Tuesday, January 19, 2016

Lt Gen David Deptula on Desert Storm and Islamic State

This weekend Vago Muradian interviewed Lt Gen (ret) David Deptula, most famous for his involvement as a key planner for the Desert Storm air campaign.

I recommend watching the entire video, which is less than 8 minutes long. Three aspects caught my attention. I will share them here.

First, Lt Gen Deptula said that Desert Storm introduced five changes to the character of warfare. I noted that he used the term "character," and not "nature." If you are a student of warfare and/or strategy, you are most likely in the camp that says warfare has an unchanging nature, although its character can change. This is the Clausewitz legacy. A minority camp argues that warfare can change both nature and character.

Second, turning to the five changes introduced by Desert Storm, Lt Gen Deptula listed the following.

1. Desert Storm introduced "expectations of low casualties, for both sides." I agree with the expectation of low casualties for the US, but I don't think low Iraqi casualties were a primary concern. One could argue that stopping the war during the "highway of death" showed the US didn't want to inflict large casualties on the Iraqi forces, but I still think low casualties were primarily a concern for US troops.

2. Desert Storm "normalized precision." Even though a minority of the ordnance delivered during the war were precision weapons, their use steadily increased throughout all later conflicts.

3. Desert Storm introduced joint and combined organization and execution. This was indeed quite a step forward, although I recall reading that that USMC airpower took measures to remain as separate as possible.

4. Desert Storm put the concepts of "effect-based operations" into action. There is no doubt about this one. Lt Gen Deptula talks about a disagreement with Gen Schwartzkopf's staff concerning disabling the Iraqi power grid. Air power achieved the effect of disabling the grid within 3-4 days, but Schwartzkopf's team used traditional attritional models, noting that less than a certain percentage of destruction mean mission failure. Deptula was right; they were wrong.

5. Desert Storm was the first major conflict where airpower was the centerpiece and key force. Call me biased, and no disrespect to the land forces in the Gulf, but I agree with this one.

The third and final noteworthy element of the interview involved Lt Gen Deptula's opinion of Islamic State. He said "it's not an insurgency. IS is a state." He said IS possesses the five elements of a state, namely:

1. Leadership
2. Key essential systems
3. Infrastructure
4. Population
5. Fielded military forces

I agree with his assessment. I also believe that Western leaders are unwilling to grant IS the legitimacy of it being a state, so they persist in calling IS names like ISIS, ISIL, Daesh, and so on. I see no problem with that approach, since it incorporates political sensitivities. However, that approach also aggravates the perception that Western leaders are out of touch with reality.

Friday, January 08, 2016

Why a War Studies PhD?

When I begin receiving multiple questions on a topic, it's a signal that I should write a blog post.

Several of you have asked me about my experience as a PhD candidate in the King's College London Department of War Studies. In this post I will try to answer your questions by explaining how I got to this point and my overall impressions about the program.

My Academic Background

I have bachelor's of science degrees in history and political science from the US Air Force Academy, and a master's degree in public policy from the Harvard Kennedy School. My last formal academic training ended in 1997 when I graduated from the Air Force Intelligence Officers Training Course.

Why a PhD?

I seriously began considering working on my PhD in 2006, when I was an independent consultant. I've guest lectured at dozens of schools over the years, and taught hundreds of students through my Black Hat courses. I thought the PhD experience would open more doors for future academic opportunities, and I welcomed the opportunity to make an original contribution to the literature. In more recent years I've testified to Congress and worked with think tanks, and in both environments PhDs are common.

My First PhD Choice

After reading Security Engineering (the first edition), I was a fan of Dr Ross Anderson at the University of Cambridge Computer Laboratory. I contacted him, as well as some of his PhD candidates. They invited me to guest lecture at the lab, which I did in May 2006. I considered the possibility of doing research on network security motioning. I liked the idea of the "British system," which emphasized practical research, no coursework, and a high degree of independence. I would have to move my family to the UK.

In the spring of 2007, however, I made contact with my future boss at General Electric. I decided instead to join GE as director of incident response. It was too good an opportunity. That put my PhD plans on hold.

A New Direction

In the fall of 2012 I listened to a 24 lecture series titled Masters of War: History's Greatest Strategic Thinkers by Professor Andrew R. Wilson of the Naval War College. Dr. Wilson reintroduced me to the strategists I had learned about as a cadet twenty years earlier, and kindled a deep interest in strategic history, thought, and practice. I began looking for military history and strategy programs, starting with this list maintained by the Society for Military History.

In the summer of 2013, The Economist magazine asked if I would participate in an online debate with Dr Thomas Rid, author of Cyber War Will Not Take Place. After the debate I read Thomas' book, and learned he was a professor in the KCL War Studies department. I enjoyed the debating process and Thomas' book, so I decided to contact him and some of his PhD candidates to learn more about the PhD program.

