This object action will not be viewed as an attack, but normal use when analyzed by standard IDS-IPS, logging and expert systems.
[2] Note: For the initial CINDER case, the controlling agent[3] will still be seen as an Authorized Object based on the fact that the security system has passed an evaluation for Assurance and Functionality.
Even if the audit mechanisms are in place, the daunting volume of data produced makes it unlikely that the administrator will detect policy violations.
Prerequisite principles of system ownership and information dominance within the area of object action must be part of any CINDER mission.
And if they are successful in committing that specific transaction and are not interrupted or at least measured or monitored by the owner, that entity will have, if for only a moment in time, dominance and ownership over that object.
[2] To detect past CINDER activity when an exposure has been realized, one must reconcile all object actions (any exchange or transaction between two agents that can be measured or logged) and analyze the result.
In the face of mass-leaking, the CINDER type of response allows the military to continue that philosophy, rather than simply cutting off access to information en masse.