Modesty, Misimpressions, and the Future of Red Teaming
I have never learned anything from any man who agreed with me.
—Dudley Field Malone, defense attorney in The State of Tennessee v. John Thomas Scopes, 1925[1]
Poliomyelitis, or polio, is an acute, infectious virus that is highly contagious, attacks the body’s nervous system, and has no known cure. The enduring consequence of polio varies widely: most victims have no, or very mild, symptoms. Paralysis results in less than 1 percent of cases, or, even more rarely, death if the paralysis strikes the respiratory muscles. While its most recognized victim, Franklin Delano Roosevelt, contracted polio at thirty-nine while swimming in the Bay of Fundy off Campobello Island in New Brunswick, Canada, it predominantly impacts children under five. Vaccines proved that it could be prevented, and by 1979 it was eliminated from the United States. However, polio has remained a scourge in developing countries where there is poor sanitation and hygiene because it can be spread through person-to-person contact.
In 1988, the World Health Assembly (WHA) unanimously endorsed the ambitious goal of “the global eradication of poliomyelitis by the year 2000.”[2] At the time, more than 125 countries were considered endemic to the virus, with approximately 350,000 people, primarily children, stricken by it. Subsequently, the Global Polio Eradication Initiative (GPEI) was launched. It was led by a “cluster” of public health institutions: the World Health Organization (WHO), United Nations Children’s Fund, the Center for Disease Control, and Rotary International. The GPEI catalyzed a multilateral strategy that included an expansion of funding, reaching more than $375 million in 2000 and increasing throughout the next decade to more than $700 million, better coordination among the cluster, and a more effective delivery of vaccines—thereby decreasing the number of polio-endemic countries from 125 in 1988 to 20 in 2000.[3] During that same time frame, the number of cases of polio declined 99 percent from 350,000 to 3,500, and as of 2014, the polio vaccine had saved the lives of approximately 650,000 people.[4] Nevertheless, the mission remained incomplete. After vastly reducing new incidences of polio relatively quickly, progress unexpectedly stalled in the first decade of the millennium: by 2009, the number of cases was down to 1,600, but the eradication of that stubborn final 1 percent seemed ever more distant.[5]
To confront this problem, it took a person who could see the challenge through a red teamer’s eyes: Gregory Pirio, a renowned communications expert with a doctorate in African history from the University of California at Los Angeles, who was teaching at UFMCS, detailed in chapter 2. While there, he received hands-on training in red teaming, and co-taught a training seminar on how it could improve institutional performance for the US Customs and Border Protection, Kansas City Police Department, and the Kansas City Chiefs’ coaching staff, among many others. In 2010, while researching the history of communication strategies used in polio eradication for a journal article, he noticed patterns of groupthink, stagnation, and unwillingness of key decision-makers to question their underlying assumptions regarding polio eradication.[6] The officials within the cluster were operating under the belief that whatever had successfully reduced new cases of polio by 99 percent should simply be continued and implemented more rigorously to eliminate the final 1 percent. As Pirio described the operating environment: “Everyone was cheerleading the orthodoxy. Nobody was questioning the strategy or the tactics.” Moreover, in-country experts and skeptical cluster officials were hesitant to challenge the conventional wisdom because they believed that doing so would put their annual funding streams at risk.[7]
Pirio relayed his concerns to his colleague Ellyn Ogden, the longtime worldwide polio-eradication coordinator at the US Agency for International Development, telling her, “I see tunnel vision.” It was only because Pirio was steeped in the red-teaming approaches and techniques taught at UFMCS that he quickly identified polio eradication as a quintessential case that should be subjected to alternative analysis. Ogden was initially somewhat reluctant because the public health field is hesitant to embrace concepts developed by, and associated with, the military. However, after meeting with UFMCS Director Gregory Fontenot and his colleagues to understand how liberating structures could be employed to challenge the stagnation and confirmation bias found within GPEI, Ogden embraced the concept. Shortly thereafter, three UFMCS instructors convened a two-day red-teaming session in Seattle at the Bill & Melinda Gates Foundation headquarters—a primary funder for global public health initiatives—where they challenged every assumption and goal of the polio eradication campaign through the Four Ways of Seeing and String of Pearls liberating structures described in chapter 5. The following day, the Gates Foundation held its annual meeting with the WHO to review funding proposals for the upcoming fiscal year. The Gates Foundation staffers had adopted the language and perspective of the red teamers, and “shook everything up with the WHO proposals by asking the sort of hard questions that they hadn’t in the past,” Ogden recalled.[8]
This is exemplary of how red teaming most frequently tends to spread: by happenstance. Pirio was exposed to red teaming only because he was teaching African and Islamic history at UFMCS at the time. He began investigating polio eradication solely because he was asked to coauthor an article on the subject. Finally, he brought his red teamer’s perspective on the topic to Ogden only because they were longtime professional colleagues. Ogden, in turn, found a receptive audience at the Gates Foundation for the UFMCS instructors to employ their liberating structures, in part because of the Gates staffers’ frustration with the lack of measurable progress toward eliminating the remaining 1 percent of new cases of polio.
Though the path to incorporating red teaming at the Gates Foundation was random, it has had a positive impact on operations. According to Ogden and Gates Foundation participants, the annual strategies and work plans that the cluster had once adopted by rubber-stamp consensus are now more rigorously questioned and challenged. In addition, in late 2010, the Independent Monitoring Board (IMB) was created at the request of the WHA and WHO Executive Board as a mechanism to independently evaluate progress toward the major milestones of the GPEI’s Strategic Plan. Members are experts from a variety of fields who are nominated by GPEI core partners, and appointed by the director-general of WHO.[9] It is impossible to directly connect either the cluster’s enhanced skepticism regarding polio-eradication strategies or the formation of the IMB to the two-day red team engagement at the Gates Foundation headquarters, but it is credited as a major factor. There was no independent review of the plans conducted between 1999 and 2011 to identify weaknesses in assumptions, internal barriers to eradication, or alternative methods of delivery. The remaining few hundred new annual polio cases are no longer because the GPEI is not questioning assumptions, but rather are due to a lack of political commitment in unstable regions such as Pakistan, which prevents administering vaccines, or an unwillingness of parents to vaccinate their children in Afghanistan.[10] That there was any impact on this complex challenge was by chance, and only a result of Gregory Pirio’s exposure to red teaming.
