If This is Saturday, It Must be Singapore
By blogsadmin on Nov 21, 2006
Some of you are probably wondering why I have been radio silent for a matter of weeks, not days. Chalk it up to excessive travel in the months of October and November. As much as you like to think you can be on a plane all day, meet and greet customers, and talk at events, and still keep up with your day job; as the old song goes, "something's gotta give." I don't usually get to the point where I feel I have to have a vacation, but I did take some time off to surf on Kaua'i. (I was unplugged for a week, as I did not take a laptop, and I highly recommend it. It's not a vacation if you are checking email. I note that Oracle got along quite nicely in my absence, which is the virtue of a wonderful team and the miracle of delegation.)
I can say after an exhaustive study of how many time zones you can physically go through in a week that at one point, my body clock could only be described as "confused and bordering upon thoroughly muddled." In one week, I was in Singapore, San Francisco, and a couple of other cities on the East Coast whose names temporarily escape me due to extreme sleep deprivation and repeatedly getting up at 3:30am to catch a 6am flight.
As I flew into Singapore, it was not difficult for me to see why it has historically been considered an extremely strategic piece of real estate. Singapore is perched at the end of the Malay Peninsula, guarding the Sunda Straits between Indonesia and Malaysia. A tremendous amount of shipping passes through that part of the ocean. Singapore has the second largest port in the world (Hong Kong is larger). If you've never seen it, there are ports, and then there is Singapore. Many of us fly from A to B, even over the ocean, but few of us ride on container ships on a regular basis, so you forget that most goods travel by ocean long before they get to your favorite retail outlet. Some of the container ships are so big now that they can barely get into, for example, the port of Long Beach. (This actually creates a security risk in that these ships are so big that, should one be deliberately or accidentally run aground, it would severely impact the flow of goods and thus the US economy.)
Singapore capitulated all too rapidly to the Japanese in World War II; as a result, the fall of Singapore justly ranks among the worst defeats in British military history. When discussing the fall of Singapore, I've been known to apply epithets that I won't use in polite company or in a G-rated blog entry to Gen. Percival, the commanding general who--in military terms--wussed out and surrendered Singapore to Japan with barely a whimper. (Wuss, wuss, wuss. He should have been cashiered and then some. There, I said it.)
I had read a bit about the fall of Singapore before the first time I visited there, in the course of reading a really good history of WWII by John Keegan. Some of what people "think they know" about Singapore is actually incorrect, e.g., "the guns were facing the wrong way." (No, they were facing out to sea to defend Singapore from an attack from the sea, and they did that very well; supremely well, in fact.) As it turns out, much of what I learned may also be wrong, as historians have recently revisited "the lessons of Singapore." And yes, I am going to relate this back to security, mai maka'u (don't be afraid)! In fact, regardless of whether you look at "received wisdom" about Singapore or the "revisionist version," there are good lessons for cyber security.
The popular version of the fall of Singapore is that the British did not think the Japanese could possibly negotiate their way down the densely jungled Malay Peninsula to attack Singapore. Hence, the received wisdom goes, the gun embankments that defended Singapore were facing out to sea instead of towards the Malay Peninsula. (As stated earlier, the guns were placed to defend against an attack by sea; which they did very well.) It's also true that many in the West (before getting some serious whupping by Japan between December 1941 (Pearl Harbor) and June 1942 (Midway)) underestimated the fighting spirit and capabilities of Japan for what can, in retrospect, only be called racist reasons. One underestimates one's enemy at one's own peril; the Japanese were ferocious warriors and, in general, meticulous war planners.
What has come out of recent historical analysis is more complex than the received wisdom. As it happens, there was a war plan to defend Singapore from an attack through the Malay Peninsula (codenamed Operation Matador), and the plan was approved by the British military command structure. However, execution of the plan relied on resources that never materialized. Indeed, it was Winston Churchill who stalled Operation Matador repeatedly because he wanted scarce men and materiel to go to Russia and the Middle East. The received wisdom blames local British commanders but largely absolves Churchill of any role in the defeat of Singapore.
