The grandest of systems can often be derailed by just one petulant employee. Business Technology’s resident U.S. blogger Keil Hubert argues that effective security programs need to focus first and foremost on human behaviour.
We observed Memorial Day on Monday, 26th May this year. I started my day with a mug of strong coffee and a full inbox full of ‘thank you’ notes from friends and family members who had gotten up even earlier than I had in order to extend their personal thanks to me for my quarter century of military service. That made my whole holiday weekend excellent, put a spring in my step, and reminded me of a ridiculous cautionary tale from my days as a wisecracking squaddie.
Back in October 1994, the Iraqi Army deployed what looked like an invasion force right up to the Kuwaiti border. The US and UK responded with Operation VIGILANT WARRIOR, rapidly moving a bunch of heavy armour, warships, and attack aircraft over to Kuwait to make the tiny kingdom into a tactical challenge that the Republican Guard would just as soon leave be. I was posted to a medical battalion in Texas at the time, and got hand-picked by our team’s lead planner to join the operations staff of Task Force Novak (a.k.a., HQ, 1st Medical Group [Forward]). A bunch of funny things happened on this mission, but one in particular stood out.
Our Task Force Commander was already in Saudi Arabia when I got the order to join up with the ad-hoc planning team and board a C-141 that was headed east. I scrambled to get all of my immunizations, packed my bergen, read up on the mission parameters, and went to the gigantic supply warehouse on base to draw my required desert uniforms, armoured vest, and chemical survival kit… and was stunned to get turned away by the loggies.
The contractors running the warehouse apologized profusely, and explained that the logistics office at our higher headquarters had sent them a memo earlier in the day that in effect ordered them to turn us deployers away. Our G-4 [1] had flat-out refused to transfer COSCOM [2] funds to ‘pay’ the warehouse for our deployment kit. I went back to my unit HQ, called the G-4 up, and demanded to know what in blazes he was up to… and was impolitely told to get bent:
‘I’m not wasting my budget on your lot,’ the Chief Loggie snarled at me. ‘There’s an enormous warehouse full of free uniforms and gear in Saudi. You can get what you need when you get over there.’
A dozen of us medical planners and three-dozen of our mates from the aeromedical evac battalion down the road climbed on the giant cargo bird (along with two of our UH-1 air ambulances) and flew over to Southwest Asia… in our European Forest Green field uniforms, with no flak vests or working gas mask filters. The uniforms were the worst part; the moment we walked off the plane in-theatre, we immediately started taking crap from the soldiers who had preceded us because we stood out on the installation like a sick cat’s scat on an otherwise-pristine beach.
Our TF Commander couldn’t meet us at the airfield, so he sent word over the radio for the next-most senior officer (my immediate boss) and me to report to him at the commanding general’s HQ at ‘Camp Lone Star’ somewhere out in the desert. We dutifully commandeered a truck and a map and set off, suspecting that the CO would be… unpleasantly surprised at our appearance.
Sure enough: as soon as we walked through the door of the Big Boss’s Bigger Boss’s HQ, we got blasted. Before our Major could say anything, the Brigadier that was in charge of the entire support operation took one look at us and demanded to know why we weren’t reporting to him in proper desert gear. My Captain explained the instructions that he’d been given back at home station to visit the ‘magic warehouse in the desert’ upon arrival to pick up our uniforms, vests, gas mask filters, etc. The Brigadier got positively incandescent with rage. There was no such thing as a ‘magic warehouse’, he told us, and never had been. Whoops…
Being the snarky little bastard that I was (and being utterly exhausted from the long flight), I smarted off. My Captain kicked me savagely as soon as I opened my mouth, but he wasn’t fast enough: I put on my best ‘innocent little lieutenant’ expression and said that the general’s own G-4 had refused to issue us our gear on the grounds that he didn’t think that the general’s mission was worth bothering with. He had, he’d said to us, better things to spend his money on than soldiers’ lives.
As expected, the Brigadier turned scarlet. He ordered us to report next door to his supply depot to get kitted out while he made some… heated phone calls back home. [3]
Of course, even the general’s personal supply hut was a joke. They had what the general might need, but next to nothing else in stock. We reported back to the HQ building an hour later in the exact same green uniforms that we’d arrived in… save that we were now sporting snazzy brown desert boots… that were about four sizes too large for us. We looked like poorly costumed circus clowns. The Major looked at us like we’d given him a migraine and told us to *$#& off back to the unit.