Realistic Outcomes of Red Teaming
The polio-eradication story shows how red team engagements can rarely be classified as outright successes or failures in achieving their ultimate goals. However, red teaming always achieves one of two outcomes. First, it delivers some new finding or insight that otherwise could not have been self-generated within the walls of the targeted institution. The institutions surveyed for this book all faced varying degrees of structural or cultural limitations, which effective red teaming can overcome. Almost every leader claims to value openness and creativity in order to bring into existence new ideas and concepts that add value to their institution. Yet, the same processes that are required to make an institution function smoothly—such as hierarchy, formal rules, unit cohesion, and behavioral norms—are precisely those that make differentiation and varietal thinking extremely difficult to achieve.[11] This is not a criticism of anyone who works diligently at their job, but rather it is a consequence of the normal structural, interpersonal, and cultural dynamics that we all experience and cannot avoid.
The case studies detailed in this book show how properly resourced, situated, and empowered red teams overcome these inevitable limitations to produce revealing “a-ha!” insights or independent assessments that could not otherwise have come about. This may be done to simulate the likely reactions of an unnamed—but clearly Saddam Hussein-like—adversary to the military transformation concepts evaluated during the Millennium Challenge exercise in the summer of 2002; to independently estimate the probability of whether Osama bin Laden was living inside a high-walled compound in Abbottabad, Pakistan, in April 2011; or to examine the security of the Verizon femtocell by the iSEC Partners white hats in the summer and fall of 2012. In each instance, without utilizing a red team, senior decision-makers at the White House, Pentagon, and Verizon would have been far less informed about the probability of bin Laden’s whereabouts, the dependability of future military concepts and technologies, and the reliability and security of customers’ cell phones.
As for the second outcome, even when red teaming fails to have a demonstrable impact on a targeted institution, it reveals something about the thought processes and values of that institution. A primary cause of red-teaming failure lies in bosses’ belief that it is either unnecessary or irrelevant for their particular institution or, if the boss authorized the red team engagement, that its findings are unimportant. When pressed for an explanation as to why they believe this, bosses’—whether government officials, military commanders, or business executives—answers cluster around two theories: if something of consequence was going wrong they would either already know about it, or somebody working for them would have already told them. This first claim assumes a degree of awareness and omniscience that is simply unrealistic for any large institution. The second claim assumes that employees have the time or ability to identify shortcomings or blind spots and a willingness to present them to management. Bosses cannot take it for granted that they or their employees can grade their own homework, or envision what paths their competitors might take. And successful red teaming requires that senior leaders and middle managers be transparent and cede some degree of authority to the red team, which is not easy because they are often overconfident and have domineering personalities.
It is also mandatory that leaders value the red team’s findings. And if those findings are somehow truly irrelevant then the red team was most likely improperly scoped at the outset. In 1976, the Team B competitive-intelligence estimate of the CIA’s National Intelligence Estimate of Soviet Union nuclear weapons capabilities was disregarded by then-Director of Central Intelligence George H. W. Bush. Why? Because the Presidential Foreign Intelligence Advisory Board so wanted to roll back détente with the Soviet Union, that it pressed for the creation of a Team B that it assured was composed of biased red teamers. The result was a product that Bush would not even authorize for publication. Similarly, the pre-9/11 FAA red team was established without clear guidance as to how its findings would be used—such as through letters of correction or punitive fines—to pressure domestic airlines and airports to improve their security. The FAA red team uncovered and documented troubling vulnerabilities that any semiskilled and motivated adversary could have capitalized on to take over an airplane and kill its passengers and crew. However, the red team members believed they were unduly constrained and generally ignored by the associate administrator for Civil Aviation Security—the manager responsible for overseeing the red team’s operations.
Red-Teaming Misimpressions and Misuses
Mark Mateski has engaged in and thought deeply about red teaming for far longer than most people in the field. Of those few others who actively study or practice the concept, he is also the most respected reference point for articulating the current state of red teaming. Mateski became aware of the utility of red teams while running war-gaming exercises, leading him in 1997 to found the online Red Team Journal, which still serves as the best open-source repository for helpful hints and emerging practices in the field.[12] Mateski later worked at the Information Defense Assurance Red Teaming, featured in chapter 4. As head of the Watermark Institute, he teaches military officials, information security professionals, and business executives how they should think about, structure, and utilize red teams. Classroom instruction and exercises on red teaming are critical because, as he describes it, “The best red teamers are intuitive systems thinkers. You’re in the flatlands while they operate in another dimension, and those people are just hard to find.”[13]
In becoming a distinguished instructor and philosopher of red teaming, Mateski has come to discover that the concept has developed a cachet and mystique among many who nevertheless lack direct experience in its application. “Red teaming has become both oversold and under-appreciated at the same time,” he says. This contradiction is often a consequence of how the problem that the red team is commissioned to investigate is framed upfront. Here, most red teams lack the self-awareness or humility to make explicit their “negative space”—meaning to know and articulate those areas or topics that they cannot plausibly assess or evaluate. If the red team is not conscious of its own blind spots and aware of its inherent limitations, it may diligently pursue its work, but do so while heading in the wrong direction. Alternatively, Mateski believes that red teaming’s “most interesting methods give you a competitive advantage that you don’t want to share with people. It is usually sensitive or proprietary, and that tends to stay hidden.”[14]
Since red teaming best practices often stay hidden, and because there is no comprehensive account of the concept, people understandably have a poor grasp of what those best practices are. Moreover, there is undeniably a fascination surrounding the term, which some practitioners capitalize upon to promote their services. Chris Nickerson, the security professional featured in chapter 5, relayed his concerns about how firms in his industry are increasingly using the term to cover virtually all their security assessments. “They say, ‘pen testing is kind of 2000, and red teaming is now,’ and then they can charge more money because they call it red teaming.” Although he is among the more prominent and respected red teamers, he says that, “my company doesn’t use the term much in public anymore because it has become so co-opted by so many people.”[15]
Even where the term itself is not specifically used, the notion is often deeply misunderstood, blindly embraced, or dangerously misapplied. As important as understanding what red teaming is able to do is the ability to acknowledge what it cannot, and should never be intended to, accomplish. Thus, it is worth taking the time to counter and correct five notable public misimpressions and worst-uses of red teaming: ad hoc approaches, mistaking red team findings for policy, freelance red teaming, shooting the messenger, and using red teams to decide rather than to inform.
1. Ad hoc devil’s advocate
Midway through the cinematic thriller World War Z, based upon Max Brooks’s novel of the same name, Brad Pitt’s character Gerry Lane meets Jurgen Warmbrunn, a fictitious high-ranking official in the Mossad, Israel’s national intelligence agency. Lane asks him how he anticipated the zombie pandemic spreading worldwide, and Warmbrunn tells him they received a communiqué from India saying they were fighting the rakshasa (“zombies”), an evil mythological spirit in Hinduism, which Warmbrunn translates to mean “undead.” Lane then asks, “You build a wall because you read a communiqué that mentions the word ‘zombie’?” Warmbrunn responds by explaining Israel’s “Tenth Man Theory,” created after the horrors of the Holocaust, the 1972 Olympics’ massacre in Munich, and the 1973 intelligence failure preceding the Yom Kippur War. “If nine of us look at the same information and arrive at the exact same conclusion, it’s the duty of the tenth man to disagree. No matter how improbable they seem, the tenth man has to start thinking with the assumption that the other nine were wrong.”[16]
There is a romantic appeal to this concept—that dissent can be assigned to just one person who will then be able to uncover hidden truths that others, collectively, simply cannot see. And based upon singular abilities found within that person, a country, organization, or even all of humanity itself will be saved—at least in the zombie apocalypse world of World War Z.
The problem with this story is that it is just that—a story. In reality, there is no Tenth Man Theory used within the Mossad itself, according to former and current Israeli officials. (How the Israel Defense Forces have actually employed the lessons they learned from the 1973 Yom Kippur War to institute red teaming is described in chapter 2.) Perhaps this notion evolved from a passage in the Babylonian Talmud, which suggests that in a capital case, if the Sanhedrin, or judges, unanimously find the accused to be guilty, then they should be acquitted.[17] This concept has also been attempted in real life in the United States. In his memoir, Robert Kennedy described witnessing a cabinet officer “vigorously and fervently” change his own opinion while briefing President John F. Kennedy as the cabinet officer “quite accurately learned would be more sympathetically received by the President. . . . Thereafter, I suggested there be a devil’s advocate to give an opposite opinion if none was presented.” Robert Kennedy’s recognition of the vital need for dissenting viewpoints stemmed from the near unanimity that President Kennedy’s cabinet expressed while it reviewed and endorsed the wholly implausible and far-fetched Bay of Pigs invasion scheme launched in April 1961. Robert Kennedy went on to note that a designated devil’s advocate “was obviously not needed” during the Cuban missile crisis in October 1962 because, having learned from the Bay of Pigs fiasco, there was rigorous, authentic dissent and disagreement expressed throughout the thirteen-day crisis.[18]
The notion that institutions arrive at better decisions by directing one person to produce a dissenting viewpoint and serve as a check against groupthink is deeply flawed. It assumes that the person selected, who is “the tenth” person only because he or she has refrained from offering an opinion yet, has the freethinking personality type needed to truly challenge the underlying assumptions or facts supporting the opinions of everyone else. It also assumes that the person is capable of identifying the typical flaws characterizing group decision-making processes, or has served as a devil’s advocate frequently enough to possess the sensitivity and finesse required for an opposing viewpoint to be heard and valued. Of course, it also assumes that this person can temporarily escape their immersion in the institutional pathologies experienced daily, pathologies they will re-experience, probably punitively, soon after having given a one-time authorized dissent. Finally, this notion presupposes that red teaming requires no training or guidance in its approaches or techniques, which is a dangerously misleading understanding of how true dissent actually improves institutional performance.[19] Indeed, even the Vatican’s Devil’s Advocate (highlighted in this book’s introduction) was not a role assigned to just any Church official. Rather, the person was required to receive several years of instruction in Church law, undertake the equivalent of a two-year apprenticeship at the curia (the Catholic Church’s administrative body) and finally pass a special examination before being admitted to the position of Devil’s Advocate.[20]
Alternatively, leaders might dismiss authentic opposition by claiming that a dissenter was only acting like a devil’s advocate out of stubbornness rather than principle. In conversations with government and military officials, several disparagingly pointed to Under Secretary of State George Ball’s internal dissent to the Vietnam policies of the Lyndon B. Johnson administration. These officials remarked that a valuable red teamer should not become “just another George Ball,” meaning someone taking a contrarian viewpoint just for the sake of doing so. In one notable example, in 1965, President Johnson told his senior advisors that Ball was merely engaging in a “devil’s advocate” exercise when Ball wrote a memo proposing a negotiated withdrawal from Vietnam rather than further deepening US military engagement, an opinion that ran counter to the administration’s long-standing strategy.[21] Johnson’s contention, however, was intentionally false. Ball claimed in his memoir that Johnson assigned the label to him only to sustain the appearance of consensus within the administration in case Ball’s memos leaked to the press:
To negate any impression of dissent among the top hierarchy, President Johnson announced that he would refer to me as the ‘devil’s advocate,’ thus providing an explanation for anyone outside the government who might hear that I was opposing our Vietnam policy. Though that ruse protected me, I was irked when some academic writers later implied that my long-sustained effort to extricate us from Vietnam was merely a stylized exercise by an in-house ‘devil’s advocate.’ Thus are myths made.[22]
President Johnson consistently used red teaming as a convenient cover to describe away what were authentically dissenting opinions. Johnson’s press secretary, George Reedy, later described how during White House debates “[devil’s advocate] objections and cautions are discounted before they are delivered. They are actually welcomed because they prove for the record that decision was preceded by controversy.”[23] Ball was never actually directed to red team US strategy in Vietnam, though in 1965 this would likely have been a potentially consequential and beneficial undertaking. After he left his position in the fall of 1966, Johnson’s senior aide Bill Moyers temporarily assumed the sham role of White House contrarian. Yet President Johnson would infamously greet Moyers before meetings about Vietnam by saying: “Well, here comes Mr. Stop-the-Bombing.”[24] Needless to say, Moyers was never actually empowered to provide a meaningful, dissenting viewpoint, and the bombing of Vietnam never stopped during the Johnson administration.[25] The lesson is: be cautious of someone randomly designated as a devil’s advocate because their contrived dissent will have little impact counteracting group biases throughout the decision-making process.[26]
2. Mistaking red team findings for policy
Many of the biggest misimpressions about red teams are amplified by news reports lacking all context, which, by doing so, overstate the significance of their findings. Over the past decade, enterprising journalists have frequently been able to obtain a classified alternative analysis produced by a military or intelligence community red team.[27] However, the journalists’ reporting based upon the documents is often misleading and misinterprets an out-of-the-box analysis as being representative of mainline analysis, emblematic of senior officials’ thinking, or a precursor to a forthcoming policy change. By their very design, alternative analyses are not supposed to be any of these things, nor, obviously, are they usually intended for external release. But once leaked to reporters, they find their way into public debates via irresponsibly or necessarily one-sided reporting, and they elicit confusion and misunderstandings.
