How Do We Succeed in the Cyber Security Battle? – EPISODE II (Modified Weinberger-Powell Doctrine)

EPISODE II – Modified Weinberger-Powell Doctrine

20 MAY 2016

Reading Note: Given the ultimate length of this Episode, I have shattered all Star Wars canon and split this piece into Episode II and Episode II.5 (available next week).

For those familiar with the Weinberger-Powell Doctrine (“WPD”), a first thought that may cross the mind is: “will application of this doctrine be used to determine whether to launch an offensive cyber capability?”  This thought is sound, but this is not how I intend to apply the WPD to cyber security.  The below explains why.

A Brief History

Before proceeding further (and for those unfamiliar with the application of the WPD), here is a very brief history.

Commentary Note: Please note that I will not be discussing the validity, support, or opposition of the doctrine in any context.  I am only bringing up the history of the WPD so the reader understands the path on how I came to apply a Modified WPD to cyber security.

When Caspar Weinberger was serving as Secretary of Defense under President Reagan, the United States wanted to ensure it did not entangle itself in quagmires, avoiding the experiences of the Vietnam War.  The Weinberger Doctrine stated that:

  1. The United States should not commit forces to combat unless the vital national interests of the United States or its allies are involved.
  2. U.S. troops should only be committed wholeheartedly and with the clear intention of winning. Otherwise, troops should not be committed.
  3. U.S. combat troops should be committed only with clearly defined political and military objectives and with the capacity to accomplish those objectives.
  4. The relationship between the objectives and the size and composition of the forces committed should be continually reassessed and adjusted if necessary.
  5. U.S. troops should not be committed to battle without a “reasonable assurance” of the support of U.S. public opinion and Congress.
  6. The commitment of U.S. troops should be considered only as a last resort.

How these questions were answered determined whether or not to commit troops.

Not too long after, in the lead up to the 1991 Gulf Golf War, General Colin Powell, while serving as Chairman of the Joint Chiefs of Staff, further modified his old boss’ doctrine into the following questions:

  1. Is a vital national security interest threatened?
  2. Do we have a clear attainable objective?
  3. Have the risks and costs been fully and frankly analyzed?
  4. Have all other non-violent policy means been fully exhausted?
  5. Is there a plausible exit strategy to avoid endless entanglement?
  6. Have the consequences of our action been fully considered?
  7. Is the action supported by the American people?
  8. Do we have genuine broad international support?

The logic behind the doctrine stated that all questions must be answered in the affirmative before the United States would commit to military action.

As indicated in Episode I, you can find more on the WPD here.

Why Modify the Weinberger-Powell Doctrine?

How I came to decide to use the WPD for cyber security began when I started to realize we may actually be in a quagmire right now, a type of “cyber quagmire” per se.  In a later Episode, I examine how the cyber/information infrastructure we created is in virtual opposition to the nation-state model we have been accustomed to for nearly 350 years.  This conflict between the two systems, I believe is, in large part, why we are having such difficulty in the cyber domain.

When I began to loosely apply the WPD to cyber security issues (because I have not seen the doctrine used much – if at all – in relation to cyber security), I began to realize that with some modification, the WPD could actually be a very effective tool; but not necessarily to decide whether or not to launch an offensive cyber capability.

Rather, I found that a Modified WPD could be used to evaluate your own cyber security solution, both at the personal and enterprise level.

With some changes, the Modified WPD works like this, in two-parts:

  1. If the first question is answered in the affirmative, you/your organization requires some type of cyber security solution; and
  2. If any of the following seven questions are not answered in the affirmative, a part (or parts) of your cyber security solution is/are deficient.

Essentially, the Modified WPD acts as a type of gap analysis to see where your strengths and weaknesses are in your cyber security solution, especially at the strategic level (an area often overlooked).

Modified Weinberger-Powell Doctrine

  1. Is a vital personal/organizational interest threatened?
  2. Do I/we have a clear attainable objective?
  3. Have the risks and costs been fully and frankly analyzed?
  4. Have all other non-technical means been fully exhausted?
  5. Is there a plausible strategy that avoids excessive cost?
  6. Have the consequences of our action been fully considered?
  7. Is this an action I/my organization will support?
  8. Will I be able to gain the support/assistance of those I rely on?

Effectiveness of the Modified Weinberger-Powell Doctrine

Like in all gap analyses, their strength rests on how well they are conducted (and who conducts them).  I will declare my bias by stating that these questions need to be answered from an interdisciplinary perspective and through a strategic lens.  When answering these questions, the wrong perspective, and the wrong people, could easily (or further) lead you and your organization into a cyber quagmire.

In Episode II.5, I will go through questions 2-8 and demonstrate that these questions are actually quite difficult to answer, but before I sign off for this week…

TEASER

Question 1: Is a vital personal/organizational interest threatened?

SPOILER ALERT!  Unless you are living in some dark depth of the world, still hunt for/grow your food, and operate strictly on a barter system with a clan of people who have no other known connections to the rest of the world we know, I would suggest to you that you do have a personal or organizational interest threatened.

Therefore, since this question will almost certainly be answered in the affirmative (and in the interests of brevity now well past) you/your organization will require some type of cyber security solution.

See you next week in Episode II.5!

PS – To all Canadians, Happy Victoria Day! Stay safe this long weekend!

Special thanks to all those that have been helping to spread the word of this serial!