At the recent BlackHat 2006 in Las Vegas, I attended a panel discussion regarding Col. John R. Boyd's OODA "loop". The conference program billed it as "Meet the Feds: OODA Loop and the Science of Security", with panelists from the US Postal Service, FBI, DOD, GAO, CIA, SRA and various other federal agencies. The objective of the panel was to discuss
... the government's efforts to try to get inside the cyber adversaries' OODA Loop and survive another type of potential cyber lethal engagement.
The understanding of Col. Boyd's work varied: one panelist admitted to having become familiar with the OODA loop only a few days prior, another understood it and had applied it in their organization, but no one seemed to possess both an understanding of the OODA loop and a deep understanding of IT security. Worse, they were giving IT examples of its application that were wrong! I kept thinking to myself during the session that if Col. Boyd were here to see his work misrepresented, he would have been in a rage.
I am sure these panelists were well qualified for their roles in their organizations, but they either did not know the OODA "loop" concept or they had no operational knowledge of the dynamics of IT security. With the utmost respect for these panelists and the organizers of BlackHat, I will clarify the OODA loop and offer my opinion on how it applies to IT security. My aim here is not to poke anyone in the eye but to raise your interest enough to explore the amazing work of Col. John Boyd.
Col. Boyd developed a series of briefings, the central theme of which was a time-based theory of conflict. He delivered an hour-long briefing called "Patterns of Conflict" and, years later as a civilian, a two-day briefing entitled "A Discourse on Winning and Losing". In this work, Boyd leaves us with the Observe-Orient-Decide-Act cycle: the OODA "loop".
The OODA loop is often portrayed as a simple sequence of Observation, Orientation, Decision, and Action. The emphasis is always placed on speed, and while speed is an important factor, that understanding alone is not enough to win against someone who truly understands Col. Boyd's concept. The panelists went as far as crediting Col. Boyd and explaining the acronym but, in my opinion, failed to communicate its true power and beauty. The audience would have been better served by just going to Google and doing the research.
First of all, the OODA loop is not a loop at all; it is a concept that contains many possible loops. As shown in Diagram 1, multiple arrows connect the O.O.D.A. sections, with a detailed breakdown of Orientation. The first two components of the loop -- Observation and Orientation -- supply the necessary intelligence; the last two components -- Decision and Action -- deliver the operations.
Diagram 1
In summary, the two most important factors missed in this panel discussion were the multiple loops of OODA and a detailed discussion of the Orientation phase. The opponent who is well oriented is able to compress time by cutting through with 'Implicit Guidance & Control', which allows them to get 'inside' the opponent's OODA cycles and dominate the conflict. The power of the OODA loop is difficult to explain; Col. Boyd's briefing was said to contain 185 slides. Nevertheless, the one who takes the time to truly understand its power will be able to dominate the competition.
The panelists shared with the audience how OODA applies to government efforts but did not attempt to answer how OODA might apply to the private sector. Let me first point out that the biggest difference between the public and the private sector is that the latter will favor 'business continuity' over 'catching crooks'. It is much more important for the Fortune 500 to keep the business flowing than it is to build up an offensive that is able to act upon the adversary. This will be an important factor in the discussion below.
In Diagram 2, let's make the blue team the good guys and the red team the bad guys in this conflict.
Red acquires, through Observation, critical information about Blue. Red orients itself by considering all of its observations in context. Red now has the intelligence needed for operations. Red makes a decision and takes action upon Blue. If Red is turning this loop faster and leverages some of the smaller loops described in Diagram 1, Blue is left reactive in its observation and disoriented, making its decisions and actions less and less accurate and effective.
Diagram 2

The Blue team acts upon the Red team, and here is where we start to run into problems when this is applied to the IT security strategy of most, if not all, private sector organizations. Let's make the Blue team one of the Fortune 500 and the Red team an adversary somewhere on the Internet. The Blue team cannot act upon the Red team: Blue's IT security does not have any offensive means. In fact, given the choice between the continuity of the business and conflict with the adversary, you'd be hard pressed to find the latter popular at the leadership level of any organization.
In researching Boyd's work, I continuously asked myself: if Boyd were a CISO, how would he apply his OODA loop? Clearly, the OODA loop can be applied in Sales, Marketing, and other competitive business functions because they can act upon the opponent, but how does it apply to IT security? Then it came to me: prior to any conflict, create a system where both OODA loops are always present - move from a reactive defense to a proactive defense by taking the position of your adversary's OODA loop upon yourself.
Diagram 3

Create a strategy whereby you are able to get into the mind of your adversary and understand what intelligence (OO) is most important to their operations (DA). When done correctly:
you will continuously raise the cost of their observation, leaving them the choice of becoming more exposed or waiting for a low-cost opportunity
you will be in a state of continuous change to your adversary but internally stable
your opponent will be operating on observations that are a cycle or two out of date
I was the first to raise my hand in the question and answer section of this panel. I thought it was unprofessional when the panelist who answered my question began with "well, my answer will not nearly be as long as your question" and another panelist applauded him for saying that to me. I raised the issue of organizations represented in the audience not having the offensive means to act upon the adversary. They agreed and said that a stronger partnership must be formed between the private and public sectors in order to gain this capability. While this may be true, we need to find a way to leverage Col. Boyd's work today! I'd go as far as saying that the bad guys are using Col. Boyd's concepts better than the good guys at this point in time, and if Col. Boyd were with us today, he would have no tolerance for this nonsense.
References to Col. John R. Boyd's work
http://www.fastcompany.com/magazine/59/pilot.html
http://www.d-n-i.net/index.html
http://www.codeonemagazine.com/archives/1997/articles/jul_97/july2a_97.html
http://www.arlingtoncemetery.net/jrboyd.htm
Boyd: The Fighter Pilot Who Changed the Art of War by Robert Coram
http://www.belisarius.com/modern_business_strategy/hammond/essential_boyd.htm
http://www.belisarius.com/fighter_pilot.htm
