by Andrea Little Limbago
In the cult classic trilogy Back to the Future, Doc claims, “Where we’re going, we don’t need roads.” He’s referencing 2015, and his assertion reminds us just how difficult it is to forecast the future of modern technology. The movies also remind us how tempting it can be to reflect on how things might have been. The current cyber security landscape is ripe for such reflection. What if you could go back in time, knowing what you know today, and alter the armed forces’ approach to cyber security? This was the focus of a dinner I recently had the privilege of attending at the United States Naval Academy Foundation (USNAF), which addressed the specific question,
“Knowing what you know now about cyber threats, cyber espionage, etc., if you could go back to the year 1999 (15 years ago), what advice would you give the armed forces regarding what is needed to prepare for the future…which is now. And how are we doing compared to what you would have said?”
Below are some of the key themes that emerged from this lively discussion, which brought together a diverse range of military, academic and industry perspectives—though unfortunately without the assistance of a Delorean to facilitate implementation of the recommendations. But it’s never too late, and many of these themes and recommendations can help inform future capabilities and the structure of the cyber workforce:
Cyber-safe as a Precondition, Not an Afterthought
For the last fifteen years, cyber security has been treated as a luxury, not a necessity. This has created a technical debt that is difficult but essential to overcome. The acquisition process and all of its warts is a critical component for implementing cyber-safe requirements and ensuring that everything is built to a pre-defined minimal requirement of cyber-safety. Cyber-safe as a precondition would have produced many unforeseen, but beneficial, externalities beyond the obvious ones of improved cyber security. For example, users who demand modern web experiences but are currently stuck using archaic web applications would have greatly benefited from this approach. Too often, analytic solutions must be compatible with a five-year old web browser (not naming names) that currently lacks available patches. A key challenge in the cyber domain – and really across the analytic spectrum – is creating modern applications for the community that are on par with their experiences in the unclassified environment. But in a world with cyber-safe as a requirement, users could benefit from modern web applications and all of the user-experience features and functionality that accompany modern web browsers. Data storage, indexing, processing, and many other areas well beyond data analysis would benefit from an a priori cyber-safe requirement for all technologies. Cyber-safe should not be viewed as an afterthought, and the armed forces must overcome significant technical debt to achieve greater cyber security.
Revolutionary, not Evolutionary, Changes to the Cyber Mindset
In addition to the technology itself, cyber practitioners are equally essential for successful cyber security. During the discussion, we debated the opportunities and challenges associated with greater inclusion of cyber experts who may follow what are currently viewed as non-traditional career tracks (i.e. little or no formal computer science experience). Including these non-traditional experts would require overcoming significant gaps in both pay and culture to attract many of the best and brightest in cyber security. While this may be a longer-term solution, several near-term and more tangible recommendations also emerged. The notion of a military version of the Black Hat conference (which I wrote about here) gained some traction within the group. This type of forum could bring together cyber practitioners across the military, academic and industry spectrum to highlight innovative research and thought leadership and ideally bridge the gap between these communities. There was also interest in formulating analogies in the cyber domain to current practices and doctrine—likely more geared toward tactical application and technical training, but pertinent at the strategic and policy level as well. Frameworks and analogies are useful heuristics, and should be emphasized to help evolve our thinking within the cyber domain.
Redefining Cyberwarriors
The US government has not been shy about its plans to dramatically expand its cadre of cyberwarriors. However, this usually entails an emphasis on STEM-centric training applied to information security. This is the bedrock of a strong cyber security foundation, but it is not enough. Everyone, regardless of discipline, must become cyber competent. The USNA has already started down this path ahead of most other academic institutions. Upon graduation, every student will have completed two core cyber courses, many take additional interdisciplinary cyber electives, and this year will be the second in which graduates can major in cyber operations. We discussed the need to further expand upon this core, especially in areas such as law that will enable graduates to navigate the complicated legal hurdles encountered within the cyber domain.
As expected with any paradigm shift, there has been resistance to this approach. Nevertheless, the USNA continues to push forward with dual cyber tracks – one for cyber operations majors, and another track for other majors to maintain cyber competency. This will pay great dividends in both the short and long term. Having now spent a significant amount of time with diverse groups of people from engineering, humanities and social science backgrounds, it is clear that linguistic and cultural divisions exist among these groups. Bridging this divide has longer-term implications for cyber competency both at the policy and tactical levels, and it can also spark innovation in the cyber security domain. It will ensure that cyber security technologists understand how their work fits into the larger mission, while similarly elevating technical cyber competency among military leaders and decision makers.
Expanding the notion of what constitutes a cyber warrior may in fact be one of the most important recommendations we discussed. Cyber can no longer be relegated to a niche competency only required for a small percentage of the workforce. The situation reminds me of quite possibly my favorite quote. When releasing the iPad a few years back, Steve Jobs noted, “It’s in Apple’s DNA that technology alone is not enough. It’s technology married with liberal arts, married with the humanities, that yields the results that make our hearts sing.” Knowing what we know now about the great potential for innovation in solutions that draw from technology as well as other disciplines, perhaps this same sort of cross-disciplinary competency can be applied equally to cyber challenges, which will only become more complex and post even greater challenges to our national interests.