The next morning, our contingent was deployed right into what was expected to be the thick of the fighting: Kuwait City. Our Major (still smarting from the Brigadier’s temper) ordered us to do whatever we could to try and get ourselves ready for the upcoming battle. Not that we’d have more than a 24-hour life expectancy if Iraqi tanks rolled over the border into the city; our job was to stabilize and evacuate casualties up until we were overrun. We’d buy time with our lives to help everyone else get away. May as well look the part, so as to help drag things out as long as possible.
There wasn’t any uniform issue function at Camp Doha where we were billeted, so we started raiding the skips that were situated outside the giant warehouses where transiting units would billet before heading out into the sandy hinterlands. Knowing soldiers, we dug through the half-eaten field rations and scrounged up all of the cast-off uniform bits that the infantrymen didn’t want to have to carry when the fighting started. We managed to score a fairly decent pile of twenty-year-old ‘chocolate chip’ style desert uniforms… in sizes that no serving soldier actually wore. I got a set of extra-extra-extra-large/extra-long shirts and trousers that complemented my oversized boots, and topped the mess off with an extra-small sized boonie cap. We spent the rest of the operation shambling around Kuwait, looking like kids playing dress-up in daddy’s uniforms. I looked like a right pillock for the entire mission.
Fortunately, we all made it back home, safe and sound, just in time for Christmas. No-one on our team died or was seriously injured. I put my ‘Dusty the Clown’ costume away in the back of my closet and (thankfully) never used it again. I think I still have it in a box in the attic.
I submit that this story is directly germane to the Business Technology crowd because it speaks to a central tenet of the cyber security discipline: you can have the greatest equipment, training, policies, and experience in the world, but your organization is (and will always remain) vulnerable to the actions of a single misguided or petulant employee.
Our short deployment to the desert illustrates that problem very well: the warehouse at Fort Hood had everything that we could possibly need to survive in the desert, from special canteens to crates of sunscreen. One smarmy git (our penny-pinching senior loggie) undermined years of strategic investment and careful planning, simply because he petulantly refused (for reasons that made sense only to him) to follow established procedure when it came to outfitting deploying soldiers.
The same thing happens every single day in your business, too. Take physical security: You can invest in security cameras, auto-locking doors, and smart-card code keys to secure your buildings, but it’s all for naught when the smokers prop the loading dock door open with a brick so that they’re not inconvenienced when they step out to burn a fag. [4]
The same thing goes for network security countermeasures: You can hide your production network behind a Maginot Line of firewalls, Intrusion Detection Systems, proxy filters, and network breach countermeasures, but they’re all of no help at all when a well-meaning employee connects his company laptop to his home broadband connection and executes the payload on a spear-phishing message.
It applies to emissions security, too: You can lock down your entire network so that only recognized company hardware can ask for a network address from the DHCP server, but that all goes out the window when one enterprising employee plugs a wireless broadband router into his LAN drop and configures the software to mimic his laptop’s MAC address.
The common thread to all of these examples is that it only takes one misbehaving clown in the ranks to undermine years of dedicated work and thousands of pounds of high-tech security gear. People are the number one security threat in the workplace. They always have been.
This is why I advocate for focusing all cyber security programs on people first, and on kit later, after you’ve started sorting the people. I realize that I’m preaching an uncomfortable path; too many of our contemporaries are uncomfortable confronting people – especially powerful people – about their behaviour. Hardware is so much easier to get along with. That’s a dangerously seductive (although understandable) path because kit can’t save you when people deliberately misbehave. If your cyber security program is going to be effective, you have to address the messy, angry, and frustrating headaches that constitute dealing with human conduct and beliefs.
To be sure, you can try to ignore the human factors element, but that approach is likely going to leave you both defenceless and looking foolish when things get painfully real. Better, I think, to attack the problem head-on. It may not be enjoyable, but it’s necessary.
[1] G-4 = the senior-most logistics officer on the general’s special staff.
[2] COSCOM = Corps Support Command, the next-higher outfit that all us field medics reported to. I think they have a new name these days.
[3] Exactly as planned. I didn’t mind the uniform mis-match so much, but *#&$ that guy for sending us into a combat situation with no body armour.
[4] Translation for American readers: smoke a cigarette.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.