For example, in 2010, veteran defense journalist Mark Perry reported on a US Central Command (CENTCOM) “Red Team” report titled “Managing Hizballah and Hamas.” According to Perry, the CENTCOM red team had gone against US policy and suggested strategies to engage Hamas and Hezbollah politically and attempt to integrate them into the domestic politics and security services in Palestine and Lebanon. Perry wrote, “There’s little question the report reflects the thinking among a significant number of senior officers at CENTCOM headquarters.” In this case, Perry missed the entire point of the red teaming, which was commissioned for the sole purpose of questioning US foreign policy and proposing out-of-the-box ideas contrary to mainstream ideas.[28] In response, Middle East scholar Bilal Saab, based upon his own meetings and discussions with the CENTCOM red team, provided helpful and relevant vital context about the process by which the red team had operated. Saab did not dispute Perry’s characterization of the report, but rather pointed out that Perry “was more or less accurate about the content of the Red Team report, but not about its purpose.” As an advocate of negotiating with radical Islamist groups, Perry found that the report’s analysis supported his ideas and made him believe that “his ideas have achieved credibility at high levels within the US policymaking community.” In fact, the report simply stemmed from an idea voiced by one analyst, and it did not trigger follow-up, debate, or analysis.[29]
Red teaming is quite common in regional US military commands. From 2008 to 2010, when General David Petraeus was the commander of CENTCOM, he employed a number of “initiatives groups” that conducted alternative analyses that benefited from receiving total access to the command while also being independent from the command staff structure. These initiative groups provided their findings exclusively to Petraeus in the form of five- or six-page papers, including a range of worst-case scenarios that could occur after the 2007 surge of US combat forces or the surge anticipated to take place four years later.[30] A lengthy August 2005 CENTCOM red team report for Petraeus’s predecessor, General George Casey, was described by journalist Michael Gordon as “one of the most important—and until now, unknown missed opportunities of the war.”[31] Casey, in turn, called Gordon’s claim “a contrivance that is not supported by the facts on the ground,” pointing out that the red team was supposed to offer alternative views, which were just one of many sources that US civilian and military officials used to refine policies in Iraq.[32] Similarly, for many years, analysts in the intelligence—or “2”—section of US Pacific Command (PACOM) based in Honolulu, Hawaii, produced a regular series of alternative-analytical reports under the theme, “From the Diary of Kim Jong-il.”[33] These were intended to help PACOM officials and staffers imagine how the reclusive former North Korean leader might be perceiving his sheltered world, which could provide clues for his unpredictable behavior.
None of these aforementioned red team reports reflected what the military commanders or civilian officials necessarily believed, nor were they indicative of any forthcoming changes in policy. Indeed, truly out-of-the-box analysis should by its nature be vastly different from what commanders and officials believe, given their immersion in the mainline analytical products they read daily, which are intended to chronicle and interpret reality. Moreover, alternative analysis almost never directly results in a concrete policy change the likes of which requires extensive meetings among various stakeholders to develop new plans and then to coordinate and ensure their implementation.
So the next time that a red team report from the military, government, or private sector—as in the cases of the 1976 Team B report or the 2002 Millennium Challenge exercise—finds its way into the press, be skeptical about any importance assigned to it by journalists and uninformed commentators. They almost assuredly do not know what the red team’s structure, scope, or purpose was, nor what its written products were intended to accomplish for the targeted institution.
3. Freelance red teaming
In January 2014, news station KSDK in St. Louis, Missouri, conducted an undercover investigation to assess safety protocols at five schools in five local districts. At Kirkwood High School, a KSDK staff photographer entered through an unlocked door and roamed unimpeded through hallways and past classrooms for several minutes before asking a teacher for directions to the main office. Upon arrival at the main office, the photographer asked to speak to the school resource officer, but the secretary notified him that no one was available. He left a business card with his name and work cell phone number, and then, to determine whether he would be escorted, asked where the restroom was located. After merely receiving verbal directions, the photographer exited the building the same way he had entered. Shortly thereafter, the school called his work cell phone number on the card, only to receive a voicemail, prompting the school’s communications director, Ginger Cayce, to call KSDK directly. Inexplicably, however, the news channel refused to confirm or deny the man’s affiliation with KSDK. “I told them, ‘I’m going to have to go into lockdown if you can’t confirm that this was a test’,” Cayce said. “When we couldn’t confirm or deny it, we had no choice.”[34] This triggered a forty-minute lockdown of the school, and, unsurprisingly, sparked a lively debate about media ethics.
Parents, teachers, and students panicked when the photographer’s identity could not be confirmed, and those inside the school were forced to huddle against the walls with the doors locked and lights off while police searched the building. An angry parent, after learning of KSDK’s involvement, vented, “If someone else did this, they’d be arrested. It’s just not smart, with all the things that have happened in our country.”[35] In its news report that evening, KSDK admitted that it was one of its reporters who had conducted the test, asserting that this investigation was based on one premise: “Are the security systems set up by school districts in St. Louis really working to keep our students safe?” The anchors acknowledged the angry calls they had received, and apologized for any “emotional distress” caused by the lockdown. They went on, however, to state that they “will continue to be vigilant when it comes to the safety of our schools and our children.”[36]
Although this test revealed apparent gaps in the school’s security measures, it also exposed glaring problems with the station’s ad hoc red teaming. The photographer’s business card was meant to serve as a means of contacting KSDK to discuss the findings of the test, but a lack of responsiveness immediately afterward only induced panic and disrupted school functions. “We learned some things from this, but we are still dismayed that a call was not given after to let us know this was a test,” Cayce said. “We could have prevented the alarm to our parents, students and staff.”[37] Although the district reviewed all its safety protocols after the incident, the lack of basic communication between the school and news station, coupled with the immediate publicizing of the security test, only served to leave the school’s leadership embarrassed and unreceptive to any of KSDK’s relevant findings.
Freelance red teaming such as this—conducted without the knowledge of the targeted institution or without appropriate mechanisms in place to prevent panic—is generally a poor idea. The news station did not conduct any research or reconnaissance to learn what security systems were in place, nor did it even disclose what the photographer was doing when asked. For a few thousand dollars, KSDK could have hired a professional physical penetration tester with extensive experience in conducting security assessments. Such a tester would have alerted relevant district officials beforehand, and been prepared to address any situations or questions that emerged. Indeed, news organizations commission outside experts to assist them with vulnerability probes all the time. For example, in 2012, NBC hired Jim Stickley, a security expert, to test the vulnerability of Onity electronic locks—then used on four million hotel doors worldwide. Using a small screwdriver-like electronic device hidden in a magic marker, Stickley simply plugged it into a port found on the bottom of the lock and opened the door. The device is built using open-source hardware and following instructions posted on YouTube. Although Onity had known about the problem for months and stated that “1.4 million locks and all customer requests for this solution have been fulfilled or are in the process of being fulfilled,” Stickley found that most hotels remained wholly vulnerable. Moreover, Stickley easily opened the door locks in front of several hotel managers so that they could see precisely how unprotected their customers were.38 Compared to KSDK’s embarrassment of Kirkwood High School, and of itself, NBC showed how a responsible news organization can red team to serve the public without needlessly causing panic and confusion. It is crucial that red teaming, especially unauthorized vulnerability probes like the one detailed above, be conducted in a manner that does not cause collateral damage or unnecessary panic.
4. Shooting the messenger
In 2009, a Marine Corps colonel with an infantry background and two Army majors—both graduates of the elite School of Advanced Military Studies—were brought to Afghanistan to serve as a small red team, known as the “effects cell.”39 The three officers operated independently from the chain of command and traveled into the field to assess the robustness of partnerships between NATO’s International Security Assistance Force (ISAF) units and those of the Afghan National Army (ANA). At the time, “partnering” in the field was the primary approach toward building a professional Afghan military, which would presumably then begin to take the lead in independently securing areas where they operated. In 2009, Secretary of Defense Robert Gates said during a House Committee hearing, “Making this transition possible requires accelerating the development of a significantly larger and more capable Afghan army and police through intensive partnering with ISAF forces, especially in combat.”40 If the partnering mission was not working on the ground, then the overall campaign strategy would not be either.
The effects-cell officers were deeply disturbed by what they witnessed—with little variation—at more than a dozen combat outposts. They found that ISAF troops were living completely separately from the ANA forces that they were supposed to be training. This was even before the outbreak of so-called green-on-blue attacks that began in 2012—violent attacks by actual or disguised Afghan security forces against ISAF personnel.41 The effects cell noticed, in particular, that ISAF perimeter machine-gun nests were perched high above their Afghan counterparts, with the heavy weapons pointed directly toward where their Afghan colleagues slept and ate. Moreover, the daily security patrols conducted by both forces were poorly coordinated and integrated. Also, on some days, literally no training or advising events took place. The Marine colonel recalled how the company and platoon leaders had developed a “FOB mentality”—a derogatory reference to ISAF forces hunkering down in their forward operating bases—and were “just counting the days until the next guys came in to replace them.”
The Marine colonel briefed the effects cell’s findings, first to senior ISAF staffers and eventually in front of General Stanley McChrystal, the commander of all US and international forces in Afghanistan. The Marine colonel was, and is, a gruff and brutally honest person, which an ISAF staff officer contended “couldn’t have been more different than how the general [McChrystal] liked to run things.”42 The colonel described in detail instances where the effects cell found that ISAF units were not implementing the commander’s strategic guidance. To drive his point home, the colonel graphically stated, “Sir, if they aren’t shitting together, they aren’t partnering together.” Aides to McChrystal contend that the commander objected to both the tone and content of what he was being told, and, at one point, he berated the colonel, saying, “It sounds like you’re telling me how to run my war.”
The briefing ended soon after, and the impact of McChrystal’s vocalized opposition was soon echoing throughout other staff sections. Ultimately, the ISAF’s plans and operations staffs did not accept what the Marine colonel had revealed, nor did they adjust their campaign plans to reflect the findings. Moreover, the effects cell had difficulty getting traction in the remaining few months that it operated in Afghanistan. This 2009 effects cell study exemplifies an instance when red teaming was rigorously conducted to independently evaluate a plan, but then was ignored by senior leaders and their staffs. It was pointless red teaming, and its assessment was disregarded in part because it conflicted with how the ISAF command hoped things would be going. But, unfortunately, the blunt manner in which the Marine colonel delivered the effects cell’s recommendations undoubtedly made the ISAF command’s senior leadership even less receptive to the bad news. Shooting the messenger accomplishes nothing other than signaling to the entire staff that dissenting viewpoints are neither wanted nor welcomed. The red team is there for a reason, to help improve the targeted institution’s performance, and the boss, general, or leader, whoever they are, should be open-minded toward the red team’s purpose and message.
5. Red teams should inform, not decide
Related to public misimpressions of red teams is the tendency of government or business officials to knowingly misuse them. An adept red team will inform decision-makers by challenging conventional wisdom, identifying blind spots, revealing vulnerabilities, presenting alternative futures, and considering worst-case scenarios. Throughout this book, leaders have described how red teaming helped them “envision failures,” “stretch our imaginations,” or “ask ‘what if?’, and challenge assumptions and facts.” However, what red teams should not be authorized to do is go far beyond this supporting role and actually be expected to make final decisions on their own.
It is understandable that it may be tempting to pass the buck where partisan gridlock and executive clashes prevent a necessary and timely decision. But this would be a mistake, and, thankfully, there are no prominent examples of red teams directing the decision-making process, even though they have been portrayed as needing such influence. A 2014 TechCrunch article describes the role of devil’s advocate as someone who should point out all the reasons a strategy will fail and who has “the power to kill or postpone a [product] launch.”43 While a devil’s advocate, or any form of red team, should be tasked to point out vulnerabilities, it must not be empowered to decide strategies or policies.
