When one considers the decision-making and planning necessary to conduct malicious cyber activity, it becomes easier to understand how it is not simply an “on-the-network” fight. There is no broadly accepted delineation of the various levels of cyber activities. However, it may be useful—and somewhat instructive—to consider thinking of the cyber domain through a framework that is fairly consistent throughout both government and the private sector: Strategic, Operational, and Tactical levels.
The Strategic Level of Cyber
The Strategic level of cyber activity is the determination of objectives and guidance by the highest organizational entity representing a group or organization and their use of the group or organization’s resources towards achievement of those objectives. A consideration of “what do we have that others want,” “how valuable/important is it,” and “how well are we protecting it” begins the process of risk characterization. In other words, the organization must determine what the opponent wants to achieve and generally how they will attempt to achieve their aims.
Such activities, conducted by the adversary, might include:
(1) The decision to use cyber capabilities to acquire information or technology
(2) The decision to attack a particularly sensitive or strategically important target
(3) The action of allocating resources towards developing general capabilities for exploitation or attack
Intelligence must be included in the calculus so that strategic-level decision makers can understand the threats that may inhibit or prevent obtaining their strategic objectives.
When considering what type of intelligence may be considered of strategic importance, leaders should concentrate on that which reveals new or changed risk with relation to the organization’s strategic objectives.
The Operational Level of Cyber
At this level, malicious actors plan their campaigns based upon what they have learned in collecting their own intelligence and on what they have surmised as being necessary based upon their strategic goals. Actors build the capabilities needed to support the tactical operations. They maneuver in cyberspace (hop points) to position capability where they need it in order to be effective in their tactical missions. This is the level where a hacktivist group may plan both cyber and physical world activities to support their objectives.
The Tactical Level of Cyber
“Activities at this level focus on the ordered arrangement and maneuver of combat elements in relation to each other and to the enemy to achieve combat objectives” [emphasis added]. The tactical level of the cyber domain is where the on-the-network actions take place. This is where malicious actors and network defenders maneuver against each other. This is where botnets are directed towards a specific target and then unleash their payload. This is where an adversary finds a vulnerability and infiltrates a network. This is where an actor using advanced persistent threats maneuvers laterally inside the target network, finds the information he wants, copies it, encrypts it, and exfiltrates the data. This is where most of the attention of cyber defense is focused today.
Cyber intelligence is a complex, as yet undefined, multifaceted approach to framing, thinking about, and reacting to cyber adversarial activity. Many discussions emphasize the complexity of the cyber operational domain, the speed at which activity and operations take place, and the supposed inherent advantage of the attacker. The importance of integrating sound and time-tested intelligence thinking and methodology becomes significant when we address the problem.