Opinion

How a pandemic can kickstart cyber lessons

I used to work for a crusty four-star general who, in times of intense combat activity, often asked “what are we learning today?” The general was asking the question as he wanted us to focus on what was working and what wasn’t. His intent was to keep us agile and always look for better ways of executing our mission and protecting our troops. If the old way wasn’t meeting our needs, we had to rethink and find a new and better way to get the job done; even in combat. Now, with COVID-19 causing a wholly different type of stressful activity, we should be asking ourselves that general’s simple question, “what are we learning today?”

The lessons learned during the COVID-19 shelter-in-place are piling up and should prompt us to rethink how we operate, train and equip our organizations as we look to move forward. Just because we survived today, doesn’t necessarily mean we will survive tomorrow if we embrace today’s thinking and solutions too tightly. The Department of Defense needs to be as agile in intellectual maneuver now as it demands itself to be in combat.

Perhaps more than any other organization, the DoD has the most difficult organizational inertia confronting the opportunity to rethink everything. This is especially true for DoD information technology and cybersecurity organizations. Nevertheless, now’s the time for leaders at all levels to pause and ask, “What are we learning today?” Now is the best time to challenge conventional thought and rethink everything.

Rethink your strategy

Current cybersecurity strategy is built on the perimeter-based defense-in-depth security strategy, which arguably is the same strategy employed by Alexander, Sun Tzu, Clausewitz and countless other generals for centuries. While that strategy worked for them, they didn’t have the Internet. Because we do, we need to rethink our cybersecurity strategy. Those organizations that adopted the Zero Trust security strategy are demonstrating greater resilience and agility, reduced cost of operations and better performance during this crisis. The DoD has been “analyzing” Zero Trust for years and needs to overcome organizational “paralysis by analysis.” Stop talking about implementing the Zero Trust security strategy. You are late-to-need. Be decisive and start implementing it.

Rethink your architecture

The Internet is not a static domain constrained by and reliant on DoD Architectural Framework standards. During this COVID-19 crisis, I have been paying close attention to a social media-hosted group of Air Force cyber officers, who are engaged in a highly charged conversation on how to get their mission accomplished from home despite the architectural and technical barriers presented by the DoD’s antiquated technology architecture. Some have called these barriers a “self-induced denial-of-service attack.” These officers, who are highly trained and skilled cyber specialists, find it incredibly difficult to configure their systems and operate in today’s environment. Imagine the chagrin of the non-technical personnel trying to get their job done! Many of these cyber officers were amazed to discover the capabilities of Zoom, WebEx, Teams and other collaboration platforms that industry has been employing for years while DoD architectures cloistered them from use. We need to rethink our DoD architectures in the original spirit of the Internet: design so that you can securely execute your duties regardless of where you physically are and on any device. We need an agile military that can freely maneuver in any domain. Today’s military is shackled by an architecture that results in our troops having greater ability to maneuver in cyberspace at home on their own systems. Now is the time to rethink our architecture while rapidly testing and adopting new technologies and operational cyberspace employment constructs.

Rethink your team

Our DoD does a great job of developing officers to be experts in the profession of arms yet our military and its culture are becoming increasingly insular and reliant on what President Dwight Eisenhower called the “military-industrial complex.” In most cases, our bases, posts, camps, and stations have become gated communities surrounded by “company towns.” We need a military, including its invaluable civil servant workforce, that has breadth and depth beyond the “military-industrial complex” bubble. We ought to rethink how we train and educate our teams, such as investing significantly more in education with industry programs while redefining professional military education to largely a continuous online model. We ought to rethink the size and composition of our cyber teams, which are framed by traditional military organizational structures rather than dynamic mission needs. We need to better integrate the skills and experiences of our reserve and Guard workforce into our cyber teams, rather than as an independent adjunct to them. We also should deliberately consider broadening the composition of our teams to foster diversity of thought by actively seeking and encouraging contrarian views.

Bolstered by the tenets of the Goldwater-Nichols Act and successes on the battlefield, our DoD enjoys great amiability and esprit de corps. This should make us wary because as Irving Janis observed, “The more amiability and esprit de corps there is among the members of a policy-making ingroup, the greater the danger that independent critical thinking will be replaced by groupthink, which is likely to result in irrational and dehumanizing actions directed against outgroups.” Within the DoD we have too many organizations that are comfortable with the status quo and content to continue to “pave cow paths.” Groupthink is difficult to see from the inside, so leaders need to be on guard. Now is the time to rethink our teams, broaden our intellectual and observational aperture outside of the “military-industrial complex” bubble, and foster more critical independent thinking

Rethink your information sources

I recently met an outstanding senior Army officer while discussing the Zero Trust security strategy. She was very enthusiastic about Zero Trust and advised she and her team had gone to Silicon Valley to learn all about it. While there they visited the home offices of the companies that have dedicated sales personnel assigned to her unit. When I asked whether her team considered visiting businesses that had already successfully implemented the strategy instead of making the pilgrimage to Silicon Valley companies that were trying to sell her organization something, she looked at me as if I had a third eye growing out of my forehead (as someone accused of heretical thinking, I get that a lot, by-the-way.) All too often, we limit our frame of reference by falling into the trap of going with who and what you know. During my time in the military and in government, I saw too many senior executives and officers traipsing out to California in search of innovation.

News flash: innovation comes from people and not places! Innovative people creating new ideas and capabilities are everywhere. When we continue to tap the same sources, often we get the same answers despite the questions changing. DoD leaders at all levels should continually rethink their sources of information and develop the next generation of leaders to do the same. Great ideas aren’t just found in California or solely in the United States. Our DoD culture should reward inquisitiveness, investigation, and actively seek non-traditional sources of information that leads to opportunity.

I’m now about the same age that crusty four-star general was when he asked me and my peers, “What are we learning today?” I am asking you the same question. Now is the time for leaders at all levels to take a critical look at the current environment with an eye to our desired future. It is time to rethink everything.

Retired Air Force Brig. Gen. Greg Touhill was the first federal chief information security officer for the United States government. He is the president of AppGate Federal.

Recommended for you
Around The Web
Comments