In discussions with @MrBoJensen we’ve concluded that most of the times virtual friends (people who we do not actually know) surprise us with their positive and supportive reactions. Yesterday I was to be surprised twice this way.
New book on Security, Game Theory and Algorithms http://bit.ly/sBuUY4 | Pretty expensive for me though
At $64.99 the book carries the typical price from academic publishers. Which of course results in making knowledge contained in the book inaccessble, a contradiction to the very publication of a book. Really people someone has to make the Laffer curve for academic books, paper and textbook prices. Maybe you’ll understand. But I digress.
Minutes after I posted my complaint the Net responded. In my INBOX resided a gift of $64.99 to buy the book. A friend, a net friend whom I’ve never met but with who I’ve discussed various issues over the years and a mutual respect has grown between us, decided that I needed a Christmas present. THANK YOU Sakis. I am deeply moved.
Hours later yet another amazing gesture came. This time from a highly accomplished and respected Greek (a role model one would say). Again I stood speechless for a while trying to comprehend what had happened.
“Other people can do those activities and do them well. Maybe a few years ago it was a good idea for you to help get this farmers’ market started because those Vietnamese farmers in your area needed a place to sell their produce; but it’s going well now, and you don’t have to run it anymore. It’s time for organized abandonment”.
As system administrators we manage organized complexity. When systems outlive their scope, organized abandonment is the way to go. Unmaintained legacy systems is what we get for not planning so.
Vasilis Katos at the 1st Athens Chapter ISACA Conference argued that we do not need cyber security experts, rather we need champions on the multitude of the different and complex areas that this domain encloses. He is not alone in believing this about experts. With the domain being new, hot and with commitment from Governments for financial backing of projects, the landscape is open for expertship claim. And since we are at the infant stages, many try to establish themselves as the strategists who set the pace, no matter how disconnected from reality they may be.
Whenever a new domain is introduced, until it is sufficiently comprehended people try to use analogies to make the connection. It is a no brainer then that since anything colored “cyber” starts to get a military approach, analogies with highly successful strategists of the past and relevant studies of them will appear. Think of it: Sun Tzu seems to fit every subject, from the battle ground, to sports, to (non military) management. I’ve seen efforts for both Sun Tzu (although far from a complete treatment) and Clausewitz and I am sure that others exist too. It is no wonder then that John Boyd and his OODA Loop would receive treatment too.
Since I found the OODA Loop concept interesting I set out to learn a bit more about it. This is not an easy task for a civilian for Boyd did not really leave much written work behind with the exception of a continually refined set of slides that when finalized took about 15 hours to present. To understand the loop, I read “A vision so noble” by Dan Ford. It’s chapter 2 contains a longer explanation of the OODA Loop than Wikipedia does and even includes a hand written sketch of it:
The OODA Loop as John Boyd sketched it toward the end of his life
Boyd is mostly an attacker and not a defender and indeed one can find cyber similarites in his work, where in page 40 Ford uncovered from his boxes:
Infiltration
* Blitz and guerrillas infiltrate a nation or regime at all levels to soften and shatter the moral fiber of the political, economic and social structure. To carry out this program, a la Sun Tzu, Blitz and Guerrillas:
* Probe and test adversary to unmask strenghts, weaknesses, maneuvers and intentions.
* Shape adversary’s perception of the world to manipulate or undermine his plans and actions.
Purpose
* To force capitulations when combined with external political, economic and military pressures.
or
* To minimize the resistance of a weakened foe for the military blows to follow.
Do not all the above match Cyber Warfare aims? So there exists value in studying Boyd and his tactics, but not a one-to-one mapping as many would hope that would make the transition to a cyber domain easier. The OODA Loop is there, one has to understand that it is not completely linear (OODA means Observation, Orientation, Decision, Action but you are constantly in an observation state that provides feedback) and is valuable.
“a contract, hence an agreement, between superior and subordinate. The subordinate agrees to make his actions serve his supervisor’s intent in terms of what is to be accomplished, while the superior agrees to give his subordinate wide freedom to exercise his imagination and initiative in terms of how intent is to be realized.”
