Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Data Squid |
| Rubber-Hose Cryptanalysis »
October 27, 2008
Barack Obama Discusses Security Trade-Offs
I generally avoid commenting on election politics -- that's not what this blog is about -- but this comment by Barack Obama is worth discussing:
[Q] I have been collecting accounts of your meeting with David Petraeus in Baghdad. And you had [inaudible] after he had made a really strong pitch [inaudible] for maximum flexibility. A lot of politicians at that moment would have said [inaudible] but from what I hear, you pushed back.
[BO] I did. I remember the conversation, pretty precisely. He made the case for maximum flexibility and I said you know what if I were in your shoes I would be making the exact same argument because your job right now is to succeed in Iraq on as favorable terms as we can get. My job as a potential commander in chief is to view your counsel and your interests through the prism of our overall national security which includes what is happening in Afghanistan, which includes the costs to our image in the middle east, to the continued occupation, which includes the financial costs of our occupation, which includes what it is doing to our military. So I said look, I described in my mind at list an analogous situation where I am sure he has to deal with situations where the commanding officer in [inaudible] says I need more troops here now because I really think I can make progress doing x y and z. That commanding officer is doing his job in Ramadi, but Petraeus's job is to step back and see how does it impact Iraq as a whole. My argument was I have got to do the same thing here. And based on my strong assessment particularly having just come from Afghanistan were going to have to make a different decision. But the point is that hopefully I communicated to the press my complete respect and gratitude to him and Proder who was in the meeting for their outstanding work. Our differences don't necessarily derive from differences in sort of, or my differences with him don't derive from tactical objections to his approach. But rather from a strategic framework that is trying to take into account the challenges to our national security and the fact that we've got finite resources.
I have made this general point again and again -- about airline security, about terrorism, about a lot of things -- that the person in charge of the security system can't be the person who decides what resources to devote to that security system. The analogy I like to use is a company: the VP of marketing wants all the money for marketing, the VP of engineering wants all the money for engineering, and so on; and the CEO has to balance all of those needs and do what's right for the company. So of course the TSA wants to spend all this money on new airplane security systems; that's their job. Someone above the TSA has to balance the risks to airlines with the other risks our country faces and allocate budget accordingly. Security is a trade-off, and that trade-off has to be made by someone with responsibility over all aspects of that trade-off.
I don't think I've ever heard a politician make this point so explicitly.
EDITED TO ADD (10/27): This is a security blog, not a political blog. As such, I have deleted all political comments below -- on both sides.. You are welcome to discuss this notion of security trade-offs and the appropriate level to make them, but not the election or the candidates.
Posted on October 27, 2008 at 6:31 AM
• 60 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
And these comments, which have nothing at all to do with the post Bruce made (ie. security, in all venues, is a trade-off), are probably why he avoids posts even remotely connected to current politics: even the mere mention of everyone's favorite/most-despised politician gets their hackles up, and they feel like they need to get the first shot in or defend their honor.
Accusing Bruce of failing to "cover" whatever story de jour you've been wishing the mainstream media would cover is disingenuous at best. This is a blog, not a media outlet, and I'm disturbed that some people can't tell the difference.
Political or not, it seems his name is “Barack Obama”, not “Barak Obama” -- you may want to correct that. :-)
Everyone who works for someone else is accountable for their job and has limits imposed on them. Just because you make the request to the President or Congress doesn't mean you should get everything you ask for.
A few years ago, there was a situation of military personnel not having body armor and armored vehicles. Everyone believes this was a travesty. I know everyone would want everyone to have those things. But I imagine there was a fair limited-resource argument to the contrary.
I'm fond of using sports metaphors for this kind of discussion, and one of the things our leaders seem to be fuzzy on is the balance of offense/defense. It's not enough to have a strong offense; you need defense, you need your 'special teams,' and -- above all -- you need to be able to adapt to those situations where you don't have the ball.
Obama's statement is very promising.
I also ask for a correction to the man's name.
There's one name correction left -- you only corrected the title. (Also, the URL is still wrong, but I guess fixing that would break links.)
I'm not sure the 'body armor' question was purely a resources issue. There are the additional factors of wanting to prosecute action against Saddam ASAP, and balancing armor vs. mobility/flexibility. (That is, yes, you could completely protect a soldier's throat at the expense of the soldier being able to turn their head.)
Perhaps one of the lessons about 'all security involves trade-offs' is being honest about your security objectives.
My brother was a peace keeper for the UN. He is just a grunt. They often opted out from the body amour provided because of weight etc. Also there are a *lot* of situations where your dead anyway, so the lack of mobility was seen as a major issue.
It's probably the first time you've heard it said so clearly because it's dangerous for politicians to speak so clearly. And he's only giving half the story... he's talking about the security trade-offs the general is making filtering up to become part of the security trade-offs he'd make as commander in chief. That, in turn, is a subset of the trade-offs he'd have to make as president. National security forms part of the trade-off a president makes for his job security. And it's not always clear that the two are positively correlated.
Whomever gets elected, they'd better ask Bruce to be a cabinet member (or at least a security advisor). We all need a voice of reason and objectivity at a high level to begin to undo some of the silliness and stupidity that has been done in the past seven years. On November 5th I'll begin writing the winner asking for them to, "Ask for Bruce" (everyone else please do likewise). And Bruce, if the winner asks you, PLEASE ACCEPT!!!
Attempting to correlate this with my business experience, without trying to make it "political" :
My CEO knows very little about computer systems. My CIO knows just a little about computer systems. (I know that's hard for some to understand, but it's fairly typical.) It's almost the opposite for those in the trenches. Most of my cohorts could develop a new compiler in a weekend, but haven't taken the time to learn to read financial reports.
The CEO and CIO are not always aware that they are even making trade-offs, because those lower in the organization don't know how to communicate the issues in terms their leaders understand.
And what happens if the people above the security people act irresponsibly? Case in point: the bankruptcy of Bear Stearns, Lehman Brothers, Indy Mac, and the nationalization of Fannie Mae, Freddie Mac, and AIG. What is worth guarding inside the banks when they have no money in the vaults? That's not even taking into account the intangibles such as loss of consumer and investor confidence. How is the government any better if it's broke as well and borrowing from the Chinese who may be a potential adversary in the near future? If there's no nation to defend because there's no economy, there's no need for national security or the trade-offs that go with it. My point is an extreme one, but we have just seen something extraordinary happen. Multinational financial institutions and one country destroyed financially due to poor, if not criminal, management, and lack of government oversight.
Shouldn't DHS be the agency deciding how best to use resources to protect the 'homeland'? The should be looking to find the best mix of money to help mitigate not just risks to the air transport systems but also trains and automobiles. And how much to spend on cargo entering the US and everything else.
DHS parallel -- Teresa Chambers:
Our former Durham (NC) police chief, Teresa Chambers left to become the Chief of the US Park Police. She realized that she was understaffed to discharge the duties of protecting national parks and monuments. When she didn't get a funds increase, she sought help with congress and (through a news interview) in the general public. Those actions got her fired, for which she is still seeking redress.
Her job view was the protection of parks and monuments. Her bosses had to protect a lot more things and a limited budget. So her bosses' positions would be analogous to the future president's and her decisions would be analogous to Gen. Petraeus.
>the person in charge of the security
>system can't be the person who
>decides what resources to devote to
>that security system.
On the other hand, the person in charge KNOWS what is required. In engineering (and elsewhere, I imagine), it is a best practice that the person who is going to perform a task is also the one who is allowed to make the effort estimation for it. A manager or customer can say "yes" or "no" to that estimate, but they can't argue with it, or mandate that "it may cost no more than X".
Encountering a decision maker who determined both what we will do AND how much resources we can spend is a nightmare scenario.
In this case, if Petraeus says he needs X more men to finish the mission, the CIC should only have two choices: Either give Petraeus X more men, or cancel the mission. Declaring he has to finish the mission AND do with Y (
I don't know if that was the point BO was making, but that's how I see it.
Look if the Boss Of The War, says we need this or that to win and his Boss says, "I understand, but you can't have 'this or that,' then game over. the Boss Of The War, then has to go out and do his best to win with what he has. No different than any major Corporation, except we're not talking about a Corporation, we're talking about a Nation and National Resources more important than working capital. We're talking about our fellow Amercians who are in harm's way.
True, it is ultimately the Boss Of The Nation's decision. I just hope that, whoever gets the job, they don't forget those folks over there... in both war zones. Either help them win or bring them home.
"This is a security blog, not a political blog. As such, I have deleted all political comments below -- on both sides."
And this is why I read your blog...
@ John Moore,
"Multinational financial institutions and one country destroyed financially due to poor, if not criminal, management, and lack of government oversight."
Ah not sure which of the failed countries you are refering to but last time I looked it was four going cap in hand to the IMF.
Which of course raises the question where does the IMF get it's money from to bail out failing countries...
The real problem was lack of oversite on new and rapidly developing financial instruments and venture capital etc taking 30-50% of the top in liquid assets.
Everybody has this kind of assumption that their insurance is going to bail them out...
Seriously if you look around you what has actually changed, your house is (physicaly) the same as is your neighbours. All the fixed assets that where there a year ago are still there and importantly the cost of raw comodities is actually falling.
It is mainly a lack of confidence by the big money organisations pulling back investments from other curencies and causing them to devalue, which causes more pull back untill the curancy colapses.
Should there have been more oversite on new financial instruments (such as hedge funds)? yes, will we get it? I hope so? Will it do any good? Not to our current situation the horse has left not just the stable but the paddock as well (and has been taken in by the nacker man).
Hopefully confidence will build again and after a period of equalisation real industry (ie manufacturing construction etc) will start the road to recovery.
As for the Politicos of whatever flavour, the should remember the closer security is to home the less it costs (and not just in short supply lines and decreased perimiter, empire building always costs more than it makes in the short term)...
Oh and maybe a few bean counters might wake up and realise that off shore outsourcing costs considerably more than it saves. That is those that end up on welfare etc where once their companies customers, who provided the companies income whilst also keeping the economy boyant...
It does not have to be only charity that starts at home, a little bit of common sense might do a lot more good.
> your job right now is to succeed in Iraq
I also notice that Obama used the word "succeed" rather than "win." That's an important distinction, and it highlights the importance of setting appropriate strategic direction.
What we're doing right now in Iraq is an 'occupation,' and occupations aren't won, they're simply concluded. We don't have a State enemy in Iraq - the Iraqi government is supposedly aligned with the U.S. - so there cannot be "victory," we cannot "win." But we can "succeed."
Likewise in Afghanistan, we have to set appropriate goals. Do we seek to permanently remove the Taliban as a political entity? Do we seek to eradicate opium production? I'd say both of these goals are impossible. Therefore before going IN to Afghanistan we have to set APPROPRIATE goals.
If we eradicate opium production, we will impoverish Afghanistan. We would need to provide an equally profitable alternative product for the Afghan farmers to produce (good luck).
Attempting to 'eradicate' the Taliban would simply drive them into the mountains again. History suggests it might make more sense to set the goal to bring the Taliban INTO the government in some manner that controls and ameliorates their most radical elements.
We can't achieve our goals if we don't know what they are, or if the goals are impossible or are counterproductive to our overall national interest.
Good. Now let's get working on getting the term "Security Theatre" into politicians' lexicons.
I'm surprised that Bruce is surprised.
Any father or mother or head of a family knows about making trade-offs. And children understand that they don't get all they want.
You don't have to look at the military or government to learn what you can learn just looking at a family. Surprised?
"We can't achieve our goals if we don't know what they are, or if the goals are impossible or are counterproductive to our overall national interest."
I disagree, we've been achieving plenty of goals that are counterproductive to our overall national interest for decades now.
I'm not sure whether this is a "political" comment.... I think this comment is about security tradeoffs in a political realm.
Most readers here have heard of Gene Spafford. If they haven't, they're probably reading the wrong blog or something.
Last July, at the CERIAS blog, Professor Spafford wrote about the summit session on security challenges for the 21st century that one of the candidates held at Purdue University.
Professor Spafford "found it rather ironic that security would be given as the reason for being at Purdue, and yet those of us most involved with those security centers had not been told about the summit or given invitations. It appears that the organizers gave a small number of tickets to the university, and those were distributed to administrators rather than faculty and students working in the topic areas."
Professor's Spafford's post is worth reading:
As is his followup post, where he discusses the lack of followup from the campaign:
Here's the security tradeoff:
Given limited campaign resources, is it better to generate some publicity about security problems, perhaps gaining some support from the wider population and the political class, at the cost of generating a sense among security professionals that it was all just a PR ploy?
Or is it better to not even devote PR resources to security problems?
I rather suspect that if Petraeus is any good at his job (and I suspect even more strongly that he is), then he's not going to present options along the lines of X troops deployed or failure. Rather, he'll probably make requests along the lines of:
we can succeed in N months with X resources, N+a months with X-p resources, etc. to how many resources are needed to hold things at the current level, and how rapidly things would deteriorate if those resources were underprovided to whatever degree.
If X troops are cited as necessary to succeed in Afghanistan, and Y troops necessary in Iraq, then it gets really important to know how many troops are needed to hold the line in one theatre while the other theatre gets sorted out (and its troops freed up for deployment in the first theatre).
As has been said before, Security is not a destination, it is a process. You are constantly balancing and balancing many different variables and trade-offs in security, and you have to realize that the situation is always fluid.
Far too many times I have seen people say "X is now secure", only to find out a day, or a month or a year later that some new technology or trick makes the whole setup as easy to compromise as a wet paper bag.
To have a CIC who realizes that the US will never be "secured", just made more less secure over a time period will be refreshing.
"the CEO has to balance all of those needs and do what's right for the company"
All too often, however, a CEO and CFO plead ignorance of details after security failures. They claim allocation was based on bad data.
This highlights a gap where execs must not only maintain leadership of allocations but also accountability for the failures of their appointees, etc.
An interesting recent commentary on security resource allocation was by Zbigniew Brzezinski in an article called "West Must Avoid Russia’s Mistakes in Afghanistan".
Obviously there is a trade-off, but what exactly would we be trading 25% of our defense spending for, homeland security and more TSA follies? We, the sheeple, know it won't go to tax cuts, so other than leaving us out of the middle east, what would this money buy?
Is this really a security only issue or something more along the lines of micro-managing? I find security (and IT) are usually so exciting and engrossing to people that don't understand it, they insist on making decisions about it when they really should rely on their subordinates. The world is not an issue of CSI or Numb3rs, but that won't stop the higher ups from telling me how to do my job instead of just listening to my arguments and making the overall guiding decisions.
I agree - the peson at the top has to make the ultimate decision as to how to allocate the resources at his/her disposal. At the same time, I think Gen. Petreaus also made a reasonable point - as the next President makes those decisions and allocates resources (based, one would hope, on the relative priorities and importance of the mission), they should explain to the General what (in terms of results) is expected, what resources are available, and what constraints are applicable - and within that framework give Gen. Petreaus (or his successor) the flexibility to operate. Hold him accountable, of course - but micromanaging is NEVER a good idea.
An analogy in civilian life would be that the CEO should not be dictating the specific firewall rules or IPS triggers - that is what the sysadmins/security analyists are paid to do.
Oops - I meant person not peson. My bad.
I have often pondered this issue as well, having worked at various levels of financial institutions handling executive security- and later when I worked as an alarm installer. I often think a guide on practical and affordable security (from the explicit to the abstract and philosophical) would be a handy thing to have, maybe even covering security trade-offs from a historical standpoint. I guess that will be my next novel. Any pointers Bruce? ;)
@kiwano "we can succeed in N months with X resources"
It's not just N (time) and X (resources), it's also for a given definition of "success" that contains elements C, D, E, F, G, etc.
For example, if success means that certain C government functions are being performed at E% effectiveness, that K amount of infrastructure is present (physical and financial), that P% of the population is engaged (as opposed to revolting), and the ongoing improvements in other areas have a Q% chance of being effective by T date, then we can reach that definition of success in N months with X resources (where X is a composite of troops, weapons, civilians, construction, cash, etc.).
As a software developer, I always ask my clients to prioritize their lists of features, and to connect dependencies (can't have Y without X, don't need A until B, etc.). Only then do they get to attach deadlines or resources, which we then negotiate. Because success is never JUST about what you want, when you want it, or the price you're willing to pay. It's almost always about how truly you want it, and what you're willing to trade off in priorities.
The most important part of being a responsible adult is learning how to live and grow with less than what you want. And the most important step to acheiving that is knowing what your true priorities are.
"The analogy I like to use is a company: the VP of marketing wants all the money for marketing..."
How about "MDs want to use an ever-increasing fraction of our GDP for medicine, much of which isn't getting us better outcomes"?
Then there are those on the Board who say we don't need marketing at all, just use word of mouth. Or we don't need engineering any more, the product is done. Or we don't need HR...
After a while it dawns on you; They don't want it to be a going concern, they have a conflict of interest with some other investment. Or they just don't believe in the product. They aren't balancing resources, they are pulling the other way.
@John Moore, who makes a great point:
And what happens if the people above the security people act irresponsibly? Case in point: the bankruptcy of [list] ... What is worth guarding inside the banks when they have no money in the vaults?
Security is not just about the physical layer, is it? Reputation, trust, accountability . . . sounds like both government and industry have a lot of fence mending to do.
Here's an interesting thought. I know Bruce has said that TSA amounts to Security Theater rather than real Security. What if, at a STRATEGIC level somewhere, someone has decided that the theater aspect has value beyond the mission specifically to improve security at airports?
I'm just playing devil's advocate. In the months after 9/11 with people unwilling to trust, to fly, to travel in general, with a populace partially paralyzed by fear, perhaps investing a lot in security theater served a higher purpose of pulling people up out of the fetal position.
Still, that doesn't justify the continued investment in sham security operations.
"So of course the TSA wants to spend all this money on new airplane security systems; that's their job. Someone above the TSA has to balance the risks to airlines with the other risks our country faces and allocate budget accordingly."
One thing to be careful about is how this security principle is used against those who make the decisions behind balancing risk prevention. If a security problem ever occurs, you can almost always pick one or two things that if all of the company's security budget was put behind, that particular attack wouldn't have succeeded.
So when analyzing attacks to make corrections, sometimes the answer isn't just to add new forms of security, but rather to readjust the risk analysis and perhaps shift the priorities (and thus budget) accordingly.
At the risk of being political, this same tatic is used in governmental policies as well. i.e.: My opponent cut funding for X by $Y where X is some fund/project and $Y the amount X asked for (in their limited "I get all the funding" approach) minus how much the person balancing the budget actually granted.
The only reason I mention this, is that this tactic is used all the time by both sides to misrepresent how much their opponent wants to fund (or not fund) different projects (such as war efforts, surveillance, TSA, missile defense, etc.).
I agree with you on that- however the problem with TSA is that the security implementations were knee-jerk reactions to 9/11. The reality is that they could easily go through and adjust the procedures and save money. All that "new" security screening we all go through hasnt changed a bit. Its just the same as it was on 9/12. No one went back through and said "hey maybe we can make this a little more effecient." Instead we just stumbled forward. But yes, somewhere in the chain of command someone has a checks and ballance sheet with TSA on it.
An American soldier's mission is not set in stone. The soldier is charged with that mission via orders from superior authority. That authority can, if needs be, change the mission at any time.
When considering allocation of resources for war, Americans today seem to often assume (1) that the mission is fixed, (2) that the officer in command of the theater "knows better than anyone," and (3) that the civilian government must provide what he wants, or be guilty of some kind of treason. In this "open-loop model", it is as though the officer has command over his superiors.
It is the responsibility of a senior officer to inform his/her superiors as to what resources are needed to carry out a specified mission (feedback). In practice, those superiors may modify or cancel the mission, taking available resources into account, in a "closed-loop feedback model."
If the Commander-in-Chief has a primary duty to protect the security of the U.S., this does not directly dictate any specific military action or policy. For example, if we define
A = U.S. security
B = continuing U.S. military participation in Iraq for the nominal purpose of improving security within that country
then clearly A and B are not identical. Commentators and analysts have a variety of views on the relationship between A and B. The present policy is based on the belief that B is necessary to A. The truth might well be that B is fairly neutral, cumulatively neither benefiting nor harming A; the case can reasonably be made that B is detrimental to A.
Whoever may be the next Commader-in-Chief to General Petraeus, that civilian commander will dictate the mission of the General's forces, and out of practical necessity will be compelled to respect resource limitations.
In the reality of military operations, the defining of missions is, with rare exceptions, balanced against available resources.
You can be a dealer or a user... pick one, you can't be both and expect any sort of success...
Having said that, however, I'd have to say that if a proper risk analysis had been performed to begin with, we would have ended up with one of two scenarios that would have led to a measure of success:
1. A set of defined success criteria and the tools to get us there.
2. A decision not to undertake the action because the costs outweighed the value of the return. In this case, an alternative approach could have been used to mitigate the threat.
It seems to me, that the lack of quality risk-analysis led us to where we are, and it's easy to play Monday-morning QB and make glib statements like "if you had given me the money I would have made sure it got used right" or "we've sunk enough into this money-pit; it's time to get out", but without proper analysis of the risks weighing the options with the current situation in mind, even when you are hip-deep into something someone else started, you are doomed to fail before you've even assumed control of the project.
I have never seen lasting success built on blame; only data, analysis, and decisive action based on clear objectives will lead to success. I certainly hope whoever ends up in charge can display the maturity and leadership to get us there. Frankly, I don't see it. I see a couple of bonehead politicians playing the popularity/blame game. I agree fundamentally with Bruce's opinion of BO's comments, but those comments do little to separate him from his opponent. I have yet to see anything close to a rational, well thought-out, justified plan of action from either of these jokers... something that most of us are required to have when promoting anything from a technology architecture and/or engineering perspective.
Oh, wait... is this about the war in Iraq or a common situation in almost any large corporate IT department with a large budget? :-)
An interesting post that makes a good point. Points for having the cajones not to ignore an interesting point raised by a politician, while keeping the forum from being derailed at the same time. Well played.
The point that there should be some sort of separation between the decision makers and the security implementation is a nice thought in theory but generally unrealistic in practice. In most organizations its simply the people that know security the best that will allocate resources and do the implementation at the same time. By creating this dichotomy between decision makers and implementors is simply encouraging more internal politics that get in the way of security. Realisitcally there are too many political factors that get in the way of this principle. As in most cases its the security implementors that get blamed for the decision makers oversights. The approach should be much more pragmatic and adaptable to the situation and the organization. In many senarios it is better for security overall if the allocators and the implementors are the same. IMHO
This is a vital counterpoint to the trend of specialization and compartmentalization.
This is not only true within IT itself; but also the wider organization.
Companies I deal with struggle to understand the context of the risk management of IT, resulting in them stumbling from one arbitrary expenditure to the next.
The most cohesive piece of the strategy ends up being regulatory compliance.
"If the Commander-in-Chief has a primary duty to protect the security of the U.S., ..."
If I understand correctly the Commander-in-Chief's primary role is to defend the constitution.
This implies that there will be trade-offs where lives will be lost so that the constitution is protected (such as letting bad-guys walk on legal technicalities).
People seem to have forgotten this, shredding the constitution willingly for (the illusion of) safety.
I would like Bruce as top security person. Bruce, would you like the job? I am not in any position to offer it, but if offered, would you refuse? And do you think you could do a good job? And if not top, where do you think you could contribute best?
@Sean: I wonder if this week's XKCD will culminate in the revelation that BHG is in fact Bruce. It makes sense.
I see another poster already made this point, but to add to the list: most military theorists flatly disagree with this point of view.
For example, according to Sun Tzu:
Now there are three ways in which a ruler can bring misfortune upon his army:
When ignorant that the army should not advance, to order an advance or ignorant that it should not retire, to order a retirement. This is described as 'hobbling the army.'
When ignorant of military affairs, to participate in their administration. This causes the officers to be perplexed.
When ignorant of command problems to share the exercise of responsibilities. This engenders doubts in the minds of the officers.
