James A. (Sandy) Winnefeld Jr.
August 13, 2015
No sooner had my coauthors and I put the finishing touches on our Harvard
Business Review article that holds up the U.S. military approach to
cyberdefense as a model than news stories disclosed that there had been a
serious breach of the unclassified e-mail system used by employees of the U.S.
Joint Chiefs of Staff in the Pentagon. But the incident actually heavily
underscores our principal point.
Reportedly, the attackers used a spear-phishing e-mail to penetrate the system.
The Department of Defense has found that the lion's share of successful
cyberattacks are made possible by poor human performance. Indeed, a key element
of our thesis is that most organizations place too little emphasis on changing
behavior and too much on technical safeguards.
We suggest that companies should follow the U.S. military's example. It is
strengthening its cybersecurity by applying the methods used by the U.S. Navy's
nuclear-propulsion program, whose safety record is second to none. These
include a robust program of training, reporting, and inspections, as well as
six operational excellence principles. They are:
Integrity, a deeply internalized ideal that leads people, without exception, to
eliminate sins of commission (deliberate departures from protocol) and own up
immediately to mistakes.
Depth of knowledge, or a thorough understanding of all aspects of a system, so
people will more readily recognize when something is wrong and will handle any
anomaly more effectively.
Procedural compliance, which entails requiring workers to know or know where
to find proper operational procedures and to follow them to the letter. They're
also expected to recognize when a situation has eclipsed existing written
procedures and new ones are called for.
Forceful backup, which means, among other things, having two people, not just
one, perform any action that poses a high risk to the system and empowering
every member of the crew, even the most junior person, to stop a process when
a problem arises.
A questioning attitude, which can be instilled by training people to listen to
their internal alarm bells, search for the causes, and then take corrective
action.
Formality in communication, which means communicating in a prescribed manner to
minimize the possibility that instructions are given or received incorrectly at
critical moments (e.g., by mandating that those giving orders or instructions
state them clearly, and the recipients repeat them back verbatim). Formality
also means establishing an atmosphere of appropriate gravity by eliminating the
small talk and personal familiarity that can lead to inattention, faulty
assumptions, skipped steps, or other errors.
The entire U.S. military is gradually embracing these methods as a central part
of its efforts to bolster its cybersecurity. Despite this recent embarrassing
attack, it has actually made good progress. With cyberattacks on the private
sector a serious problem, business leaders must also turn their companies into
high-reliability organizations. Technological safeguards, while vital, will not
alone make a company safe.
James A. (Sandy) Winnefeld Jr. was the ninth vice chairman of the U.S. Joint
Chiefs of Staff and an admiral in the U.S. Navy until August 2015, when he
retired.