Yesterday’s War Part 2: Real World Context

My Time in Iraq

“The situation in Iraq is unacceptable to the American people — and it is unacceptable to me ... Where mistakes have been made, the responsibility rests with me.”
- George W. Bush

I was deployed to Iraq in support of Operation Iraqi Freedom from March of 2004 through April of 2005. By traditional accounts, the war was over, Saddam Hussein had been captured, the government was under the control of the United States and its allies, and the Iraqi army had been totally defeated. However, the insurgency that followed lasted more than a decade and gave rise to the most devastating terrorist organization the world has ever seen, and the first one to ever declare itself a state and control significant territory. This was a very interesting time period. Many of my observations come from lessons the United States military didn’t learn effectively until much later. My comparisons are based on my personal observations, public reports from official channels, and anecdotal experiences from my friends who deployed later.

The problem wasn't that we lacked firepower or manpower, or that we spent too little on equipment and technology. The problem was that we were winning yesterday's war but losing the war we were actually fighting, which was asymmetrical and based on the ability to operate in the shadows and control the population rather than engage armies on the field of battle and control territory.

Note: Most historians would argue that it was the surge led by General David Petraeus that turned the tide of the war, and I believe they are correct. However, it was not sheer numbers of troops that delivered those results, but the fundamental ways in which General Petraeus changed how the war was being fought that yielded those results. More on that later.

This is similar to information security in the age of Digital Transformation. Many organizations are effective in protecting perimeters that don't, while completely failing to protect sensitive information that no longer resides within their perimeter. Many security teams have taken an adversarial stance by building a structure where they can say “no” to the business and stop behaviors they don't like while the business has decided that digital transformation is so important and urgent that completely bypassing the security team if they are slowing down the transformation process is acceptable. Many security teams are desperately trying to retrofit technologies built for yesterday's cybersecurity challenges to the new world rather than evaluating the challenges and opportunities associated with the modern business landscape and designing a new security paradigm to solve tomorrow's problems.

The purpose of writing this is not to comment on the Iraq war. I have my personal feelings, as do most Americans. I imagine the same is true for most Iraqis. It is also not designed to give outsized importance to my personal experiences. I am one person in a sea of people who were shaped by the conflict at that time. However, I cannot escape the general feeling right now as an executive in a cyber security service provider that I had when I was training to deploy to Iraq. There I felt I was training to fight the Soviet Army knowing in the post-September 11th world I would not be fighting a traditional war with armies on a field of battle. At that time, I had no idea what it would actually be like fighting an incredibly asymmetrical war, but I was relatively certain that learning how to identify the heat signature from a T-55 Russian tank through the thermal system on an M1 Abrams SEP 2 main battle tank was not likely to help me to survive what was ahead.

Similarly, hearing clients and industry experts talking about firewalls, Intrusion Prevention Systems, and Endpoint Protection Platforms seems irrelevant in the world we’re moving towards, which is predicated on bring your own device and cloud services that render perimeter, network, and endpoint controls largely irrelevant. I was struck with an extreme case of deja vu, where 15 years after the fact, I again felt I was being positioned to fight yesterday’s war, while my enemy was several steps ahead of me, winning a war that I had not yet figured out how to effectively measure. The average soldier, or company in this case, thought they were winning, until they realized, often very publicly, that they weren’t. While watching a documentary about Vietnam and reading a book called How to Measure Anything, I was struck that what I was feeling was likely felt by many people involved with prosecuting the Vietnam War.