What should happen is that the ruler devises policy; the general devises the least costly operation that can achieve that policy, and reckons the cost of the operation as accurately as possible before beginning; the ruler approves (or abandons) the enterprise; and then the ruler gives the general the resources he asked for, buts out and lets the general run the campaign.
Yes, it is true that this relies on generals making accurate assessments of the cost of the campaign. It is frequently emphasised that this is a critical skill for generals and their staffs to have ("amateurs talk tactics, professionals talk logistics".) But in any case, even if the general is wrong -- who is in a better position to make that assessment?
It is true that the ruler has responsibility both for setting over-arching policy and for sharing resources between all aspects of the nation (or enterprise.) But in war, that responsibility MUST occur before the decision to act. If (when) circumstances change and it transpires that you cannot adequately fund all of your campaigns, then you must **abandon** the less attainable or valuable campaigns, not interfere with the running of individual campaigns.
Just because you can only afford to fund 2/3 of the estimated cost of your campaigns, does *NOT* mean that any campaign should be given only 2/3 of its requested budget; in war this alternative is very likely to result in "defeat in detail", and in the long run will prove far more costly than abandoning lesser goals. Rather you should abandon those goals and concentrate effort in the places where you can win. A pretty strong case can be made that this is a major factor in how the current situation in Iraq arose in the first place.
All of the above is pretty conventional wisdom with regard to war. While many commentators try to apply the principles of war to security (or even to business in general), I am really not sure whether this carries over to corporate security too. The common factor between the principles of war and those of security is, of course, that both deal with sentient, actively malicious opponents. A major difference though is that the state of war generally implies that one or both parties have concluded that their objectives can best be met by doing the other as much harm as possible, at least until he is unable to forcefully respond; hence the risk of defeat in detail. In security, the opponent's objectives are generally far more limited. For example, a burglar trying to steal your petty cash tin probably does not care that he could cost you far more money, at less risk to himself, by spreading a rumour that your product is offensive to a racial minority.
However, it is probably the case that funding of security is somewhat different in principle to funding other divisions of the corporation. If the VP of Marketing announces that due to price hikes, marketing either needs a 14% budget increase, or else will have to stop advertising one day per week, then a refusal may well hurt the company, but it is unlikely to bankrupt you (at least, not in the short term.) Whereas if VP of security says that due to wage increases, security either needs a 14% budget increase, or else one day a week you have to go without store-walkers; boy, you're going to lose a lot of stock on that one day.
>Americans today seem to often assume (1) that the mission is fixed,
Because it is true. The first principle of war: selection and maintenance of the aim.
True, you may sometimes get involved in a conflict and then realise that your chosen mission is completely wrong and needs to be changed; then obviously you have to change it. However, to get into such a state in the first place is a blunder of the highest order, a disaster from which you can only recover -- at tremendous cost -- if overwhelmingly superior to the enemy. Even then it may not be enough; a strong case can be made, and has been made, that this is why America lost the Vietnam War.
> (2) that the officer in command of the theater "knows better than anyone," and
Because it should be true. If it is not true, then once again, you have made a severe blunder. In this case, it isn't quite as fatal as incorrect selection of the mission; compared to changing the mission, it is relatively easy to replace an inept general. At the end of which process, it should be approximately true that 'the officer in command of the theater "knows better than anyone,"'
>(3) that the civilian government must provide what he wants, or be guilty of some kind of treason. In this "open-loop model", it is as though the officer has command over his superiors.
No, wrong. The civil government is in control, because they set the policy. Having decided upon the policy (to set the people on the costly and dreadful path of war), then failing to give the people the best chance of victory, whether by starving the war effort of required resources,or amateur meddling in tactical detail, is monstrous. To choose war at all, that is a choice of dreadful moment; but having chosen it, or been forced to that exigency, to then *play* at it -- that is vile, vile, vile.
The last war that I can think of where one side (Iran) consistently tried the same tactics again and again was Iran vs Iraq, with half a million dead.
