Wednesday, June 22, 2016

Useful Fundamental Metrics for Cyber Power

Quoting from his article:
How do we define cyber power?  In other words, how do we measure who is stronger (or weaker) in the exercise of cyber force?  In this domain we lack any equivalent to counting tanks or airplanes.  What are the alternative measures?

If you're measuring cyber power, you can measure it in a number of different ways:
  • Exploitation
  • Implantation
  • Exfiltration and Analysis
  • Integration into other capabilities (HUMINT, for example)
  • Achieved Effect
From an offensive practitioner's perspective, it doesn't really matter what you analyze, but looking at the implant technology is probably easiest. Exploitation is more of a statistical game than anything else, and relies on complex amortization and depreciation concepts we don't want to use as part of any kind of simplistic capability measurement. Measuring effect is often a matter of measuring the level of policy aggression a particular service has. Which brings us into the scope of any capability (service level, not country level): the NSA obviously can be a "5" while the FBI is a "3".  Measuring on a per-country basis can occlude that distinction. 

I want to refer to this chart from few blog posts back, and build a simple plan for making a metric that solves this problem for you. There are probably a hundred different dimensions you could measure "implant capability" - I drew upon my experience designing, writing and using implants to make this chart and simplify it to some base components.  

As a funny note: Designing a system to do anonymous deconfliction is useful both between intra-government services  (FBI/NSA/.mil) and between yourself and your adversaries. For example perhaps both China and the US are on an ISIS commander's laptop, and they want to coordinate without officially coordinating... 

Comments from one of the more actively attacked companies after I posted this chart were "Russia's SIGINT team going against us is at 4 or 5 on every category according to our internal incident response". Because the chart is essentially exponential, not linear, that indicates an extreme peak of capability and expense. It's easy though to confuse exponential cost and exponential effect, which is a fancy way of saying that in the Cyber domain you sometimes have to pay a lot of money for an incremental effect. 

If you just take "Sourcing", "Networking", and "Persistence" you get a nice graph of capabilities of different services from publicly available information or things you might have laying around if you are an incident response firm or counter-intelligence agency.

Measuring capabilities based on public information is an important part of this method.

No comments:

Post a Comment