Ready to launch your cyber fleets admirals?

Naval strategy has underlined the importance of lines of communication and controlling them, understanding the fleets that operate in the maritime domain, construction and control of harbors that enable the communications flows and support the fleets, and the fluid, ever-changing nature of the domain and its parts. It has been suggested that the maritime strategy offers a solid framework also for preparing one’s activities in cyber domain, where the sea is an ever-changing human-constructed network and where information gets transported, defended, attacked, and stolen for various tactical and strategic purposes.

In our previous blog posts we have highlighted the importance of information, this time we concentrate more on the network aspects of cyber security. Major part of current discussion related to organizing cyber defenses has been concentrated around the concept of network security. In a very high level this can be understood to cover discovering and protecting the organization’s network access points, ensuring both the availability and the security of the transfer channels, protecting the internal networked systems from external tampering, ensuring the availability of necessary resources for the availability of network-based services, monitoring the network activities for any unwanted behavior and anomalies, and being prepared to act at the time of incidents.

The above mentioned activities exemplify the core need for organizations both to secure the command of their networks and through the secured command also to allow the exercise of command. The exercise of command means here the use of networks and lines of communications for any desired purpose to fulfill organizations’ current mission. Nevertheless, the technical networks are just one example of various kinds of networks that your organization should take into account, when preparing the organization to be more resilient against cyber threats.

First of all, it is important to position the organization well in the network of critical information flows. We mean by this that the organization should recognize and take actively part in expert forums, where information regarding cyber threats gets discussed and exchanged. Organization should also enable itself to receive open-source, commercial, and governmental information about latest threats and transfer that information into actionable form. The organization should also be prepared to share its information about malicious activities that it has encountered with public and private entities.

One should also be able to understand the importance of people networks for the systemic resilience of the organization. Here the key questions include: whether the organization’s key individuals for the cyber response have been recognized, whether they know the importance of their skills and know-how for the organization, and what kinds of links connect them to the other internal key individuals, recognized expertise outside the organization, and the command and control structures within your organization.

Lastly, the structure of networks and dispersal of resources and power to make decisions are important for the organizational resiliency. While high-level of standardization, centralization of control, and removal of redundant structures and organizational slack may provide short-term financial efficacy, these activities may prove to be detrimental for the organization’s ability to stay operational and adaptive at the time of crisis. These actions may simplify the attackers’ task to contest the command of target organization’s systems, to remove the target’s ability to control and organize its resources, and to deny target’s ability to fight back through adaptation.

Coming back to the naval strategy, in order to exercise the command in the cyber domain, or to be able to fulfill organization’s tasks in the cyber domain, the organization needs to be able to secure at least a temporary command of the domain. While the technical networks and their functioning have dominated the thinking, the organizational capabilities are strongly defined by understanding and taking advantage of various other kinds of networks, such as critical information flows, people networks, and decentralized, networked decision-making. Without assigning high enough value to these kinds of networks, keeping the command of the domain at the time of crisis might prove to be impossible against a skilled opponent.