C-Level Security: When your team uses military analogies, are they using the wrong narrative?
For years, I have bristled when people would use medieval military descriptions in an attempt to convey concepts within the network security business. Bastions, firewalls, moats, drawbridges, countermeasures; all of these descriptions give way to a more accurate and detailed explanation of what was really taking place.
Well no, it's not really a wall holding back network fire. It's more like a, uh…uh…a filter?
Could we not have started with a more accurate explanation in the first place? How did we get here?
While working in a lab outside of Boston in the late 1980s, I happened to overhear a conversation our administrator was having with someone on the phone. The person calling was interested in finding an engineer that knew about the ARPANet. Being the only one there at the time, our admin looked at me and asked if I would like to talk to a "Colonel Campbell" about the ARPANet. Would I? Yes, I would!! As Woody Allen said, '80% of success is showing up'. What he failed to mention was where you need to show up. On that day, it was the administration office.
I took the call and had a great chat. He was a former Colonel (Army Intel, retired) and ran a small consulting office in DC. He provided security assessments for government contractors doing business with government agencies and had a certain level of compartmentalized access. Think top secret. He explained he needed a 'contractor' from the lab where I was working to assist him. However, he could not tell me what it was about until after I was 'under contract'. We proceeded to get the paperwork on both sides complete, and I was briefed into the program.
Turns out this small consulting company had a very lucrative business in verifying that companies engaging with government entities were actually complying with the security agreements that were executed. This consulting company needed to verify the security of a UUCP** connection to the ARPANet for a large New York City bank.
In meetings prior to the engagement, we discussed what they normally delivered as their work product, the construct of the engagement, the activities, the presentation, etc. The conversation veered towards the gatekeeping activity of electronic networks. Though the packet concept on which the internet is based was innovative at the time, electronic networks were not new. Every computer manufacturer had a networking product that allowed machines to communicate, though most did so in a rudimentary manner. So my new military-trained friends were aware of networks, and were interested in learning more about the UUCP connection to the ARPANet.
The discussion then drifted to characterizing network security. Being military guys, they started to frame the discussion in terms they were comfortable with: descriptions of the tactics and strategies used in the military. Though there were some parallels, I found the discussion then, and still find it now, to be a bit hollow. At the core of this thought is that the packets we battle with, unlike the forces of traditional warfare, have no mass and no inertia. They are the definition of ethereal. Is there a better narrative?
Today, just today, there is a new cybersecurity startup that is completely formed in the military mold. Perhaps this is the correct and surviving model? Too early to tell, however, I believe that there can be a more accurate narrative when engineers are engaged with the C-level. In this posting, I would like to explore with you the development of a more accurate narrative, one that might better describe and hence communicate the world we live in when trying to manage and mitigate cyber engagements.
To start this discussion: is 'firewall' still the best term for the security devices installed at your private network's edge? Is a bigger, more expensive firewall a better door, analogous to a vault's door being more secure than a screen door? Are IDS/IPS systems not low-performing discriminators? Perhaps the lexicon might be more accurate if signaling terminology were used? Perhaps describing these events in a semaphore paradigm would be more accurate?
Please post your thoughts as replies, and thank you very much for all of the terrific responses to my last C-Level posting.
**For those that are not familiar with the migration of services that eventually formed the Internet, the Unix-to-Unix Copy Protocol (UUCP) was used to transfer email and news services in the early days of what emerged as the Internet.