Along with assuring everyone that red teamers will not be making decisions, leaders should be reasonable and realistic in what they call upon red teams to do. Over the past fifteen years there has been a proliferation of Congressional members requesting that some federal agency activity or defensive system be subjected to a red team assessment. In part, this reflects the exponential overall growth in Congressional reporting requirements for federal agencies. While Congress required only 470 reports in 1960, that number multiplied by nearly five times to 2,300 by 1980, and has since doubled, reaching 4,637 expected reports in 2014—few of which will ever be read.44 However, it also reflects the relatively recent awareness and appeal of the concept. There were zero legislative requests for government red teaming before September 11, 2001. Since then, there have been thirteen legislative requirements for red teams within federal agencies, three of which were passed into law.
For example, the 2003 defense bill mandated that Department of Energy labs establish red teams to challenge intra-laboratory assessments and perform inter-laboratory peer reviews. This was removed before the final version was passed because the annual reviews already taking place were considered to be sufficient.45 In 2004, during debates over the landmark Intelligence Reform and Terrorism Prevention Act (IRTPA), senators introduced a provision that would have mandated the creation of an Office of Alternative Analysis in the not-yet established Office of the Director of National Intelligence (DNI).46 The Office of Alternative Analysis would have been required to red team each National Intelligence Estimate, and any intelligence document, at the request of the director of the DNI.47 When Senate and House leaders met behind closed doors to reconcile competing versions of the IRTPA, this proposed language was removed and replaced with a watered-down requirement for the DNI to assign the responsibility for alternative analysis of intelligence products to just one individual or entity.48 Between 2005 and 2009, there were no fewer than eight attempts to mandate that the Department of Homeland Security (DHS) conduct a red team vulnerability probe of the defenses of some critical infrastructure system. Of these, only one was signed into law.49 Most of these mandated red teams were removed at the request of DHS officials, who contended that they were a strain on agency resources and duplicative of security assessments and reviews already in place.
For a more revealing instance of congressionally mandated red teaming, in May 2013, Senator Angus King and Senator Marco Rubio cosponsored the Targeted Strike Oversight Reform Act of 2013. This legislation would add an additional level of review to US drone strikes against US citizens “knowingly engaged in acts of international terrorism against the United States.” The DNI, fifteen days after receiving notification of a citizen having been targeted, would have to “complete an independent alternative analysis (commonly referred to as ‘red-team analysis’) of the information.” Senator King claimed that the bill would “ensure that an independent group—or ‘red team’—reviews the facts and that the details of that review are shared with the Congressional Intelligence Committees.”50 The provision was placed into the classified annex of the Intelligence Authorization Act and was signed into law in July 2014.51 The two senators asserted that this red teaming would “provide an additional layer of accountability within the decision-making process.”52 Yet this required alternative analysis would almost assuredly have no demonstrable impact on whether or how a US citizen suspected of terrorism is killed. According to congressional Intelligence Committee staffers, committee members already could, and routinely do, receive the same amount and granularity of information that they would receive from any red team. Moreover, these staffers acknowledge that they will never know what individuals, methods, and rigor were used in the DNI’s internal review, nor will they see the complete findings.53 For these reasons, this red team’s effectiveness will be limited.
Recommendations for Government Red Teams
The strengths and weaknesses of red teaming have been explored over the past few chapters, and several of its most enduring lessons in the previous pages. But there are still more specific recommendations about how it can be applied. These takeaways focus primarily on the US government since it remains the setting and inspiration for most red teaming. However, the following five recommendations could certainly be tailored to the private sector too. They are:
1. Red team the biggest decisions
Before intervening militarily in a new country, White House officials bring in analysts and journalists for an off-the-record discussion, to share their thinking and offer strategic guidelines for an upcoming decision. But such events are mainly about socializing with and charming them in an attempt to influence how they write or speak about the upcoming intervention. Similarly, when asked about subjecting a big decision to rigorous and critical assessments, senior administration officials recount long debates where everybody was “free” to voice their opinions. However, having the same officials and staffers who developed the strategy over many weeks and who are deeply vested in it, then reverse course and poke holes in it does not count as a valid critical assessment.
Instead, the White House should establish a temporary red team of former officials, academics, and experts with the requisite security clearances to receive the latest intelligence, task it with asking one-on-one questions of the relevant civilian officials and military planners, and have it evaluate and critique the proposed strategy. This would take only one or two weeks, with the results presented directly to the president and whomever else the president decides should read it. For example, in the rushed decision to initiate airstrikes against ISIL in the summer of 2014, a red team could have evaluated the strategy at any time between the conclusive National Security Council Principals Committee meeting on August 28 and President Obama’s strategy speech on September 10. Obviously, as the commander-in-chief, presidents are free to incorporate or reject the alternative analysis as they see fit. However, given that initiating wars is among the most costly and consequential decisions ever made by presidents, an independent review of the information and proposed strategy by a red team deserves strong consideration.54
2. Compile US government red team efforts
In interviews with government employees who currently serve or have previously served on red teams, a recurring issue raised was their lack of awareness of other government red-teaming efforts, and a genuine curiosity about what they could learn from them. Indeed, for all of its uses and misuses within the military, intelligence community, and homeland security agencies, there has never been a comprehensive governmental study and evaluation of what this management tool is, how to create a red team, or how it should best be employed. There was a single 2003 Defense Science Board red-teaming report, but it was narrowly scoped to examine only the use of red teams in the Department of Defense at the time.55 Government red teams occasionally share best practices informally through chance encounters, e-mails, and ad hoc video teleconferences, but these insights have not been captured, catalogued, or disseminated.
It is crucial to get this information out. The existing Defense Science Board report needs to be expanded and updated to assess all permanent or semi-regular US government red teams. Given that many red teams work on classified programs, there would likely need to be a classified internal version of this as well as an unclassified “for official use only” or public one. This study should be conducted by the Government Accountability Office, or perhaps one of the Congressional committees on Government and Oversight Reform. With an up-to-date repository of active red-teaming efforts, and of what tends to work and what does not, government employees would be better able to learn from their colleagues when forming their own red teams. Ideally, such a study might be supplemented with a wiki-sharing platform that can be continuously updated and utilized by as many government agencies as possible.
3. Expand red team instruction
Red team training and educational opportunities should be made broadly available for nonmilitary government agencies. Given that all agencies have training and education elements, this will not require establishing new offices or spending much in the way of additional money. Based upon interviews with officials and staffers in the State Department and USAID, to give just two examples, there would be tremendous demand if this professional development opportunity were offered. The current educational offerings for government employees tend to be centered narrowly on acquiring incrementally updated technical or administrative certifications. These are useful for bureaucrats, but they do not improve upon or broaden the critical thinking skills of those midlevel officials who actually make the micro decisions that allow the federal government to function. Senior personnel and management officials should make two-week red-teaming courses available to meet this overwhelming demand and need. Just as important as offering red team instruction for staffers, brief, two-hour training sessions for their bosses—whether they are program managers or more senior officials—should be mandated so that they understand what red teams can offer and how they should be used.
