While rummaging at random through a hard drive (which accumulates myriad reports and studies, often quickly forgotten), I came across the US Army's Cyberspace Operations Concept Capability Plan 2016-2028, which contains three charts as sober as they are instructive.
« Cyberspace can be viewed as three layers (physical, logical, and social) made up of five components (geographic, physical network, logical network, cyber persona, and persona) […] The physical layer includes the geographic component and the physical network component. […] The logical layer contains the logical network component which is technical in nature and consists of the logical connections that exist between network nodes. […] The social layer comprises the human and cognitive aspects and includes the cyber persona component and the persona component. The cyber persona component includes a person’s identification or persona on the network (e-mail address, computer IP address, cell phone number, and others). The persona component consists of the people actually on the network. An individual can have multiple cyber personas (for example, different e-mail accounts on different computers) and a single cyber persona can have multiple users (for example, multiple users accessing a single eBay® account). This holds important implications for Army forces in terms of attributing responsibility and targeting the source of cyber action. It also means Army forces will require significant situational awareness (SA), forensic, and intelligence capabilities to counter the complex cyber threat. »
« The Army depends upon the Nation’s critical infrastructure and key resources for many of its activities, including force deployment, training, transportation, and normal operations. Physical protection of these is no longer sufficient as most critical infrastructure is controlled by networked and interdependent SCADA or distributed control systems (DCS). The Department of Homeland Security (DHS) chart at figure 2-3 highlights the various infrastructures that must be protected. [...] Since private industry is the primary catalyst for technologic advancements, the military may become increasingly reliant on commercial off-the-shelf (COTS) technology. This reliance may present three primary vulnerabilities:
1/ Foreign ownership, control, and influence of vendors. Many of the COTS technologies (hardware and software) the Army purchases are developed, manufactured, or have components manufactured by foreign countries. These manufacturers, vendors, service providers, and developers can be influenced by adversaries to provide altered products that have built in vulnerabilities, such as modified chips.
2/ Supply chain. The global supply chain has vulnerabilities that can potentially lead to the interception and alteration of products. These vulnerabilities are present throughout the product life cycle, from the inception of the design concept, to product delivery, and to product updates and support.
3/ COTS and government off-the-shelf (GOTS) balance. The vast majority of the Army’s CyberOps components and capabilities are from COTS and to a much smaller degree, GOTS technologies. »
US Army: Cyberspace Operations Concept Capability Plan 2016-2028 (PDF, pp. 13-14 and 16-17)