During that process, FireEye acquired Mandiant in late December 2013. I decided to change roles and become a full-time strategist, inspired by my changing interests and Prof Wilson's course. That decision definitively shifted my focus away from tools and tactics, and towards operations/campaigns and strategy.

My Final PhD Choice

In early 2014 I connected with Rob Lee, who had started his PhD with Thomas in the fall of 2013. Speaking with Thomas and Rob, I learned the KCL War Studies PhD was even more to my liking than the Cambridge program. KCL also emphasized practical research, no coursework, and a high degree of independence. I would not have to move my family to the UK, but I would have to be very disciplined and stay in contact with my advisor and colleagues.

I applied to the program to meet the spring 2014 deadline, with enrollment in fall 2014. I was accepted and started the program in the fall of 2014, while still maintaining my day job at Mandiant and FireEye.

The Thesis

The desired output for the KCL PhD is a thesis, a 80,000 to 100,000 word work with a goal of eventual publication as a book. Since I was already considering writing my fifth book, this seemed an excellent way to accomplish that goal. Others might find this a scary proposition, but I always enjoyed self-paced research, and the opportunity to devise and answer original research questions was appealing.


I will shift my focus slightly to those who might be interested in applying to the program. The PhD program offers three major milestones. First, one must be accepted to the program. I recommend perusing the list of people to find faculty and current students with interests similar to yours. Contact them via email to identify possible advisors and colleagues. If you aren't able to attract any interest, it's a sign you might not have a topic suitable for a PhD. That's a personal judgement, of course.

I approached the application process very seriously. I took several months to complete it and submitted my Strategy, Not Speed piece as my writing sample. Thankfully I was accepted!

Once in the program, the second major milestone is called the "mini viva" or the "upgrade." Prior to passing this milestone, as I understand it, one is not technically a PhD candidate yet. One must write a document of about 20,000 words that includes a thesis abstract, outline, introductory chapter, sample chapter, and completion work plan. The student must then defend that document, live, in front of a panel. I passed that stage of my PhD journey late last year.

The third and final major milestone is the "viva" or the defense of the completed thesis. I am several years away from this step, but I expect it to be an extended version of the upgrade process. Remember that one of the purposes of a PhD is to demonstrate the ability to produce high-level, independent research, so I expect my viva to reflect that philosophy.

My Experience

My experience thus far has been excellent and I plan to continue. However, I would like to highlight a few aspects of my situation. First, I am doing research independently, not at the Strand campus in central London. Several of my colleagues are there now, and they have daily access to a whole world of academic experiences that are unavailable to remote students. If you want a campus experience, you should study in London.

Second, I am still working my day job and being a husband and father, which are my priorities. That means I have to be very careful about  how I manage my time. I felt that I could handle the situation, based on my experience writing and publishing my last book. I started writing my last NSM book in January 2013 and had it ready for Black Hat in late July that year, during the time when Mandiant released the APT1 report.

Third, my thesis, the nature of counter-intrusion campaigns, dovetails well with my day job and professional interests. I would not be able to pursue a PhD in a field not related to my professional life -- I simply wouldn't have the time for research. Because my research matches the needs and interests of my employer, the work I do for Mandiant and FireEye frequently doubles as research for my PhD. Obviously I have a very flexible employer who supports my research, and for that I am grateful.

Fourth, although I am independent, thanks to the initiative of colleagues in the DC area, I am not alone. Last month one of us started a group for War Studies students in the DC area, and we plan to have monthly meetings. I also try to meet with KCL personnel (students or faculty) if we happen to be in the same part of the world at the same time. I started a Slack channel but it hasn't really yet taken off.

Recommended Reading

In addition to reading the KCL and War Studies Web sites, I suggest reading Authoring a PhD by Patrick Dunleavy. It is generally aimed at the British PhD process, focusing on the so-called "big book" thesis.  If you find the sort of research and writing described in that book to be exciting, then a KCL PhD might be for you.


In brief, I recommend the KCL War Studies PhD if you meet the following requirements:

  • You have a suitable undergraduate background, temperament, and social and financial situation, such that you are capable of independent research at the highest level.
  • You have an interest that syncs with at least one possible advisor in the department.
  • You are committed to researching for several years, and writing 80,000-100,000 words on your subject, answering research questions to make original academic and practical contributions to the field.

I may add updates to this post, or simply add them as comments or as answers to questions.

Happy 13th Birthday TaoSecurity Blog

Today, 8 January 2016, is the 13th birthday of TaoSecurity Blog! This is also my 3,000th blog post.

I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. Kevin Mandia was my boss. Today I am starting my third year as Chief Security Strategist at FireEye, still working for Kevin Mandia. (It's a small world. In April I will hit my five year anniversary with the Mandiant part of FireEye.)

In 2015 my blogging frequency increased dramatically, with 55 posts, more than double my 2014 total of 23 and triple my 2013 output of 18. In 2012 I posted 60 stories, so I was close to that level in 2015. It's still nothing like my writing from 2003-2011 however!

