If you don't know where you are going, any road will get you there.

—Lewis Carroll

What is a strategy? It is a plan for achieving a specific goal, that which connects the ends to the means.

Strategy is in contrast to tactics, the specific actions taken during the plan's execution. In football (or basketball or soccer), strategy is developing the play-book. Tactics are calling the play. Strategy is determining which players to draft. Tactics are picking who starts a particular game.

The two terms are often used interchangeably, and admittedly, the differences can be clouded. But in CNE, there is a clear demarcation line: the moment the Attacker attempts to gain initial access. Strategy is everything done in preparation for this moment and the resulting operational life cycle. Tactics embody the execution after this moment.

Why does defining this line matter? Because it forces you to look beyond the tactic of the moment, the thing that will be irrelevant 6 months from now, and ask questions like, “What training programs should be developed?” or “Where is redundancy necessary and where is it wasteful?” These are important questions to answer to build a program of operations, and they are above individual tactics.

Crafting a successful strategy requires a clearly defined goal. As detailed in Chapter 2, “The Attacker,” CNE goals are human in nature. With Stuxnet, the goal was the frustration of the Iranian nuclear program. With the attack on Sony Pictures, ...