4. Review military red team instruction efforts
Despite more than eight years of red team instruction at UFMCS and Marine Corps University (MCU), there is no study that has measured its impact on the students, their professional careers, or their future positions when they become red-teaming practitioners. Surveys conducted after Army and Marine students graduate overwhelmingly demonstrate strong satisfaction with the red-teaming approaches and techniques that they learned and a wish that others take similar courses. What is needed to complement these individual impressions is a comprehensive survey of how much impact the classroom instruction and the techniques practiced there have had in later assignments in their careers. In particular, this survey would need to evaluate whether, how, and how often the graduates applied these approaches and techniques later in their careers as part of a red team. The feedback provided could be applied to fine-tune and revise the courses taught at UFMCS and MCU, and allow the Army and Marines to recalibrate what they should expect from military red teaming.56
5. Make red teaming meaningful, not a rubber stamp
The structure, conduct, and composition of government red teams should include truly divergent and creative thinkers, and not just former officials who most likely reflect the accepted thinking of the targeted institution. This problem notably occurred in the case of the National Defense Panel (NDP). Since 1996, the secretary of defense has commissioned a comprehensive examination of national defense strategy, force structure plans, and budget proposals in order to determine future defense programs. This Quadrennial Defense Review, or QDR, absorbs a great deal of senior Pentagon officials’ time since it provides broad strategic guidance for the armed services and various Department of Defense elements. Subsequently, for both 2010 and 2014, Congress mandated an additional independent review of the QDR in the form of an NDP. The panel received clear legislative guidance about the structure and scope of its activities—“conduct an assessment of the assumptions, strategy, findings, and risks of the [QDR].”57 The NDP’s shortcoming, however, was in its composition. The secretary of defense appointed the chair and vice chair, who in 2014 were retired Secretary of Defense William Perry and retired Army General John Abizaid, while congressional oversight committees appointed the other members, all of whom were former military officers or Pentagon officials, plus one former senator—and all of whom had ties to defense or aerospace industries.58 Moreover, the NDP consulted almost exclusively with serving military and civilian officials, or their retired counterparts.59
Unsurprisingly, the 2014 NDP’s findings did not directly challenge any core assumptions of US military strategy. Its primary recommendation was simply to vastly increase defense spending without providing a roadmap for how this could be achieved given the largely bipartisan support for flat or declining defense budgets. Subsequently, the 2014 NDP had little impact upon the targeted institution—the Pentagon—since it re-endorsed the continuation of what the US military was already doing. That the NDP’s findings and recommendations would closely reflect the conventional wisdom was to be expected. Future NDPs must be composed of fewer political strategy- and force-planning experts who are professionally or financially tied to the Pentagon or the defense industry.60
After spending five rewarding and fascinating years meeting with and learning from more than two hundred red teamers operating in a wide variety of fields, the most difficult challenge is to remain as skeptical and honest as possible in evaluating their utility—that is, to maintain the distance and open-mindedness of a red teamer, while also becoming intimately acquainted with their fascinating work. This book opened with a warning to readers about the inherent difficulty that institutions face in identifying their own shortcomings, and in realistically understanding how competitors or adversaries might behave; in short, their inability to grade their own homework. This caution applies equally to the author, who has been immersed in the personalities, experiences, and confidences of a group of people who, by nature, tend to be divergent thinkers, somewhat proprietorial of their well-honed tradecraft, and skeptical of outsiders pigeonholing their profession. In relaying their stories and assessing their value, this book has attempted to remain as honest and analytical as possible. Yet the overall conclusion is that red teamers are so interesting and engaging that there is no need to hype or mythologize them. Indeed, almost everybody in the field rejects the over-exaggeration of their unique skills or influence. As retired Brigadier Tom Longland, head of the UK’s Development, Concepts and Doctrine Centre red team, declared, “The misconception is that red teaming is magic, secrecy, or wonderful. Most of the time, when we are briefing people, I tell them, ‘This is just the application of common sense from a different perspective’.”61
Nevertheless, red teams do make a demonstrable difference on their targeted institutions—especially when they are correctly scoped, adequately structured, and sufficiently empowered to carry out their objectives without undue influence. To reiterate: red teaming is a structured process to better understand the interests, intentions, and capabilities of an institution—or those of a potential competitor—through simulations, vulnerability probes, and alternative analyses. Senior government officials, admirals and generals, and business executives acknowledge that they are increasingly unable to process the complexity of the information before them, in a limited time frame, to make consequential decisions. There are simply too many factors informing each decision and too many actors to account for, whether they are foreign militaries, industry competitors, or malicious hackers.
Red teaming has its limits and there are times when it should be avoided. Red teams cannot—and should not—supplant an institution’s embedded planning and operational components. Yet, they can provide a valuable check on those constraints that—in a red team’s absence—would make well-informed strategic decisions and properly configured defensive systems less likely to be developed or to succeed.
Like any management tool, red teaming is only effective when it is embraced, resourced, and tailored to the needs of the targeted institution. This requires being cognizant of its strengths and weaknesses. When red teams are empowered to select their engagements, they should reject those where the problem set is undefined—and cannot be clarified in successive scoping conversations with the targeted institution—or when the intended objectives are simply unachievable. Red teaming is not a cure-all for every problem, but rather is a conceptual approach combined with specific tactics to prevent, mitigate, and respond to specific challenges.62
There is no single blueprint for how leaders and program managers can accomplish this because red teaming’s very nature makes it impossible to devise rigid instructions that would be practical. Nevertheless, the research conducted for this book shows that a red team’s success generally depends on the extent to which the following six best practices are adopted.
1. The boss must buy in
Leadership must value, provide adequate resources for, and want red teaming, and make this clear to the rest of the institution. Otherwise, the entire process will likely be unsupported and the findings will be ignored.
2. Outside and objective, while inside and aware
Red teamers need to be at least semi-independent to effectively conduct assessments, and the targeted institution’s structure, processes, and culture must be taken into consideration when constructing the team.
3. Fearless skeptics with finesse
Red teaming requires a distinct personality type—open-minded, creative, confident, and a little odd, while maintaining the ability to relate to and communicate with the targeted institution without coming across as antagonistic.
