Security lessons from the military

The military is an organisation that takes security seriously and does it very well. What lessons can we learn from the military that can be applied to the modern business?

By Shirley Siluk

Tue 18 Jul 2017 @ 13:30

Cybersecurity is important for organisations of all kinds. But it takes on a special level of significance in situations where safeguarding data is literally a life-or-death responsibility… as in military organisations.

What separates the best military operations from other types of enterprises isn’t necessarily the technology: it’s the mindset and the culture. And that’s where businesses can learn some valuable lessons for their own cybersecurity practices.

Among the top takeaways:

  • A commitment to security starts at the top, but must extend throughout the organisation
  • Continual training and testing are vital
  • Mistakes must be corrected and vulnerabilities must be patched promptly
  • Honest mistakes should be quickly acknowledged, but dishonesty must be strongly discouraged
  • Most of all, human error needs to be recognised as a leading security risk

“Nearly all past successful network penetrations can be traced to one or more human errors that allowed the adversary to gain access to and, in some cases, exploit mission-critical information,” then-U.S. Secretary of Defense Ash Carter and Chairman of the Joint Chiefs of Staff General Martin E. Dempsey wrote in their 2015 introduction to the Defense Department’s Cybersecurity Culture and Compliance Initiative.

That initiative, they said, aimed to transform the department’s security culture “by improving individual human performance and accountability”.

A 2015 Harvard Business Review article about cybersecurity lessons from the Pentagon credited Admiral Hyman Rickover – known as the “Father of the Nuclear Navy” – with shaping much of today’s military security mindset.

Rickover had a reputation for strict attention to detail, testing, safety and performance. Over his 30-plus-year career, the Navy’s nuclear fleet maintained an accident-free record.

When asked to help investigate the 1979 Three Mile Island nuclear reactor incident, Rickover explained his philosophy this way:

“Any successful programme functions as an integrated whole of many factors. Trying to select one aspect as the key one will not work. Each element depends on all the others.”

The key to maximising safety and security, especially in situations where errors can cost lives, is establishing a “high-reliability organisation,” according to Harvard Business Review authors retired US Navy Admiral James A. (Sandy) Winnefeld Jr, former special assistant to the Chairman of the Joint Chiefs of Staff Christopher Kirchhoff and University of Oxford business professor David M. Upton.

Such organisations, they note, operate on six principles that together work to “weed out and contain the impact of human error”.

Those principles are:

  1. Integrity
  2. Depth of knowledge
  3. Procedural compliance
  4. Forceful back-up
  5. A questioning attitude
  6. Formality in communication

“Cybersecurity breaches caused by human mistakes,” Winnefeld, Kirchhoff and Upton wrote, “nearly always involve the violation of one or more of these six principles.”

For example, they said, an unsupervised network admin who updates a system without reading instructions acts without the required depth of knowledge, procedural compliance and back-up.

A team of authors from the US Pacific Northwest National Laboratory also find helpful cybersecurity advice in the military strategies used to fight counterinsurgencies. In a 2009 book on “Collaborative Computer Security and Trust Management,” they cite an essay by US General David Petraeus to show that the lessons taken from the Iraq War “are strikingly applicable to collaborative cybersecurity”.

Among the key pieces of advice from Petraeus that they highlighted was: “Try to end each day with fewer enemies than when you started.” Another was: “Equip and use junior leaders in the strategic rather than just the tactical fight.”

“In contrast to the other warfighting domains... intrusions in cyberspace may not always result in visible, physical damage,” the 2015 cybersecurity initiative document states.

“It can be easy for users to underestimate the harmful effects of an intrusion enabled by human error – whether caused by inaction or inappropriate action.”

To work as well as every other aspect of the military, the document adds, cybersecurity and access to networks also need to be treated “with the highest standards of individual knowledge, accountability and reliability”.

That’s a lesson that can clearly be applied to any organisation outside the military as well.