A computer model suggests how to fight to win in a cyber conflict.

As a CNA analyst who has worked closely with the nation’s leading cyber commanders, Dr. S. John Spey long felt that he was working at a disadvantage. His CNA colleagues who advise the US Navy on how best to fight using submarines, ships, and aircraft can draw upon experience from previous wars and battles. But the world has never experienced full-scale cyberwarfare. Spey could refer to case studies of various cyber skirmishes between adversaries, but it was not enough. “If we were to get 24 hours’ warning, and the cyber commander wants to know how to fight, there was never enough material out there for me to base my answer on,” he says. “No one could answer that.”

Now Spey has something almost as useful as real-world cyberwar experience. His new report, A Novel Model of Cyber Combat, researched with fellow CNA cyber analyst Zeeve Rogoszinski, describes a simplified computer model they designed that can rapidly run thousands of iterations of a simulated cyber operation to evaluate the range of possible outcomes. And though the analysts have only scratched the surface of the experimentation opportunities that their model allows, the report points to several insights from its first simulations.

What the cyber model tells us about cyber warfare

One insight is that in a war, offensive cyber resources should generally not be wasted upon attacking other cyber capabilities. Spey explains that he tested the model on cyber campaigns using three different approaches to gain access to enemy intelligence and infrastructure. The first two began by directly attacking the adversary’s cyber forces: one sought to break down the enemy’s cyber defenses; the other tried to steal the enemy’s offensive cyber weapons and use that knowledge for network defense. In either case, weakening the enemy’s cyber forces was intended to eventually make it easier to damage their actual fighting ability, for example by disrupting their military communications or gathering intelligence about battle plans.

But the model suggests that time and effort spent attacking cyber forces is inefficient, because it delays the cyberattacks on non-cyber forces that actually affect success on the real battlefield. When the model was told to use a third approach, leaving enemy cyber forces alone and focusing immediately on cyber actions that could weaken their physical forces, success rates were much higher. “Winning the cyberwar alone is a hollow victory if it’s a big fight with missiles and bombs and torpedoes,” says Spey.

Another noteworthy insight from the model is that for a network intrusion to succeed, the intruder must be not just somewhat more capable than the defender, but thousands of times better at avoiding detection than the network defender is at detecting intruders. The model showed that most intruders are kicked out quite quickly, yet successful intruders typically must linger in a network for months. Spey says he “naively assumed” that once highly skilled intruders avoid detection for several days, their chances of getting caught must start to go down. Instead, the model showed that the cumulative chance of being detected kept increasing, even for highly skilled intruders. “You only need to get caught once,” he notes, “and then you lose.”
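As an added illustration of this point (not the CNA model, whose internals the article does not describe), the following Python assumes a deliberately simple memoryless process: the defender gets one independent detection check per day with a constant probability p. The helper names and the constructed value p = 0.3 are assumptions made here.

```python
import random

# Added illustration, not CNA's model: assumes one independent detection
# opportunity per day with a constant probability p of catching the
# intruder, so dwell time is geometric and the cumulative chance of being
# caught keeps rising with every day spent in the network.

def cumulative_detection(p: float, days: int) -> float:
    """Probability the intruder has been caught by the end of day `days`."""
    return 1.0 - (1.0 - p) ** days

def is_monotone_increasing(values) -> bool:
    """True if every value is >= the one before it."""
    return all(a <= b for a, b in zip(values, values[1:]))

def required_daily_detection_rate(days: int, survival: float) -> float:
    """Per-day detection probability at which an intruder survives `days`
    days with probability `survival`, i.e. solve (1 - p) ** days == survival."""
    return 1.0 - survival ** (1.0 / days)

def evasion_odds(p: float) -> float:
    """Odds of evading a single day's detection check: (1 - p) / p."""
    return (1.0 - p) / p

def simulate_dwell_times(p: float, intrusions: int, seed: int = 1) -> list:
    """Monte Carlo: number of days each intruder lasts until first detection."""
    rng = random.Random(seed)
    dwell = []
    for _ in range(intrusions):
        day = 1
        while rng.random() >= p:  # today's check misses the intruder
            day += 1
        dwell.append(day)
    return dwell

def fraction_caught_on_day(dwell_times, day: int) -> float:
    """Share of simulated intrusions detected on exactly `day`."""
    return sum(1 for d in dwell_times if d == day) / len(dwell_times)

if __name__ == "__main__":
    p = 0.3  # constructed value: a defender who catches 30% of intruders per day
    dwell = simulate_dwell_times(p, 20_000)
    print(f"caught on day one: {fraction_caught_on_day(dwell, 1):.2%}")
    print(f"cumulative detection by day 10: {cumulative_detection(p, 10):.2%}")
    p_lucky = required_daily_detection_rate(180, 0.5)
    print(f"to last 180 days half the time, the daily detection rate must be "
          f"{p_lucky:.4f} (evasion odds about {evasion_odds(p_lucky):.0f}:1)")
```

For the defender, the takeaway is that even a modest daily detection probability compounds: the survival curve never flattens, which is why dwell-time is a useful metric for a monitoring program.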

The cyber model vs. the real world

This kind of insight from the model has practical implications. For example, the fact that the chances of getting caught keep rising raises a trade-off: it may make more sense for an intruder to accomplish what they can in a short period of time and then get out. Having a model to test such ideas could be invaluable for analysts like Spey—currently the CNA Scientific Analyst to the Deputy Chief of Naval Operations for Information Warfare—and the leaders they advise. Spey previously served for years as a CNA field representative to Naval Network Warfare Command and later to Fleet Cyber Command. He is a member of CNA’s Cyber, IT Systems, and Networks team.

The CNA analysts validated the model by comparing its results to real-world data about cyberattacks on private, commercial networks. They used a Verizon database of thousands of network intrusions by hackers, examining when the intruders first accessed a network and when they were caught. The data lined up very closely with the model’s predictions. In the real world, for example, most intruders are caught on the first day.

Spey and Rogoszinski designed the model with potential for expansion to take on different questions. It could give leaders suggestions for how to allocate cyber resources for the greatest effect. It could be used to compare alternative tactics. It might even explore different strategies in the midst of an intrusion. Cyber challenges are continually evolving, but after well over a decade of cyber analysis, Spey has found one constant: “There are always more questions.”

Don Boroughs is a senior advisor in the CNA Office of Communications. He is the author of The Story of CNA.