全球智库信息集成服务系统

Analyzing mission impact at scale with reasonable resource expenditures is a primary challenge

• Even narrowly defined missions require a vast number of systems, and each system can be quite complex.
• Multiply the complexity of just one mission across every mission in the U.S. Air Force and the number of systems to assess becomes infeasible.

How a mission is performed changes as new systems are introduced, old systems are modified, and tactics, techniques, and procedures evolve

• Changes to systems induce changes to system vulnerabilities and, concurrently, the threat evolves.
• As missions, vulnerabilities, and threats change, risk assessment must be reexamined.

One of the peculiar characteristics of cyberspace is the ineffectiveness of redundancy

• Redundancy does not provide robustness against cyber attack.
• Redundant components share common vulnerabilities to cyber attack.

Loss of command and control can injure a mission without any system or component failure

• Vulnerability to adversary manipulation of command and control is another peculiar cyber effect.
• This type of cyber effect is not normally captured in techniques used in systems engineering for safety.

Decisionmakers often revert to intuition and judgment when they do not understand the workings of analysis

• The more opaque analytical tools are, the more they are perceived as a “black box” and less trustworthy.
• This reaction presents a motivation to be transparent so that the method can be trusted to guide decisions.

The most important consideration when deciding whether to mitigate or accept a risk from a cyber attack to a weapon system is how it affects operational missions — otherwise known as mission impact. It is, however, impractical to do a comprehensive assessment of every system and all missions across the entire Air Force given that each system is complex, with an enormous number of potential vulnerabilities to examine and each vulnerability having its own complicated threat environment.

Enter the cyber mission thread analysis framework. To analyze mission impact, the authors present this new methodology that aims to achieve several goals at once: to be comprehensive enough to be executed at the scale of each of the missions in the U.S. Air Force yet informative enough to guide decisions to accept or to mitigate specific risks. In addition, the method is simple enough to perform in no more than a few months and can be updated as needed.

The framework follows a top-down approach, starting with a "thread" (map) of the overall mission that captures all key mission elements and then the systems that support their execution. While the authors do not reduce the problem of cybersecurity risk assessment to a turnkey solution, they present useful methods for triaging areas of greatest concern to mission success while limiting detailed investigation of vulnerabilities and threats to only the most critical areas. Their framework is designed to be done at scale, to be applicable across scenarios, and to be clear in how it works.

• Chapter One

  Some Considerations for Assessing Cybersecurity Risk of Weapon Systems

• Chapter Two

  A Prototype Framework for Assessing Impact to Mission

• Chapter Three

  Discussion of the Framework