Why the drop over the years? I "blame" my @taosecurity Twitter account. With almost 36,000 followers, easy posting from mobile devices, and greater interactivity, Twitter is an addictive platform. I have authored roughly 16,000 Tweets since first posting in July 2009.

Second, blogging used to be the primary way I could share my ideas with the community. These days, speaking and writing are a big part of my professional duties. I try to track media reports here and I archive my non-blog writing at my Academia.edu account.

Third, time is precious, and blogging often takes a back seat. I'd rather spend time with my family, write and research my PhD, collaborate with think tanks, and so on.

I still plan to keep blogging in 2016. Twitter's only a 140 character platform, and some days I have the time and inclination to share a few thoughts beyond what I've said or written for work. I have to decide if I want to write about strategy here, or move to another location.

Thanks you to Google for providing me this free platform for the past 13 years, and to you for reading what I post. I'm one of the few original "security bloggers" still active, though not writing in the same way as I did in 2003.

I realize my transition from technical details to strategic considerations has alienated some readers, but I am comfortable with my interests and I believe the greater security community needs to hear from people who think outside the tools and tactics box. This is especially true when the majority of the security community isn't aware they are inside such a box, or that there is another set of ideas and people available to contribute to the world's digital safety and security.

Tuesday, January 05, 2016

2014-2015 Professional Reading Round-Up

At an earlier point in my career, I used to read a lot of technical security books. From 2006 to 2012 I published a series of Best Book Bejtlich Read posts. Beginning in 2013 I became much more interested in military-derived strategy and history, dating back to my studies at the Air Force Academy in the early 1990s. I stopped reviewing books at Amazon.com and didn't talk about my reading.

Last week I read Every Book I Read in 2015 by T. Greer, which inspired me to write my own version of that post. I have records for 2014-2015 thanks to a list I keep at Amazon.com. I'm modifying Greer's approach by not including personal reading, but I am adopting his idea to bold those titles that were my favorites.

The following are presented such that the most recently read appears first.

2015 Reading (37 books):

Restraint: A New Foundation for U.S. Grand Strategy 
by Barry R. Posen *(I'm joining the "restraint" school. I will say more about this in 2016.)

Learning to Eat Soup with a Knife: Counterinsurge​ncy Lessons from Malaya and Vietnam
by John A. Nagl

On Guerrilla Warfare
by Mao Tse-tung

The Rise of China vs. the Logic of Strategy
by Edward N. Luttwak *(I became a Luttwak fan when I read his book on Rome in 2014. Although I don't agree with everything he writes -- such as his stance on humanitarian assistance -- I find his "logic of strategy" compelling and correct.)

The Dragon Extends its Reach: Chinese Military Power Goes Global
by Larry M. Wortzel

War and Politics
by Bernard Brodie *(I became a huge Brodie fan in 2015, and this book was just as good as the first Brodie book I read, listed below.)

Strategy: Second Revised Edition
by B. H. Liddell Hart

Science, Strategy and War: The Strategic Theory of John Boyd
by Frans P.B. Osinga

The U.S.-China Military Scorecard: Forces, Geography, and the Evolving Balance of Power, 1996-2017
by Eric Heginbotham, Michael Nixon, Forrest E. Morgan

Strategy in the Missile Age
by Bernard Brodie *(This book made me a Brodie fan. I like his clear reasoning and writing style.)

Strategy: The Logic of War and Peace, Revised and Enlarged Edition
by Edward N. Luttwak *(Despite how much I like Brodie's work, this is probably my "book of the year." It gave a voice to many of the frustrations with the way my technical- and tactics-obsessed colleagues in the digital security world approach offense and defense. Introducing the "technical" level of war (below tactics) and the "classic delusion of the 'final move'" described well what happens in traditional digital security practice and thought.)

Boyd: The Fighter Pilot Who Changed the Art of War
by Robert Coram

In Pursuit of Military Excellence: The Evolution of Operational Theory
by Shimon Naveh

The Grey Line: Modern Corporate Espionage and Counter Intelligence
by Andrew Brown *(This book wins the "weirdest book of the year" award. The author makes outrageous claims, with no sourcing, but seems to know what he is talking about.)

Broker, Trader, Lawyer, Spy: The Secret World of Corporate Espionage
by Eamon Javers

The Nature of War in the Information Age: Clausewitzian Future
by David J. Lonsdale

Cyberspace and the State: Toward a strategy for cyber-power
by David J Betz, Tim Stevens

Grant's Last Battle: The Story Behind the Personal Memoirs of Ulysses S. Grant
by Chris Mackowski

There Will Be Cyberwar: How The Move To Network-Centri​c Warfighting Has Set The Stage For Cyberwar
by Richard Stiennon

The Future of Violence: Robots and Germs, Hackers and Drones Confron​ting A New Age of Threat
by Benjamin Wittes, Gabriella Blum *(This book offered valuable insights, including How The World Butchered Benjamin Franklin’s Quote On Liberty Vs. Security.)

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It
by Marc Goodman *(This book was surprisingly good. After I read past the "cyber" parts, I found myself thinking differently about "connectivity" and its effects.)

Cyber Policy in China
by Greg Austin

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
by Bruce Schneier *(I like that, after documenting privacy concerns caused by public and private actors, Bruce tells the reader to work through the democratic process to reform the system -- not become anarchists.)

Strategic Reassurance and Resolve: U.S.-China Relations in the Twenty-First Century
by James Steinberg, Michael E. O`Hanlon *(The first book in the "restraint" school I read in 2015.)

@War: The Rise of the Military-Inter​net Complex
by Shane Harris *(I was surprised by the amount of backroom information the author obtained. Fascinating insights.)

Spam Nation: The Inside Story of Organized Cybercrime-fro​m Global Epidemic to Your Front Door
by Brian Krebs *(So much more than spam! Must-read.)

Cyber War versus Cyber Realities: Cyber Conflict in the International System
by Brandon Valeriano, Ryan C. Maness *(I disagree with a lot of this book, but I appreciate this sort of research.)

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
by Kim Zetter *(I thought the story of Stuxnet was already well-documented, but this was a great book -- especially during the finalization of the Iran nuclear deal.)

The Barefoot Lawyer: A Blind Man's Fight for Justice and Freedom in China
by Chen Guangcheng *(I was so pleased to testify with the Barefoot Lawyer himself last year -- awesome experience!)

by Lawrence Freedman

Competitive Strategies for the 21st Century: Theory, History, and Practice
by Thomas Mahnken

Computer Capers
by Thomas Whiteside

China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain
by Jon R. Lindsay, Tai Ming Cheung, Derek S. Reveron

On War
by Carl von Clausewitz, Michael Eliot Howard, Peter Paret

Strategy: A History
by Lawrence Freedman

U.S. Army War College Guide to National Security Issues: Volume II - National Security Policy and Strategy (5th Edition)
by U.S. Army War College

U.S. Army War College Guide to National Security Issues- Volume I: Theory of War and Strategy (5th Edition)
by U.S. Army War College

Talking another page from Greer, if I were to add entries to my quantum library, they would include the books by Brodie, Luttwak's Strategy: The Logic of War and Peace. I would probably also have to add Clausewitz, if only because everyone in the strategy world obsesses about him.

2014 Reading (24 books):

Forged in Fire: Strategy and Decisions in the Airwar over Europe 1940-1945
by Dewitt S. Copp

A Few Great Captains: The Men and Events That Shaped the Development of U.S. Air Power
by Dewitt S. Copp *(The title of this book was derived from one of my favorite quotes: "No army produces more than a few great captains." Army Chief of Staff Gen George Marshall, eulogizing airman Lt Gen Frank Andrews in 1943.)

The Rise of American Air Power: The Creation of Armageddon
by Michael S. Sherry *(This book made a powerful case that airpower was promoted as a less violent way to win wars, in comparison to the slaughter of World War I. Unfortunately, during World War II, it became probably more violent, demonstrated by the firebombing of Germany and Japan.)

The Icarus Syndrome: The Role of Air Power Theory in the Evolution and Fate of the U.S. Air Force
by Carl H. Builder *(This book helped me understand how and why pilots think as they do, and why a separate Cyber Force is likely necessary, from a personnel standpoint alone.)

Airpower for Strategic Effect
by Colin S. Gray *(Gray is a prolific author, but with this book I decided to no longer read his works. His style is difficult for me to follow.)

The American Way of War: A History of United States Military Strategy and Policy
by Russell F. Weigley

Command in War
by Martin Van Creveld

The Masks of War: American Military Styles in Strategy and Analysis: A RAND Corporation Research Study
by Carl Builder *(Builder writes with penetrating insight regarding how military services see each other.)

American Cold War Strategy: Interpreting NSC 68
by Ernest R. May *(NSC 68 is like Clausewitz -- you have to be conversant with it!)

The Wizards of Armageddon 
by Fred Kaplan *(This book introduced me to Brodie and the other early nuclear strategists. I extracted some excellent lessons from my PhD from it, especially concerning the early Air Force's inability to physically execute the aircraft operations it said it could perform to provide retaliatory options. It reminded me of Libicki's erroneous belief that cyber security vulnerability is the victim's choice.)

History and Strategy
by Marc Trachtenberg

Strategy in the Contemporary World
by John Baylis, James J. Wirtz, Colin S. Gray *(Yes, I read a no-kidding text book.)

The Grand Strategy of the Roman Empire: From the First Century A.D. to the Third
by Edward N. Luttwak *(This book sold me on Luttwak, but I hadn't read about his "logic" yet.)