4. Have a big bag of tricks
Variety is inherently the lifeblood of red teaming. Methods cannot become predictable or institutionally ingrained—this requires practitioners to be able to think on their feet and always have new tactics and techniques up their sleeves.
5. Be willing to hear bad news and act on it
Targeted institutions that are genuinely unable to hear and integrate a red team’s findings as faithfully as possible should not bother doing it in the first place.
6. Red team just enough, but no more
Red teaming should not be a one-off event because undetected vulnerabilities will likely go unaddressed and blind spots will inevitably arise. However, red teaming too often is disruptive to the targeted institution and its employees and does not allow adequate time to make adjustments based on previous red team findings.
As business war-gamer Mark Chussil observed in chapter 5: “Nobody has data about the future.” Yet, ideas about where red teaming is heading have already begun to emerge. Like many other human-intensive endeavors, this will include replacing people—who are expensive and have physical limits—with sensors, communication links, algorithms, and automation, which are becoming ever cheaper and more ubiquitous. Cyber penetration testers have touted the prospect, and eventual inevitability, of lower-cost and largely autonomous pen tests. Automated red teaming has been pursued by university and private-sector researchers for more than a decade and involves the integration of computational intelligence, evolutionary algorithms, and multiagent systems to better understand competition. In support of decision-making and planning, computer models and methodologies are used to carry out red-teaming exercises in order to help explore alternative strategies, identify cyber and physical vulnerabilities, uncover the evolving tactics of a competitor or adversary, and reveal biases.63 Of course, there are certain limits to making automation the default approach to cyber vulnerability probes.64 Former NSA official and current cyber-security executive Samuel Visner believes that stand-alone penetration tests cannot uncover the vulnerabilities built into larger, more integrated, and increasingly complex digital environments. Therefore, the future of cyber-vulnerability probes is trending toward more continuous and automated testing and analysis, while recognizing that only humans will determine what those models and algorithms will look like and judge whether they work.65
Similarly, Raphael Mudge led the development of “Cortana,” a scripting language allowing penetration testers to create automated bots (i.e., web robots) to simulate virtual red teamers. Funded through DARPA’s Cyber Fast Track program, Cortana extends “Armitage,” an exploit-management program used to set up a central server for a team of pen testers, to breach a network through one access point and then share its data.66 In another example, information systems professor Philip Polstra has even written a detailed guide on how to conduct cyber and radio frequency penetration tests at a distance, using only cheap, small, low-powered devices.67
Researchers at several security firms are also spending their set-aside research and development time to more precisely calculate the “adversary work factor”—a measurement of the time and effort that a red team requires to breach different configurations of a defensive system.68 If security managers could better quantify what it takes for a plausible adversary to break into a system, they could much better inform what personnel and resources should be preventively committed to defend that system. Moreover, it would allow red teams to better tailor each of their vulnerability probes for defensive systems over time, and to facilitate comparing similar defensive systems in different fields and industries.
The intelligence community’s research arm, the Intelligence Advanced Research Projects Activity, has funded projects measuring cognitive bias and attempts to reduce that bias through gamification.69 In 2012, this resulted in a video-game platform—“Macbeth” (or Mitigating Analyst Cognitive Bias by Eliminating Task Heuristics)—that trains participants to recognize and mitigate cognitive biases and measure their progress over time. Modeled after the board game “Clue,” Macbeth presents a series of suspects and provides information to help players determine who committed the crime. Players must then decide whether that information was affected by cognitive biases—such as anchoring, projection, or representativeness.70 According to a senior intelligence official, the project can demonstrably reduce analysts’ cognitive biases and measure how much of that reduction is sustained over time with subsequent testing.71 Permanently mitigating the impact of bias in the work of intelligence analysts should make the need for alternative analysis less pressing, because their products—memos, reports, and briefings—would be less bound by the anchoring effect of mainline analysis.
There will always be barriers to eliminating human beings from the red team process. While computers might pass the Turing test by mimicking human behavior, they are unlikely any time soon to fully match the skills, out-of-the-box thinking, and instant agility required to interpret tense situations and adjust courses of action on the fly. Only Marine majors have the necessary intuitive feel, understanding of the stresses that an operational planning team faces, and internalized doctrinal terminology and slang that will get their criticisms of an evolving operational plan listened to; only skilled white-hat hackers are able to sense, based upon their reconnaissance and scanning of a network, where and how to prioritize time and effort in order to make an engagement the most beneficial for a client; and only human physical penetration testers are able to embody a human adversary and behave outside of the constraints and limits of industry regulations and best practices.
Finally, much of what makes red teaming effective and causes its results to be acted upon is its practitioners’ ability to explain findings in the form of stories that resonate with senior leaders. Across all fields, red teamers emphasized how storytelling and personal vignettes, tailored to spark and hold the interest of their intended audience, are critical. As longtime security professional Nicholas Percoco described it, you have to “make it personal” in order for a red team’s findings to be heard and acted upon. Rather than presenting the technical details of a critical vulnerability in a mobile device, Percoco would show his clients, “Here’s exactly how I could steal your personal photos or download your calendar off your phone.” Cyber penetration test findings told by way of personally relatable anecdotes free of technical arcana are simply much more likely to be listened to and acted upon than pages of screenshots and malware script.72
Where red teaming is heading will ultimately depend upon the value that government, military, and business leaders perceive it delivering to the institutions it targets. As the number of red team practitioners grows, as awareness of the practice spreads, and as those who have been exposed to it ascend to senior positions, its use as a management tool will undoubtedly become more prevalent and widespread.
The preceding pages have shown how simulations, vulnerability probes, and alternative analyses, when used correctly and heeded by superiors, are increasingly relevant to helping leaders confront and mitigate the challenges and threats that characterize all competitive environments. Red teaming is not a silver bullet that can solve every problem, but then again, nothing is. Embracing a red teamer’s mindset can help almost anyone think more critically and divergently about the complications they face in their jobs and everyday lives.
As the astronomer Carl Sagan eloquently put it: “People in power have a vested interest to oppose critical thinking. . . . If we don’t improve our understanding of critical thinking and develop it as kind of a second nature, then we’re just suckers ready to be taken by the next charlatan who ambles along.”73 Red teaming is similarly beneficial, and even empowering, for those of us who are willing to learn from and appreciate all that it has to offer.