Mind you, nobody ever gets all the men and materiel they want in war. Or in business, either. We all know that even if you are a great planner and manager, at some point, you can't "do more with less," you can only do less with less. The battle was lost before it even began because the approved plan to defend Singapore was never implemented. In this case, as one historian put it, Churchill gambled, and lost. I leave it to professional historians to determine if taking scarce resources and sending them to North Africa and Russia, whilst starving Singapore (militarily speaking) was the optimal strategy. We will never know what might have been.
Security, as we know, is about risk mitigation and calculating the "expected value" of payoffs for various risk mitigation strategies. The lesson of Singapore for enterprises is that part of your risk analysis needs to be expected payoffs if your worst fears happen. In short, can you live with sacrificing part of your empire? (In the IT case, can you live with sacrificing part of your network, enduring reduced availability or some data loss?) There are few strategies that provide zero risk of all bad things that could possibly happen at anything like an acceptable cost. Figure out what your worst nightmare looks like. What would it take to mitigate that? What are you left with? What can you actually afford in terms of mitigation, and in terms of loss caused by an unmitigated chicken coming home to a risky roost, to bungle the metaphor?
From a management standpoint, if you are facing a potential catastrophic loss you can't live with or mitigate, you need to let your management know that, professionally, but in words of one syllable. In fact, if you can't live with the numbers, you better scream--well, "point out the risk emphatically"--until the equation (inputs) changes or the answer (output) does. Security professionals actually have a better option than the generals defending Singapore had; at some point, if you aren't listened to about what you need to "get it done," you can resign on principle. (The generals who pled the case for Singapore could not resign, without effectively deserting their troops, and their honor would not permit that.)
There is a second sort of planning lesson for IT security as regards Singapore. I've traveled all over the world for Oracle and have been privileged to see many great cities. So many densely populated cities have a cramped feel. (I'm particularly sensitive to it because I spend a lot of time in the wide open spaces of Idaho (population, 1.4 million in the entire state, not including deer, elk, moose, bear, foxes, and noisy, bossy, Siberian huskies).) Singapore, despite having a relatively small land mass and a relatively high population density, still has a spacious and "easy" feel. There is a mix of new, gleaming buildings, smaller buildings built in British colonial style, and far more greenery and plants and trees than you would ever think possible. All this took planning--some really good long-term planning (like the US Defense Department's Five Year Defense Plan, or FYDP). Singapore is a comfortable city, a lovely city. It was no surprise to me that much of the plan for the city has been laid out over a period of years. The capable citizens of Singapore took over where the British planners left off. They have made a jewel with what they have. (Diamond, as we know, is just coal under pressure for a long, long time.)
I am in the middle of working on some long term goals for my team. (The long term goals are taking longer to do than I thought, alas.) The point of the exercise was to think not merely about the next 2 weeks of crises or the five tactical things we all need to do before Thanksgiving, but to think strategically. What kind of city do we want to build? (Not merely, "Dang, there is another pothole to fill by Friday.") The problem with the hurry up, multi-tasked world of IT is that it is hard to step back and think about the "important, not urgent" things when there are so many "urgent but not necessarily important" things crowding your time. I say often that my goal is, in a way, to do myself out of a job because development becomes so good at security they don't need my team anymore. (Realistically, there will always be a need for a compliance function to verify that we did what we said we would do.)
Long term planning is also--and always--a good time to think about whether you are doing the right things with the resource you have, or whether there is something more valuable you could be doing with those (5, 100, 1500) people. The corollary to not getting enough resource--and nobody ever gets absolutely everything they want and probably shouldn't--is stepping back and looking at what you are doing with what you have. Needs change. People change. Threats change. Even if your title stays the same, your job content probably needs to change in security, because the security world changes, fast.
There's one last thought I have on Singapore, and it needs to be put in the larger context of the rapidity and ferocity with which Japan captured so much of the Western Pacific. Prior to WWII, large parts of the Far East were colonial possessions of European powers. After the war, the fact that the British and Dutch colonial powers had capitulated to Japan so quickly was proof to many colonies that their (former) colonial overlords were not invincible and that maybe, just maybe, they were better off--if not far better off--governing themselves. The Dutch and British (and others) discovered after WWII when they tried to reassert colonial rule that the forces of nationalism were inexorably working against them. The security lesson is that sometimes there is no going back.
For more information: John Keegan's The Second World War
Why one historian blames Winston Churchill: