The CUAS/Nefarious UAS Kill Chain, “Left of Launch,” and the Clueless and Careless
This article was written by David Kovar, CEO and Founder of URSA Inc. He is a Cleared Private Sector Partner for the New Hampshire Information & Analysis Center, and a UAS/CUAS Analyst with the Delaware Emergency Management Agency.
The Kill Chain
What is a “kill chain”? Some version of the kill chain concept existed as far back as World War II but I was first introduced to it in the cybersecurity concept. In cybersecurity, it is used as a model for the identification and prevention of cyber intrusions activity. Essentially, it is all of the actions that a threat actor must successfully execute to accomplish their objective.
CUAS Kill Chain
The counter UAS kill chain can be described as the steps that a CUAS operator must execute to mitigate a malicious UAV. Here is one version of it:
Traditionally the CUAS Kill Chain includes detect, identify, locate, track, and disable / kill / mitigate. And the chain often stops there, with mitigate.
It is important to extend the chain to include “analyze” and “attribute”. Analyze the UAV that has been mitigated to understand the “who, what, when, where, why and how” relating to its operation. Then, if possible, attribute the operation to an individual, group, or possible threat actor. Finally, feed the results of those steps back into the kill chain via intelligence sharing.
Why? To prevent the next malicious UAV operator before it occurs.
This is known as the “left of launch” or “right of bang” space, and analysis isn’t the only activity that can take place here.
The Importance of Understanding the Nefarious UAS Kill Chain
Consider the nefarious use of UAS rather than the CUAS Kill Chain. These are all of the steps a UAS operator must successfully execute to accomplish their objectives. If we can break any one link of the Nefarious UAS Kill Chain then the we prevent the actor from accomplishing the objectives.
Here are some of the steps that a malicious actor would need to execute, successfully, to use a UAV to have an effect on your operation:
So, how do we use this understanding of the threat actor’s process to counter them? Some examples:
- Determine objective – Similar to making your home less enticing than your neighbor’s home to a burglar, make it impossible to achieve the objectives by attacking your facility.
- Gather intelligence – Make the information required to plan a successful operation unavailable to the threat actor. Or, at least, set tripwires that let you know when someone has gathered some of the necessary information. (Counter-intelligence or counter-surveillance)
- Approach (phase of flight) – Prepare your environment in such a way that it is difficult for a UAV to approach your facility undetected. (This also contributes to deterring the threat during the objective development phase.)
My favorites are ones that feed into something you’ve seen me talk about elsewhere – threat intelligence sharing:
- Develop tactics, techniques, and procedures (TTPs) – If a threat actor uses previously identified TTPs that we can detect in our environment before they achieve the objectives then we create an opportunity to break the chain. We must develop a method for formally describing and sharing these TTPs for this to be effective.
- Train and rehearse – A dedicated threat actor will rehearse all phases of the operation prior to executing it. If your surveillance system extends far enough out then you have an opportunity to detect these rehearsals. Obviously, a power plant on the East Coast cannot deploy a national CUAS capability. This is why fusion centers along with their Federal, state, local, and private sector partners must develop raw data collection, analysis, and distribution capabilities. But that is the subject of another article.
Building a kill chain for a malicious UAV operator requires a lot of information and is generally classified as threat modeling. With a solid understanding of the threat, you can identify opportunities to prevent the malicious actor from carrying out their mission “left of launch”, before they even lift off.
Applying the Nefarious UAS Kill Chain to the Clueless and Careless
We can apply the same process to helping the clueless and careless UAV operators become compliant operators. If successful we will eliminate some of the “noise” in the airspace, leaving us with either the compliant operators or the truly malicious in our airspace.
Any UAV operator, compliant, clueless, or malicious, executes the same three high level steps: planning, preparation, and execution.
- We need to plan where we are going to fly, even if it is just “at the golf course” or “to see what the smoke is beyond the trees”.
- We need to prepare – get the drone we are going to use, make sure our mobile device is charged, and work through the “have you updated the firmware?” questions.
- And then we need to execute. Drive to the golf course or walk into the backyard. Power everything on. Connect to the UAV. Launch.
FAA regulations attempt to break the clueless and careless chain in the Planning stage. When the operator is gathering intelligence, we hope they’ll learn how to be compliant. No fly zones implemented on the UAV attempt to break the chain in the Execute stage by preventing the UAV from launching. If these measures were 100% effective, we would not need to address the clueless and careless.
Critical infrastructure managers, public facilities, and other popular places for the clueless and careless to fly need to identify opportunities to break the Nefarious UAS Kill Chain for their own areas of responsibility.
The least expensive and perhaps most effective method is to get inside of the social media spaces used to gather information about cool places to fly, either directly or through influencers.
Put signs up at popular launch locations. Do community outreach through colleges, model aircraft flying clubs, maker spaces, and other areas where UAV operators might congregate.
And, find an opportunity to demonstrate that there are consequences for clueless and careless operations. One law enforcement agency very politely engages with non-compliant operators at a regional airshow every year. If the word gets out that a) law enforcement is both well informed and polite and b) that they can and will find you if you are non-compliant, then fewer people will be clueless and the careless may think twice before launching.
Interested in submitting original content to C-UAS Hub?
When it comes to airspace awareness and protection, we can all learn from the knowledge, experience, and perspectives of others in this emerging field. If you have original, never-before-published content, thought leadership, research, reports, multimedia resources, or other interesting airspace awareness or Counter-UAS content, we’d love to hear from you.
For your work to be considered for publication on C-UAS Hub, please send an email containing any relevant information to support@cuashub.com. We will respond to your email as soon as we are able.