The Militarization Of Information Security

Does something like this sound familiar? "We need to find, fix, finish, exploit, analyze, & disseminate this intrusion set along the kill chain via force multipliers so we can observe, orient, decide, and act according to tactical, operational, and strategic priority intelligence requirements." I bet that part of it does. 

These days it seems that we cannot escape military concepts making their way into information security strategy. Firms are attempting to implement the kill chain, and vendor marketing headlines these concepts. I've contributed to it as well. See: "Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces."

I think that it is important to keep in mind that we aren't the military and don't have the resources of the military. While military concepts can be useful, buzzwords won't secure your environment; you could become distracted and utilize your limited resources in the wrong manner. As I was sorting out my Black Hat calendar tonight, I fortuitously saw a talk that is very applicable to this topic: "The Library of Sparta," with David Raymond, Greg Conti, and Tom Cross. Here is part of their abstract: 

"Many people in the computer security community use words like "OPSEC," "Kill Chain," and "intelligence-driven" without fully understanding the underlying concepts. Even worse, many show their ignorance by using military jargon incorrectly, thereby alienating clients, customers, and colleagues. These concepts are powerful and should not be ignored, but they must be well understood before they can be leveraged in your network."

I couldn't agree with these statements more and I look forward to listening to their talk. If you attend the session, look for me; I will be securing the perimeter in MOPP Level 4 (joke for military and fellow veterans).



Milthink > compliance think

I was pondering that very question a while ago (e.g. see here) and came to realize that while there are risks in over-militarizing infosec, milthink is better than the compliance think that many still hold on to.

That might be an interesting

That might be an interesting debate for an infosec conference. We have the advantage of 20/20 hindsight on compliance, but we don't have that for milthink in the private sector. Milthink has its problems too.

Interesting indeed

>that might be an interesting debate for an infosec conference

Very much so -- maybe we can submit a panel for something upcoming [maybe even RSA 2015?]

I suspect the whole "think about adversary / threat this or that" has no equivalent in compliance thinking which tends to be "assets and vulns" only.