I haven’t met Richard Bejtlich yet, but I have a feeling we’d get along just fine. We’re both fans of the History Channel, have backgrounds in martial arts, love the show Human Weapon (martial arts AND the History Channel!), and have a background in the military (four years on a Navy ROTC scholarship, but I ended up becoming a paramedic instead of going active duty).
That said, I have to slightly disagree with his latest post where he criticizes Jay Heiser, my friend and former colleague, for being “anti-military”. As usual, I’ll be my slimy self and take a position just between my associates. I think I lived in Boulder, Colorado for too long or something – it made me go all soft.
Jay’s original article discusses how we, in non-military information security, need to leave the military mindset behind.
Military defense models are great for the military, and (as Richard’s post demonstrates) often contain some extremely valuable principles and techniques we can translate into non-military security. The problem with trying to follow military principles too closely is that they don’t translate well in two dimensions:
- The Mission: The mission of the military is dramatically different than that of most private businesses. The military is completely defined by the mission of defending the nation, from culture, to org structure, to every policy and procedure. That mission also creates a unique risk profile that doesn’t translate well to the civilian world. Sure, on the Internet we’re all targets, but when you combine the mission and risks of the military it drives policies and procedures that will be very different than what we civvies need. There’s overlap, but the devil is in the details and trying to push military models in commercial enterprises nearly always fails (unless we stick to very abstract levels, as Richard does in his post).
- The Culture: Human behavior doesn’t change, but one of the most powerful aspects defining behavior is culture. All organizations have a culture, whether they want it or not. I define culture as the instinctive behavior of employees; within an organization it’s what someone does without thinking. The military culture is one of the most powerful in existence, defining everything from haircut, to dress, to speech patterns. It’s been fourteen years since I left the Navy (and I was only active for summer training), and people can still tell. Civilian corporate culture is wildly divergent from military culture, and this limits the effectiveness of many military solutions to security problems.
We still have a lot we can learn from the military (and law enforcement, for that matter), and shouldn’t throw the baby out with the bath water, but we need to pay better attention to which lessons we bring over, and increase the rigor of how we translate them for private enterprises. Some examples?
- Defense-style data classification doesn’t work outside of defense/intelligence/government.
- Certification and accreditation are a waste of time and resources (probably for the government as well as the rest of us, but that’s for another post).
- Common Criteria below EAL-5 doesn’t provide any significant value in assessing the security of a product.
I’ll keep telling budding information security pros to learn history, read Sun Tzu, familiarize themselves with the Orange Book, and study military principles, but it’s equally important to show them where these models don’t work in the private sector, why, and how to translate them into something effective for us civilians.
5 Replies to “Learn From The Military, Don’t Emulate It”
So good, I had to do a full blog entry instead of replying to our comments.
had a little back and forth with rybolov in the comments on my military post, and he introduced me to something called the Business Reference Model right out of some government
OK, Rich, you pushed me over the edge. =)
http://www.guerilla-ciso.com/archives/248
http://www.guerilla-ciso.com/archives/249
I’ll probably put one more in this series up if I get some time over the next couple of days. The big missing space is tying all this BRM stuff back into a set of baseline security requirements.
That’s a great point- I was focusing on the military side more than the NIST side. The 800 series is really great stuff, and I highly recommend it as background material, if nothing else.
I haven’t seen that model… you should definitely blog it.
Hi Rich
I’m not a bank, either, so don’t push your compliance junk software at me. =)
http://www.guerilla-ciso.com/archives/212
Like I tell people all the time, the government way is to focus on confidentiality and leave the integrity and availability to banks and service providers. Yes, there are some exceptions, but where we got our start was in the classified world—it’s TS, now what does that mean we can and can’t do with it?
Common Criteria (and I’ll end up eating this statement one day, my friends at NIST will probably beat me over the head when they see me next time) is OK, but really at this stage of the game it comes down to a government-wide preferred vendors list. Not entirely useless, but then again, not as helpful as we would have liked.
The value that you can get from the government is in free frameworks (8500.2, SP 800-53) and tools (DISA STIGs and SRR Scripts) that are completely free to use but need to be tailored and adapted.
The other “little” thing that people never see is this thing called the Business Reference Model—I should blog it one of these days—which gives you a huge list of data types and their relative importance government-wide. There’s some kind of value in there for business to take and build their own version of “The Cookie Jar” and start defining what activities are important to them.