27 Articles for the Ongoing Counter CyberInsurgency Matthew Dosmann

What Makes a CyberInsurgency? Cyberspace and human agency Physical world analogs Nature of Insurgency, cyber or otherwise What to do about it

27 Articles Cybersecurity is complexity. Neither Cartesian systems analysis  nor the next great widget alone will be the solution. Don’t make it worse. Subversion of cyber is not a coherent effort. We don’t want to drive people into the arms of the insurgency. Therefore the “minimum force, maximum discrimination” mandate is in effect. Make it harder to be bad. Programs that deny future insurgents are decisive (even is they take time and aren’t sexy). Break the Cycle. Whatever model is used (Infection, Contagion, and Spread or Intervention, Rejection, Crime, Monetization, Laundering or something else) the aim is the same: “to displace the enemy network”. Ignore operational fundamentals at your own risk. Learn from those who have made a study out of conflict and competition. Sun Tzu and Clausewitz had it right and General Staffs have since refined it. Disaggregate the threat. A comprehensive, tailored approach is needed. Clausewitz’s Trinity: Passion, Creativity, and Reason. Learn your business. And it isn’t IT or cybersecurity. Cyberspace exists to support missions, business, and other human interactions. If you are going to be effective, you will need to know how the core business works. Learn who your users are. Put the human and the human experience of the system at the core of your thinking. Get allies. Coordinate with others; build and nurture relationships. There is no “cowboy” solution to this issue.

27 Articles Develop the environment. Determine what adjustments can be made to make it easier for you to practice cybersecurity. Keep an eye on the environment external to your networks and influence what you can. Develop subordinates. Get their skills to where they need to be, empower them, and hold them accountable. COOP, COOP, COOP Bad things will happen, not all of them in cyberspace. Rational metrics . The only way to know if you are doing well or losing your shirt is to measure what’s going on. There is no single silver bullet metric. Seek the initiative. Remember that a fundamental of predatory behavior is to go after the easy target. Adjust and adapt . Standard operating procedures are valuable tools, but they need to be regularly evaluated and adjusted in order to make best use of new tools and to avoid becoming predictable. Learn your networks. Map them, know what’s on them and keep track of what changes. Learn what the cyber threats are that likely to affect your business. What is most likely? What would be most dangerous? You are not going to solve cybersecurity, or world hunger, alone so focus on your portion of it and do it well. Learn how resources are allocated in your organization. In order to get what you need, you have to be able to work the process and present a business case that resonates.  

27 Articles Know who the legal authorities are. Who you do you call and when? Coordinate with them prior to something happening. Know what your operating authorities are. If there are gaps between those authorities and what you have to do, fix that. Know what your forensic needs are. Know what the standards are and ensure you can meet them. Communicate. Both up and down the chain. Give leadership relevant or actionable information. Keep users and subordinates informed because trust is lost when you keep people in the dark. Definitely know what warrants waking up te boss. You are part of the global society. Cyberspace is global, so everyone’s gripe is globalized. Develop an appreciation for how events will be perceived and reacted to elsewhere. This can be a valuable tool that keep points of friction from becoming points of conflict. Don’t ditch the Westphalian model out of hand. It took a while but in the end it did well with some other thorny problems, e.g. piracy and slavery. The current structure can provide some benefit but it will need augmentation. Police vs Army. There is a BIG difference. They can and should coordinate their efforts, but they are not interchangeable. Develop and gain buy-in for the rules of cyber warfare. This will be difficult, but the discussion needs to occur. We need Peel’s Principles for cyber police.

27 Articles Yeah, I cheated a bit. PRINCIPLE 1 “The basic mission for which the police exist is to prevent crime and disorder.” PRINCIPLE 2 “The ability of the police to perform their duties is dependent upon public approval of police actions.” PRINCIPLE 3 “Police must secure the willing cooperation of the public in voluntary observance of the law to be able to secure and maintain the respect of the public.” PRINCIPLE 4 “The degree of cooperation of the public that can be secured diminishes proportionately to the necessity of the use of physical force.” PRINCIPLE 5 “Police seek and preserve public favor not by catering to the public opinion but by constantly demonstrating absolute impartial service to the law.” PRINCIPLE 6 “Police use physical force to the extent necessary to secure observance of the law or to restore order only when the exercise of persuasion, advice and warning is found to be insufficient.” PRINCIPLE 7 “Police, at all times, should maintain a relationship with the public that gives reality to the historic tradition that the police are the public and the public are the police; the police being only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the interests of community welfare and existence.” PRINCIPLE 8 “Police should always direct their action strictly towards their functions and never appear to usurp the powers of the judiciary.” PRINCIPLE 9 “The test of police efficiency is the absence of crime and disorder, not the visible evidence of police action in dealing with it.”

Questions?