Technology Today - Home
Attack and Defend in Cyberspace — and Within Raytheon
"Attack and defend in cyberspace" took on a new meaning within Raytheon last year through the Information Operations Enterprise Initiatives. Raytheon engineers from across the company embarked on a mission to fulfill two major requirements:

  1. Demonstrate the ability to attack and defend in cyberspace
  2. Demonstrate the ability to connect cybereffects to physical effects
Addressing Customer Concerns
In discussing cyberspace with current and potential customers, it is apparent they have a strong desire for one of their trusted partners to step to the front with a demonstrable capability that addresses their concerns with regard to protecting the cyberdomain. For some entities, the defense of their networks is the primary concern. For other entities with Title 10 or Title 501 authority, the ability to provide active defense widens the aperture.

In a recent meeting, a Raytheon customer stressed the need to be able to actively visualize enterprise resources through complete cyber situational awareness faculties, track intrusion attempts, perform forensic analysis, and — when the threat reaches a predefined threshold — execute a precision response using a tool box of cybereffects. The enterprise initiatives developed a demonstration scenario that will be used to highlight our ability to meet our customer's need.

Raytheon excels at defending and securing cyberspace for our customers. But what about attack? This is a more difficult problem to address. First, in order to attack, one has to have a target and the authority to launch an attack on the target. However, Raytheon lacks the authority to launch an attack, as only certain entities within the government possess the Title Authority to prescribe cyberoffensive maneuvers. Second, many of the cybereffects we develop for our customers are locked in classified vaults and cannot be brought into an open environment.

To address customer concerns, Raytheon has developed a representative architecture.

The architecture provides a layered approach driven by cybersensing and effects as well as physical sensing and effects. These lower level entities depend on the "plumbing" provided by the secure overlay layer to parse, (potentially) label, filter and normalize the data provided to the knowledge base. The knowledge base provides the engine for the architecture and interacts with decision support (sometimes referred to as command and control). The knowledge base provides data for the analytics engine and the visualization engine. Modeling and simulation capabilities are provided through the prediction component. The demonstration will eventually reside in the Raytheon Cyber Tactics Center.

Three projects are being delivered under the cybersensing umbrella. The Botnet Discovery project will develop a system that actively seeks out command and control systems of botnets. The Active Enterprise Security Platform project will develop a common execution and data integration environment for deploying command-line tools to support both computer network defense and computer network operations. In conjunction with Active ESP, the Computer Network Attack and Response project will develop a prototype system that can detect an attack and actively formulate and deploy a response.

Because of the secure nature of many of the cybereffects in Raytheon, a primary focus of the cybereffects projects is the development of unclassified non-kinetic computer effects that can be used as demonstrable evidence of Raytheon's capabilities in this area. Projects focus on different types of effects, including polymorphic agents, rootkit exploitation techniques, hypervisor rootkits, the use of steganography to produce an effect, and the ability to persist the effect within a computer or network. Effects are being developed in many areas and include the capability to destroy, degrade, deny, deceive and disable assets and/or operations. On the flip side, research is being conducted to counter the technical threats to the effects being generated. This dynamic, coupled with the cybersensing projects, will provide an active offense versus defense scrimmage capability.

In Melissa Hathaway's Cyberspace Policy Review delivered to President Obama in May 2009, she noted that "The growing sophistication and breadth of criminal activity, along with the harm already caused by cyber incidents, highlight the potential for malicious activity in cyberspace to affect U.S. competitiveness, degrade privacy and civil liberties protections, undermine national security, or cause a general erosion of trust, or even cripple society."2

Cyberattack is real and the consequences of not being prepared are severe. Through the diligent work of engineers across the company, the Information Operations Enterprise Initiatives scenario will transform from an intriguing story to a live demonstration of some of the most advanced cybereffects in the world today.

Rick Butler

1Title 10 Authority gives a government entity the authority to launch a cyberattack on an adversary. Title 50 Authority allows a government entity to perform computer network exploitation.
2"Cyberspace Policy Review," Page 2,