DoD must act like a startup to meet cyberthreat [Commentary]


We are operating in an environment that has a blend of old and new. While the new has begun to impact the old, all of this is impacting our mindsets and our traditional operational models. No one should argue the implications of cyberattacks on the political environment as it relates to a nation’s conflict. After covering the cyber conflict domain for more than 15 years, arguably the greatest area of impact based on what we have seen so far is economic. Each and every year, new and more troubling information comes out about the expansion of the cyber domain and the increase in the number of cyberthreats, as well as the increase in frequency of cyberattacks.

To say things are changing is a huge understatement when you look at all that is going on these days in the national security space. Look at the current threat environment and the numerous threat actors that are out there and that we must defend against. Look at the widespread availability of advanced weaponry and the ease with which they can be acquired give the internet, especially the dark web. Look at the all the advanced cyber weapons that are currently available, and put that in context to the cyber target-rich environment we have today, which is rapidly expanding due to emerging technologies. Clearly this is the most dynamic time that I have experienced in my lifetime, and chances are that you feel the same.

Given the dynamics of the cyberthreat environment, we must change and adapt to this environment immediately — or risk failing and falling behind. Perhaps part of the answer to this issue is for the defense and intelligence organizations and industry players to think and act like a startup! To do so, out-of-box thinkers must be embraced and used on a continuing basis by all of the defense and intelligence organizations. While participating at a recent event, the insightful, intelligent, frequently heated banter and out-of-the-box thinkers were far from being embraced by many of the participants from the military and intelligence organizations. They looked down upon this, and their facial expressions were quite telling. The interactions did not fit into the nice, orderly fashion that is associated with traditional thinking around military defense and intelligence collection by the established entities.

The mindset of one out-of-boxer was quickly dismissed and considered by many as being disruptive — he was quickly cut off. At that point, a glimmer of light surfaced. An individual in the national security space interrupted the interrupter and said: “No, let’s hear him out. I want to hear more about this idea.” That stuck in my mind, and it became clear that the innovative and creative construct that was being offered was highly disruptive to well-established mental models that are in use today within the military and intelligence communities. It was extremely evident the out-of-box thinker was not the most articulate individual, and that added to the issue! It was evident to some after further thought that the idea showed great promise. It was truly innovative and departed from traditional thinking — a significant departure. A small group informally discussed this over lunch, and it was clear the idea that was presented was a cyber-force multiplier. It addressed the budget constraints as well as the growing shortage of properly skilled cyber resources that is plaguing the defense and private sector and is only projected to get worse.

Recent analysis indicates that due to the highly expansive cyber operating space, the shortage of skilled cybersecurity workers hit 1 million in 2016 and is projected to grow to about 1.5 million by 2018. Note: This is driving up the cost of highly qualified resources, and that trend is not likely to change anytime soon. This will drive the overall costs of national cybersecurity higher, and the organizations need to respond applicably.

Given the figures above, a cyber-force multiplier is a necessity for all those in the military, intelligence, government and private sector. The advice rendered to individuals that have the mindset to bring up the construct was to at least submit it as a Small Business Innovation Research application to the Department of Defense and the intel community — since it was an out-of-box approach, he may have to force-fit into one to their predefined categories. Let’s all hope they evaluate it on its merits and the value it brings from helping to mitigate the human resource crisis we have entered in cybersecurity from a national security space. Perhaps one of the biggest threats we face is resistance to out-of-box thinking and the change those ideas could bring!