaborated.
“How do I map my mission dependency and make sure that’s what I’m protecting—my ability to do the mission?” Vautrinot said. “Otherwise, you defend everything to do with the network, then you’re back to the old adage, ‘to protect everything is to protect nothing.’”
Vautrinot described the cyber domain in three layers. The first is the physical network layer, composed of geography such as the land, air, sea, and space where elements of the network reside. Physical network components, or the hardware, system software, and infrastructure that support the network and the physical connectors, are also included in this layer.
The second is the logical network layer, which consists of the elements of the network that are related to one another in a way that is abstract from the physical network, meaning the form or relationships are not tied to a specific individual, path, or node.
The third is the cyber persona layer, which includes the people actually on the network. One individual may have several cyber personas. For example, someone with access to the Internet through a personal laptop, smartphone, and tablet, has three cyber personas. Conversely, an office desktop PC, which exists as a single cyber persona, may have multiple users.
“To have situational awareness, you have to have all of those layers, because they’re interacting with each other,” Vautrinot said.
She compared not doing so to the difference between a game of checkers or chess.
“If you don’t think about all of those layers and the way they interact, then at best you’re playing a game of checkers.”
Instead, cyber operations require flexibility and a strategic approach that incorporates the multiple layers.
“You’ve got to have serious game to play in this domain and to have a future in this global environment,” Vautrinot said.
Col. Jennifer Buckner, commander of the U.S. Army 780th Military Intelligence Brigade, better known as the Army’s cyber brigade, shares the sentiment that geography is critical for cyber mission planning and operations.
“In terms of a cyber common operational picture, geospatial intelligence really continues to enhance situation awareness,” Buckner said.
She added that geospatial analysts are an integral part of the 780th, and are actively involved in planning and conducting operations.
CW4 Al Mollenkopf, who serves as Buckner’s technical adviser, said the 780th persistently geo-rectifies its information to glean the locations of its computers and underlying infrastructure around the world, and then provides commanders with insight to develop protocol for areas that are vulnerable.
“It’s important for us to have a very clear picture of where our information systems are located spatially, logically, and geographically,” Mollenkopf said.
Analytical Graphics Inc. (AGI) works in partnership with Scalable Technologies to help the defense and intelligence communities create that clear picture.
“We model the physical world, then we model the cyber world with [Scalable’s] partner products,” said Paul Graziani, AGI CEO and co-founder. “We then put both of those models into a context that allows you to understand where they meet.”
This intersection between the physical world and the logical world where the information is flowing represents the cyber-location nexus, according to Greg Haun, a cyber expert with AGI. Knowledge of that intersection is essential in order to impact a location from a cyber perspective.
Hathaway believes mapping the cyber terrain will become increasingly important as the nation evolves to next-generation architecture, and new countries and regions grow more significant.
“Knowing the Internet terrain and how that technology all interoperates is essential,” Hathaway said. “From a policy and a legal aspect, at least for the U.S., we are not making progress and addressing solutions because few people understand the terrain and how that technology intersects with the terrain.”
But what comes after the cyber-location nexus is visualized on a map? Information is then used to determine operations.
“Having that map between the two domains, the logical and physical, allows decision-makers to decide where and how to operate,” Haun said.
For example, a natural disaster such as Hurricane Sandy can create a massive denial of service without an adversary being involved.
“Many people had trouble communicating and getting access to information,” Haun said. “That’s based on location phenomena.”
The visualization of the terrain is also effective for offensive cyber purposes, such as effecting or denying access to information, he added. To avoid speculation about how the DoD or Intelligence Community might deploy such techniques, Haun paints a scenario of a civilian en route to the grocery store.
“Say you’re going to the grocery store and someone is going to send you a grocery list,” he said. “If I need to deny you from getting that information, having knowledge of where you are traveling and the infrastructure, then maybe affecting the tower I know you will be near without affecting the whole infrastructure I can deny you that message.”
Visualization of the cyber terrain is key, according to McCarthy. NGA is working steadily to address the geospatial analysis of the physical characteristics of cyber in order to provide a better understanding of the domain for analysts across government, she said.
“NGA uses data visualization, which allows analysts to gain insights that will lead to a much more wholesome understanding of what our adversary’s cyber capabilities and intentions are,” McCarthy said.
She also noted that humans largely rely on visuals, and posited that perhaps the public is having a difficult time wrapping its mind around cyberspace because it typically isn’t thought of visually.
“The fact that NGA is there and can actually show this problem in a way that’s easily understandable is critical to our government’s ability to take this mission on effectively,” McCarthy said.
Ret. Army Col. David Tohn, now executive director of the Cyber Technology Innovation Center for CyberPoint International in Baltimore, said where cyber activity occurs has an impact on how it occurs.
“The interaction between place and cyber drive what kind of solution sets you have to put in place,” Tohn said. “You are defending against a threat that can come at you from three dimensions.”
Tohn said many of his assignments while in the Army were trying to tie insurgents operating on the Internet in Afghanistan to where they were operating physically using precise targeting and geo-location.
“It became really important to identify where someone was posting from,” Tohn said. “What Internet café, what set of IPs, what locations they were consistently posting at—to identify where someone was acting physically as they act in cyberspace so that you can tie cyber actions and effects to physical actions and effects.”
Tohn uses a generic neighborhood in a Middle Eastern town afflicted by IEDs as a prime example of activities in the cyber landscape transpiring into real activity in the physical landscape.
“If you can identify where someone is posting videos of IEDs going off and say they are typically showing up from this area of town and identify Internet cafés that are there, then you can tie together physical actions,” Tohn said. “You can put out searches in those areas around the same time that this guy physically posts. You take cyber and identify enough of the geospatial layer so that you can act physically.”
A Critical Mosaic
The cyber-location nexus represents a complex mosaic of interactions between two realms, beginning with the identification of critical infrastructure, the mapping of this nexus—where the logical and physical meet—and the real-world actions that can be derived from this knowledge.
Tucker said he hopes the Intelligence Community will continue to open its eyes to the breadth and criticality of the cyber-location nexus.
“Cyber is just that extra layer of communication and expression that is mapped onto the world’s geography, Tucker said.
Infrastructure holds up just one leg of the complicated cyber-location nexus tripod. There are other aspects to be considered as well, such as the role of location in cybersecurity law and attribution, or lessons learned from the geo-tagged social media capabilities now at everyone’s fingertips.
But the bottom line is, everything happens somewhere, even in the mystical cyber domain of ones and zeroes.
“It’s about the ability to act. You can do all sorts of things in the cyber world, but they are very ephemeral,” Tohn said. “Effects are fleeting, but if you want to act offensively or defensively and to cause change, you have to know where something is.”