Operations Research Approaches to Cyber Conflict CCW Short Course 21 September 2011 CDR Harrison Schramm
Lecture Goal • To provide an executive overview of Operations Research… …And the application of these techniques to problems in the cyber domain.
Introduction • Who am I and why am I here? • How did I get interested in Cyber? • What sorts of approaches might the OR community have to offer? • Future ideas in OR
Outline Big Questions • What is OR and how can it be applied to the cyber problem? • What specific problems are amenable to analysis? Applications • Network Flow Models • Formulation • Interdiction • Game theory and deterrence • How cyber conflict is different • Epidemic Models
History of Operations Research • Origins in WWII • Convoy Planning (Royal Navy) • Anti-submarine warfare (USA) • Quick case study: Should Air Defense guns be placed on Merchant Vessels?
Military OR and Cyber Conflict Difficulties: • No clear-cut ‘one-to-one’ mapping between traditional models and cyber conflict • Uncertainties in cyber conflict make problem difficult to parameterize. Approaches: • Lanchester Equations • Game Theory • Attacker / Defender Modeling • Applied mathematics from other disciplines Ultimate Goal: to integrate cyber conflict into Campaign Analysis to inform investment and tactical decisions for DoD.
How cyber conflict is different (And why our old tools don’t work) • Fluidity of arsenals • Adversaries’ discovery of a vulnerability may make an opponent’s weapon useless. • Deterrence implications • Difficulties with detection and attribution • How do you know when you’re under attack? • Wide estimates of ‘how bad could bad be’ • What is a ‘cyber pearl harbor?’
Our purpose • Is the application of the scientific method to military / policy problems to inform better decisions. • OR is ‘The Science of Better’
What is a Network? • A NETWORK is any system that can be described as a set of Nodes and Arcs. • Arcs have attributes: • Capacity • Cost • Nodes are where Arcs meet • We’re interested in the relationship between the ‘inflow’ and ‘outflow’ at each arc.
Network Example • Example: Driving to San Jose International Airport
Mathematical Representation [figure: a directed network of nodes 1 through 6, each arc labelled (cij, qij) with cij the cost and qij the capacity of arc i→j; arc labels shown include (2, 1), (1, 2), (1, 4), (2, 2), (1, 1) and (3, 1)]
The math (in words) • We seek to minimize costs across the network • Such that: • Demand is met • Supply is not exceeded • The net flow at a ‘transient’ node is zero • No arc’s capacity is exceeded • No arc has negative flow. • This becomes a Mathematical Programming problem and is easily solved.
Network Questions • How much can we push through? • Maximum Flow • What’s the cheapest way to move one unit? • Minimum Cost • What’s the cheapest way to move supplies from one or more sources to multiple destinations? • What’s the best way to schedule jobs?
Network Flow Problems - Practical • Obvious Networks: • Electrical systems • Road Systems • Computer Networks • Non-obvious networks: • Schedules… • Like a weapons development program
Intermission • Gee, Harrison, that’s really cool. Why are we talking about this? • Glad you asked!
Using attack-based strategies to identify critical infrastructure components is not a new idea • Harris, T.E., and Ross, F.S. (1955), Fundamentals of a Method for Evaluating Rail Net Capacities (SECRET, declassified 1999), RM-1573, RAND Corp. • As documented by Schrijver (2002).
This math used to be Classified! (Sorry, I just have to say that every chance I get)
How is this approach different than others? Decision Making: • Under Certainty → Optimization • Under Uncertainty: • versus Mother Nature (non-deliberate) → Probability • versus an Enemy (deliberate) → Game Theory
Different Approaches to Assessing Risk (David Alderson – NPS – 22June2011)
Assess “What is Likely”: • Model the threat • Evaluate expected outcome • Relies on historical record, SMEs, “crystal ball”
Assess the “Worst Case”: • Model the system • Evaluate potential damage by adversary (capability-based) • Relies on system knowledge
Non-Deliberate Hazard, “What is Likely” column: Probabilistic Risk Analysis (Natural Disasters), Safety (Accidents), Reliability (Failures). “Worst Case” column: Might be too conservative (Impractical to mitigate)
Deliberate Threat, “What is Likely” column: Intent-Based Analysis (e.g., predicting terrorists); Risk = f (T, V, C); Short-term planning only; Requires strong intelligence; Might not be conservative enough (Limited by imagination). “Worst Case” column: Capability-Based Analysis (e.g., game theory); Works for long-term & short-term planning and resource allocation
A Fundamental Question: Is defending a system… • More like protecting against Mother Nature? • Or more like defending against an intelligent adversary? • This is a fundamental issue in the use of risk analysis techniques, but it is not the only one… David Alderson – NPS – 22June2011
What does it mean to ‘attack an arc’? Two interpretations: • The Black Knight Method (“NONE SHALL PASS”) • set its capacity to zero (this is the same as removing it from the model) Or • The Tollbooth Method • place an unaffordable tax on the arc to make it cost-prohibitive.
Suppose someone hands you a network model. Network Operator (Defender) problem: • How do I continue to operate my network under attack? • Mathematically: How do I minimize total cost given a set of interdicted arcs? Interdictor (Attacker) problem: • Which arc(s) are the best to attack in order to minimize the operator’s best performance? • Mathematically: How do I choose a set of arcs to attack?
Attacker / Defender Schematic: Operator ⇄ Attacker. The attacker shows the defender the ‘best’ attack for the current system configuration; the operator shows the attacker the ‘best’ system operation under that attack.
“Punch line” • Added numbers of attacks may lead you to attack different things • An attacker with more resources may attack different things than a less capable attacker; both may be acting optimally!
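The network flow and interdiction slides above can be run end to end. The code below is an added example written for this page, not code from the lecture: the six-node network in the slides could not be recovered, so it uses a small constructed network (source s, sink t, two transit nodes a and b) with assumed costs and capacities. It solves the operator’s minimum-cost flow problem by successive shortest paths, then lets the attacker try both interpretations of ‘attacking an arc’ (Black Knight: capacity to zero; Tollbooth: an assumed tax added to the arc cost) and re-solves the operator’s problem for each candidate attack. Unmet demand is charged at an assumed shortfall cost, which is the usual way to keep the defender’s problem feasible after an attack. The budget-2 result also shows the ‘punch line’: the best pair of arcs to attack does not contain the best single arc.

```python
"""Min-cost network flow with single- and multi-arc interdiction.

Constructed example for this page (not from the lecture). Names, costs,
capacities and the shortfall/tax values below are assumptions.
"""
from itertools import combinations

INF = float("inf")

# Constructed network: (tail, head, cost per unit, capacity).
ARCS = [
    ("s", "a", 1, 5),
    ("s", "b", 3, 5),
    ("a", "b", 1, 3),
    ("a", "t", 4, 5),
    ("b", "t", 1, 5),
]
SOURCE, SINK, DEMAND = "s", "t", 6
SHORTFALL_COST = 50   # assumed penalty per unit of demand left unmet
TOLLBOOTH_TAX = 10    # assumed tax added to an interdicted arc's cost


def min_cost_flow(arcs, source, sink, demand):
    """Operator's problem: ship `demand` units from source to sink at
    minimum cost. Successive shortest augmenting paths; Bellman-Ford is used
    because the residual graph contains negative-cost reverse arcs.
    Returns (total_cost, units_shipped, {(tail, head): flow})."""
    nodes = {n for arc in arcs for n in arc[:2]}
    edges = []                        # [tail, head, cost, residual capacity]
    for u, v, c, q in arcs:           # forward edge at 2i, its reverse at 2i+1
        edges.append([u, v, c, q])
        edges.append([v, u, -c, 0])
    shipped, total = 0, 0
    while shipped < demand:
        dist = {n: INF for n in nodes}
        dist[source] = 0
        parent = {}
        for _ in range(len(nodes) - 1):
            relaxed = False
            for i, (u, v, c, cap) in enumerate(edges):
                if cap > 0 and dist[u] + c < dist[v]:
                    dist[v], parent[v], relaxed = dist[u] + c, i, True
            if not relaxed:
                break
        if dist[sink] == INF:
            break                     # no augmenting path: demand cannot be met
        push, v = demand - shipped, sink
        while v != source:            # bottleneck capacity along the path
            push = min(push, edges[parent[v]][3])
            v = edges[parent[v]][0]
        v = sink
        while v != source:            # augment: forward loses, reverse gains
            i = parent[v]
            edges[i][3] -= push
            edges[i ^ 1][3] += push
            v = edges[i][0]
        shipped += push
        total += push * dist[sink]
    # residual capacity of the reverse edge equals the flow on the forward arc
    flow = {(u, v): edges[2 * i + 1][3] for i, (u, v, _, _) in enumerate(arcs)}
    return total, shipped, flow


def operator_cost(arcs, source, sink, demand, attacked, mode):
    """Defender re-solves the flow after an attack. 'black_knight' zeroes the
    arc's capacity; 'tollbooth' adds TOLLBOOTH_TAX to its cost. Unmet demand
    is modelled as a direct source->sink arc costing SHORTFALL_COST per unit."""
    modified = []
    for u, v, c, q in arcs:
        if (u, v) in attacked:
            if mode == "black_knight":
                q = 0
            elif mode == "tollbooth":
                c += TOLLBOOTH_TAX
            else:
                raise ValueError(mode)
        modified.append((u, v, c, q))
    modified.append((source, sink, SHORTFALL_COST, demand))
    total, _, _ = min_cost_flow(modified, source, sink, demand)
    return total


def best_attack(arcs, source, sink, demand, budget, mode):
    """Attacker's problem: choose `budget` arcs that maximise the operator's
    best achievable cost. Exhaustive enumeration is fine for a toy network;
    real models solve this as a bilevel (attacker-defender) program."""
    keys = [(u, v) for u, v, _, _ in arcs]
    best_set, best_cost = None, -1
    for subset in combinations(keys, budget):
        cost = operator_cost(arcs, source, sink, demand, set(subset), mode)
        if cost > best_cost:          # strict: keeps the first maximiser found
            best_set, best_cost = subset, cost
    return best_set, best_cost


if __name__ == "__main__":
    print("no attack:", min_cost_flow(ARCS, SOURCE, SINK, DEMAND))
    for budget in (1, 2):
        print("black knight, budget", budget,
              best_attack(ARCS, SOURCE, SINK, DEMAND, budget, "black_knight"))
    print("tollbooth, budget 1",
          best_attack(ARCS, SOURCE, SINK, DEMAND, 1, "tollbooth"))
```

With no attack the operator ships all 6 units for 22. The best single Black Knight attack removes b→t (operator cost 75), but with a budget of two arcs the best attack is {s→a, s→b}, which cuts the source off entirely and does not include b→t at all. Under the Tollbooth interpretation the defender keeps using the taxed arc when that is still cheaper than the shortfall penalty, which is why the attack values differ between the two interpretations.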
Example: PORT OF LOS ANGELES Attacker’s problem: find attack paths for multiple, simultaneous attackers that minimize getting stopped. Defender’s problem: preposition radar and small boats to maximize early detection
Example II: Building a first nuclear weapon • A regional power seeks international prestige and influence • Growing industrial base • Well-funded research universities • Several civilian power reactors under IAEA safeguards • Established, high-volume producer of uranium ore and yellowcake NPS OR Department David Alderson – NPS – 22June2011
Gantt chart Operator’s problem is to manage his project to minimize the completion time of his first weapon Attacker’s problem is to delay the completion time of his first weapon David Alderson – NPS – 22June2011
Part II: Deterrence • “Deterrence, it seems, works better in Practice than in Theory”
References • Thomas Schelling: Arms and Influence • Herman Kahn: On Thermonuclear War • Glenn Kent: Thinking about America’s Defense
Deterrence: Is.. • A coercive strategy which aims to maintain the status quo by forcing an adversary to re-consider the costs and benefits of their actions • Requires: • The ability to inflict harm to something the adversary values • The will to inflict this harm • Effective communication of the ability and will • Can sum these up in one word: CREDIBILITY
Is challenging to study because… • We only gain partial information about effectiveness. • When we (or others) are attacked, we can conclude that our deterrence was insufficient. • When attacks do not happen, it may be because of our deterrent, or another effect. • We never truly know the motivations / utilities of our adversaries. Their private utilities are probably ‘unknowable’.
“No one wants to be in the position of finding a problem both important for study and without good analytic methods to tackle it.” - Jervis
Analytic Methods • Critical Thinking / Systems Analysis • Kent’s First Strike Stability • Statistical Analysis: fitting models to datasets • Difficulties: Coding data, model specification, descriptive statistics. Presupposes model format. • Huth, Signorino • Game Theory • Difficulties: presupposes an ability to compute utilities • Schelling, Zagare and Kilgour • History • Difficulties: May not be applicable to future campaigns • Mearsheimer, Keegan, others
General Conclusions • Deterrence requires all the levers of national power – it is not simply a military problem – (all methods) • Deterrence is most likely to fail when: • At least one side perceives the campaign will be ‘quick’ and ‘easy’ (History, Strike Stability) • At least one side feels that they are in a ‘use or lose’ situation (History, Game Theory) • Deterrence postures are irrelevant if not effectively communicated (History, Statistics) • Communication fails (History) • The objective of deterrence cannot be ‘Everything – Everywhere’ – we should prioritize what we wish to deter.
Who is deterrable? Deterrable: • Nations that seek to minimize costs • Nations that feel secure in their nuclear (and other) deterrents. Not deterrable: • Groups who do not seek to minimize costs: because they don’t count them; because they have ideological imperatives to act; because they seek conflict • Nations who feel they are in a use / lose situation.
Nuclear Deterrence: The Gold Standard? • Kent’s model of Nuclear Deterrence • Advantages: tractable, simple, elegant • Disadvantages: Measures the ‘costs’ of attacking first versus the ‘costs’ of attacking second • The closer this ratio is to unity, the more stable the system is. • Sources of Stability: • Clear Communications • Assured Retaliation • Sources of Instability: • “Splendid First Strike” • Deterrence capability made irrelevant: • Communication lapses i.e. Saddam Hussein • “Mandates” – Political or personal motives that force a solution • Germany WWII?
Kent’s Model of deterrence First strike Stability Index: Where: C represents costs; several definitions have been used Ratios don’t tell the whole story; magnitude of potential costs key as well.
Missing Rungs on the “Ladder of Escalation” (rungs from lowest to highest): Diplomatic Censure • Limited Retaliatory Strike • Conventional War • Nuclear Exchange. The adversaries’ provocation sits between the Limited Retaliatory Strike and Conventional War rungs, where Blue has no appropriate response: Blue is left with the choices of increasing escalation beyond their desires or simply ‘taking it’.
Discussion: • What are the prospects for deterrence in cyberspace?
Research Question • What sorts of actions will best enable deterrence of hostile acts in cyberspace?
Part III: Epidemic Models and Applications • Used to study the transmission of disease from antiquity. • Separate a closed population into groups or ‘Cohorts’ • Here we will discuss the simplest model.
The ‘Simple’ Epidemic • The story: There is a population with a fixed number of members, some of whom are infected with a virus for which there is no cure. Population members meet and mingle with some intensity.
Members: • Susceptible (S). Does not have the disease, but may become infected if he encounters an Infective. • Infective (I). Has the disease and may spread it to any susceptible he meets.
Stick Figure Dynamics: • S + S = No Change • I + I = No Change • S + I = I + I: with some probability, S converts to I
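A worked version of the ‘simple’ epidemic described above, written for this page rather than taken from the lecture. It runs the same S/I story two ways: a deterministic cohort recurrence in which the expected number of new infectives per step is c·S·I/N (c is an assumed mixing intensity), and a seeded simulation that literally pairs members at random and applies the stick-figure rules (S+S and I+I: no change; S+I converts the S with probability p). Population size, initial infectives, c and p are constructed values; the functions and parameter names are this example’s own.

```python
"""Simple (S-I) epidemic model: constructed example for this page, not from
the lecture. No cure exists, so I never decreases and S + I stays fixed."""
import random


def si_recurrence(population, initial_infected, mixing_rate, steps):
    """Deterministic cohort model. Expected new infectives per step are
    mixing_rate * S * I / N (assumed form of the 'meet and mingle' intensity).
    Returns the list [I_0, I_1, ..., I_steps]."""
    n = population
    i = float(initial_infected)
    history = [i]
    for _ in range(steps):
        s = n - i
        i = min(n, i + mixing_rate * s * i / n)   # cannot exceed the population
        history.append(i)
    return history


def si_simulation(population, initial_infected, contact_prob, steps, seed=1):
    """Agent-level version. Each step the population is shuffled and paired
    off; when an S meets an I, the S converts with probability contact_prob.
    S+S and I+I pairs are unchanged. Returns [(S_t, I_t), ...]."""
    rng = random.Random(seed)                     # seeded: reproducible run
    state = ["I"] * initial_infected + ["S"] * (population - initial_infected)
    history = [(state.count("S"), state.count("I"))]
    for _ in range(steps):
        rng.shuffle(state)                        # members meet and mingle
        for k in range(0, population - 1, 2):
            if {state[k], state[k + 1]} == {"S", "I"} and rng.random() < contact_prob:
                state[k] = state[k + 1] = "I"     # S + I -> I + I
        history.append((state.count("S"), state.count("I")))
    return history


def check_closed_population(history, population):
    """Invariants of the simple epidemic: S + I is conserved every step and
    the infective cohort never shrinks (there is no cure)."""
    conserved = all(s + i == population for s, i in history)
    monotone = all(history[k][1] <= history[k + 1][1] for k in range(len(history) - 1))
    return conserved and monotone


if __name__ == "__main__":
    print("expected I_t:", [round(x, 3) for x in si_recurrence(10, 1, 0.5, 8)])
    run = si_simulation(20, 1, 0.5, 15)
    print("simulated (S, I):", run)
    print("invariants hold:", check_closed_population(run, 20))
```

The recurrence shows the familiar S-shaped curve: growth is slow while I is small, fastest when S and I are balanced, and flattens as S runs out, with every member eventually infected because nobody recovers. The simulation makes the lecture’s point about ‘some intensity’ concrete: the outcome of any one step depends on who happened to meet whom, which is why the deterministic curve is only the expected path.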