“The very worst part of this prediction is that its inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has refused to do what’s necessary to protect our nation’s critical infrastructure because it’s 90% privately owned, and our laws and system of government has enabled this massive malfeasance so that everyone responsible can claim absence of malice. In the words of Upton Sinclair and the movie based upon his book Oil! – “there will be blood”. It’s just a matter of time”.
What is missing is the State’s ability to run the show. Had the State the ability to run the show, it would not have been that much dependent on such a fragile operation mode for the critical infrastructure. But as it is a waste to maintain an idle workforce capable of “doing the job” while actually not doing it (the other option being running the show, which also means a totally different kind of economy), Government resorts to regulation which again is problematic, since there cannot exist a Good Regulator (the Good Regulator can run the show; how many regulatory authorities actually can?) again this is problematic. To counter the problem new rules are placed on top of older ones and thus the Regulatorium emerges.
Blood? The Critical Infrastructure interdependencies are no less complex than the global Economy (imagine the CIP of a nation being attacked because it exports energy to another which is the actual target) so it is going to be rivers of it.
“Τα στοιχεία θα καταχωρισθούν σε ειδική ηλεκτρονική βάση δεδομένων που κατασκεύασαν τα στελέχη Πληροφορικής του υπουργείου Διοικητικής Μεταρρύθμισης, η οποία δημιουργήθηκε με μηδενικό κόστος «πάνω» στην πλατφόρμα της Google.”
και αυτό (Security Problems with U.S. Cloud Providers):
“I think these are legitimate concerns. I don’t trust the U.S. government, law or no law, not to spy on my data if it thought it was a good idea. The more interesting question is: which government should I trust instead?”
“Those of us who distrust the centralized control over our data and programs that TC platforms and operating systems may enforce can rest assured that the war for total control of computing devices cannot be won.”
Well it is the end of 2011 now and I think we are losing. The computer is being substituted by the tablet and the tablets are dominated by markets (Kindle, iTunes, Android, webstore, Opera, …). Yes you can jailbreak, but really how many do? Since almost every computer related trend seems to be a periodic phenomenon (just think of how many times you’ve seen the thin client vs fat client fashion come and go), we are now reliving the walled garden times. Centralized control is all over the commodity tablets and smartphones (is it really a phone or just a computer who by the way dials too?) “for our good”. The market owners do it “for the customer’s benefit”, not for the money. The developers like it for they push their products through a single channel. And most of the consumers like it for they cannot be bothered to search for applications elsewhere than the store.
Variety kills variety and we’re at the killing stage. We like having options, but we do not like many options and therefore we willfully assigned central control to the industry. It is a periodic phenomenon. We’ll reboot when the industry’s grip gets too tight. In the mean time we who distrust the centralized control over our data and programs are vastly outnumbered by the rest of the consumers.
In any bureaucracy, the people devoted to the benefit of the bureaucracy itself always get in control and those dedicated to the goals the bureaucracy is supposed to accomplish have less and less influence, and sometimes are eliminated entirely.
With the first group exibiting oligarchic behavior, dysergy follows. I will add an exception to Pournelle’s Law: IT people are devoted to the benefit of the bureaucracy itself, yet as a perceived “cost center” they get eliminated too. Interestingly, this happens because as observed by the Shirky Principle:
Institutions will try to preserve the problem to which they are the solution.
IT people do not easily accept the fact that part of their work is to make themselves redundant and by objecting to that (and therefore by maintaining their own internal bureaucracy) they get eliminated while fighting interdepartmental wars that have nothing to do with the organization’s mission. The rest of the departments understand the lesson IT took only after their time comes too.
I had heard Shirky’s Principle years ago (pre 2000) stated by me supervisor at the time in a different way:
A bureaucracy’s first objective is to maintain itself. Then to fulfill the reason it was created for.
Lost in translation. I think I’m going to find myself a Permit A 38 now.
People are so convinced they are doing the right things and so committed to their cause that they come to see the institution as an end in itself. But that’s a bureaucracy
Well one way to answer the title’s question is this: One can view Cyber War as a highly computerized evolved form of the Cold War. It has begun years ago, it is being conducted right now by various players (state and non-state actors) and will continue in the future. So it has already begun.
Managing organized complexity 
