Employing the OODA Loop to Proactively Maneuver Chuck Brooks Cybersecurity Actions List

History

Chuck Brooks recently published a Cybersecurity Actions list for defending data and intellectual property in a constantly changing threat environment. It got me thinking that the list is, fundamentally, a set of tactics to be employed in executing an organization’s cyber defense plan.

Today’s cyber security environment is analogous to the requirements of maneuverability in a kinetic war environment. Such maneuver warfare is defined by characteristics like swiftness of action, cycles of dispersion and concentration, deception, surprise, fluidity, shock, and flexibility. Recently, it has become the favored model for conducting cyberwarfare.

The Defense-in-Depth model, used in kinetic wars for years, has been adopted for fighting cyberwarfare. This model was used by Napoleon and in the majority of subsequent wars where attrition was the objective. Achieving that objective depended on two variables: force and firepower.

American generals in the early years of the cold war maintained this attrition mindset, treating ever more powerful weapons as the best strategy for maintaining parity with the enemy. Such thinking is much like the technology solutionism mindset that permeates cyber defense today!

This attrition mindset often fails to see quickness as a differentiating variable and, subsequently, the potential advantage it might provide. Lt. Col. John Boyd’s insight regarding the value of this variable was the basis for the development of the Energy Maneuverability Theory[1] that subsequently led to the development of the OODA Loop strategy model.

A prescient 1996 article for the Journal of Foreign Affairs, explained the future of warfare this way:

“Instead of attrition and the conduct of set piece battles along a continuous front such operations will give way to ‘non-linear operations’ [. . .] involving high-tempo attacks conducted simultaneously against key tactical, operational and strategic targets throughout the length, depth and breadth of the battlespace.”

The kinetic wars of the 21st century have borne out this prediction and, in this author’s opinion, the prediction applies equally to the cyberwarfare environment confronting all industries and the organizations within them. The thread that ties kinetic war and cyberwarfare together is the understanding that the key to success in the uncertain, modern world is not a specific belief, but the ability to rapidly change beliefs in response to a rapidly changing and uncertain environment.

As I studied the action list of tactics, I felt the OODA (Observe, Orient, Decide, Act) Loop strategy model would be of great benefit to the effort to employ these tactics. The OODA Loop is designed to be a continuous process. As such, at the completion of the action step, the success and/or challenges of those actions become the information to begin the process again. Each iteration of the loop will enable the organization to, at a minimum, maintain a pace equal to the threat environment evolution.

In this article, we will explore this belief, and the concept of using the OODA Loop strategy model for rapidly and proactively executing the actions of this list.

The OODA Loop Applied to Chuck Brooks’s Cybersecurity Action List

The OODA loop is often seen as a decision-making model, but can be more accurately described as a model of individual and organization learning and adaptation.

Observe

Observe means more than just “see;” it’s something more like “actively absorb the entire situation.” Observation includes your own situation, your opponent’s situation, and the environment more broadly. It includes all the dimensions of that environment: the physical, mental, and moral dimensions. In a sense, it is the step Sun Tzu advocates with “Know the other.”

The observation phase is data gathering in the broadest possible sense of the term: You are not just looking at your own numbers on a screen, you are looking at the emotional context, industry trends, and your adversary’s moves.

In the context of Brooks’s list, observation involves both external and internal observation.

- External observation includes: Identify Top Cyber Threats to the Organization’s Operating Environment
  - Malware (including polymorphic malware)
  - Social Engineering
  - Phishing
  - Ransomware
  - Insider Threats
  - DDoS attacks
  - Botnets

- Internal observation involves: Recognize Evolving Challenges
  - AI-enabled cyber attacks
  - IoT – exponential connectivity
  - Vulnerable supply chains
  - Transition to cloud, hybrid cloud, and edge platforms
  - Quantum computing

Orient

Orientation is the most important part of the OODA loop. It includes understanding your genetics, cultural heritage, and previous experiences, then analyzing and synthesizing that with all the observations you made. In this stage, you are adhering to Sun Tzu’s “Know Yourself” directive.

The orientation phase is where creativity and innovation happen. Consequently, you are encouraged to include people with diverse educational disciplines, experiences, and cultures: highly creative and innovative people will look at the same reality but orient their observations differently, leading to options that might not otherwise be considered in the decision step.

