Sun Tzu, the famous ancient chinese warrior/philosopher wrote the “The Art of War” about 2,500 years ago and his work has been greatly admired by many politicians, businessmen, military etc in modern days. His original masterpiece outlined the warfare strategies that is applicable not only for military, it can be used in business and security. One of his famous quotes is “Know yourself, know your enemy. A hundred battles a hundred victories.”. It means that generals who know themselves and their adversaries will triumph in all its battles. A general who knows only themselves or the adversaries, will face failures (Scott A Watson, 2007).
When applied to modern security environment, institutions must know its security measures well, including both its strengths and weaknesses. On top of that, institutions should also understand about its adversaries. They should identify them and know their motives and possible modus operandi.
There are many different ways to “know yourself and your enemy”. Some of these methods include security risk assessment, security audits, training, exercises, tests, intelligence gathering etc.
One effective way to know about oneself and the enemy is to think like an enemy. By using this critical thinking approach, one can “wear the hat” of the enemy and look at the institution from an outsider perspective. This may require detachment of emotions and associations with the institution and may be better achieved by an external party of the institution. The thinking process is then translated into action plan. This method is known is “Red Teaming” (Zenko, 2015).
What is Red Teaming?
In layman term, red team can sometimes be referred to as devil advocate. When someone says he plays devil advocate during a discussion, he acts the role of the “bad guy” or sceptic who takes on the opposing view with the rest. He challenges assumptions and throw “spanners”. Such actions will stir up the emotions, thinking and assumptions of the team and seek to gain different perspectives from the norm, with the aim of making better informed decision.
Red Teaming was popularized by the US military around 1950s during the Cold War (Zenko, 2015). It is now adopted by military, commercial and industrial entities around the world.
The Federal Aviation Authority (FAA) is one prominent organisation that leverages on the red teaming program to enhance airport security. FAA was directed by a 1990 Presidential Commission to develop “measures to improve testing of security systems” after the bombing of the Pan Am 103 in 1988. This led to the implementation of Red Teaming by FAA.
In Singapore, the use and application of Red Teaming was gradually implemented at various government entities after the 911 terror attack. Other non-government organisations with critical functions or facing high terrorist threats also follow suit to implement red teaming.
In 2018, the application of red teaming gained further traction when the Singapore Police Force (SPF) included red teaming as a criterion in the annual grading of all security agencies in Singapore. TODAY reported that “Operational procedures will be validated through red-teaming exercises, which use different scenarios to assess the effectiveness of security measures” (Ng, 2018). This strategic move by the SPF would lead to more institutions benefiting from the Red Teaming program.
PS: This is an extract of my upcoming new book “Red Teaming 101”. Look out for more posts and articles on the red teaming concepts, applications and stories.
References
Ng, K. (2018, February 13). Grading for security agencies tightened to improve industry standards. Retrieved from Today: https://www.todayonline.com/singapore/grading-security-agencies-tightened-improve-industry-standards
Scott A Watson. (2007). The Art of War for Security Managers. Elsevier.
Zenko, M. (2015). Red Team – How to succeed by thinking like an enemy.