Strength in numbers: forming federations in cyber defence

We live in a world increasingly affected by hostile cyber acts. A nation's military forces exist in the same high threat environment but against a backdrop of unique operational priorities and challenges.

The responsibility for cyber security is usually delegated to each force, much as physical defensive responsibilities are, and this encourages individual approaches and solutions. Every force has a different need, with most ensuring that basic controls such as anti-virus tools and web proxies, for example, are ubiquitous on Internet connected networks. There is also an increasing focus on collecting data for analysis after an incident has occurred, but little in the way of pervasive real-time cyber monitoring.

Complete coverage linked back to a Security Operations Centre (SOC) of some form is still rare, but most recognise the need to do so and this is increasingly encouraged by defence-wide improvement programmes.

Linking their operations through formal federation, however, would be even better.

Leveraging the benefits of SOC Federation

While the threat has continuously increased, it feels like opportunities to collaborate against it continue to exist only as informal relationships. Few militaries are leveraging all the benefits that come from a unified approach to cyber defence, for example:

• Sharing threat intelligence and experiences in the detection and mitigation of emergent threats, so forming economies of scale, reducing the time to detection and time to remediation, and particularly within theatre where an adversary's offense threatens all forces equally but the cyber-defence of each force happens independently.
• Making staffing and skills a defence-wide problem and not individual forces' problems, especially for those skills that are hard to acquire and retain.
• Upward reporting of significant incidents to a Joint Forces SOC to simplify detection of coordinated and systematic attacks against the wider organisation.
• Detection Use Cases and Rules that are authored and proven in one operation can be shared such that all operations benefit from the effort and investment in detection techniques.

Federation represents the formalised agreement that SOCs will work together for the greater good. While this can be achieved using an ad-hoc arrangement, which is entirely appropriate for sharing intelligence data, federation specifically places obligations on all parties to fulfil outcomes in a timely and predictable way.

Figure 1 - Range of commitments and alignments of federations

Great federations are not born great, they grow great

Federations are not easy to form and take effort and investment, especially when two existing entities seek to create an integrated or unified operation. Any SOC can find a way to use something that directly benefits them, but few wish to invest time in something that mostly benefits others. Ultimately, the challenges facing federations are likely to remain if ignored and wished away. These include:

• Voluntarily demonstrating that existing security operations are more nascent or immature than previously communicated is understandably troubling as the consequences can be significant to entities and especially to individuals.
• As the demand for high volumes of data shared between SOCs grows, either complex transformation tools or standardisation on common tools with common schema will be needed - both of which are difficult and disruptive.
• Even with a reliable mechanism to exchange data, without the preservation of context some data becomes meaningless. For example it is hard for one SOC to gather context from an alert shared with them if the wider dataset that the alert references is not available, and equally, such data can accidentally expose sensitive operational information.
• Federation links entities and relies on both performing. For federation to become continuously more beneficial, both operations need to mature and expand together, counter to the natural trend of stagnation or deterioration caused by localised prioritisation.
• Sensitive operations can be affected by centralising data, such as inadvertently exposing submarine locations or enabling attribution of Special Forces activity by system administrators.

If it was easy, everyone would do it

While the benefits of federation are clear, implementation will be challenging and the intricacies particular to every instance.

Unless built in from the outset, which is rarely possible, enabling federation and realising the benefits usually requires significant investment and some degree of undesirable business change for at least one party. This will require senior sponsorship to provide the continuous pressure to overcome the multitude of obstacles.

And yet despite this, the need for federation will, I believe, overcome the challenges. In due course, federations will not just be between the forces but also within. Carriers, regional bases and the like will need to be as self-sufficient and autonomous in cyber defence as they are in other areas, and this will form a complex hierarchy of federations within the military of the future.

The alternative is that our adversaries continue to exploit the resulting disconnect between a centralised cyber command and deployed operations, hunting out the weakest link to disrupt or disable combat assets in theatre.

About the author

BAE Systems Applied Intelligence has proven experience delivering capability and solutions in national cyber security and defence. We design, build and consult on Security Operations Centres and play a strategically important role to the security of numerous countries around the globe.