The goal you should be striving for in the orientation phase is to prove your previous beliefs wrong by finding mismatches: errors in your previous judgement or in the judgement of others. This goal is best achieved through the mindset of a diverse group, as its members will be more inclined to identify mismatches than to look for ways to confirm what has already been determined.

This approach is key to eliminating the confirmation bias which is a well-researched cognitive bias of human nature. It causes people to look for and filter information which confirms pre-existing beliefs in order to confirm their decision-making instead of looking for mismatches.

Regarding Brooks’s list, this would include:

- Identify digital assets to be protected
  - Data (at rest and in motion)
  - Network (firewalls, servers, routers, switches, Wi-Fi)
  - Devices (PC and mobile)
  - Facilities
  - People

- Key Cyber Pursuits
  - Prioritize cybersecurity as a company imperative
  - Create a risk management and vulnerability framework
  - Obtain C-suite leadership and employee engagement
  - Create an Incident Mitigation and Continuity Plan

The results of the actions taken, based on decisions made in a preceding loop, will aid in the identification of such mismatches.

As a rule, bad news is the best kind because if you catch it in time, you can turn it to your advantage.

Decide

The Decision stage is the transition into the final stage of acting. The Observe and Orient stages have provided you with the ability to “Know yourself; know the other” and enable you to begin to prioritize and consider options for remedies.

For organizations, the decision stage may require a series of meetings or discussions to adjust the strategy and roadmap based on the new orientation.

Activities performed in this stage relative to Brooks’s list include:

- Explore Remedies
  - Cyber hygiene and strong passwords
  - Access control
  - Penetration and vulnerability testing
  - Encryption
  - Antivirus software
  - Threat intelligence
  - New automated tools
  - Quick response teams
  - Incident response
  - Red Team, Blue Team, Purple Team

A suggested remedy not on this list is the continued evolution of the cybersecurity training program. As the organization moves out of its current “comfort zone,” training should be designed to intentionally deepen each employee’s individual and emotional engagement with their own role in the enterprise cyber defense plan, across the entire workforce.

Decisions to be taken based on the information must include the “Tempo”[2] in which these decisions are acted upon.

Getting inside your adversary’s OODA loop creates a tangle of threatening events and generates mismatches between what an adversary expects you to do and what you actually do. This makes your adversary feel trapped in an unpredictable world of doubt, mistrust, confusion, disorder, fear, panic, and chaos.

Your adversary is stretched beyond their moral-mental-physical capacity to adapt or endure, can neither divine your intentions nor focus their efforts to cope, and collapses. Getting inside your adversary’s loop creates moral and mental distress.

Act

Acting is carrying out the decision.

Then the OODA loop starts all over again. Your action(s) and their results in the just-concluded loop are assessed. A new iteration of the loop begins with these observations, and a new orientation based on this new information leads to the Decide and Act steps of the succeeding loop.

Conclusion

If the objective is to create a cyber defense plan with characteristics like swiftness of action, cycles of dispersion and concentration, deception, surprise, fluidity, shock, and flexibility, one that forces the adversary to respond to your actions and so lets the defender control any attack event, then the OODA Loop is an excellent strategy model for achieving these results.

I submit this article as “food for thought” as you continue your efforts to seize the advantage, from the attacker, in your unique cyber war environment!


[1] Energy maneuverability theory, as originally conceived, is a concept specifically tailored to the realm of aviation and the physical maneuvering of aircraft. It primarily deals with principles related to the exchange and management of kinetic and potential energy in the context of aerial combat. While energy maneuverability theory itself does not directly translate to cyberwarfare, its underlying principles of analysis, optimization, adaptability, and resource management can inform cybersecurity strategies and tactics. The cyber domain is fundamentally different from the aerial one, but the principles of effective maneuvering and energy management can still be applied to enhance cybersecurity efforts.

[2] Tempo is relative speed in time. War is a series of moves and countermoves in which the tempo of execution is important. The competitor who can respond faster than the opponent can identify opportunities and make decisions that force the opponent into a constant state of reaction. The constant state of reaction results in breaking the opponent’s will to continue the attack and causes a move to another target.
