Why a mission-first network is the foundation for cyber warfighting
- By Robert Schumann
- May 12, 2021
Cyberwarfare has been described as the future of conflict between nations. There are many forms that cyberwar can take - attacking another nation’s infrastructure (such as the power grid or internet), utilizing resources to hit military-specific targets (such as weapons systems or R&D programs), or stealing classified, top-secret information, just to name a few.
In addition to having a cyber army trained in offensive techniques, nations need cybersecurity experts who can shore up defenses against other nations and make sure that critical functions can proceed as usual.
During a conflict, it is expected that both sides will use offensive cyberwar measures to either make it harder for their opponents’ commands and messages to be received on the battlefield, or for critical offensive and defensive systems to even function. For example, missile defense systems could be attacked and knocked offline before having a chance to react. Commands that aren’t received can lead to a breakdown of strategy and planning. This highlights the importance of having a strong, secure infrastructure in place. If the network isn’t protected and able to repel attacks, then you’re immediately at a disadvantage.
But having a strong network backbone may not be enough, especially when it comes to future warfare. Networks need to be designed and implemented with a worse-case scenario in mind. Commanders need to be able to adjust the network and infrastructure as needed to ensure that there is not a breakdown in command. To do this, the network infrastructure needs to be flexible and adaptable enough for command to make adjustments quickly and easily during a pressure situation. This type of network philosophy is what we call a “mission-first network.”
This network is a stateful fabric, routing sessions, not simply packets. It understands the context of those sessions by asking 3 critical questions of each session: who is the source of the traffic, what is the intended destination, and if the who is allowed to access the what, how can the session be escorted to its destination in the most optimal way (without wasting precious bandwidth on tunnels or encapsulation), based upon the mission-planner’s intent and current state of the network.
Putting the Mission First
So the first question you likely have is “what is a mission-first network?” Well, the idea is that the network is constructed in such a way that the way it operates can be changed quickly, easily, and with little advance notice. It is also a network where the intent of mission planners and the data model used to configure the network are as close as possible. The more translation required to take the intent of the mission planner and achieve the desired network outcome the slower the network can react, the more brittle the network is, and the more error prone each change becomes. In short, the network can adapt to the network terrain in front of it and find a way to put the mission first, by ensuring that the desired connection gets through, the orders are sent and received, and there are no breakdowns in command.
Mission-first networks must be intelligent, adaptable, resilient and secure so that the network can be changed on the fly. The ability to see, understand and modify your network’s behavior, from warfighter to warfighter or warfighter to cloud, is critical in order to ensure you can make the proper changes and adjustments in real-time, ensuring that commands and messages get through.
Leaders must also be able to prioritize mission-essential traffic above everything else running on the network. They need to be able to ensure seamless connectivity - and that all network paths chosen for their traffic will meet the appropriate service levels, managing for latency, loss, and jitter, even as the network is dynamically changing in the midst of a battle or cyberwar. In addition, the network must utilize everything as efficiently as possible. Therefore, tunnel overhead must be eliminated wherever possible - meaning your mission-first network must also be tunnel-free.
Finally, and most importantly, leaders need to have the tools available to ensure that only authorized users and devices can access the commands, messages and network traffic. With these guidelines in place, your network is ready for cyberwarfare.
Network awareness means having accurate, up-to-date information about the state of the network, the location of users and of services, and how key workloads are performing.
But awareness requires context - the network needs to interrogate each session related to who (user / device) is generating traffic, what its intended destination is, and, if policy allows it, how should that traffic be escorted across the network. The network can then tell mission planners of its state and performance, so adjustments can be quickly made, as needed, to ensure that the mission-related traffic is prioritized above any and all other traffic.
All this needs to be done across any type of IP connectivity (5G, LTE, SatCom, MPLS, public internet). If issues are present, the network needs to be able to self-remediate, or provide pinpoint accuracy as to the location of the fault.
Mission-first networks must be resilient, allowing leaders to adjust network behavior to instantly implement desired outcomes. The networks must be designed to offer seamless application delivery across changing network types, connectivity and conditions.
In the middle of a critical situation, such as a conflict between nations, the desired network path may no longer be available or performing. Preferred infrastructure may be damaged or offline, meaning you need to find another way to ensure that your commands and messages are sent and received as intended. In these situations, it is important to have set your system up to operate in Denied, Degraded, Intermit, or Limited Bandwidth Environments (DDIL). The ability to intelligently route traffic from one user to application, maximizing the available bandwidth, will help ensure commands are received as intended, as quickly and efficiently as possible.
“Fixed fortifications are a monument to the stupidity of man,” said General Patton. Those “fortifications” today are network access locations, teleports, and VPN points. The mission-first network makes those fixed location ephemeral and transient, existing for days or even just hours.
The mission-first network must be able to create new points of presence for network access, as needed, allowing mission-first networks to define the battlefield based on where you currently are, instead of having to use a static position, masking your location and intentions. Obfuscation of critical communications between endpoints makes it more difficult for enemies and other parties to conduct traffic analysis. Making those endpoints ephemeral adds even more complexity.
Zero Trust Security
One of the most important aspects of setting up your infrastructure is making sure that it’s secure from attackers. Traditional network routing approaches to security create a trusted environment by overlaying security features onto the core functions of the network. While this prevents a certain level of breaches and attacks, when you’re considering what’s needed to protect in a cyber warfare environment, security needs to be embedded into the network fabric itself.
The strongest security you can implement is building your network with a zero-trust philosophy. Zero-trust networks prevent breaches caused by privileged access abuse, making each piece of traffic prove that it is authorized to access the network. Those in charge of the network - i.e., those in charge of the mission - can easily define who is allowed to access applications and services, then deploy that policy globally, modifying it on-demand to define where, when and to whom an encrypted data session will be allowed.
It is impossible to perfectly predict what a cyberwarfare environment would look like. All of the theory and simulations in the world will never be 100% correct at laying out the potential problems faced on the battlefield. That’s why it pays to be prepared for all eventualities.
The key elements of a mission-first network are preparation and control. Control of how you want your network to behave under both optimal and not-so-optimal conditions. In a cyberwarfare environment you need to be able to have context-aware/mission-aware failover so that traffic is re-routed and commands are sent and received regardless of any network issues and in the face of natural and man-made interruptions.
The network should never be able to be defeated. Setting up your infrastructure in a mission-first direction will go a long way toward ensuring that leaders have the control they need to ensure their messages and commands get through - and the mission is successful.
Robert Schumann is a solutions architect with Juniper Networks.