It is not the notion of “war” that we are discussing here, nor the norm of “security” that we are striving to deal with. But we believe that thinking about these two notions is an important step toward truly understanding, and increasing, the added value of our efforts. By the general definition, “war” is described as: “A series of conflicts and battles through which countries engage by ceasing their diplomatic relations.” From the international relations perspective, we also come across similar descriptions, just with fancier expressions.
In this perspective, where does an activity described as “Cyber War” stand? The notion of “New Wars”, built upon the criticism of the Clausewitzian approach, is explained with determinants like globalization, economic factors, the erosion of nation-states, the role of technology and the specialization of violence. This notion took its place in the literature thanks to Kaldor’s “Old & New Wars” (1998) and Münkler’s “Die Neuen Kriege” (2002).
Studies aiming to redefine and analyze war are actually meaningful for the cyber world. Experts who conduct their studies on an interdisciplinary basis agree on the inadequacy of the word “war” to describe the overall process. The notion of war symbolizes a limited period of time in which a conflict starts, continues and is finally terminated. There are, on the other hand, serious differences between being prepared for a never-ending struggle and getting ready for a conflict which will eventually come to a close.
In this context, one needs to evaluate the activities in the cyber area as a period of struggle. More than that, operations in which both the cyber and kinetic areas are used aggressively also need to be considered as a whole within the activities of the cyber area. Only such an approach enables us to develop new strategies that take different disciplines into consideration.
In general, studies conducted under the roof of a “SOC” are stuck on the centerline of SIEM and monitoring and unfortunately lack any projection of our new world and its inevitable future. Prevention- and protection-focused preparation processes are also quite insufficient to clear the decks for a never-ending struggle process which has an unconventional nature in the first place.
In a period of struggle, facing an attack is unavoidable. Thereby, a full architecture on which the fight will be carried out needs to be formed. This architecture requires a wide spectrum of coordination capabilities, ranging from micro-scale technical competency to macro-scale process analysis.
As stated before, cyber struggle embraces all parameters of unconventional war and is asymmetrical by nature. Throughout the process, the schedule, the origin and the duration of the attack are completely at the initiative of the attacker. Therefore, the combat process starts with an asymmetrical disadvantage.
Viewed from this angle, there is in fact no such thing as an asymmetrical war, as some circles emphasize. Instead, there is an asymmetrical effect for a certain amount of time during the combat or the war. The side that catches the asymmetrical advantage at different times and maintains it for a longer period turns out to be the dominating side of the conflict.
Asymmetrical advantage can be acquired either through the technologies in use and the intimidating elements at hand, or through numbers or a level of quality that outstrips the opponent. As in kinetic wars, asymmetrical advantage can be gained during the process through strengths in management, command and control, and coordination. Descending from the team to the individual, personal asymmetry can be turned into an advantage by showing supremacy in mental state, endurance and resistance.
Frictions are the most essential factors separating theory from practice. They are the most significant parameters for finalizing the preparation phase in advance of the struggle process and for securing the desired results in alert situations.
Imagine that there is an attack on your corporation and you have the personnel to respond, but they are inaccessible at that moment. Or, in another case, the personnel are available with all the required skills, but it is then discovered that some critical data logs have never been recorded. In such circumstances, frictional elements play tremendous roles in determining the course of events. There are similar examples in kinetic combat processes, such as artillery personnel being unable to support another military unit because of fog.
To obtain a sustainable asymmetric advantage during the struggle process, a detailed analysis of frictions needs to be executed and the necessary preparations should be completed in accordance with the analysis outputs. One should also not fail to notice that all factors carry their own potential frictions.
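The friction analysis called for above can start with the concrete case the text gives, a critical log source that was never recorded. The following added example (not from the article) audits an expected log-source inventory against the last event seen from each source, so that silent or never-onboarded sources surface before an incident rather than during one; the source names and thresholds are constructed, hypothetical values.

```python
from datetime import datetime, timedelta

# Constructed inventory of log sources the SOC assumes are feeding the SIEM,
# with the maximum tolerated silence for each one (hypothetical values).
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "ad-dc-01": timedelta(minutes=15),
    "web-proxy": timedelta(minutes=5),
    "vpn-gw": timedelta(minutes=10),
}

# Constructed sample of the newest event timestamp observed per source
# (ISO 8601, UTC). "vpn-gw" is absent: it exists on paper only.
LAST_SEEN = {
    "fw-edge-01": "2024-05-01T12:00:30+00:00",
    "ad-dc-01": "2024-05-01T11:58:00+00:00",
    "web-proxy": "2024-05-01T09:10:00+00:00",  # silent for hours
}


def _minutes(delta: timedelta) -> int:
    return int(delta.total_seconds() // 60)


def audit_log_frictions(expected: dict, last_seen: dict, now_iso: str) -> dict:
    """Return {source: reason} for every expected source that would be a
    friction in an incident: never recorded, or silent beyond its limit."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for source, max_gap in expected.items():
        newest = last_seen.get(source)
        if newest is None:
            findings[source] = "never recorded"
            continue
        gap = now - datetime.fromisoformat(newest)
        if gap > max_gap:
            findings[source] = (
                f"silent for {_minutes(gap)} min (limit {_minutes(max_gap)} min)"
            )
    return findings


if __name__ == "__main__":
    # Constructed reference time for the audit run.
    for src, why in audit_log_frictions(
        EXPECTED_SOURCES, LAST_SEEN, "2024-05-01T12:01:00+00:00"
    ).items():
        print(f"FRICTION {src}: {why}")
```

The same pattern extends to the other friction in the text, responder availability: an on-call roster audited against who actually acknowledged the last page.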
Visibility is one of the most crucial components of zone control and should consist of a clear management process within the corporation, the predictions provided by following global developments, and the revelation of probabilities through information acquired by intelligence.
The higher the visibility level, the stronger the zone dominance will be. Thus, all assets in the institution, the further assets owned by those assets, personnel profiles, the inventory to be used during the struggle process, frictions and possibilities need to be visible and clarified. Global and local processes need to be followed up; political, sociological and psychological processes must be analyzed accurately, and the related danger levels ought to be set in accordance with the analysis outputs.
Intelligence provides visibility in an area one does not own. When intelligence activities are limited to detecting phishing domains, harmful IP addresses and recent vulnerabilities, they will not contribute enough to a sustainable and solid command process. This is tactical information and obviously not enough. Forming intelligence networks among underground circles, taking human-focused intelligence actions and staffing in the cyber area will, on the other hand, bring tremendous added value to visibility. Intelligence should cover not only tactical information, but also operational and strategic information.
Identifying the influence level of a vulnerability and its effect on the institution is as crucial as being aware of it. When a phishing activity is detected, it is also vital to be informed about what the attackers are planning. From this point of view, intelligence should be evaluated across a broad spectrum, and both formative and offensive skills should be used to their full potential.
Technical Competence and Resource
No matter how advanced the technology is, personnel remain critically important in management, micro-response and analysis flows. Contrary to the general belief, the personnel requirement will not decline in line with developments in automation. Rather, the required qualities of the personnel will evolve and diversify.
Personnel who will perform successfully in a new-generation struggle process should have a profile that is highly competent at seeing the big picture, producing micro-level technical responses and maintaining the micro-to-macro transition in a robust way.
Forming correlations and analogies between disciplines is indispensable. Even when specific actions are automated, responsibilities such as process management, correlation- and analogy-based technical responses, preventive policing and intuitive processes will remain in the hands of the personnel.
When scenario- and skill-based approaches are considered, various cases require very diverse skill sets. However, recruiting an expert for each area of profession runs contrary to the nature of the employment process. That is why the personnel to be hired should be competent at forming correlations and analogies between different disciplines, so that they become capable of evaluating the big picture in terms of international relations, sociology, criminology, profiling, penetration and investigation techniques, etc. Along with these qualifications, it is also crucial for the personnel to maintain high-level mental endurance and psychological control, given the high probability of continuous tension during their professional work. Since an unconventional struggle process is under discussion, these experts should also be evaluated within the scope of special forces.
On the other hand, the mindset of the personnel is another critical parameter. Especially in a SOC environment, those who will operate in the field should have an extremely resilient mind against pressure, long working hours, etc., like a special forces unit.
Nowadays, the general department structure is appraised from a global and conventional point of view. Frankly, an organization similar to the one embraced in kinetic areas is also encountered in cyber security, with units such as Network Security, Web Security, etc.
However, this organizational framework will actually cause inevitable and serious frictions in the decision and initiative processes. Due to the role- and category-based division of responsibilities, intensive frictions and failures are frequently observed in both coordination and rapid-reaction processes.
Considering the unconventional war concept emphasized in the previous chapters, a new-generation department structure with improved maneuverability and coordination is absolutely required. Above, a general department structure chart that will increase the effectiveness of the struggle process is suggested as a solution.
The most critical feature of the suggested architecture is that all experts who work throughout the incident management process hold hybrid skills. In such an organization, the experts who take part in vulnerability management also focus on other aspects of the struggle process across various categories: they also work in areas such as penetration testing, intelligence and offensive solutions, and manage studies in categories related to network, web, etc.
Among the most significant areas in department structures, R&D and project management certainly take their place. Currently, none of the products already developed meet the requirements of institutions. From this point of view, it is necessary not only to corporatize these products and correlate them with different services, but also to customize and develop them according to different institutions’ requirements. All activities conducted to enable these features should be treated as a project and thus stand in need of a project manager. An agile culture can be embraced to increase the effectiveness of such an approach. There should be frequent rotation between the teams, so that the level of knowledge spreads throughout the institution.
It is also essential to keep the team spirit and the unity of the personnel at the highest level. One should never underestimate these assets just because they are not technical know-how related abilities.
As a result, activities that are largely reduced to the SIEM and monitoring aspects have become highly popular in our country, with the aim of higher profitability. Measured against the full extent of a SOC, however, these studies are very limited.
It is obvious that awareness should be raised so that institutions, customers and service and solution providers recognize and understand the cyber struggle process.
Struggle is a never-ending process. Thus, it needs to be approached as a whole. This article aims to provide an introduction to the whole process. A detailed study in book format is still in progress.