The added value of the OODA loop to cyber security - part 2/3

Last week, I provided an introduction to the OODA loop: some background on the OODA loop and its creator, and high-level applications of the OODA loop. The next step is to analyse the OODA loop in detail. There are a number of interesting elements and characteristics about the OODA loop. But what do they truly mean? How should we interpret them against the backdrop of cyber security? This week is all about the nitty-gritty details of the OODA loop.

(note: numbering of headers and references is continued from last week's article)

4 The OODA loop – Detailed analysis and interpretation

Before evaluating its added value to cyber security, it is vital to thoroughly understand the OODA loop and the way it resulted from previous ideas by Boyd. Thus, it is important to look beyond the high-level stages of the OODA loop (observe, orient, decide, act) and examine the details of the loop and their meaning.

The figure below shows the detailed OODA loop.

OODA loop by John Boyd - from: Osinga, p. 270

The phases of the loop will be explored in detail in the next paragraphs.

4.1 Phase 1: Observe

Observe is the first phase of the OODA loop. Its definition is as follows: “Observation is the task that detects events within an individual’s, or group’s, environment. It is the method by which people identify change, or lack of change, in the world around them.” (Osinga, p.271).

In this definition, the importance of the environment is stressed. There are 4 main inputs into the observation activity:

  • Outside information. This is information about the opponent. As indicated in the introduction of this article, threat intelligence deals with this type of information and is applicable to both the military and the cyber domains.
  • Unfolding circumstances. Basically, this is the activity of the opponent and its impact on our own operation. The environment as a whole needs to be considered here. The unfolding circumstances are a combination of the unfolding interaction with the environment (next bullet), which is a result of actions taken, and the actions taken autonomously by the opponent.
  • Unfolding interaction with the environment. As stated in the previous section, these unfolding circumstances are the result of the actions taken in the previous loop. Any action will have an effect, which should be observed to eventually determine the next action to take.
  • Feedback. This is feedback from the ‘decide’ and ‘act’ phases of previous iterations of the OODA loop.

Another arrow points towards ‘observations’: the ‘implicit guidance & control’ arrow. Implicit guidance and control is not so much an input into observation; rather, it shapes the way we observe.

“[…] a harmony, or focus and direction, in operations is created by the bonds of implicit communications and trust that evolve as a consequence of the similar mental images or impressions each individual creates and commits to memory by repeatedly sharing the same variety of experience in the same way” (Osinga, p.238)

Implicit guidance and control originates from a similar way of thinking and reacting. As opposed to explicit guidance, implicit guidance allows different teams (or individuals) to make similar decisions in an autonomous way. This helps to accelerate the decision cycle, as explicit guidance would require waiting for instructions.

Implicit guidance influences observation and action, but will likely affect all phases of the OODA loop. To create implicit guidance & control, it is important to train regularly and standardize the approach of dealing with observations. This training is as relevant to the cyber security domain as it is to the military domain.

Another example of implicit guidance is the view of Boyd on feedback, learning and self-organisation of teams. According to Osinga, “Boyd allows uncertainty to exist and he want (sic) commanders not to impose a certain course of action but to set the boundaries of behaviour, the overall direction and to develop relevant organizational orientation patterns” (Osinga, p.154). It is clear that implicit guidance is meant here. According to Boyd, ‘orientation patterns’ are mental models and a form of doctrine that need to be developed and trained. This is an important realisation, because changes to these mental models are driven by the feedback from the ‘decide’ and ‘act’ phases, making the whole system a double-loop learning system. Double-loop learning systems are highly adaptable but introduce variations in the form of change and lack of control [9]. This matches the OODA loop, as uncertainty is a major factor and lack of control is countered by establishing implicit control.

4.2 Phase 2: Orient

Orient is the most important phase in the process, and the most elaborate one. Its definition is the following: “Orientation is an interactive process of many sides implicit cross-referencing projections, empathies, correlations, and rejections that is shaped by and shapes the interplay of genetic heritage, cultural tradition, previous experiences and unfolding circumstances.” (Osinga, p.237). As orientation sits between observation and decision, this is where ideas are formed about what exactly is going on and what responses could be mounted. Boyd stresses its importance by calling it the ‘schwerpunkt’ of the OODA loop.

The orientation phase has 5 elements, 4 of which shape the orientation process and one of which generates the output from the orientation phase. The four elements that shape the orientation process are:

  • Cultural traditions. This includes both personal cultural traditions and the cultural traditions of the organisation.
  • Genetic heritage. Genetics play a role in the way we process information too. This is a static element, as genetic heritage cannot be changed.
  • Previous experiences. Previous experiences shape the way we process information and generate ideas. Note that experience can be beneficial (accelerate analysis & decision making), but also harmful, as it can create a certain pattern of thinking that is predictable or outdated.
  • New information. New information can be taken into the orientation phase as well. In fast tactical OODA looping, it is unlikely that new information will arise in the orient phase.

The element that generates the actual output from this phase is ‘synthesis & analysis’. For Boyd, synthesis and analysis is not a simple and straightforward process. It is covered in detail in his essay ‘destruction & creation’. The ideas here are summarized as follows: “[…] general-to-specific is related to deduction, analysis, and differentiation, while, specific-to-general is related to induction, synthesis, and integration” (Osinga, p.178). 

Thus, it is important to understand the process of breaking down information (destruction / analysis) and rebuilding it to form new ideas (creation / synthesis) or to recognize patterns in adversary behaviour (that can be used to predict outcomes and next steps). The previously mentioned elements influence both the analysis and the synthesis performed in the orient phase. The value here lies in understanding and recognizing that these factors play a role in analysis & synthesis and thus influence the decision-making process, and that these factors are personal and may change over time (excluding genetic heritage).

Note that the orient phase itself also contains a double-loop learning system, in which the mental model is continuously shaped by experience (learning) and the analysis & synthesis process itself.

4.3 Phase 3: Decide

The third phase in the OODA loop is the ‘decide’ phase, defined as: “[…] the component in which actors decide among action alternatives that are generated in the Orientation phase” (Osinga, p.271). This definition confirms that the result of the Orient phase is the synthesis of a number of alternatives. In the decide phase, a decision is made between these alternatives. Note that Boyd views this as a hypothesis that must be evaluated (acted on). Basically, in the ‘decide’ phase, the course of action is determined. That course of action is then executed in the last phase: Act. Note that the decide phase also feeds back into the observation phase. This means observations change as decisions regarding alternative courses of action are made. Thus, observations are not static and absolute, but part of the mental model.

4.4 Phase 4: Act

The final phase in the OODA loop is the ‘act’ phase. In the act phase, the hypothesis that was selected in the previous step is acted upon or implemented. In other words, the course of action is executed. This course of action is again directed by implicit guidance & control. Actions taken shape the entire environment, which will affect the adversary and the executor’s observation of that environment. Additionally, the actions themselves shape observations through altering the mental model (double-loop learning), just like in the ‘decide’ phase.

Next week, I will outline how the OODA loop can be used in cyber attacks.

References

[9] https://en.wikipedia.org/wiki/Double-loop_learning

