Category: Uncategorized

A vision so noble

Vasilis Katos at the 1st Athens Chapter ISACA Conference argued that we do not need cyber security experts, rather we need champions on the multitude of the different and complex areas that this domain encloses. He is not alone in believing this about experts. With the domain being new, hot and with commitment from Governments for financial backing of projects, the landscape is open for expertship claim. And since we are at the infant stages, many try to establish themselves as the strategists who set the pace, no matter how disconnected from reality they may be.

Whenever a new domain is introduced, until it is sufficiently comprehended people try to use analogies to make the connection. It is a no brainer then that since anything colored “cyber” starts to get a military approach, analogies with highly successful strategists of the past and relevant studies of them will appear. Think of it: Sun Tzu seems to fit every subject, from the battle ground, to sports, to (non military) management. I’ve seen efforts for both Sun Tzu (although far from a complete treatment) and Clausewitz and I am sure that others exist too. It is no wonder then that John Boyd and his OODA Loop would receive treatment too.

Since I found the OODA Loop concept interesting I set out to learn a bit more about it. This is not an easy task for a civilian for Boyd did not really leave much written work behind with the exception of a continually refined set of slides that when finalized took about 15 hours to present. To understand the loop, I read “A vision so noble” by Dan Ford. It’s chapter 2 contains a longer explanation of the OODA Loop than Wikipedia does and even includes a hand written sketch of it:

The OODA Loop as John Boyd sketched it toward the end of his life

For a more understandable version of the loop see the Wikipedia drawing and article.

Boyd is mostly an attacker and not a defender and indeed one can find cyber similarites in his work, where in page 40 Ford uncovered from his boxes:

Infiltration
* Blitz and guerrillas infiltrate a nation or regime at all levels to soften and shatter the moral fiber of the political, economic and social structure. To carry out this program, a la Sun Tzu, Blitz and Guerrillas:

* Probe and test adversary to unmask strenghts, weaknesses, maneuvers and intentions.

* Shape adversary’s perception of the world to manipulate or undermine his plans and actions.

Purpose
* To force capitulations when combined with external political, economic and military pressures.

or

* To minimize the resistance of a weakened foe for the military blows to follow.

Do not all the above match Cyber Warfare aims? So there exists value in studying Boyd and his tactics, but not a one-to-one mapping as many would hope that would make the transition to a cyber domain easier. The OODA Loop is there, one has to understand that it is not completely linear (OODA means Observation, Orientation, Decision, Action but you are constantly in an observation state that provides feedback) and is valuable.

Boyd believed that People not weapons win wars. Not very far from the observation that a good friend has made that people and not machines get hacked or my belief that people are the actual cyber weapons.

A good 70 page book based on Ford’s MSc Thesis that definitely helps expand our thoughts on the matter.

Off to read “The Dynamic OODA Loop: Amalgamating Boyd’s OODA Loop and the Cybernetic Approach to Command and Control” now.

PS1: An earlier version of Ford’s book seems to be available on Lulu as PDF.

PS2: Boyd on management

on management

“a contract, hence an agreement, between superior and subordinate. The subordinate agrees to make his actions serve his supervisor’s intent in terms of what is to be accomplished, while the superior agrees to give his subordinate wide freedom to exercise his imagination and initiative in terms of how intent is to be realized.”

John Boyd, Patterns of Conflict, slide 76.

“There will be blood”

Jeffrey Carr concludes his 2012 cyber predictions by writing:

“The very worst part of this prediction is that its inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has refused to do what’s necessary to protect our nation’s critical infrastructure because it’s 90% privately owned, and our laws and system of government has enabled this massive malfeasance so that everyone responsible can claim absence of malice. In the words of Upton Sinclair and the movie based upon his book Oil!“there will be blood”. It’s just a matter of time”.

What is missing is the State’s ability to run the show. Had the State the ability to run the show, it would not have been that much dependent on such a fragile operation mode for the critical infrastructure. But as it is a waste to maintain an idle workforce capable of “doing the job” while actually not doing it (the other option being running the show, which also means a totally different kind of economy), Government resorts to regulation which again is problematic, since there cannot exist a Good Regulator (the Good Regulator can run the show; how many regulatory authorities actually can?) again this is problematic. To counter the problem new rules are placed on top of older ones and thus the Regulatorium emerges.

Blood? The Critical Infrastructure interdependencies are no less complex than the global Economy (imagine the CIP of a nation being attacked because it exports energy to another which is the actual target) so it is going to be rivers of it.

“με μηδενικό κόστος”

Διαβάζω αυτό:

“Τα στοιχεία θα καταχωρισθούν σε ειδική ηλεκτρονική βάση δεδομένων που κατασκεύασαν τα στελέχη Πληροφορικής του υπουργείου Διοικητικής Μεταρρύθμισης, η οποία δημιουργήθηκε με μηδενικό κόστος «πάνω» στην πλατφόρμα της Google.”

