







Joseph L. Veit, Maj, USAF

A Research Report Submitted to the Faculty

In Partial Fulfillment of the Graduation Requirements

Advisor: Maj Paul B. McCombs

Maxwell Air Force Base, Alabama

April 2008

Distribution A: Approved for Public Release; distribution unlimited



The views expressed in this academic research paper are those of the author and do not reflect the official policy or position of the U.S. government or the Department of Defense. In accordance with Air Force Instruction 51-303, it is not copyrighted, but is the property of the United States government.






CHAPTER 1: INTRODUCTION ........ 1
CHAPTER 2: BACKGROUND-THREATS ........ 2
CHAPTER 3: DEFENSE IN DEPTH ........ 6
CHAPTER 5: OFFENSIVE STRATEGY ........ 12
    Cyber Craft ........ 13
CHAPTER 4: DEFENSE IN DEPTH REVISITED ........ 16
    Host Based Approach ........ 17
CHAPTER 6: RECOMMENDATIONS ........ 23
END NOTES ........ 26




This paper is intended to provide a look into current changes in cyberspace and in particular the network operations area. I wanted to take a look at whether the current strategy of Defense in Depth as the cornerstone of DOD defense strategy is still valid. There is a lot of attention on cyberspace and with the emergence of AF Cyber Command and formal development of Cyber Craft weapons, what should be the cyber defense strategy? Defense in Depth has been the foundation for network defense for many years now.

I want to thank the ACSC Cyber Research Elective instructors for allowing us the freedom to choose topics of interest. The first semester seminars provided a great opportunity to receive insight into the many changes in the communications career field and challenges ahead in



Because of the perceived lack of capability to prevent attacks, some experts have called the current Defense in Depth strategy the new Maginot Line. There is a growing call advocating an offensive-minded strategy for overall cyber defense. However, even with an offensive-minded strategy there are still vital areas that need basic protection.

The Defense in Depth strategy and its core elements (People, Technology and Operations) must be re-evaluated to stay viable. In terms of People, user access and education and training programs must be continually evaluated to prevent misuse and mistakes from causing security breaches. In the Technology area, a host-based approach that emphasizes technology such as virtualization is a critical change. As the network continues to evolve, the IPv6 migration must be capitalized on and risk must be minimized during the transition. Operationally, we need to continue to seek standardization throughout the DOD under the NetOps construct. Many efforts have failed simply due to poor practice in securing the seams. This will only happen through continued efforts to centralize control over portions of cyberspace while allowing for decentralized execution. Cyber weapons designated as 'Cyber Craft' offer a shift in current tactics towards an offensive approach. Cyber Craft are expected to sense targets and mitigate threats prior to their use to exploit and penetrate our networks. Cyber Craft effects could drastically overhaul the current defensive-only approach.

A cyber defense strategy that couples a Defense in Depth strategy with an offensive element is recommended. Neither strategy alone can provide the level of protection that is needed. Together, a Defense in Depth approach and an offensive strategy are needed to ensure the necessary Freedom of Action in Cyberspace.



Introduction

In 2004, the Department of Defense (DOD) and several associated defense industry computer networks were penetrated and undisclosed amounts of sensitive data were stolen. The series of attacks that occurred during this period was labeled 'Titan Rain' and is believed to have originated from within China, possibly organized with the consent and direction of the Chinese government.[1] In December 2007, a laptop went missing from Bolling Air Force Base that contained records of 10,500 active and retired airmen's sensitive personal information. If it falls into the wrong hands, the information could result in cases of identity theft and intelligence for future avenues of attack.[2]

These two recent events, one representing a network intrusion and the other an individual user's neglect, highlight the challenges of securing critical network infrastructure and data within the DOD. The Defense in Depth (DID) strategy has served as the foundation of the Global Information Grid (GIG) and individual service components' Information Assurance (IA) architecture for several decades. Over this period the DOD has experienced growth in convergence of systems, availability of network access and user demand. As the threat to security in the cyber realm has increased along with the complexity of systems, the need for a robust defense strategy grows exponentially. This has caused many to question whether the current DID strategy still provides an adequate framework for cyber defense. As the Air Force (AF) stands up Cyber Command, it is pursuing a more offensive-based vision as the foundation for cyber strategy. In light of this action, and along with the changing landscape of technologies and threats, the future of a DID strategy as the foundation of our cyber defense needs to be examined. The DID strategy is still an important cornerstone, but it will require retooling to stay relevant. The benefits of an offensive approach must be considered for any new strategy. Changing the overall cyber defense strategy to one that incorporates a revamped DID coupled with an offensive strategy provides a better model to enhance our overall cyber defensive posture.

This paper will examine the relevance of DID as a continued underlying construct and examine the emergence of an offensive approach. Together these two provide the best option for the future DOD cyber defense strategy. First, background will be provided on the growth in major threats that have emerged over the past decade. Second, an examination of the DID strategy and its implementations and shortfalls in terms of its three major elements, People, Operations, and Technology, is presented. Third, an analysis is provided of the move towards a more offensive mindset, specifically within the AF, and its implications for strategy. Finally, the changes needed for the DID construct to remain viable are presented prior to recommendations.

This paper will focus on a cyber strategy for IP networks and not the entire electromagnetic spectrum. Additionally, the scope of analysis will be limited to DOD networks and strategies. The larger issues that face US computer systems and homeland defense in its entirety will not be specifically addressed, though they are closely related.


Background - Threats

There have been threats to computer systems since the first network connections were established. This section is provided to frame the severity of the current threat and how it drives the need to update our current cyber defensive strategy. The rapid growth in technology is a primary reason for the continued rise in threats. In a 2006 report the Federal Cyber Security and IA Interagency Working Group identified several major trends that have contributed to the security threat.[3] Three of the trends are very applicable to DOD systems. The first trend recognizes that as technology has expanded, IT systems have grown increasingly complex. This has led to the second trend, where network convergence has evolved the communications infrastructure. An example of convergence is the rise in Voice over IP and Video on Demand systems. Traditional stove-pipe telephone and video conferencing systems now traverse the same IP backbone as all other data. Finally, the third trend of expanding wireless connectivity for distributed users has posed new challenges to traditional network boundaries.[4] Increased user mobility has driven the need for better security for user end devices such as PDAs and laptops, as well as for securing the links to these devices to protect the data. Together these three trends have provided new avenues for sophisticated attacks against DOD cyber systems.


There are several common approaches to categorizing the threats. One approach is to group them by the actors involved in launching attacks and the means of carrying out an attack. Actors are either directly or indirectly involved and range from individual users, hacker and terrorist groups, to nation states. Individual users represent the insider threat to systems. A user is already given basic access to the system via his or her credentials. Once on the network, a user's malicious or improper actions can have a large impact on system security. A user who indirectly falls victim to social engineering tactics and unwittingly executes an embedded email virus can cause as much damage as a user intentionally trying to exploit the system from the inside.

Hackers, terrorists, and nation state attacks are direct actors and generally external in nature. They typically originate from outside of defensive perimeters. Hackers generally act maliciously for personal gain and the thrill of penetrating hardened defenses. Terrorists are out to gain intelligence to launch harmful physical or network attacks to further their cause.[5] It is anticipated that groups such as Al Qaeda will attack US financial networks in order to cause disruption to the US economy.

The emergence of nation states into the cyber arena causes additional concern. As cited previously, China has been increasingly blamed for probing DOD networks to gather intelligence data. Incidents similar to 'Titan Rain' have been attributed to China, though not proven, due to difficulties in tracing attacks to their true origin. The ability of attackers to remain anonymous and shield the true source of attacks is a challenge given today's state of technology. Unfortunately China is not alone; nations such as Russia, Iran, and North Korea provide additional examples of states that fund cyber warfare activities that threaten US interests in cyberspace.[6] The moves China and other nations are undertaking to increase cyber attack capabilities pose possible grave concerns for the future.[7] This rise in nation state backing of cyber attacks is compounded when tied to the capability to carry out sophisticated attacks. These means of attack will be discussed next.


There are many sophisticated means for carrying out attacks in cyberspace. Denial of service attacks, worms and viruses, and insider activities are just a few that prey upon system vulnerabilities. This paper will concentrate on the latest threat to emerge, which incorporates all of these. It is commonly referred to as the 'zero-day exploit'. The common definition of a zero-day attack is that it occurs on the same day a vulnerability is broadcast by a particular vendor. Thus, zero days between the announcement of the weakness and the development of a fix occur before a system is attacked.[8] This type of attack is seen as the most dangerous since it comes without any warning. It truly brings fears of a 'digital Pearl Harbor' to bear.[9]

This definition does not take into account the likely occurrence that attacks can be launched prior to a weakness even being discovered or made widely known. Given the sophistication of today's hacker and state-sponsored groups, it is expected that as soon as one of these discovers a hole they will be capable of launching an attack. In a case study of one zero-day example, Norwich University details the attack on several US Army web servers in March 2003. In this case the external attack exploited an unknown buffer overflow vulnerability and was able to penetrate Army servers and collect data remotely.[10]

Once an exploit is made known, other concerns exist. Both the time it takes for a vendor to release a patch and the time to actually distribute the patch to all end devices are problematic. In the 2003 US Army attack it took Microsoft one week after learning of the attack to release a patch to counter the vulnerability. Some of the reasons for vendor delays include the time to test the patch against different versions of the same operating system. Using Microsoft again as an example, in 2006 they averaged thirteen days to release an operating system patch and ten days for a browser fix.[11] For the DOD, facing an environment of over three million desktops and hundreds of thousands of networked servers world-wide, this poses a huge challenge to react and keep configurations up to date and vulnerabilities closed.[12] Patch management processes that use technology to automate the distribution and verification of operating system and application patches become critical.

The increasingly sophisticated network attacks and growth in technology all pose challenges to securing cyberspace. Zero-day exploits and other threats are compounded by the realization that foreign governments are orchestrating attacks. For these reasons, examination of our current cyber defense strategy is needed.


Defense in Depth

For the past two decades the prevailing Information Assurance/cyber strategy for the DOD has been that of Defense in Depth. Joint Doctrine 3-13, in conjunction with DOD Directive 8500 "Information Assurance" and Instruction 8500.2 'IA Implementation', specifies the DID strategy as the basis for cyber defense. The DID strategy in its most common portrayal is analogous to a medieval castle. In medieval times the castle provided a strong central foundation for protection of the people and treasures inside. Connected to the castle were hardened external defenses in the form of high walls that posed a formidable obstacle for opponents to breach. In addition to the walls, other barriers such as moats, drawbridges, and other external defensive points existed to stem the tide of any hostile invaders. If a breach did occur at any point, the additional layers were present to protect the individuals and treasures inside. As described by the Joint Staff in 2000, the medieval castle system allowed for evolution over time based upon two key principles: one, continually strengthen the defensive barriers, and two, provide mechanisms for an active defense.[13]

In applying this analogy as a strategy for securing today's information systems, the data equals the crown jewels that need protection. The outermost barrier defenses are represented by the network of firewalls, intrusion detection systems and other security mechanisms in place to monitor and secure the GIG from intrusion. Physical computers and the associated operating systems and applications are represented by the foundation of the system, the castle. According to a National Security Agency (NSA) white paper on DID, in order to successfully implement the DID strategy there needs to be focus and balance amongst three major elements: People, Technology, and Operations.[14] This section of the paper will examine each of the three elements in more detail.



The People element represents the first line of the strategy. There are several categories of people. The first category is the information professionals, such as administrators, who operate, maintain and set policies for the system. These individuals must be trained and certified to perform their duties properly. The second category is the users. This encompasses the first group but additionally includes all personnel who have access to information systems as part of their duties. To appreciate the magnitude of this group, the Air Force alone has almost 800,000 users, the largest of the DOD services.[15] A challenge exists between allowing users freedom to perform their duties and maintaining effective security policies to secure the enterprise.

Each user is a front-line element for any robust cyber defense and one of the largest vulnerabilities. Mitigating this inherent weakness drives the need for comprehensive training programs that focus on security awareness and education. To date these have been the primary mechanism to counter user vulnerabilities. They have normally come in the form of annual training and individual certification efforts that have centered on making users aware and cognizant of the threat and the implications of their failure to act. The effectiveness of these programs is hard to measure. The continued impact of attacks has shown the inability to completely overcome the sophistication of social engineering attacks. Users continue to browse malicious web sites and open email attachments that are potentially harmful to DOD systems. Attacks also can change rapidly. One attack can appear remarkably different from the rest. This changing and complex nature requires constant evaluation of education and training to ensure they can be

A second challenge is ensuring that access to sensitive information is granted only to those users with proper credentials and a need to know. Even with unclassified systems, data exists that does not need to be accessible to all users in the system. For example, contract details, technical specifications of weapons systems, and other documents should only be accessed by those who require them to perform their duties. Efforts to meet this challenge have ranged from complex password protection mechanisms to securing access to networked information repositories. Use of certificates to authenticate access between clients and web servers is one example. The danger that results from a lack of basic information restrictions comes to the forefront when a particular user's credentials are compromised, an insider threat emerges, or a user loses control of an asset (the Bolling laptop example).

Maintaining effective user training and access control to overcome human self-inflicted denials of service is a challenge for securing the enterprise. Because of this, understanding how the people element factors in is one of the greatest challenges to maintaining a successful DID


Technology is the second element of the DID strategy. Technology is implemented within multiple layers of this strategy and via a diverse set of tools. The layers represent major decisive points of the computing system architecture. As presented by the Joint Staff, these four layers are the network infrastructure, local enclave boundaries, local computing environments and supporting infrastructures.[16]

Defending the network infrastructure layer entails ensuring that both local and wide area networks are protected from external attack. Implied here is the ability to operate through or around any situation where the network is degraded or certain links have failed. Even in the face of threats the network must continue to operate. Additionally, this area requires that the integrity of the information transmitted is maintained. Data integrity must be maintained throughout the transmission from origin to intended user. This is commonly met through the deployment of encryption mechanisms.

The local enclave boundary layer protects sub-areas of the network from outside intrusions. It is designed to shield the internal networks and hosts from external threats. Firewalls, intrusion detection devices and other sensor technologies are present to scan traffic and prevent unauthorized entry. Boundaries exist at all levels of the GIG, from the gateways between the commercial worldwide Internet and the NIPRNET, to further inside the architecture where individual services and bases have boundaries shielding and protecting their local

The local computing environment includes not only the local networks behind the boundaries outlined above, but also the end hosts. These hosts include servers, end user workstations and user mobile computing devices such as PDAs and laptops. The diversity of assets presents an extremely challenging environment. A myriad of technologies and protection mechanisms are implemented to preserve the integrity of the system. Authentication mechanisms and other host-based security applications are just a few prominent examples of technology designed to protect and secure information at this layer.

The last layer of technology is the supporting infrastructure. As defined in DOD Directive 8500.01E, this is the "collection of interrelated processes, systems and networks that provide a continual flow of Information Assurance services throughout the DOD, e.g., the Key Management Infrastructure or the incident detection and response infrastructure".[17] This underlying area cuts across and provides integral capabilities to the other three layers. It comprises the components that perform the logistics and maintenance required to keep systems up and operational. For example, the skilled personnel and replacement hardware needed to maintain systems are possible components. It also incorporates resources and specialized technologies designed to provide both encryption mechanisms as well as incident response

Over the last decade the 'depth' of the strategy has expanded to one of 'breadth'. This reflects the growing challenge faced in the need to stretch security and technology to protect the rapid growth in network and user demand. Due to its natural complexity, shortfalls in technology are a given. Rapid breakthroughs in technology can happen every day that change the situation. As in the medieval example, the core infrastructure constantly requires upgrades to stay current and strengthen the barriers to protect the systems from emerging threats.


The final element of the overall DID strategy is Operations. According to the NSA, Operations are the DID actions required by an organization to maintain an adequate defense of their systems.[18] It includes the establishment of policies, standards and Tactics, Techniques, and Procedures for coordinating response to threats. Operations essentially are how the DOD organizes itself to counter and defend cyberspace.

Within the DOD there exist joint level, service component and defense industry organizations that manage components of the GIG. In order to handle the complexity of defending the systems a crucial construct exists called NetOps. NetOps grew out of the need for a clear chain of command within the DOD for managing and securing the GIG components. The Joint CONOPS for GIG Network Operations (the origin of the term NetOps) provides mechanisms for accountability and incident reporting by assigning overall responsibility to a single combatant commander, US Strategic Command.[19] The NetOps framework focuses on three core tasks: Global Enterprise Management, Global Network Defense (IA), and Global Configuration Management.[20] In relating back to the DID strategy areas, this is a clear approach for focusing the 'Operations' and 'Technology' areas. NetOps is an effort to correct shortfalls in organization and use of technology under the overall strategy of DID.

The result of NetOps has been to focus defensive approaches on one of 'Vulnerability Management'.[21] This approach attempts to provide standardized configurations, ensure technical deployment of configuration changes (patches, for example), and guarantee that reporting and compliance mechanisms are in place and functioning. It does not end the threat of attacks but relies on keeping the defensive posture at the highest state through tight configurations with the latest patches and software updates pushed out to the network. The intent is to provide for quick reaction and recovery from any attack that does take place.
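The Vulnerability Management approach just described (a standardized baseline, patches pushed to the network, and reporting and compliance mechanisms that verify the result), together with the automated patch verification the threat discussion called for after noting multi-day vendor patch delays, can be made concrete with a small compliance roll-up. The following is an added illustrative example; it is not from the paper and is not any DOD or NetOps tool. The host names, patch identifiers, release dates and reporting dates are constructed, and the seven-day "silent host" threshold is an assumed policy value.

```python
"""Patch-compliance and exposure-window report (added illustrative example).

Not from the paper or any DOD/NetOps system. It models the 'Vulnerability
Management' approach described in the text: a required configuration baseline
(patches that must be installed), an inventory of what each host actually
reports, and a roll-up that shows which hosts are out of compliance, how long
each has been exposed since the vendor fix was published, and an overall
compliance percentage. Host names, patch identifiers and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Patch:
    patch_id: str    # constructed identifier, not a real vendor bulletin number
    released: date   # day the vendor published the fix
    critical: bool   # a missing critical patch alone makes the host non-compliant


@dataclass
class Host:
    name: str
    installed: Set[str] = field(default_factory=set)
    last_seen: Optional[date] = None  # last successful inventory report; None = never


# Required baseline pushed out under the standardized configuration (constructed).
BASELINE: List[Patch] = [
    Patch("OS-2008-001", date(2008, 1, 8), critical=True),
    Patch("OS-2008-002", date(2008, 2, 12), critical=True),
    Patch("BROWSER-2008-001", date(2008, 2, 20), critical=False),
]

# What the hosts reported back to the inventory system (constructed).
INVENTORY: List[Host] = [
    Host("ws-001", {"OS-2008-001", "OS-2008-002", "BROWSER-2008-001"}, date(2008, 3, 1)),
    Host("ws-002", {"OS-2008-001"}, date(2008, 3, 1)),
    Host("srv-web-01", {"OS-2008-001", "BROWSER-2008-001"}, date(2008, 2, 28)),
    Host("lap-017", set(), None),  # mobile device that has never checked in
]

# Reporting date for the worked run (constructed).
AS_OF = date(2008, 3, 3)


def missing_patches(host: Host, baseline: List[Patch]) -> List[Patch]:
    """Baseline patches the host has not reported as installed."""
    return [p for p in baseline if p.patch_id not in host.installed]


def exposure_days(host: Host, baseline: List[Patch], as_of: date) -> int:
    """Days since the oldest missing patch was released; 0 if fully patched.

    This is the window the text worries about: the fix exists, but the
    host is still running the vulnerable configuration.
    """
    missing = missing_patches(host, baseline)
    if not missing:
        return 0
    return (as_of - min(p.released for p in missing)).days


def is_compliant(host: Host, baseline: List[Patch], as_of: date,
                 max_silent_days: int = 7) -> bool:
    """Compliant only if the host reported recently and lacks no critical patch.

    A host that has not reported cannot be verified, so it is treated as
    non-compliant rather than assumed patched (assumed policy: 7 days).
    """
    if host.last_seen is None or (as_of - host.last_seen).days > max_silent_days:
        return False
    return not any(p.critical for p in missing_patches(host, baseline))


def compliance_report(hosts: List[Host], baseline: List[Patch], as_of: date) -> Dict:
    """Per-host findings plus the enterprise compliance percentage."""
    rows = []
    for h in hosts:
        rows.append({
            "host": h.name,
            "missing": [p.patch_id for p in missing_patches(h, baseline)],
            "exposure_days": exposure_days(h, baseline, as_of),
            "compliant": is_compliant(h, baseline, as_of),
        })
    compliant = sum(1 for r in rows if r["compliant"])
    pct = round(100.0 * compliant / len(rows), 1) if rows else 0.0
    return {"as_of": as_of.isoformat(), "hosts": rows, "compliance_pct": pct}


if __name__ == "__main__":
    report = compliance_report(INVENTORY, BASELINE, AS_OF)
    for row in report["hosts"]:
        status = "OK  " if row["compliant"] else "FAIL"
        print(f"{status} {row['host']:<12} exposed {row['exposure_days']:>3} days"
              f"  missing: {', '.join(row['missing']) or '-'}")
    print(f"compliance: {report['compliance_pct']}%")
```

Two design choices matter for the reporting chain the text describes. First, exposure is measured from the vendor release date of the oldest missing fix, not from the date the patch was pushed, so the number reflects the real window an attacker had. Second, a host that has stopped reporting (the never-seen laptop here) is counted as non-compliant rather than silently dropped from the denominator; otherwise the percentage rolled up to the combatant commander would look better than the enterprise actually is.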

One of the limitations that has proved to be a major vulnerability for the DOD has been protecting vital information that resides among defense contractors and educational institutions with ties to the department. For example, in August 2007 Chinese attacks targeted contractor sites in the US and attempted to steal vital aircraft engineering data.[22] It was determined that these sites did not follow common defensive methods that the DOD had in place. These attacks showed that DOD cyber defense tactics need to extend to more than just the traditional military portions of cyberspace. In terms of the organization element of DID, NetOps has drastically changed the way cyber forces are organized to respond to threats and actual attacks by providing a clear joint chain of command for the components.

Overall, the DID approach has provided basic protections for DOD systems. It has been a struggle to maintain the balance among the three elements of DID to ensure protection for critical systems. Attacks such as the examples given show that keeping robust defenses postured to stay abreast of the pace of emerging threats has been difficult. For this primary reason there is a growing call to consider another strategy: an offensive one.

Offensive Strategy

The growing sentiment among senior DOD leaders is that maintaining a defensive-only posture is going to be self-defeating in the long run. Because of its perceived lack of capability to prevent attacks completely, some leaders, including the current Vice Chairman of the Joint Chiefs of Staff, General Cartwright, have called the DID strategy 'the new Maginot Line'. In his prior position as commander of USSTRATCOM, Gen Cartwright discussed the fact that the United States needs to "get out of the mindset that it is purely a defensive activity"; in other words, the United States should not feel it must simply stay still in the face of constant attacks. The US needs the flexibility to take offensive actions when necessary to ensure that a solid defensive posture is ultimately maintained.[23]

This is seen as a positive move in the Air Force as well, as it begins to stand up the new AF Cyber Command. Dr Lani Kass, USAF Cyberspace Task Force, when referring to cyber defense, has said that "defense is a loser's game" and that going on the offensive is the key.[24] An example of what an offensive element could bring to the fight is presented in Cyber Command's new Strategic Vision document and the way it breaks out mission areas. Overall defense of cyberspace falls within the category of 'Controlling the Domain'. In this mission area, traditional cyber defensive efforts remain under the grouping of 'Defensive Counter-Operations'. In a change to current operations, these traditional defensive areas are now partnered with an attack element under 'Offensive Counter-Operations'.[25]

Within the DOD, specifics of the type of operations intended for use by the AF and other services and agencies remain largely undefined due to sensitivity. They are intended to provide an offensive capability to target potential threats and ensure freedom of action for US interests. A more concrete explanation was detailed in a February 2007 interview with Defense News, where unnamed Pentagon officials provided three possible focus areas for offensive operations. These included intelligence gathering, disruption of enemy activities by altering their systems, and undertaking activities to dissuade future use of the network as a tool for attack.[26] These are not new military tasks, but having the capability to launch them from the cyber realm makes this a very attractive approach. Whatever form the exact mission sets take, they can be expected to be a wholesale departure from previous defensive-only strategies in cyberspace.

The benefits of an offensive strategy are very evident. Chief among these are risk and the level of effort required in terms of resources. Clearly a mechanism that provides us a way to deliver the effects needed without placing military personnel in harm's way is of very low risk. The fact that cyberspace weapons will primarily be software tools, possibly integrated with only a minimal amount of hardware, is another attractive feature. Funding and timelines for procurement and sustainment costs will be much lower than those incurred by physical weapons systems such as an aircraft.[27] Looking at the dilemma the AF faces today in replacing its aging aircraft fleet, one can see how the ability to rapidly produce new cyber weapons for a fraction of the cost and effort of kinetic systems would be welcomed.

Cyber Craft

Any offensive operation will require the tools to successfully execute it. Research to create cyber weapons to carry out attacks in cyberspace is currently underway. Offensive cyber weapons designated as 'Cyber Craft' offer a shift in current tactics, and forward deploy technology out in the network to allow for an active defense. Cyber Craft are expected to sense targets and mitigate enemy threats prior to their use to exploit and penetrate networks. According to a paper published by the Air Force Research Laboratory in 2005, Cyber Craft will have small signatures to avoid detection, be capable of being activated from within the network, contain control information, be remotely controlled, and have a self-destruct mechanism if detected.[28] Many readings have described the Cyber Craft in kinetic terms and made them analogous to airplanes. This provides a sexy description that is great for procuring funding and interest among non-technical individuals. In reality these cyber weapons are sophisticated computer programs (hardware and software in some cases) that deliver advanced technological capabilities to the warfighter.

The excitement of Cyber Craft comes from the potential effects they will bring to warfare. They may be destructive in nature, similar to the worms and viruses seen today on the Internet; or they could be more passive in nature, such as a program designed to retrieve intelligence data. Cyber Craft will be revolutionary when compared to the current primitive network attack tools available for cyber warfare.


A successful offensive strategy clearly is centered upon the development of cyber

weapons. There are several limitations impeding the ability to readily incorporate them into a

viable strategy. The first centers on funding and deployment of a Cyber Craft. The effort will

require potentially far more substantial funding than is presently allocated.29 This may seem

counter to the discussion previously when the low cost of a cyber weapon was listed as a benefit.

However the life expectancy of any one cyber weapon is only as good as the life of the

vulnerability that the cyber weapon is designed to exploit. Once a remote vulnerability/avenue



of attack is closed, the cyber weapon created to capitalize on this may no longer be valid.

Therefore a program that can continually develop newer and sophisticated methods to exploit

anticipated emerging vulnerabilities is needed. Constant dollars for research into newer methods

and technologies in cyberspace may prove costly. This limitation can be mitigated through

proper funding and prioritization.

The second limitation to an offensive strategy is a legal and process-driven one. Depending upon the situation, Cyber Craft targets could fall under Title 10, Title 50, or civilian law enforcement mission areas. This poses a potential legal constraint on military actions. For example, traditional clandestine intelligence gathering against a remote system could be a Title 50 event, while an attempt to counter a hacker web site hosted on a commercial server could fall into the law enforcement arena. A possible mitigation of this issue is that a presidential order could allow the military to carry out some of these types of operations legally.30 For example, the arrest of Panamanian dictator Manuel Noriega for extradition by the US Armed Forces was legal given proper authorization from President Bush. One could easily envision a future presidential directive along similar lines that directs military cyber forces to target a known hacker group threatening US national security. The bottom line is that legal limitations can be overcome but will require close organizational coordination and monitoring to ensure legal lines are not


A final limitation to an offensive strategy is that it may prove difficult to measure success. Indicators used to determine success must be carefully considered and need the backing of credible intelligence. Take the example in which a cyber attack is used to disrupt an enemy air defense system. The attack is declared successful, and when the first aircraft sorties are launched the enemy does not respond. Is this due to a successful cyber attack or because the enemy chose to leave his systems turned off? Without specific intelligence to measure the effectiveness of the cyber attack, doubt may remain about the success of the attack. Due to their advanced nature, cyber attacks will provide capabilities to perform missions that are too risky or complex for traditional means to achieve. We have to be careful, however, that our indicators of success and our means to gather intelligence on cyber effects are closely examined.

In many cases future Cyber Craft may stop an attack from happening. Perhaps, as in the Cold War, the threat of cyber attack might dissuade someone from any hostile intentions.31 In the end, however, it does not prevent all possible attacks. Given today’s technology, an offensive strategy alone does not guarantee the security of our own systems. Therefore a defensive element is still a critical piece of any robust cyber defense, and this is why the DID approach cannot be discarded.

Defense in Depth Revisited

As discussed, the current DID approach has shortfalls that have allowed attacks. By design, our defensive perimeters must allow connections for necessary traffic, and as a result the threat of penetrations will continue to be an operational reality. Therefore, to improve upon the current implementation of DID, a re-examination of the key elements is necessary.

Technology Revisited

Cyberspace technologies are constantly changing. Newer technologies continue to emerge that enhance the way the DOD operates. Technologies for cyber defense are no different. As improved methods for more secure architectures emerge, they need to be adopted into the DOD infrastructure to replace outdated and vulnerable methods.



Host Based Approach

One possibility is to move away from a DID policy that focuses solely on boundary protection. In a recent report to the AF, the Gartner Group presented research showing that the majority of today’s attacks target the application layer rather than the network layer.32 For this reason the need for improved protection of applications and operating systems on individual hosts is paramount. New technologies are emerging that focus on host-based protection, and the DOD is moving to implement them.

One example is the Host Based Security System (HBSS) implementation that is currently underway within the DOD. In what is considered the largest security deployment to date, HBSS is targeted for all DOD workstations and servers, including both UNIX- and Windows-based platforms. The HBSS program is based upon a commercial solution from software maker McAfee and provides central management of security processes such as intrusion detection, intrusion prevention, and firewall mechanisms running locally on the host. Additionally, it provides buffer overflow protection and prevents unauthorized installation of software and hardware on host machines. This is an important step, since these are two of the most prevalent avenues of attack today.33 HBSS is considered a crucial piece of the evolving DID architecture and promises to shore up needed protection at the host level.

A criticism of current host-based mechanisms is that they provide only application-layer protection and leave the core operating system vulnerable to attack.34 The next generation of technology that will move beyond techniques such as those employed by HBSS is virtualization. Virtualization is an emerging area that offers to improve upon host-based protection schemes. In a virtualization scenario, any user accessing a computer performs his functions in a virtual session that is separate from the core operating system. Resident between this virtual level and the core is what is referred to as the ‘hypervisor’ level. The hypervisor creates virtual user sessions and provides access to shared resources. This allows security mechanisms to operate at a level below the operating system.35 The implication is that if any vulnerabilities are present in the operating system, they are mitigated by the security system. This results in a better defense against the threat of a zero-day exploit and provides increased levels of protection.

Since the DOD relies upon commercial industry for its operating systems, it is important that industry is moving ahead with plans for virtualization. One key vendor, Microsoft, is already moving forward by introducing this concept into its future operating systems.36 Microsoft Server 2008 is one of the first operating systems to center on virtualization. As Microsoft and other commercial vendors improve capabilities in this arena, the benefits to DOD security will be great.


Despite the benefits of a host-based approach, focus must still be given to the network layer to keep up with changing technology. Perhaps the most significant change in network technology is the shift in the IP architecture that is coming with the rollout of IP version six (IPv6). IPv6 will replace IPv4 as the standard underlying protocol for IP networks. IPv6 has been in the works since the early 1990s and is intended to solve many of the shortfalls inherent in IPv4. Chief among these shortfalls are address space availability and several key security issues. IPv6 will implement several important new features: an increased address space, removal of the need for address translation, and an embedded encryption capability.

The first of these improvements addresses the shortfall in address space. The tremendous growth in networked devices has drastically diminished the pool of available addresses. It is anticipated that IPv4 will exhaust its remaining addresses in the near future. To address this problem, IPv6 implements a 128-bit address scheme versus 32 bits for IPv4. According to a Government Accounting Office report, the actual increase is from around 4.3 billion addresses to 3.4 x 10^38 in IPv6. This allows for an almost unlimited number of addresses to meet today’s environment and well into the future.37 This flexibility will allow for the continued growth that is occurring in the number of networked devices. The larger address pool brings an added security benefit by reducing the chance of being subject to a random attack. With so large an address space available, a hacker’s ability to randomly locate targets is much more complicated. It is hoped that many of today’s common mass attacks seen on the internet will be reduced under IPv6.38
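The scanning-resistance claim above, as a small model added here (it is not from the paper or from the GAO report): it computes the IPv4 and IPv6 address-space sizes the paper quotes, the expected number of uniformly random probes before one reachable host is hit, and the caveat a defender should check, namely that predictable interface identifiers (hand-numbered ::1-style or MAC-derived EUI-64) shrink the effective search space of a /64 to a tiny fraction of 2^64. The host counts, probe rate, addresses and style labels are constructed for the example.

```python
"""Added example (not from the paper): how much a 128-bit address space
really raises the cost of locating hosts by random probing, and how
predictable host addressing gives much of that benefit away.
Every address, host count and probe rate below is constructed."""
from collections import Counter
from fractions import Fraction
import ipaddress

SECONDS_PER_YEAR = 365 * 24 * 3600

# Effective number of candidate addresses in one /64, by how the 64-bit
# interface identifier (IID) was chosen. The labels are this example's own.
IID_CANDIDATES = {
    "random": 2 ** 64,   # randomised / privacy IIDs: the full 64 bits
    "eui64": 2 ** 24,    # MAC-derived: vendor OUI guessable, 24 serial bits left
    "low": 2 ** 16,      # ::1, ::2, ... hand-numbered or sequential hosts
}


def address_space(network: str) -> int:
    """Number of addresses in a CIDR block ('0.0.0.0/0', '::/0', '2001:db8::/64')."""
    return ipaddress.ip_network(network, strict=False).num_addresses


def expected_probes(space: int, live_hosts: int) -> Fraction:
    """Mean number of uniformly random probes until one reachable host is hit.

    Each probe succeeds with probability live_hosts / space, so the number of
    probes is geometrically distributed with mean space / live_hosts.
    """
    if not 0 < live_hosts <= space:
        raise ValueError("live_hosts must be between 1 and the address-space size")
    return Fraction(space, live_hosts)


def years_to_first_hit(space: int, live_hosts: int, probes_per_second: int) -> float:
    """Expected wall-clock years for a scanner sending probes_per_second."""
    return float(expected_probes(space, live_hosts) / probes_per_second / SECONDS_PER_YEAR)


def classify_interface_id(address: str) -> str:
    """Label an IPv6 address by how predictable its low 64 bits look.

    EUI-64 IIDs carry the fixed 0xFFFE marker in bits 24..39 of the IID;
    IIDs below 2**16 are the hand-numbered '::1' style; anything else is
    treated as randomised.
    """
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"
    if iid < (1 << 16):
        return "low"
    return "random"


def audit_subnet(addresses: list) -> dict:
    """Count the IID styles in use on one subnet and report the effective
    search space an outside scanner faces for the weakest style present."""
    counts = Counter(classify_interface_id(a) for a in addresses)
    weakest = min(counts, key=IID_CANDIDATES.__getitem__)
    return {"counts": dict(counts), "weakest": weakest,
            "effective_space": IID_CANDIDATES[weakest]}


def compare_random_scan(live_hosts: int = 1_000_000,
                        probes_per_second: int = 1_000_000) -> dict:
    """Expected years to the first hit for IPv4, for IPv6 with randomised IIDs,
    and for a single /64 whose 100 hosts use hand-numbered IIDs (constructed)."""
    v4, v6 = address_space("0.0.0.0/0"), address_space("::/0")
    return {
        "ipv4_addresses": v4,   # 4294967296, about 4.3 x 10^9
        "ipv6_addresses": v6,   # about 3.4 x 10^38
        "ipv4_years": years_to_first_hit(v4, live_hosts, probes_per_second),
        "ipv6_years": years_to_first_hit(v6, live_hosts, probes_per_second),
        "predictable_64_years": years_to_first_hit(IID_CANDIDATES["low"], 100,
                                                   probes_per_second),
    }


if __name__ == "__main__":
    # constructed addresses from the 2001:db8::/32 documentation prefix
    sample = ["2001:db8::1", "2001:db8::21b:21ff:fe12:3456",
              "2001:db8::a1b2:c3d4:e5f6:789a"]
    print(audit_subnet(sample))
    print(compare_random_scan())
```

The model shows the paper's point and its limit in the same numbers: a million-probe-per-second scanner finds a host in IPv4 almost instantly and needs on the order of 10^19 years against randomised IPv6 addresses, yet a /64 whose hosts are numbered ::1, ::2, ... is exhausted in well under a second.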

A second improvement with IPv6 is that it removes the need for the Network Address Translation (NAT) that is commonly used today. NAT allows administrators to use a single address to represent an entire range of addresses. This provided the ability to overcome limits in the availability of address space, and additional security protection by shielding the true internal addresses from external networks. With IPv6 there are no longer address limitations, so end-to-end connectivity and application use are expected to grow immensely. Networked applications will now operate more seamlessly without the complexity of dealing with NAT devices in the middle doing address conversion.39 A major advantage for security is that it removes much of the means to remain anonymous in the network. Computer Associates predicts that this will have an “immediate impact” on reducing the threat of spam and worms common on the internet today. Tracing attacks back to the source will be much easier than in IPv4.40 This is an important improvement that is hoped to end the ability to undertake anonymous attacks so easily. Having the ability to trace attacks to their true source may cause nations such as China to reduce many of their cyber attacks for fear of being more easily attributed as the source.

A final improvement in IPv6 is the ability to provide encryption. IP Security (IPSec) is built into IPv6; in the current IPv4 architecture this is not the case. IPv6 will allow user traffic to have basic encryption as it traverses the network. IPSec is provided to further support end-to-end connectivity concepts as NAT is removed from the network. In IPv4, the widespread use of NAT prevented the use of IPSec.41 In an environment where much DOD traffic must traverse the internet due to mission necessity, the ability to encrypt military data over commercial links is highly necessary.

As with any new technology, IPv6 brings security risks along with its adoption. The largest risk comes during the transition from IPv4. The current mandate for all federal agencies to demonstrate IPv6 in their core backbones is June 2008.42 It is estimated that it could take up to ten years to fully transition the network to IPv6.43 During this time both IPv4 and IPv6 technologies will be deployed. Hardware and software that provide dual-stack technology to allow transitions between the two protocol versions will be required. This complexity introduces risk. The network will still be subject to IPv4-based attacks as well as any new IPv6 threats that emerge while the network is transitioned. This will require close ties between commercial vendors and government agencies to ensure that hardware and software are transitioned to IPv6
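One concrete form of the dual-stack risk just described is a device whose IPv4 and IPv6 rule sets drift apart, so that a service locked down over IPv4 is reachable from anywhere over IPv6. The check below is an added example, not the paper's or any vendor's code: it reads a constructed, example-only rule grammar ('allow <tcp|udp> <port> from <cidr>', implicit default deny, address family taken from the CIDR) and reports services whose IPv6 exposure is wider than their IPv4 exposure. The sample policy is constructed.

```python
"""Added example (not from the paper or any vendor): a consistency check for
the dual-stack transition risk. Rule grammar and sample policy are
constructed for this example and are not a real device configuration."""
import ipaddress
from collections import defaultdict

SAMPLE_POLICY = """
# constructed sample policy, not a real device configuration
allow tcp 443 from 0.0.0.0/0
allow tcp 443 from ::/0
allow tcp 22  from 10.0.0.0/8     # admin access only from inside (IPv4)
allow tcp 22  from ::/0           # IPv6 counterpart was left wide open
allow udp 161 from fd00::/8       # SNMP reachable only over IPv6 ULA space
"""


def parse_rules(text: str) -> dict:
    """Return {4: {(proto, port): [networks]}, 6: {...}} from rule lines.

    The address family of each rule is taken from its source CIDR, which is
    how a dual-stack device ends up with two independent rule sets.
    """
    rules = {4: defaultdict(list), 6: defaultdict(list)}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        well_formed = (len(parts) == 5 and parts[0] == "allow"
                       and parts[1] in ("tcp", "udp") and parts[2].isdigit()
                       and parts[3] == "from")
        if not well_formed:
            raise ValueError(f"line {lineno}: unrecognised rule {raw.strip()!r}")
        source = ipaddress.ip_network(parts[4], strict=False)
        rules[source.version][(parts[1], int(parts[2]))].append(source)
    return rules


def allows_any_source(networks: list) -> bool:
    """True if one of the allowed sources is the whole address family (/0)."""
    return any(net.prefixlen == 0 for net in networks)


def dual_stack_gaps(text: str) -> list:
    """Services whose IPv6 exposure is wider than their IPv4 exposure.

    Two situations are flagged: the IPv6 rule admits ::/0 while the IPv4 rule
    for the same service restricts sources, and a service that has IPv6 rules
    but no IPv4 rule at all (possibly intended, but worth a review).
    """
    rules = parse_rules(text)
    findings = []
    for (proto, port), v6_sources in sorted(rules[6].items()):
        v4_sources = rules[4].get((proto, port), [])
        if not v4_sources:
            findings.append(f"{proto}/{port}: reachable over IPv6 only "
                            "(no IPv4 rule to compare against)")
        elif allows_any_source(v6_sources) and not allows_any_source(v4_sources):
            findings.append(f"{proto}/{port}: IPv6 allows any source (::/0) "
                            "but IPv4 restricts sources")
    return findings


if __name__ == "__main__":
    for finding in dual_stack_gaps(SAMPLE_POLICY):
        print(finding)
```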


The technology element requires full utilization of available capabilities to counter emerging threats, and their deployment needs to be continually reviewed. Areas such as host-based security and virtualization that offer better means of preventing attacks and compromise of key systems need to be explored. Additionally, continuing to improve technologies present at the network layer is critical. The IPv6 migration is the most essential key to this area. The DOD must quickly capitalize on its improvements while mitigating security risks during transition. Technology will not provide the entire answer to a solid DID strategy but is central to achieve


Operations Revisited

Technology will continue to provide newer mechanisms that reduce the threat and improve our ability to respond to cyber attacks. It can reduce the impact of human error but not completely prevent it. The operations element is where a military organization such as the DOD gains the ability to overcome the individual threat inherent in the human element. Operational establishment of centralized control through policies and standards that can be enforced is


The DOD needs to continue down the path that NetOps has started in seeking concise command relationships and standardization. As discussed, past efforts have failed due to poor practices in securing the seams. The vast community of interest that the DOD covers requires tight central standards and control policies to ensure protection of the enterprise. The DOD recognizes this and is laying the groundwork to establish standardized controls over the entire DOD domain. Former J6 Vice Director Major General Dennis Moran acknowledged in a 2006 interview that “if you are doing business one way and another agency is doing it another way, this creates seams an intruder can take advantage of.”44 Removing these seams is a critical step towards ensuring that policies and standards designed to protect information are extended throughout the entire enterprise.

The moves within the Air Force provide an additional operations example. Over the last several years the AF has consolidated its network operations. Prior to 2007, the Air Force had seventeen Network Operations and Security Centers (NOSCs) throughout the enterprise, and now has only four. The emergence of just a handful of Integrated NOSCs has reduced the time to respond to emerging threats and improved control of configuration management.45

Improving a DID strategy’s effectiveness at the operations level will only happen through continued efforts to centralize control over the entire DOD area of cyberspace. Improved central controls will still allow for the basic tenet of decentralized execution among services and


People Revisited

The People element is continually described as a stand-alone group from operations. However, the education and training they receive must come from the operations element. This ensures that training standards and enforcement programs are the same across the organization. The former J6, Vice Admiral (ret) Browne, stated it best when discussing IA: “the main ingredient in this vital discipline is the human element, and the key aspect that needs improving is training”.46

One positive move ahead in the training arena is the DOD IA Workforce Improvement Program, established in 2005, which is receiving more attention today in terms of focus and funding. The program focuses on those individuals responsible for securing the enterprise and is intended to certify over 90,000 DOD IA members to the same standard. A key feature of the program is that it is extended to include contract and civilian workers. Enforcing this program removes the inconsistencies that previously resulted from relying on individual services and agencies to train their own personnel.47

The People element is integral to any cyber defense strategy and remains crucial to DID. People by nature provide possible weaknesses in system security, and this cannot be overlooked. The increasingly mobile and networked aspects of the user population continue to provide open doors to attack. Only through implementation of improved technologies and refined operations can DID maintain the proper balance necessary to protect the infrastructure and, ultimately, the information. That is why the way forward is found in focusing on the Operations and Technology areas.

Each of the three DID elements is intertwined with the others. For the DID approach to remain viable in the future, correct prioritization of effort and focus on the application of technology are necessary. Operations must extend over the entire enterprise and provide for a centrally coordinated effort. Even with the necessary improvements, the DID strategy will not prevent all attacks, due to the complexity of technology and its inherent tendency to provide new avenues of attack.


As presented, both an enhanced DID strategy and an offensive strategy offer positive ways to secure cyberspace. Both strategies have limitations in that neither alone can provide total protection. In either an offensive-minded or a defensive-only scenario there are still vital areas that are vulnerable to attack. This drives the need for an offensive and a defensive approach that are blended together. Just as the DID strategy always required a balance among its elements, any future strategy requires the same balance between offensive and defensive approaches. In the near term this strategy is achievable if given the correct priority in terms of funding and organization. Shortfalls within the People, Technology and Operations elements must be corrected to allow for an improved defense. Additionally, the limitations to implementing an effective offensive strategy must be addressed.



Returning to our original analogy of the castle for DID, we can see that several factors in the new strategy make this analogy obsolete. While protection of the castle’s treasure is still our central goal, the treasure is now dispersed. Critical information in today’s net-centric enterprise is resident everywhere and cannot be protected by a single wall or castle. Thus protection at all points is necessary and must be coupled with a mobile element that can seek out and destroy threats.

One possible new analogy as the DOD moves forward to dominate the cyberspace frontier comes from the American West. As America stretched westward in the 1800s and expanded its borders, the US Army provided protection for the lawless frontier. The Army established a system of small forts throughout the region to protect vital supplies and personnel. In addition to these fixed fortifications, the US Cavalry provided a highly lethal offensive force to counter any threats and could be called upon to come to the rescue and aid in times of need. The cavalry’s strength was that it could move rapidly throughout the frontier and quickly overwhelm any opposing force. Additionally, the cavalry provided reconnaissance and armed escort for caravans. In cyberspace the Cyber Craft represent the new cavalry, while host-based and network technologies represent the forts that protected the personnel and supplies.

Implementing an approach similar to the Air Force Cyber Command’s concept of ‘Controlling the Domain’, which provides an offensive element along with the foundation that Defense in Depth brings, will provide the best overall cyber defense. The tenets of network defense that have been in place for several decades must not be forgotten. The DID approach must remain the bedrock for future cyber defense. At the end of the day we must protect the information the best way possible. AF Secretary Wynne put it best: “all of our data will be relatively useless unless it can be protected”.48 Forgetting the basic need to protect and ensure the integrity of the information will leave the DOD and the nation too vulnerable.

Marrying Cyber Craft capabilities with DID will allow for an active defense. It provides the best possibility for stopping attacks at the source while ensuring that basic protections of DOD systems remain in place. In the future, as newer technologies emerge from research in Cyber Craft and other fields, the DOD will be able to truly implement the revolutionary concepts of an offensive strategy. In the end, our necessary Freedom of Action in cyberspace must be maintained through a comprehensive cyber strategy.




End Notes

1. Taipei Wendell, "Computer Attacks from China Leave Many Questions," Defense News (2007). 1.
2. Theresa Corzine, "Protecting Data through Increased Encryption Methods," Air Force News
3. National Science and Technology Council, Interagency Working Group on Cyber Security and Information Assurance, Federal Plan for Cyber Security and Information Assurance Research and Development (Arlington, VA: National Coordination Office for Networking and Information Technology Research and Development, 2006). 1-2.
4. Ibid. 1-2.
5. Sebastian M. Convertino II, Lou Anne DeMattei, and Tammy M. Knierim, Flying and Fighting in Cyberspace, Maxwell Paper No. 40 (Maxwell Air Force Base, Ala.: Air University Press, 2007). 23-25.
6. Ibid. 27.
7. Wendell Minnick, "Computer Attacks from China Leave Many Questions," Defense News 22, no. 32 (2007). 1-2.
8. Bryce Porter, "Approaching Zero: A Study in Zero-Day Exploits, Origins, Cases, and Trends," Norwich University Journal of Information Assurance (NUJIA) 2, no. 2 (2006). 3.
9. Shane Harris and William Duke, "Blindsided," Government Executive 36, no. 7 (2004). 4.
10. Porter, "Approaching Zero." 8-9.
11. Ryan Singel, "The Threats You Can't See," PC World 25, no. 4 (2007). 124.
12. Harris and Duke, "Blindsided." 1.
13. United States Joint Chiefs of Staff, Information Assurance through Defense in Depth (Washington, D.C.: Joint Chiefs of Staff, 2000). 4.
14. National Security Agency, "Defense in Depth," 1.
15. Mark Kellner, "Interview (with) Lt. Gen. Michael Peterson, U.S. Air Force's Chief Information Officer," Defense News 22, no. 8 (2007).
16. Bradley Ashley, "Information Assurance through Defense in Depth," IA Newsletter 3, no. 2 (Fall 1999),
17. DISA, "8500.01E Information Assurance (IA)," ed. Department of Defense (2007, updated).
18. National Security Agency, "Defense in Depth." 3.
19. United States Congress, House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Who Might Be Lurking at Your Cyber Front Door? Is Your System Really Secure? (Washington: U.S. G.P.O., 2004). 58.
20. David Pistilli, "USAF Network Operations Functional Concept," ed. USAF (HQ 8 AF, 2006).
21. United States Congress, House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Who Might Be Lurking at Your Cyber Front Door? Is Your System Really Secure? 58.
22. Rebecca Grant, "The Dogs of Web War," Air Force Magazine, January 2008. 24-25.
23. John T. Bennett, "DoD Struggles to Craft Offensive Cyberspace Plan," Defense News 22, no. 9 (2007). 1-2.
24. Shawn Waterman, "Analysis: A New USAF Cyber-War Doctrine," United Press International (2007). 1.
25. Air Force Cyber Command, "Air Force Cyber Command Strategic Vision," ed. United States Air Force (2008). 12-13.
26. Bennett, "DoD Struggles to Craft Offensive Cyberspace Plan." 1.
27. Convertino et al., Flying and Fighting in Cyberspace. 58-60.
28. Dr. Paul Phister, "Cybercraft: Concept Linking NCW Principles with the Cyber Domain in an Urban Operational Environment," in DODCCRP Conference 2005, ed. Dan Fayette (Air Force Research Laboratory, 2005). 3-4.
29. Convertino et al., Flying and Fighting in Cyberspace. 72.
30. Bennett, "DoD Struggles to Craft Offensive Cyberspace Plan." 2.
31. Convertino et al., Flying and Fighting in Cyberspace. 60.
32. Henry S. Kenyon, "Air Force Refocuses Network Defense," SIGNAL 62, no. 5 (2008). 51.
33. "Hosting Security," Military Information Technology 10, no. 5 (2006), http://www.military 1.
34. Mark Zielinski, "Zero-Day Exploits: Consider the OS," Network World 24, no. 30 (2007). 26.
35. Carey Allen, "Outweighing the Virtual Risks," IA Newsletter 10, no. 4 (2007). 9.
36. Mike Ricciuti, "Microsoft 'Hypervisor' Plan Takes Shape," CNET News (2005), 1.
37. GAO, "IPv6: Federal Agencies Need to Plan for Transition and Manage Security Risks," (2005), 2.
38. Doug Bezier, "Agents of Misfortune (Old and New Issues Loom Large as IPv6 Enter the Cybersecurity Fray)," Washington Technology 21, no. 24 (2006), 1.
39. Julie C. Gaffin, Internet Protocol 6 (New York: Novinka Books, 2007). 14-15.
40. Bezier, "Agents of Misfortune." 2.
41. NSA, "Internet Protocol Version 6," ed. IA Dept Systems and Network Analysis Center (NSA, date unknown). 1.
42. William Jackson, "Guidance for Demonstrating IPv6 Capability," Government Computer News, Feb 28, 2008. 1.
43. Bezier, "Agents of Misfortune." 1.
44. Dawn Onley, "Red Storm Rising: DoD Efforts to Stave Off Nation-State Cyberattacks with China," Government Computer News, Aug 21, 2006, 4.
45. House Armed Services Committee on Terrorism and Unconventional Threats, Information Technology Issues and Defense Transformation, Lt Gen Peterson Testimony, April 6, 2006. 3.
46. Herbert A. Browne, "Information Assurance--Train Now or Pay Later," SIGNAL (2003). 1.
47. Kellye Whitney, "DIAP: The DoD's Certified Guard against IA Threats," CERT Magazine, October 2007, id=240. 1-2.
48. AJ Bosker, "Secretary of the Air Force: Dominance in Cyberspace Is Not Optional," (2007), 1.




Bibliography

Air Force Cyber Command. "Air Force Cyber Command Strategic Vision." Edited by United States Air Force, 2008.
Allen, Carey. "Outweighing the Virtual Risks." IA Newsletter 10, no. 4 (2007).
Ashley, Bradley. "Information Assurance through Defense in Depth." IA Newsletter, no. Fall
Bennett, John T. "DoD Struggles to Craft Offensive Cyberspace Plan." Defense News 22, no. 9
Bezier, Doug. "Agents of Misfortune (Old and New Issues Loom Large as IPv6 Enter the Cybersecurity Fray)." Washington Technology, no. 24 (2006),
Bosker, AJ. "Secretary of the Air Force: Dominance in Cyberspace Is Not Optional." (2007),
Browne, Herbert A. "Information Assurance--Train Now or Pay Later." SIGNAL (2003): 2.
Convertino, Sebastian M., II, Lou Anne DeMattei, and Tammy M. Knierim (Air University, College of Aerospace Doctrine, Research and Education). Flying and Fighting in Cyberspace. Maxwell Paper No. 40. Maxwell Air Force Base, Ala.: Air University Press, 2007.
Corzine, Theresa. "Protecting Data through Increased Encryption Methods." Air Force News
DISA. "8500.01E Information Assurance (IA)." Edited by Department of Defense, 2007
Gaffin, Julie C. Internet Protocol 6. New York: Novinka Books, 2007.
GAO. "IPv6: Federal Agencies Need to Plan for Transition and Manage Security Risks." (2005),
Grant, Rebecca. "The Dogs of Web War." Air Force Magazine, January 2008, 23-27.
Harris, Shane, and William Duke. "Blindsided." Government Executive 36, no. 7 (2004): 48-52.
"Hosting Security." Military Information Technology, no. 5 (2006), http://www.military
House Armed Services Committee on Terrorism and Unconventional Threats. Information Technology Issues and Defense Transformation, Lt Gen Peterson Testimony, April 6, 2006.
Jackson, William. "Guidance for Demonstrating IPv6 Capability." Government Computer News, Feb 28, 2008.
Kellner, Mark. "Interview (with) Lt. Gen. Michael Peterson, U.S. Air Force's Chief Information Officer." Defense News 22, no. 8 (2007).
Kenyon, Henry S. "Air Force Refocuses Network Defense." SIGNAL 62, no. 5 (2008).
Minnick, Wendell. "Computer Attacks from China Leave Many Questions." Defense News 22, no. 32 (2007): 14-14.
National Science and Technology Council, Interagency Working Group on Cyber Security and Information Assurance. Federal Plan for Cyber Security and Information Assurance Research and Development. Arlington, VA: National Coordination Office for Networking and Information Technology Research and Development, 2006.
National Security Agency. "Defense in Depth."
NSA. "Internet Protocol Version 6." Edited by IA Dept Systems and Network Analysis Center: NSA, date unknown.
Onley, Dawn. "Red Storm Rising: DoD Efforts to Stave Off Nation-State Cyberattacks with China." Government Computer News, Aug 21, 2006,
Phister, Dr. Paul. "Cybercraft: Concept Linking NCW Principles with the Cyber Domain in an Urban Operational Environment." In DODCCRP Conference 2005, edited by Dan Fayette: Air Force Research Laboratory, 2005.
Pistilli, David. "USAF Network Operations Functional Concept." Edited by USAF: HQ 8 AF,
Porter, Bryce. "Approaching Zero: A Study in Zero-Day Exploits, Origins, Cases, and Trends." Norwich University Journal of Information Assurance (NUJIA) 2, no. 2 (2006): 1-28.
Ricciuti, Mike. "Microsoft 'Hypervisor' Plan Takes Shape." CNET News (2005),
Singel, Ryan. "The Threats You Can't See." PC World 25, no. 4 (2007): 119-24.
United States Congress, House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. Who Might Be Lurking at Your Cyber Front Door? Is Your System Really Secure? Washington: U.S. G.P.O., 2004.
United States Joint Chiefs of Staff. Information Assurance through Defense in Depth. Washington, D.C.: Joint Chiefs of Staff, 2000.
Waterman, Shawn. "Analysis: A New USAF Cyber-War Doctrine." United Press International
Wendell, Taipei. "Computer Attacks from China Leave Many Questions." Defense News (2007).
Whitney, Kellye. "DIAP: The DoD's Certified Guard against IA Threats." CERT Magazine, October 2007 (2007),
Zielinski, Mark. "Zero-Day Exploits: Consider the OS." Network World 24, no. 30 (2007): 26-26.