
Cyber Situational Awareness

Modern-day society is increasingly dependent on functioning IT services, and information security is increasingly about protecting society as a whole and its prosperity. Technology creates many new opportunities, but it also introduces new challenges in the form of complexity and difficult-to-understand cross-dependencies.

Today, almost all vital societal functions contain IT elements, which means that nearly all societal disruptions also have information and cyber security elements—directly or indirectly. This project develops technology and methods for improved cyber situational awareness (CSA). In order to make wise and relevant decisions in the event of war, crises, and social disturbances, relevant decision-makers must always have as good an understanding of the situation as possible; when the decisions concern the cyber environment, it follows that the situational awareness must also do so.

The need for CSA is highlighted in many countries’ national cyber strategies, and in the Swedish national security strategy, information and cyber security has its own heading. Here, the government notes that threats are increasingly difficult to detect and that risks are becoming more challenging to assess. The strategy also calls for improvements in the ability to prevent, detect, and respond to IT incidents and antagonistic attacks in all vital societal functions, which requires good situational awareness.

The research field is heterogeneous and has several different specializations. From a technical perspective, tools and algorithms for CSA are needed in the form of, e.g., methods for information and data fusion to manage uncertainty and risk or to find patterns in network data. Another important CSA perspective is based on visualization and human-computer interaction and focuses on how information should best be presented for human decision-makers to be able to assimilate it.

An important starting point for the project, and CSA research in general, is that situational awareness is not just about technology. Technical sensors, such as antivirus software, firewall logs, and intrusion detection systems, certainly play a significant and often crucial role in detecting what is happening. Still, situational awareness does not arise until it is in the minds of decision-makers. Thus, training, exercises, and organizational structures where information flows and decision-making mandates are adapted to current threats and risks are required. Future CSA research will increasingly need to focus on achieving a synthesis of the existing building blocks.

An example of the complexity of today’s CSA needs concerns how distributed denial-of-service (DDoS) attacks have developed from being relatively unqualified disruptions to being used as diversions, for example in advanced attacks on banking. As society becomes increasingly IT-dependent, more and more subtle societal disturbances will work in the same way as these digital banking attacks. Therefore, more and better CSA is required, i.e., better understanding and tools for decision-makers to manage cyber events.

This project conducts research in support of developing the CSA capability of government agencies in the security sector in general and the Swedish Armed Forces in particular. This is done by (i) setting requirements for CSA with a focus on the relevant operations, (ii) developing measures and methods for measuring the achieved CSA level of a decision-maker or other user, (iii) developing tools that facilitate the operations to collect data from external IT sensors, (iv) developing processes and technologies for how data from widely different types of IT sensors can be merged, and (v) developing processes as a basis for how the essential components included in the CSA of a specific enterprise can be identified. In this way, the project contributes to achieving the goal of improved CSA for society’s vital functions.

Publications

U. Franke, A. Andreasson, H. Artman, J. Brynielsson, S. Varga, and N. Vilhelm, “Cyber situational awareness issues and challenges,” in Cybersecurity and Cognitive Science, A. A. Moustafa, Ed. San Diego: Academic Press, 2022, pp. 235-265, doi: 10.1016/B978-0-323-90570-1.00015-2.

A. Andreasson, H. Artman, J. Brynielsson, and U. Franke, “A census of Swedish public sector employee communication on cybersecurity during the COVID-19 pandemic,” 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2021, pp. 1-8, doi: 10.1109/CyberSA52016.2021.9478241.

A. Andreasson, H. Artman, J. Brynielsson, and U. Franke, “A census of Swedish government administrative authority employee communications on cybersecurity during the COVID-19 pandemic,” in Proceedings of the 2020 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2020). IEEE, 2020, pp. 727-733, doi: 10.1109/ASONAM49781.2020.9381324.