Research Questions What are the repercussions of a cyber attack to information systems on combat support functions? How might such attacks affect operations? How might those impacts be mitigated?
While combat support communities are not responsible for defending cyber networks, they are required to ensure mission execution, including when under cyber attack. Assessing mission assurance for combat support when under a cyber attack is challenging. The fact that many combat support systems do not reside on the most secure networks indicates potential vulnerabilities to cyber attack. Yet the sheer number of information systems that can be attacked, the range of vulnerabilities that these might have, the large number of combat support functions they support, and the complicated connections all of these have to operational missions makes assessments difficult. Add to this the evolving nature of the threats and vulnerabilities in cyberspace, and the task of finding adequate mitigation plans for all possibilities is formidable. RAND researchers developed a tool that presents a sequential process for identifying those functions and information systems most likely to be problematic for the operational mission during cyber attacks.
Key Findings Making the Data Manageable Is Crucial Analyzing this issue with a brute force approach is impractical because of the sheer number of permutations to assess and the constantly evolving nature of the information systems, vulnerabilities, and threats. The Air Force counts 25 combat support functional communities, many of which have numerous subfunctions, and the sum of the functions are supported by hundreds of information systems. There are numerous ways in which a cyber attack can occur and a variety of impacts that might result. These include denial-of-service attacks from outside a firewall, manipulating data from within a firewall, interrupting communications, taking control of a system, and others. Analyzing every possible attack on all systems and assessing the impact to both combat support and operations would be impractical. Even if it were done, the results from such an analysis would be obsolete before completion. A Sequential Process Prioritizes Those Programs Most in Need of Mitigation RAND researchers developed a sequential process for identifying those functions and information systems most likely to be problematic for the operational mission during cyber attacks. The approach finds the functions and information systems that are simultaneously the most critical to the mission — those that cause repercussions to the operational mission the fastest and those that have the highest risk of attack as defined by the threat, their vulnerability, and the impact of an attack. The method is implemented in a Microsoft Excel-hosted decision support tool that does not require any special expertise in the cyber domain.
Table of Contents Chapter One
Analyzing Cyber Attacks Against Combat Support
Chapter Two
A Decision Support Tool for Identifying Areas of Highest Interest
Research conducted by Resource Management Program RAND Project AIR FORCE
The research described in this report was conducted within the Resource Management Program of RAND Project AIR FORCE and was commissioned by the U.S. Air Force Materiel Command.
This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.