Historians' Fallacies : Toward a Logic of Historical Thought
by David Hackett Fischer *(This is the sort of book that one can leverage to demolish almost everything you encounter when reading history. It's worth reading several times and I intend to try to avoid the fallacies in my PhD.)

Addressing Cyber Instability
by Cyber Conflict Studies Association

Authoring a PhD Thesis: How to Plan, Draft, Write and Finish a Doctoral Dissertation
by Patrick Dunleavy *(This is a must-read if you are pursuing the "big-book" thesis as found in the British system, as is my situation.)

The Air Campaign
by John Warden III *(I am a big fan of Boyd, Warden, and Deptula and try to read whatever they write.)

Alien: How Operational Art Devoured Strategy
by Justin Kelly, Mike Brennan *(I read this book to be familiar with arguments by those who oppose the utility of an operational level of war, between strategy and tactics.)

The Sources of Military Doctrine: France, Britain, and Germany Between the World Wars
by Barry R. Posen *(I believe Ian Wallace recommended this book. I thought it was great. I already listed Dr Posen's "restraint" work, which I read much later.)

The Air Campaign, John Warden and Classical Airpower Theorists (Revised Edition)
by David R. Mets

Strategic Stability
by Elbridge Colby *(This was some difficult early reading, before I identified my core interests. The concept of "stability" was helpful when I read later works, however.)

Treasury's War: The Unleashing of a New Era of Financial Warfare
by Juan Zarate *(This is an excellent book that documents another major operational mode for US power in the 21st century.)

Cybersecurity and Cyberwar: What Everyone Needs to Know
by P.W. Singer, Allan Friedman

John Warden and the Renaissance of American Air Power
by John Andreas Olsen

The only book to make the "quantum" list, from my 2014 reading, would be Fischer's Historians' Fallacies.

I read a ton of papers and studies in 2014-2015, but these are the books I tracked. I regret that my 2013 reading appears to have disappeared into history. I know that I read Cyber War Will Not Take Place but otherwise I have no concrete records of professional reading in 2013. It was a very busy year with the APT1 report and the FireEye acquisition of Mandiant, so perhaps I didn't read that much.

In any case, I hope you find this list useful and perhaps inspiring, should you share the same sorts of interests, or if you are wondering how to get started in the military, or at least non-business, strategy world.

Wednesday, December 23, 2015

A Brief History of the Internet in Northern Virginia

Earlier today I happened to see a short piece from the Bloomberg Businessweek "The Year Ahead: 2016" issue, titled The Best Places to Build Data Centers. The text said the following:

Cloud leaders including Amazon.com, Microsoft, Google, IBM, and upstart DigitalOcean are spending tens of billions of dollars to construct massive data centers around the world. Microsoft alone puts its total bill at $15 billion. There are two main reasons for the expansion: First, the companies have to set up more servers near the biggest centers of Internet traffic growth. Second, they increasingly have to wrestle with national data-privacy laws and customer preferences, either by storing data in a user’s home country, or, in some cases, avoiding doing just that.

The article featured several maps, including the one at left. It notes data centers in "Virginia" because "the Beltway has massive data needs." That may be true, but it does not do justice to the history of the Internet in Northern Virginia (NoVA), nor does it explain why there are so many data centers in NoVA. I want to briefly note why there is so much more to this story.

In brief, there are so many data centers in NoVA because, 25 years or so ago, early Internet companies located in the area and also decided to connect their networks in NoVA. Key players included America Online (AOL), which built its headquarters in Loudoun County in the early 1990s. About the same time, in 1992, Internet pioneers from several local companies decided to connect their networks and build what became known as MAE-East. A year later, the National Science Foundation awarded a contract designating MAE-East as one of four Network Access Points. Later in the 1990s Equinix arrived and contributed to the growth in data center and network connectivity that continues through the present.

Essentially, NoVA demonstrated real-life "network effects" -- with networks cross-connecting to each other in Ashburn and Loudoun County, it made sense for new players to gain access to those connections. Companies built data centers there because the network connections offered the best performance for their customers. The "Beltway" and its "massive data needs" were not the reason.

If you would like to know more, I recommend reading Andrew Blum's book Tubes: A Journey to the Center of the Internet. Yes, Blum is referring to those "tubes," which he investigates via in-person visits to notable Internet locations and refreshing historical research. Along the way, Blum charts the growth of NoVA as an Internet hub, in some ways, "the" Internet hub.

Thursday, December 10, 2015

Domain Creep? Maybe Not.

I just read a very interesting article by Sydney Freedberg titled DoD CIO Says Spectrum May Become Warfighting Domain. That basically summarizes what you need to know, but here's a bit more from the article:

Pentagon officials are drafting new policy that would officially recognize the electromagnetic spectrum as a “domain” of warfare, joining land, sea, air, space, and cyberspace, Breaking Defense has learned. 