και αυτό (Security Problems with U.S. Cloud Providers):

“I think these are legitimate concerns. I don’t trust the U.S. government, law or no law, not to spy on my data if it thought it was a good idea. The more interesting question is: which government should I trust instead?”

Υπάρχει ΠΑΝΤΑ κόστος.-

Report: Patriot Act Fears Squash UK Defense Company’s Microsoft Cloud Plan.

Revisiting “Reflections on trusting trust revisited”

In 2003, Diomidis Spinellis in “Reflections on trusting trust revisited” concluded:

“Those of us who distrust the centralized control over our data and programs that TC platforms and operating systems may enforce can rest assured that the war for total control of computing devices cannot be won.”

Well it is the end of 2011 now and I think we are losing. The computer is being substituted by the tablet and the tablets are dominated by markets (Kindle, iTunes, Android, webstore, Opera, …). Yes you can jailbreak, but really how many do? Since almost every computer related trend seems to be a periodic phenomenon (just think of how many times you’ve seen the thin client vs fat client fashion come and go), we are now reliving the walled garden times. Centralized control is all over the commodity tablets and smartphones (is it really a phone or just a computer who by the way dials too?) “for our good”. The market owners do it “for the customer’s benefit”, not for the money. The developers like it for they push their products through a single channel. And most of the consumers like it for they cannot be bothered to search for applications elsewhere than the store.

Variety kills variety and we’re at the killing stage. We like having options, but we do not like many options and therefore we willfully assigned central control to the industry. It is a periodic phenomenon. We’ll reboot when the industry’s grip gets too tight. In the mean time we who distrust the centralized control over our data and programs are vastly outnumbered by the rest of the consumers.

Bureaucracies and information flow (take 2)

Actually just a few observations others have made, but observations I live within everyday:

The Iron Law of Bureaucracy states that:

In any bureaucracy, the people devoted to the benefit of the bureaucracy itself always get in control and those dedicated to the goals the bureaucracy is supposed to accomplish have less and less influence, and sometimes are eliminated entirely.

With the first group exibiting oligarchic behavior, dysergy follows. I will add an exception to Pournelle’s Law: IT people are devoted to the benefit of the bureaucracy itself, yet as a perceived “cost center” they get eliminated too. Interestingly, this happens because as observed by the Shirky Principle:

Institutions will try to preserve the problem to which they are the solution.

IT people do not easily accept the fact that part of their work is to make themselves redundant and by objecting to that (and therefore by maintaining their own internal bureaucracy) they get eliminated while fighting interdepartmental wars that have nothing to do with the organization’s mission. The rest of the departments understand the lesson IT took only after their time comes too.

I had heard Shirky’s Principle years ago (pre 2000) stated by me supervisor at the time in a different way:

A bureaucracy’s first objective is to maintain itself. Then to fulfill the reason it was created for.

Lost in translation. I think I’m going to find myself a Permit A 38 now.

Update 2011/12/21: Peter Drucker writes:

People are so convinced they are doing the right things and so committed to their cause that they come to see the institution as an end in itself. But that’s a bureaucracy

(part 1)

It has already begun

Not a post, but my response to “How Would We Know if a Cyber War Started?“:

Well one way to answer the title’s question is this: One can view Cyber War as a highly computerized evolved form of the Cold War. It has begun years ago, it is being conducted right now by various players (state and non-state actors) and will continue in the future. So it has already begun.

Other than that, I’m with @JeffreyCarr on the article’s relevance.

“died of states’ rights”

I am reading the first paragraph of “Local Defense and the Overthrow of the Confederacy“†:

“In recent years it is becoming more apparent to students of Confederate history that the Confederacy collapsed more from internal than from external causes and the most disastrous of these internal ailments was the attempt of the southern people to practice their theory of state rights during the war. This destroyed the possibility of cooperation, embittered and demoralized the people, and pitted the state governments against the Confederate government like hostile powers. This struggle between the states and the Confederate government extended into many fields, mostly related to the conduct of the war. One of the most important of these fields was the matter of local defense. It is the object of this paper to present a careful study of the policy of local defense in the Confederacy, and show how it contributed to the downfall of that government.”

How’s that any different from the EU (the Confederacy) and the financial crisis (the conduct of war) it is in right now?

[†] – Interesting paper for Game Theory newbies by the way

Embracing the Kobayashi Maru

It seems that I am not the only one who has thought† that the Kobayashi Maru can be used in a cyber security context. “Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat” describes the tricks employed by the students when they were given a very short notice to memorize the first 100 digits of π and then write them down. The students were allowed to cheat, but if they were caught they would fail the exercise. This as part of a class that aims to help students build adversarial thinking.

While the discussed solutions were indeed innovative, I strongly believe that the average Greek University student would come up easily with a few working plans :) Next time, if the authors want to make the exercise harder, they should use the previous students as proctors and grade them too. That would develop adversarial thinking even further and could become the Prison Experiment for cyber security.

Hat tip to GK for showing me the article!


[†] – Cyberdefense and the Kobayashi Maru.