Using network digital twins to improve cyber resilience of missions

The need to secure information and weapon systems against cyber threats is a critical objective for the US Department of Defense and its allied partners. Understanding the end-to-end performance of such systems under realistic operational conditions, including cyber disruptions, is critical for achieving mission goals. Identifying and mitigating shortfalls in operational performance under adverse operational conditions can provide significant value to our defense capabilities and directly save lives. As an illustrative example, we consider the Joint All Domain Command and Control (JADC2) system. JADC2 fundamentally relies on communications and networks to contain, extract, and disseminate time-sensitive, missionrelevant information to win decisively against opposing forces. Future conflicts are likely to involve attempts to disrupt information systems that are critical for JADC2 communication and for assured operation of highly sophisticated weapons systems. Disruption is already a capability of potential adversary forces and will spread to secondary threats allied to them. The complexity of a JADC2 combined cyber and kinetic battlefield requires the training, analysis, test, and evaluation communities to adequately account for potential impacts of degraded network operations and/or exploitation of cyber vulnerabilities on overall mission outcomes. This has motivated a significant amount of ongoing research and development into tools, techniques, and methodologies to assess cyber resiliency of military systems in general, and combat systems in particular. The complexity and interdependencies among combat systems and connections among them complicate current resiliency analysis methods. For example, a risk associated with a single point of failure in a network could be mitigated with redundant components, assuming that the failure is a random hardware failure. However, an unmitigated cyber vulnerability could result in identical failures in redundant components as well. Even if there is no vulnerability in the component itself, an attack that succeeds in interfering with timing of data exchanges, for example by loading a data bus, could result in degraded combat system performance. Similarly, establishing communication links through delayed, intermittently connected, low-bandwidth environments may require the relaying of information using multiple hops, which increases susceptibility to man-in-the-middle attacks. It is also the case that a cyber vulnerability in a weapon system is not necessarily a mission vulnerability, as exploiting that vulnerability may or may not impact the overall system capabilities needed to achieve mission objectives. To assure a mission against cyber threats, cyber resilience of the weapon system must be assessed in a realistic tactical environment, so as to: