Asynchronous Warfare, Part 4: OODA-Loop 2.0 and the Four Golden Rules

Asynchronous Warfare, Part 4: OODA-Loop 2.0 and the Four Golden Rules

By Dr. Dennis Prange and edited by Andy Norton

NOTE: This is part 4 of a 4-part series on Asynchronous Warfare. cyberwarfare strategy theory FI

In part 1 of this blog series, we described the roots of the cyberwar that we’re already fighting, which lie in proven, historic conventional warfare tactics that give the advantage to what appears to be an underpowered enemy. In part 2, we described the strategy behind asynchronous warfare usage and the three phases of protracted conflict that lead to ultimate victory. Then part 3 described how the asynchronous warfare strategies and tactics developed in conventional warfare apply to the cyber realm; what we call Asynchronous Warfare 2.0.

In this final post of the 4-part series, we explain how the OODA Loop, originally defined from a conventional warfare perspective in part 1, is adapted to the cyber realm. We also introduce the Four Golden Rules for detecting and defeating asynchronous warfare.

OODA-Loop 2.0 – Cyberwarfare Strategy Theory

Looking at the challenges the IT cybersecurity professionals are faced with today reveals remarkable resemblances when it comes to the four levels of cyberwarfare strategy theory. Again, a defender is confronted with actions that directly aim to break into his OODA-Loop.

Tactical: The attackers can choose time and place of an attack. When the Computer Emergency Response Team (CERT) arrives, the attack has already occurred. Vice versa, counter attacks are problematic because attribution is oftentimes hardly possible or even impossible. If it is impossible to identify an opponent, however, it is equally impossible to bring the fight to him. Therefore, defense is the only, if deficient, strategy.

Operational: The sheer number of attacks in different places can easily overwhelm the incident responders. While this was already the case in asynchronous warfare 1.0, with a constant lack of security personnel, it is much worse in cyberspace. Because there are markedly fewer cybersecurity operators than security forces while at the same time the possibility to attack is more numerous yet.

Strategic: The West once more appears to be disoriented in the face of his constant positioning in the defensive. Faced with the challenge to secure his networks, he is once more caught in an arms race whose existence he has not completely realized yet. This time, however, as long as he does not adopt a doctrine that includes retaliation, he needs to develop purely defensive strategies – an ardent task, for purely defensive strategies, have seldom been successful in history.

Grand strategic: In the mindset of organizations in the Western world, the focus usually lies on optimal function in a “normal” situation, which is perceived as one of peace and order. Security, in contrast, is not among the core aspects of organizational architecture. This leads to insufficient resources invested in developing robust and resilient organizations. The grand strategy is a continual attack that erodes both economic power through the simple, endless attrition of money and IP, as well as trust in the ability of government to secure its people, processes, and technology. Being under constant attack without realizing it leads to operations in perpetual crisis mode, to which Western organizations are unaccustomed and in which they are not as effective as they could be.

Four Golden Rules for Captains of Industry

The ever-increasing pace and scope of digitization is inevitable to keep our Western economies competitive. Without it, we will be outperformed in a heartbeat by economies leapfrogging stages of technical and organizational development.

However, if we continue with the digital revolution and increasingly use digital systems for organizing our life, our work, our production sites, and our defense, we will create a massive center of gravity in our IT systems. They are the hubs of societal coordination; they are the command & control systems of the 21st century. They will therefore increasingly be under attack.

Looking from an economic standpoint on the potential consequences of asynchronous warfare for the long-term productivity and prosperity of economies, it is probably fair to say that a further descent into Phase II gray zone conflicts cannot be in the interest of most. Western societies that rely on a stable, orderly, and secure economic and political environment are heading towards more uncertainty in their long-term interests. To address this, the following four “golden rules” might serve as food for thought.

1) Wake Up to the Situation

It is necessary to accept the fact that the economy has become a de-facto combatant in the ongoing conflict, and the conflict is on a global cyberwarfare scale. Corporations are used as pawns in the game to damage the population’s trust in the ability of the government to uphold order and guarantee societal function. Therefore, expenses for IT security in corporations are directly beneficial to the protection of your assets.

2) It’s All Just a Little Bit of History Repeating Itself

The Cold War was eventually won by a more or less stable societal consensus to infuse a substantial percentage of GDP into the development of new weapons systems at a pace the Soviet Union could not keep up with. This current conflict will also eventually be won by the side capable of introducing more sophisticated cybersecurity technology at a quicker pace – either on the offensive or defensive side of the equation.

3) Make Cyber Compliance Compulsory

IT security is costly, it is complicated, and it demands continuous action. These are just three reasons why even large corporations can be inclined to bypass the topic now and then. The situation is even worse when it comes to the supply chain, oftentimes spanning dozens of typically smaller companies on several continents. As an investor, however, you have a great interest that your investment is secure and that the corporations comply with the highest standards of IT security. It is therefore on you to demand (and price-in) systematic efforts to keep up to date. When considering new acquisitions, do your homework and conduct a thorough cyber due diligence of your acquisition’s supply chain and security capabilities.

4) Push For Ever More Sophisticated Defenses

Improving the sophistication and capabilities of IT systems and security capabilities is the best shot at getting ahead of the cyber warfare problem. Sophisticated defenses will eventually deny success to the rather large community of single hackers and non-state groups with limited resources, which is a great deterrence. If someone repeatedly fails in hacking a system, he will eventually stop trying. This, in addition, will reduce the number of potential attackers markedly and make attribution easier. The more sophisticated the attack, the more likely it will also be to find identifying patterns. As soon as attacks can be attributed to a relatively high degree of certainty, credible retaliation regimes can be established. Therefore, make it a principle to constantly push for better and more sophisticated solutions. Constantly raising the bar of security and IT sophistication eventually can drain the swamp.

Download the entire Asynchronous Warfare white paper, which includes all 4 parts of this blog post series.

What’s Next: Please watch for our upcoming blog post on Effective Response to Asymmetric Warfare, which goes into more detail on the Four Golden Rules described above.

Dr. Bjoern Dennis Prange

Dr. Bjoern Dennis Prange

In his role as Research Fellow and Analyst at various think tanks he has briefed many senior members of staff on Capitol Hill on transatlantic political affairs, security policy, applied research desiderates on questions of strategic vulnerabilities in the cyber realm, conducting international corporate investigations, He is the Deputy District Chair for the Foreign and Defense Policy, Munich Working Group, and a member of the German Council on Foreign Relations (DGAP), German Atlantic Society (DAG), and the Clausewitz Network for Strategic Studies. Dr. Prange completed his thesis “The War of Organizations – An Exploration of the Influence of Organization on the Success of Armed Forces in Hybrid Warfare.”The thesis provides a framework for methodically analyzing strategic security threats for large organizations that are faced with decentralized, highly adaptable aggressors.
Dr. Bjoern Dennis Prange
Andy Norton

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
Andy Norton