A scalable architecture for improving the timeliness and relevance of cyber incident notifications

Abstract

The current mechanics of cyber incident notification within the United States Air Force rely on a broadcast “push” of incident information to the affected community of interest. This process is largely ineffective because when the notification arrives at each unit, someone has to make a decision as to who should be notified within their unit. Broadcasting the notification to all users creates noise for those who do not need the notification, increasing the likelihood of ignoring future notifications. Selectively sending notifications to specific people without a priori knowledge of who might be affected results in missing users who need to know. Neither of these approaches addresses the passing of notifications to downstream entities whose missions may be affected by the incident. In this paper, we propose a modular, scalable, cyber incident notification system concept that makes use of a “publish and subscribe” architecture to assure the timeliness and relevance of incident notification. Mission stakeholders subscribe to the status of mission critical information resources (external and internal) and publish their own mission capability allowing other units to maintain real-time awareness of their own dependencies. We contend that this architecture is a significant improvement over current methods by making direct connections between mission stakeholders and their dependencies and eliminating multiple levels of human processing, thereby reducing noise and ensuring relevant information gets to the right people.