The CyCon Defense Model

Infrastructure Is Us

The CyCon Defense Model

At the national level, a central goal of PDD-63 is to accurately gauge the potential damage of individual and coordinated cyberattacks on U.S. infrastructures, both individually and as they relate to one another. Some of the most interesting research being conducted toward this end is rooted in psychology and behavioral studies. While this line of inquiry will not produce perfect, cut-and-dry answers, it will greatly enhance efforts to generate "indications and warnings"—old school military terms that mean knowing and seeing all in warfare conditions, and being able to react accordingly. The assumption here is that by examining the behavior of systems and comparing it to the spectrum of behaviors of hackers, terrorists and other groups who represent potential threats to the infrastructure, we can develop a baseline of warnings and indications.

The U.S. military employs a five-stage "ThreatCon" and "DefCon" system that uses global events as triggers for enhanced military preparedness. Large organizations and enterprises, infrastructure, government entities and the United States as a whole must similarly establish a common means of measuring the cyberhealth, defensive posture and threats by which a similar cyberresponse policy is developed.

The table below represents a proposed cyber-equivalent of DefCon: a five-level CyCon system. CyCon includes an integrated detection and reaction system for American business and the government. The threats and threat levels outlined in each category are examples of conditions we might expect to see.

CyCon-1, for instance, represents the lowest level of detected offensive activity, while CyCon-5 represents massive detected activities with dire consequences to victims. Note that the scale on the enterprise side is skewed one level compared to the national/government side. While a particular company or organization might be detecting and reacting to CyCon-2 or CyCon-4-level attacks or events, the effect on the national CyCon level will typically be on the order of CyCon-1 or CyCon-3, respectively.

What the CyCon model suggests is a more coordinated approach to organizational and national preparedness, one that reflects the variables and uncertainties of cyberwarfare. Sensors or detection mechanisms are deployed at each CyCon level. These sensors must be able to understand the nature of the attacks and behavioral anomalies throughout the virtual existence of the networks and infrastructures. They must also be able to report back to a centralized repository and response station, such as the NIPC or ISAC.

What is missing in the CyCon model is the means to create a centralized national reporting repository, whereby the national CyCon level can be measured on a real-time basis. Broad CyCon levels can be established with real-time monitoring and detection systems along with proper reporting channels to a centralized facility (enterprise or national). With appropriate weighting for time, intensity, value and other considerations, an enterprise could quickly evaluate the detected activity in much the same way we use network-monitoring tools to gauge the real-time performance of a network.

In more sophisticated applications, heuristics will come into play. The systems will be more self-adapting and self-learning; automatic remote responses will be monitored, and momentary spikes of high CyCon levels will be dealt with quickly and automatically. Thus, if a severe attack occurs against a major domestic firm, and if its own detection/reaction systems are in order, the reports that it feeds to the national CyCon repository would barely register a blip.

—Winn Schwartau

Five-Level Cycon System

CyCon 1

Corporate/Organizational

• Noise level.
• No attacks above set threshold.

Governmental/National

• Occasional reports of CyCon-2 from corporate.
• No systematic assaults against government facilities or infrastructure.

CyCon 2

Corporate/Organizational

• Unapproved scans.
• Occasional hack attempts.
• Detection sensors triggered.

Governmental/National

• Some government facilities under attack.
• Limited DoS and/or reports of CyCon-3 from corporate.
• Infrastructure not affected.

CyCon 3

Corporate/Organizational

• Coordinated hacking and some denial-of-service (DoS) attacks.

• Losses evident.

Governmental/National

• Noticeable successful attacks into government systems or medium-level DoS.
• More than one corporate CyCon-4 event reported.
• Infrastructure under some duress from assaults.

CyCon 4

Corporate/Organizational

• Company under assault.
• Portions of networks isolated.
• Customer services degraded.

Governmental/National

• Government systems under coordinated assault.
• Systems under heavy DoS.
• Several corporate CyCon-4 reports (or a mixture of at least two corporate

CyCon-5 reports and one major infrastructural attack causing severe degradation of service).

CyCon 5

Corporate/Organizational

• Company under heavy assault.
• Must shut down all electronic facilities to isolate and preserve systems.

Governmental/National

• Some government sites shut down or isolated by heavy attacks and DoS.
• Several corporate CyCon-5 reports.
• Several successful infrastructural attacks.
• National economy affected.

&copy 1999 Information Security Magazine. Used with permission.
Information Security, the official publication of the ICSA, is dedicated to the needs of all security-conscious IT professionals. Free to qualified readers, Information Security features in-depth articles, product announcements and more analysis of information security issues than any other trade magazine. Subscribe today!