ArchiveOODA Original

The Cyber Moscow Rules: Trust no one. Trust no device.

Lessons learned from US agents who operate in enemy territory have been captured for years and transformed into a code of conduct popularly known as “Moscow Rules.” Those old rules existed for a reason. Real-world experience proved their effectiveness when agents had to operate in the presence of adversaries.

Since modern cyber defenders are also frequently required to operate in the presence of adversaries there are lessons from these old Moscow Rules relevant to cyber defense.

With that as an introduction, the following is a modified list of the old Moscow Rules designed to help the cyber defender under fire.

Consider these as “Moscow Rules for Cyber Operations”

  • Do not trust your gut. Your gut is not used to the manmade creations of cyberspace.  Instrument, measure, monitor and seek to confirm everything.
  • Do not trust any single source of information. Seek multiple sources, especially sources from outside your organization.
  • Design your cyber defense monitoring system to bring all sources together for analysis. This includes structured network and computer derived information and also unstructured feeds from advisory reporting, vulnerability reports, social media and specialized cyber intelligence feeds.
  • Backup everything of importance to your mission, and keep unalterable logs. This will save you, again and again.
  • Understand your actions are being observed. Your adversary is watching you watch them; you are never completely alone.
  • Trust no one. Trust no device. Every device in your system is potentially under opposition control. Your computers, networks, VOIP phone, your Telepresence system, your laptop, tablet and even cell phone, are all potentially compromised. Architect your enterprise to ensure penetrated systems are detected, isolated and their comms grounded.
  • Even in the complex heterogenous world of modern enterprise IT you can find boundaries and control points. Know where they are and how to leverage them to your advantage. Establish rules at every gate.
  • Protect your most important information, but seek to lull your adversary into a sense of complacency.
  • Don’t harass the opposition. You want to enhance your defenses and keep them out. You do not want to embolden/encourage hatred. You want them to go away. More than likely you are not good enough at defending your own enterprise to even think of doing anything offensive. Save that for the government.
  • There are psychological dimensions of cyber operations. This goes for both your cyber defender team and the adversaries and should inform your plans.
  • Keep your options open. Understand your adversary is a thinking, creative entity that will react and surprise you. The team you push out of your system may be replaced by a much more sophisticated team.
  • Know your tradecraft and make sure your entire team does as well (many exemplars and best tradecraft practices are available, a favorite of mine is the community produced Consensus Audit Guidelines).
  • Training and education of your workforce is important, but it will fail you. Even with all the training in the world your workforce will eventually be deceived by creative, determined adversaires. Know that right now a user somewhere in your organization is doing something they should not be.
  • Be careful about outside consultants. The cyber defense field, unfortunately, attracts charlatans who assert that they have special knowledge of how to defend. The only way to vet experienced cyber defenders is to have either observed their past performance first-hand or to get first-hand reports by those you trust.
  • Pick the time and place for action. Move fast to protect your most important info. Take actions to keep your adversary off balance. Build plans in well thought out ways to raise all other info defenses on your schedule.
  • Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.

Have you had responsibilities for defending an enterprise in the face of adversaries? Does the list above resonate with you, or is any part of it out of whack with your experiences? I would appreciate your thoughts.

Till the, remember:

Trust no one. Trust no device. Every device in your system is potentially under opposition control.


Additional Resources:

A Practitioner’s View of Corporate Intelligence

This post is part of a series providing insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making.

Organizations in competitive environments should continually look for ways to gain advantage over their competitors. The ability of a business to learn and translate that learning into action, at speeds faster than others, is one of the most important competitive advantages you can have. This fact of business life is why the model of success in Air to Air combat articulated by former Air Force fighter pilot John Boyd, the Observe – Orient – Decide – Act (OODA) decision loop, is so relevant in business decision-making today.

In this business model, decisions are based on observations of dynamic situations tempered with business context to drive decisions and actions. These actions should change the situation meaning new observations and new decisions and actions will follow. This all underscores the need for a good corporate intelligence program. See: A Practitioner’s View of Corporate Intelligence

Mental Models For Leadership In The Modern Age

The study of mental models can improve your ability to make decisions and improve business outcomes. This post reviews the mental models we recommend all business and government decision makers master.

Optimizing Corporate Intelligence

This post is part of our Intelligent Enterprise series, which providing insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making. The first post provided foundational insights into A Practitioner’s View of Corporate Intelligence. This one dives into actionable recommendation on ways to optimize a corporate intelligence effort. It is based on a career serving large scale analytical efforts in the US Intelligence Community and in applying principles of intelligence in corporate America. See: Optimizing Corporate Intelligence

OODA On Corporate Intelligence In The New Age

We strongly encourage every company, large or small, to set aside dedicated time to focus on ways to improve your ability to understand the nature of the significantly changed risk environment we are all operating in today, and then assess how your organizational thinking should change.

As an aid to assessing your corporate sensemaking abilities, this post summarizes OODA’s research and analysis into optimizing corporate intelligence for the modern age. See: OODA On Corporate Intelligence In The New Age

Useful Standards For Corporate Intelligence

This is the third post in our special series on the Intelligent Enterprise. The first, titled, A Practitioner’s View of Corporate Intelligence, provided foundational insights to kickstart any corporate intelligence program. The second, titled Optimizing Corporate Intelligence, provided best practices and actionable information you can use to improve and professionalize your corporate intelligence activities. This post discusses standards in intelligence, a topic that can improve the quality of all corporate intelligence efforts and do so while reducing ambiguity in the information used to drive decisions and enhancing the ability of corporations to defend their most critical information. See: Useful Standards For Corporate Intelligence

Bob Gourley

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes Bob is the co-host of the popular podcast The OODAcast. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency. Find Bob on Defcon.Social