Sick one day and I miss all the hubbub. While I agree with Bruce's deletion of the political commentary, I'd like a tarball of it so that I can see what (if any) the regular visitors contributed :)
For those people asking Bruce if he would accept a government job, you may have missed this:
No offense, Bruce, but if it came down to you vs Felten for CTO of the U.S., I'm going with the elections expert :)
As Greenspan just said, the CEO just "has to" look after his own interests. That was his "little" mistake about Randian philosophy.
Decisions have to be made by multiple parties with conflicting interests.
Your point pretty much depends upon the generals (yes, there are more than one) being in complete agreement about the costs of the operations.
As can be seen in the run up to the Iraq invasion, they were not.
The ones who disagreed were dismissed. Politics.
> The last war that I can think of where one side (Iran) consistently tried the same tactics again and again was Iran vs Iraq, with half a million dead.
I'm not sure why you addressed this remark to me; I do not disagree that tactics should evolve constantly.
This is a completely different thing to altering the mission.
> Your point pretty much depends upon the generals (yes, there are more than one) being in complete agreement about the costs of the operations
I refer you to the sixth principle of war: unity of command.
> As can be seen in the run up to the Iraq invasion, they were not.
At the risk of starting a political argument, I believe this to be at best an exaggeration. The generals differed greatly from administration officials, but (at least within the army, who are the "subject matter experts" on this) largely agreed among themselves: that occupation would be much more costly than invasion, and even more costly if it wasn't done right. It is not surprising that there should be widespread concurrence on this, because there are traditional formulae to help estimate these sorts of things, and occupation is one area where technology has had negligible impact.
Most famously, the man on the spot at the time, Chief of Staff of the US Army General Shinseki made estimates which have proved to be pretty accurate.
Even if there had, in fact, been deep divisions among army leadership about the cost of occupation, that doesn't mean that the correct response is to get a politician to come up with a figure. That's just crazy; it's as though two doctors can't agree on whether you require major surgery, so you decide to ask a lawyer instead.
> The ones who disagreed were dismissed. Politics.
Which is just the error we were just discussing.
The flip side of this "tradeoffs" discussion is the "professionalism" discussion:
As noted above, there's a lot of situations where the subordinate understands the costs and trade-offs on his level, but his boss doesn't -- but the boss is dealing with trade-offs on a different level. In such a case, the basic rule is, if the boss doesn't like what a professional subordinate is telling him, his options come down to (1) believe the subordinate and adjust his own plans accordingly, (2) or fire the subordinate, and take responsibility for both the firing, and the choice of replacement.
Unfortunately, ShrubCo instead picked (3) treat their professional subordinates as disposable flunkies. At that point, disaster was already inevitable.
PS: If the same person is doing tradeoffs and allocation (as discussed above), than what you have is an executive professional, who normally still has to report to somebody, but has wide latitude for performance of their duties.
"I refer you to the sixth principle of war: unity of command."
That's great. It ignores just about every aspect of human nature, but it's still great.
It fails every single real world test, but it's still great.
I'm sure that Bruce will be happy to know that he can retire now that "security" is solved by having someone sign a piece of paper saying that they won't do anything wrong.
"Which is just the error we were just discussing."
Maybe you were. But I was pointing out that the THEORY that you are advocating fails the "Real World" test. The person you CLAIM has the best knowledge of the situation can (and does) act in a manner to further his own agenda.
Whether that agenda matches "national security" or "winning" or whatever cannot be assumed. Because too often it can be shown that it does not.
One of my fondest daydreams involves President Obama offering Bruce Schneier the position of director of homeland security -- and Bruce accepting. It would be SO GREAT to have knowledgeable and sane leadership in this area!
I hope this view gets down to the layer of our government just above the "professional public servants." Two often, and especially in an agency I deal with, the political layer (played by Obama in the story above) tells the implementation layer (played by Petraeus in the story above) that they "must reduce risk to zero." They don't leave room for, let alone understand the need for, trade-offs. We need Obama's level of understanding these trade-offs to reach all the way down.
Dear Mr. Schneier, as this and other writings show, you have a keen grasp of the largest and most critical security issues. I hope you would consider an appointment such as CTO in the new administration. I am urging the president-elect to contact you regarding this matter.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.