The designation would mark the biggest shift in Defense Department doctrine since cyberspace became a domain in 2006. With jamming, spoofing, radio, and radar all covered under the new concept, it could potentially bring new funding and clear focus to an area long afflicted by shortfalls and stovepipes.

The new electromagnetic spectrum domain would be separate from cyberspace, although there’s considerable overlap between the two... 

But the consensus among officials and experts seems to be that the electromagnetic spectrum world — long divided between electronic warriors and spectrum managers — is so technologically complex and bureaucratically fragmented by itself it must be considered its own domain, without trying to conflate it with cyberspace.

My initial reaction to this move is mixed. History and definitions provide some perspective.

One of the big differences between the civilian and military views of "cyberspace" has been, prior to this story, the military's more expansive view.

The formerly classified National Military Strategy for Cyberspace Operations, published in 2006, defined cyberspace as

A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. (emphasis added)

The NMS-CO in a sense embedded cyberspace within EMS. That document also signaled DoD's formal recognition of cyberspace as a domain. By associating EMS with cyberspace, DoD thought of cyberspace in larger terms than civilian counterparts. In addition to activities involving computers, now cyberspace theoretically incorporated electronic warfare and other purely military functions with little or no relationship with civilian activities.

Army Doctrine Reference Publication No. 3-0 published in 2012 introduced the term "cyber electromagnetic activities" (CEMA). It defined CEMA as

Activities leveraged to seize, retain, and exploit an advantage over adversaries and enemies in both 
cyberspace and the electromagnetic spectrum, while simultaneously denying and degrading adversary and enemy use of the same and protecting the mission command system. Cyber electromagnetic activities consist of cyberspace operations, electronic warfare, and electromagnetic spectrum operations.

This Army publication separates cyberspace and EMS, and created "CEMA" as an umbrella over both.

The more recent  Joint Publication 3-12R, published in 2013, drops explicit mention of the EM spectrum. It defines cyberspace as

A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

With the definitions and their evolution out of the way, consider what it means for cyberspace to be separate from EMS.

In my opinion, cyberspace has always been more about the content, and less the infrastructure. In other words, it's the information that matters, not necessarily the containers. I first appreciated this distinction when I was stationed at Air Intelligence Agency, where we helped publish Air Force Doctrine Document 2-5: Information Operations in August 1998. Page 3 states

The Air Force believes information operations include actions taken to gain, exploit, defend, or attack [GEDA] information and information systems. (emphasis added)

*Note that document doesn't use the term "cyber" very much. When describing information warfare, it states

Information warfare involves such diverse activities as psychological operations, military deception, electronic warfare, both physical and information (“cyber”) attack, and a variety of defensive activities and programs.

In any case, the "GEDA" concept stuck with me all these years. I think the focus on the information, rather than the infrastructure, is conceptually useful. Consider: would there be "cyberspace" if it contained no information? The answer might be yes, but would anyone care to use it? It's the information that makes "cyberspace" what it is, I believe.

In this sense, separating the physical aspect of EMS seems to make sense. However, what does that mean for other physical aspects of manipulating information? EMS seems most tangible when considering radio and other radio frequency (RF) topics. How does that concept apply to cables or servers or other devices? Are they part of EMS? Do they "stay" with "cyberspace"?

Finally, I am a little worried that a reason from creating EMS as a sixth domain could be because it is " technologically complex and bureaucratically fragmented," as described in the article excerpt. "Creating" a military domain should not be done to solve problems of complexity or bureaucracy. Domains should be used as constructs to improve the clarity of thinking around warfighting, at least in the military world.

Addendum: When reading Joint Publication 3-13: Information Operations for this post, I saw the following figure:

It is one way to show that DoD considers Information Operations to be a much larger concept than you might consider. IO is often neglected in the "cyber" discussions, but with the ideas concerning EMS, IO might be hot again.

Saturday, December 05, 2015

Not So Fast! Boyd OODA Looping Is More Than Speed

The name "John Boyd" and the term "OODA Loop" are probably familiar to many of the readers of this blog. I've mentioned one or the other in 2006, 2007, 2009 (twice), and 2014. Boyd was a fighter pilot in the Korean war and revolutionized thinking on topics like fighter design and military strategy. His OODA loop -- an acronym for Observe, Orient, Decide, Act -- is the contribution that escaped from the military sphere into other fields of thought. In a world that has finally realized prevention eventually fails, the need for a different strategy is being appreciated.

I've noticed an increasing number of vendors invoke Boyd and his OODA loop as an answer. Unfortunately, they fixate on the idea of "speed." They believe that victory over an adversary results from operating one's OODA loop faster than an opponent. In short, if we do something faster than the adversary, we win and they lose. While there is some value to this approach, it is not representative of Boyd's thought and misses key elements of his contribution.

