💾 Archived View for gmi.noulin.net › mobileNews › 5529.gmi captured on 2021-12-05 at 23:47:19. Gemini links have been rewritten to link to archived content


What the U.S. Military Has Learned About Thwarting Cyberattacks

James A. (Sandy) Winnefeld Jr.

August 13, 2015

No sooner had my coauthors and I put the finishing touches on our Harvard Business Review article that holds up the U.S. military approach to cyberdefense as a model than news stories disclosed that there had been a serious breach of the unclassified e-mail system used by employees of the U.S. Joint Chiefs of Staff in the Pentagon. But the incident actually heavily underscores our principal point.

Reportedly, the attackers used a spear-phishing e-mail to penetrate the system. The Department of Defense has found that the lion's share of successful cyberattacks are made possible by poor human performance. Indeed, a key element of our thesis is that most organizations place too little emphasis on changing behavior and too much on technical safeguards.

We suggest that companies should follow the U.S. military's example. It is strengthening its cybersecurity by applying the methods used by the U.S. Navy's nuclear-propulsion program, whose safety record is second to none. These include a robust program of training, reporting, and inspections, as well as six operational excellence principles. They are:

Integrity, a deeply internalized ideal that leads people, without exception, to eliminate sins of commission (deliberate departures from protocol) and own up immediately to mistakes.

Depth of knowledge, or a thorough understanding of all aspects of a system, so people will more readily recognize when something is wrong and will handle any anomaly more effectively.

Procedural compliance, which entails requiring workers to know (or know where to find) proper operational procedures and to follow them to the letter. They're also expected to recognize when a situation has eclipsed existing written procedures and new ones are called for.

Forceful backup, which means, among other things, having two people, not just one, perform any action that poses a high risk to the system, and empowering every member of the crew, even the most junior person, to stop a process when a problem arises.

A questioning attitude, which can be instilled by training people to listen to their internal alarm bells, search for the causes, and then take corrective action.

Formality in communication, which means communicating in a prescribed manner to minimize the possibility that instructions are given or received incorrectly at critical moments (e.g., by mandating that those giving orders or instructions state them clearly, and the recipients repeat them back verbatim). Formality also means establishing an atmosphere of appropriate gravity by eliminating the small talk and personal familiarity that can lead to inattention, faulty assumptions, skipped steps, or other errors.

The entire U.S. military is gradually embracing these methods as a central part of its efforts to bolster its cybersecurity. Despite this recent embarrassing attack, it has actually made good progress. With cyberattacks on the private sector a serious problem, business leaders must also turn their companies into high-reliability organizations. Technological safeguards, while vital, will not alone make a company safe.

James A. (Sandy) Winnefeld Jr. was the ninth vice chairman of the U.S. Joint Chiefs of Staff and an admiral in the U.S. Navy until August 2015, when he retired.