Vietnam

McNamara Fallacy: The first step is to measure whatever can easily be measured. This is ok as far as it goes. The second step is to disregard that which can't be easily measured or to give it an arbitrary quantitative value. This is artificial and misleading. The third step is to presume what can't be measured easily isn't important. This is blindness. The fourth step is to say what can't easily be measured really doesn't exist. This is suicide.
-Charles Handy, The Empty Raincoat 

During a speech given to Vietnam veterans in 2011, President Barack Obama stated “Let it be remembered that you won every major battle of that war. Every single one.” It could be argued that depending on your definition of a major battle, there were a few that the United States lost, but the United States generally did win more than it lost on the fields of battle in Vietnam. However, the war was not a traditional war of attrition where battlefield success was the proper metric; it was a new type of war, a very publicly prosecuted political war. For the first time in history, citizens of both countries had a front row seat to the horrors of war, and the war itself was not seen as an existential conflict for the American public like wars past. Therefore, the public relations campaign was far more important than victories on the battlefield. This was a concept the North Vietnamese understood well and the United States did not.

The United States lost the war because they had the wrong metrics and the wrong success criteria. They were measuring success as if they were fighting a war of attrition but doing so against a guerrilla enemy who blended into the population and whose success was predicated on turning the local population against the American military. The United States military was gauging success by body count, which while striking and barbaric when you say it out loud, was the actual name they gave to the metric that they used to report about progress in Vietnam. In a way the more “success” the Americans had by their own standards, the more they were actually losing the war by the measurements that mattered, which was the sentiment of the average person residing in Vietnam and the United States.

The North Vietnamese ultimately won the war by not only turning the Vietnamese against the American military but also turning Americans against their own military to the point where they demanded an end to the war and caused long lasting damage to an entire generation of American service members that went far beyond any casualties sustained on the battlefield. This was a master stroke and among the most stunning political victories to a military conflict that I have ever encountered. How did it happen?

As it turns out, metrics matter, and they matter a lot. Finding the right metrics also matters. If something is important at all, it can be measured. If it truly cannot be measured, it is not important. What is the parallel to cyber security? You have to measure your ROI. It isn’t easy but it is necessary. You don’t need perfect information. There is a book called How to Measure Anything by Douglas Hubbard which should be essential reading for anyone who is in charge of an Information Security program. It not only details how you can measure abstract concepts like ROI on a cybersecurity investment, but also dispels many myths related to measurements. Here is my favorite:

“There is a myth that says if you have a lot of uncertainty, you need a lot of data to tell you something useful. In reality, if you have a lot of uncertainty, it doesn’t take much to reduce uncertainty significantly. In other words, if you know almost nothing, almost anything will tell you something.”

The lesson of the Vietnam War is all about measurement. Making decisions based on the wrong measurements is disastrous. Not measuring at all is blindness. Pretending something doesn’t matter because it is difficult to measure is suicide. I don’t want to belabor this point, but I want to strongly make it. You must measure ROI for your security investments. I have been challenged strongly and openly ridiculed for making this statement. I have been told it was impossible. I have been told it is too expensive. I have been told a lot of things by a lot of people who don’t want to do the work to gather the measurement or who don’t know how and don’t want to admit it. Read the book. If you still don’t think measuring ROI for security is possible let’s talk. Don’t tell me it’s impossible until you’ve read the book. It might just change your professional life.

One of the core premises is a fundamental misunderstanding of what measurement means. It does not mean gathering an exact value to answer every question. It is really about reducing uncertainty. Rarely is gathering perfect information necessary or cost effective; however, making good assumptions and gathering some information is vital. Measurement isn’t all or nothing; it’s about gathering enough data to make good decisions. Too many organizations make bad investments in good technology in the cybersecurity field. The technology is very effective, but the investment is not worthwhile because the cost outweighs the benefit. In the words of InteliSecure CEO Steven Drew, “You shouldn’t spend a dollar to protect a nickel.” How could you possibly know if you aren’t measuring the anticipated benefit of a security measure?

Recently, I have participated in a forum for technology founders and public and private equity investors. I’m still trying to figure out how I got invited, but I find an amazing amount of useful insight from talking to people like Grant Wernick, Andrew Peterson, and Michael Coates. Michael Coates is the former CISO of Twitter who left to found a company named Altitude Networks in order to solve specific problems that vexed him as a CISO. Michael has a real talent for putting concepts in simple terms where they are easily understood, and one of the quotes I like the most is “A good security solution is equal parts efficacy and usability.” I would go so far as to say one without the other is useless.

Take the military example. The AK-47 is by no means the most accurate weapon in the world; it’s far less accurate than other weapons. It doesn’t have the best range, but it is estimated to be the most used piece of military equipment in the world, with over 75 million of them estimated to be in service. Why? Because it is simply made, easy to maintain, easy to operate, inexpensive, and reliable. Conflicts around the world have tragically proven that you can teach a child how to maintain and operate an AK-47, whereas technologically superior weapon systems require precise maintenance and rigorous training.

With the global shortage of cyber security talent, solutions that are intuitive and elegant in their simplicity will win in the marketplace. Solutions that require a programmatic element or are inherently conditional and complex like Data Security and Cloud Security Solutions, must have good services partners, particularly Managed Services partners, in order to be successful. Manufacturers could also choose to offer the necessary services themselves, but that model is often less attractive to technology manufacturers than building effective partnerships.

General Petraeus and a New Approach

There are many concepts I believe to be applicable that were lessons learned in the Iraq war, and sadly I see many companies in Chicago, Minneapolis, and Virginia repeating in cyberspace mistakes similar to those the US military made in Baghdad, Mosul, and Fallujah.

In 2007, General David Petraeus introduced a completely new strategy which turned the tide in Iraq, and the types of tactics he deployed ultimately taught the world how to fight a new enemy. An enemy that operates in the shadows, strikes fear into the hearts of the local population, and seamlessly blends into local society and culture. These lessons and insights would prove to be valuable in the subsequent fight against ISIS, the most dangerous and most powerful (at the time) terrorist organization the world has ever known. Regardless what you think of the general and what he has done since leaving his command, history is likely to remember him as one of the great military thinkers of our time.

In the coming posts in the series, we will compare and contrast many of my observations from my time in Iraq with my observations from the last decade I have spent helping organizations around the world protect critical information. As I reflect on the last decade of cybersecurity, I am reminded of the previous decade of military operations. While it is frustrating to see some of the same mistakes cause significant harm, I am encouraged that we have solved some of these problems before, and if we make the proper adjustments, we can solve them in cyberspace. Success isn't defined by the end of cyber-attacks, as that is an unrealistic expectation. However, it is realistic that we can prevent cyber adversaries from operating with impunity and raise the barriers to entry to cyber-crime in terms of skill and resources to significantly limit the harm that comes to the legitimate global economy by shifting the way we think and the way we defend our critical data assets.

Follow the Series!

This is the second of a six-part series. Each new part from the series will be published Tuesday until all six parts are available.

You can access part one here: 

https://www.dhirubhai.net/pulse/yesterdays-war-jeremy-wittkop-cissp       

You can access part three here:

https://www.dhirubhai.net/pulse/yesterdays-war-part-three-jeremy-wittkop-cissp

About the Author

Jeremy Wittkop is the Chief Technology Officer for InteliSecure, the world's leading Managed Services Provider focused on the protection of critical information assets. Jeremy was also InteliSecure's first Managed Services Director. Jeremy has also written a book about securing critical information assets called Building a Comprehensive IT Security Program available from Apress publishing on Amazon at https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines/dp/1484220528/

Stan B.

vCISO, Cloud Security Architect & Data Protection Leader | CISSP, CISA, CDPSE | Photographer & Mentor

5 years ago

First, thank you for your service. Second, I wish everyone would stop jumping on the now old bandwagon of bashing perimeter security measures, which are still critical for many organizations. More importantly, you've repeatedly misspelled the last name of General *Petraeus*!

Chuck Sirois

Creator: emailSpoofTest.com, DLPtoolbox.com

5 years ago

I'm glad you found the time to get this out. There is no single author of history.