Before continuing I'd like to mention a recent talk on OODA within the security community that didn't fall into the "speed rules" trap. At the last Security Onion conference, Martin Holste presented Security Event Data in the OODA Loop Model. His spoken remarks reflected the issues I raise in this post, and for a hint in his Prezi material you see statements like "At higher levels, OODA speed is less important than accurate mental models." I was glad to see Martin avoid the speed trap in his talk!

The best reference for gaining a deep appreciation for Boyd's strategic thought is the book Science, Strategy and War: The Strategic Theory of John Boyd by Frans P.B. Osinga. I have the Kindle and paperback editions. The Kindle version is readable, but you may have trouble with some of the tables and figures.

The following is a selection of quotes from the book, re-ordered, highlighted, and lightly edited to capture the author's message on properly appreciating Boyd and OODA.

[T]he common view that the OODA loop model, interpreted as an argument that victory goes to the side that can decide most efficiently, falls short of the mark in capturing the meaning and breadth of Boyd’s work...

The first misconception about the OODA loop concerns the element of speed. The rapid OODA looping idea suggests a focus on speed of decision making, and ‘out-looping’ the opponent by going through consecutive OODA cycles faster. This is not incorrect, indeed, Boyd frequently suggested as much, [however]...

Whereas rapid OODA looping is often equated with superior speed in decision making, Boyd employs the OODA loop model to show how organisms evolve and adapt.

[U]ncertainty as the key problem organisms and organizations have to surmount...

One may react very fast to unfolding events, but if one is constantly surprised nevertheless, apparently one has not been able to turn the findings of repeated observations and actions into a better appreciation of the opponent, i.e. one has not learned but instead has continued to operate on existing orientation patterns...

[T]he abstract aim of Boyd’s method is to render the enemy powerless by denying him the time to mentally cope with the rapidly unfolding, and naturally uncertain, circumstances of war, and only in the most simplified way, or at the tactical level, can this be equated with the narrow, rapid OODA loop idea...

This points to the major overarching theme throughout Boyd’s work: the capability to evolve, to adapt, to learn, and deny such capability to the enemy...

It is not absolute speed that counts; it is the relative tempo or a variety in rhythm that counts. Changing OODA speed becomes part of denying a pattern to be recognized...

The way to play the game of interaction and isolation is [for our side] to spontaneously generate new mental images that match up with an unfolding world of uncertainty and change...

In order to avoid predictability and ensuring adaptability to a variety of challenges, it is essential [for our side] to have a repertoire of orientation patterns and the ability to select the correct one according to the situation at hand while denying the opponent the latter capability...

[In Boyd's words, one should] "operate inside [an] adversary’s observation-orientation-decision-action loops to enmesh [the] adversary in a world of uncertainty, doubt, mistrust, confusion, disorder, fear, panic, chaos . . . and/or fold adversary back inside himself so that he cannot cope with events/efforts as they unfold...

[We should ask ourselves] how do we want our posture to appear to an adversary, i.e., what kind of mental picture do we want to generate in his mind?

Designing one’s defense on this basis is obviously quite a departure [from current methods].

My take on these points is the following: Boyd's OODA loop is more about affecting the adversary than it is about one's own operations. Our side should take actions to target the adversary's OODA loop such that his cycle becomes slower than ours, due to the adversary's difficulty in properly matching his mental images of the world with what is actually happening in the world. On our side, we want to be flexible and nurture a variety of mental images that better match what is happening in the world, which will enable more efficient OODA loops.

In brief, the OODA concept has a speed component, but it is much more about coping with perceptions of reality, on the part of the adversary and ourselves. This approach can be used offensively and defensively.

What might this look like in the security world? That is worth one or more future posts.

If you'd like to learn more, in addition to Osinga's book I recommend reading Boyd: The Fighter Pilot Who Changed the Art of War by Robert Coram and listening to the Pattern of Conflict videos on YouTube. All 14 parts occupy about 6 1/2 hours. I recommend extracting them to audio format and listening to them on a long drive or flight. I listened to them driving to and from the aforementioned Security Onion conference. There is really no substitute to listening to the master at work. It brings the books to life when you have Boyd's voice and mannerisms playing in your mind.

Saturday, November 28, 2015

Seven Tips for Personal Online Security

Last year I wrote Seven Tips for Small Business Security, but recently I decided to write this new post with a different focus. I realized some small businesses are in some ways indistinguishable from individuals, such that advice for personal online security would be more appropriate for some small businesses. In other words, some businesses are scaled such that one or a few people are the entire business. In that spirit, I offer the following suggestions for individuals and these small businesses.

1. Protect your email. Email is the number one resource most of us possess, for three reasons. First, imagine that you forget your password to just about any Web site. How do you recover it? It's likely you request a password reset, and you get an email. Now, if you no longer control your email, an attacker can reset your passwords and take control of your Web accounts. How does an attacker know what accounts you own? That is answered by the second key to email: content. A quick check of your emails will reveal the organizations with which you do business. The content can also provide means to access other accounts. The third reason email is so critical is that it is essentially your online identity. An attacker can use your email to impersonate you and try to gain access to those that trust you.

So, how should you protect your email? I offer four recommendations. First, select a provider who gives you plenty of insight into how your account is used. Would you get an alert when someone logs into your account from a foreign country, for example? Second, select a provider who offers two-factor authentication. This means you can choose to log in with more than just a username and password. Third, select a provider who has experience with confronting and defeating intruders, and who takes actions to continuously improve their security. For consumers, I prefer Gmail. Of course, I am not of fan of being monetized by Alphabet and Google, but the trade-off is worth it for most of us.

My last recommendation is to limit what you store in email. Don't transmit or store sensitive information, like your personally identifiable information (Social Security number, etc.), in your email. As a thought experiment, imagine what it would look like to have your email published online. What would be the consequences? Try to address those concerns by removing such content from your email.

2. If you don't need it, delete it. This general rule applies to applications and data. If you don't need Java or Flash or other applications on your PC, phone, or tablet, remove them. The less software on your device, the better. For data, be judicious about what you store in digital form. Anything stored on a device or in the cloud can be read, copied, changed, or deleted by an attacker. My post “If you can’t protect it, don’t collect it” offers more on this topic.

3. Patch the software you keep. If you use Windows, run a modern version such as Windows 7 or newer, and install patches regularly, for the operating system and applications. On Windows it can be tough to identify just what needs to be updated. A free tool that can help is SUMo, the Software Update Monitor. Download the "lite" version and run it to see what needs to be updated. Pay attention to applications from Adobe, like Flash, Reader, and such. Remember tip 2!

4. Run a modern Web browser. For general consumers, the best Web browser in my opinion is Google Chrome. Make sure it is set to auto-update so you are running the latest version. Install an ad-blocker like Adblock Plus.

5. Back up your data. Research and implement a way to back up the data on your devices. This can be a complicated issue. For example, you may keep sensitive data on your laptop or PC, and you fear putting it in the cloud. One way to address that concern is to store that data in encrypted form on your laptop or PC, such that when it is stored in the cloud it is also encrypted.

Some may argue that certain cloud providers will encrypt your data for you, so why encrypt it locally first? My answer: if an attacker gains access to your cloud backup username and password, he can access your cloud backup provider and download your data, regardless of whether the cloud provider encrypts it or not. If the attacker finds your most sensitive data encrypted within the cloud backup, that means he needs to beat the encryption you applied on your own. Like all the measures in this post, nothing is foolproof. However, introducing challenges to the adversary is the key to security.

Furthermore, don't confuse cloud storage with backup. If you store data in Google Drive, or other locations, don't consider that a backup. I recommend adding a real backup provider to your configuration.

On a related note, enable full-device encryption on devices you are likely to lose. This applies most likely to your phone and tablet. The danger you are trying to mitigate here is physical loss or theft of your device. Be sure you enable a numeric pin such that a thief can't simply log into your lost or stolen device. I am also a fan of services that let you remotely locate your lost or stolen device, such that you can either find them or wipe them at a distance.

6. Buy Apple phones and tablets and keep them up-to-date. This looks like a blatant advertisement for Apple, but I promise you I am not an Apple fan boy. The fact of the matter is that Apple iPhones and iPads, when running the latest versions of the iOS software, provide the best combination of features and security available to the general consumer. They are easiest to operate and to update. Updating iOS and the installed apps is exceptionally easy. Furthermore, the best metric we have regarding software security shows that exploits for iOS devices cost far more than other software or platforms. This means it is tougher for intruders to break into devices running iOS.

7. Consider a password manager, but not for every Web site. Nothing is (or should be) absolute in security. Password managers are applications that assist users with storing, supplying, and even generating usernames and passwords for Web sites and other applications. They are an improvement over using the same username and password at multiple Web sites. However, when using a password manager, you run the risk of a flaw in that manager being used by an attacker to access your username and passwords! It sounds like a tough situation, but in general the benefits of the password manager outweigh the risks. If you choose a password manager, select one that offers two factor authentication, such that accessing your usernames and passwords requires you to enter a numeric code. Also, don't put your most sensitive accounts in the manager. For example, in deference to point 1, don't store your email username and password in the manager.

Bonus: Be vigilant. Wherever you can introduce alerts about how your accounts and data are being used, enable them. For example, does your credit card offer the option to email you when a purchase is made? Perhaps you only care about overseas purchases, or purchases above a certain amount, or at gas stations. The point is to put your service providers to work for you, such that they give you information that informs your security posture. If you learn of a suspicious event and react in time, you can potentially limit or eliminate the damage through swift personal response.

There are many other considerations for individuals, especially with respect to resisting targeted attacks. I didn't address resisting social engineering, phishing, and the like, but I believe that is well-covered elsewhere. To counter the general opportunistic attacker, these are the steps I would recommend to individuals and small businesses.