Lessons from NETOPS vs CND

Volume 13 Issue 2 of IATAC's IA Newsletter features an article titled Apples and Oranges: Operating and Defending the Global Information Grid by Dr Robert F Mills, Maj Michael Birdwell, and Maj Kevin Beeker. The article nicely argues for refocusing DoD's "NETOPS" and "CND" missions, where the former is defined currently as

activities conducted to operate and defend the Global Information Grid

and the latter is defined currently as

actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

After spending years to "converge" the two missions, the authors argue DoD needs to separate them (as I understand the Air Force has done, bringing back the AFCERT for example).

I'd like to present selected excerpts with my own emphasis.

Cyberspace is a contested, warfighting domain, but we’re not really treating it as such, partly because our language and doctrine have not matured to the point that allows us to do so.

One reflection of our immature language is our inability to clearly differentiate the concepts of network operations (NETOPS) and computer network defense (CND). This creates confusion about the roles and responsibilities for provisioning, sustaining, and defending the network — much less actually using it.

Only by separating these activities can we more effectively organize, train, and equip people to perform those tasks...

Effective CND uses a defense-in-depth strategy and employs intelligence, counterintelligence, law enforcement, and other military capabilities as required. However, the CND culture is largely one of information assurance (e.g., confidentiality, integrity, and availability), system interoperability, and operations and maintenance (O&M).

Many of the things that we routinely call ‘cyberspace defense’ in cyberspace are really just O&M activities — such as setting firewall rules, patching servers and workstations, monitoring audit logs, and troubleshooting circuit problems...

[W]e do not treat cyberspace operations like those conducted in other domains... [T]housands of systems administrators routinely count and scan computers to ensure that their software and operating system patches are current. The objective is 100% compliance, but even if we could achieve that, this is a maintenance activity.

(Indeed, do we even really know how many computers we have, let alone how many are compliant?)

This is no more a defensive activity than counting all the rifles in an infantry company and inspecting them to ensure that they are properly cleaned and in working order.

Our current NETOPS/CND mindset is intentionally focused inward... Contrast this with a traditional warfighting mentality in which we study an adversary’s potential courses of action, develop and refine operational plans to meet national and military objectives, parry thrusts, and launch counter attacks.

While we do worry about internal issues such as security, force protection, logistics, and sustainment, our focus remains outward on the adversary.

Does that sound familiar? An "outward focus on the adversary" reminds me of my concept of threat-centric security instead of "inward" or vulnerability-centric security.

Our intent is not to diminish the importance of NETOPS activities... But they are not defensive activities — at least not in the classical understanding of the concept. Turning to Carl von Clausewitz, we see a much different concept of defense than is currently applied to cyberspace:

"Pure defense, however, would be completely contrary to the idea of war, since it would mean that only one side was waging it....

But if we are really waging war, we must return the enemy’s blows; and these offensive acts in a defensive war come under the heading of ‘defense’ – in other words, our offensive takes place within our own positions or theater of operations.

Thus, a defensive campaign can be fought with offensive battles, and in a defensive battle, we can employ our divisions offensively... So the defensive form of war is not a simple shield, but a shield made up of well-directed blows."

I find it interesting to see these authors cite Clauswitz. Anyone notice attrition.org blast Sun Tzu but speak better of Clauswitz recently?

These definitions of defense do not sound like our current approach to NETOPS and CND. Clausewitz might say we have a shield mentality about cyber defense...

An active defense — one that employs limited offensive action and counterattacks to deny the adversary — will be required to have a genuinely defensive capability in cyberspace.

Our recommendations to remedy this situation are as follows:

1. Redefine NETOPS as “actions taken to provision and maintain the cyberspace domain.” This would capture the current concepts of operations and maintenance while removing the ambiguity caused by including defense within the NETOPS construct.


2. Leverage concepts such as ‘mission assurance’ and ‘force protection’ to help change the culture and engage all personnel — users, maintainers, and cyber operators. Everyone has a role in security and force protection, but we are not all cyber defenders. Force protection and mission assurance are focused inward on our mission.


3. Redefine our CND construct to be more consistent with our approach to the concept of ‘defense’ in the other domains of warfare, to include the concept of active defense. This would shift the concept from maintenance to operations, from inward to outward (to our adversaries). CND is about delivering warfighting effects (e.g., denying, degrading, disrupting, and destroying the cyber capabilities of our adversaries).

I like these three recommendations from a corporate point of view:

1. IT provides "NETOPS".


2. User and management training and awareness are "force protection" activities.


3. CIRTs with Red capabilities, authorized to perform "active defense" against adversaries, perform "CND."

What do you think?