A series of Medium posts based on my new book, “An Approach to Machine Learning in Cyber Defense for the DoD”.
“It’s much cheaper to make a much bigger effect.”
The last post in this series discussed how the Department of Defense and the commercial tech sector can come together in complementary ways rather than as opposing forces. This post will pivot a bit to discuss where the Department of Defense might find itself knee-deep (with rising waters) in technological risk.
Previously, I had mentioned risk in the context of age-old security checklists and audits as the primary approach the DoD takes to securing its cyber systems. The unfortunate truth is the DoD is rapidly building “tech risk debt” in ways far beyond gaping vulnerabilities in DoD infrastructure waiting to be exploited by state and non-state actors.
The Next Generation Asymmetric Threat
“You know ISIS isn’t out there worried about federal acquisition regulations. It’s an asymmetrical threat that the DoD is losing badly.”
Conducting cyber warfare is now a grossly inexpensive activity for anyone with a destructive streak and squishy morals to execute. Cyber warfare is not only cheap from the funding perspective, but from the resources perspective (from personnel to computational resources) as well.
The concept above contributes to the overarching area of asymmetric threats. Except now, we aren’t just talking ISIL and the Syrian Cyber Army.
We are looking at nation-state-level disturbances, such as the compromise of US and other western nations’ voting systems that might not have led to any significant tangible effects. While there were Russian troll farms and minor cybersecurity incursions on “just a handful” of detectable US electronic voting systems, the level of distrust in voting enablement systems is STILL felt today, as we approach another presidential election season in the United States. For very little cost and very little highly skilled labour, the Russian government managed to shake the heart of the western democratic empire of today: the integrity of the vote at the ballot box. In their silent wake, these online operations have left western nations questioning not only the integrity of their democratic systems, but also their own governments, which are charged with ensuring those systems and rights remain secure and infallible.
The Cyber Cold War
We are talking about a cold war that is invisible, brewing amongst nations building cyber power. The tension is near-invisible, but will mount to a cyber power that, when unleashed, can have catastrophic impacts.
Hospital systems, DMV electronic systems, and many other government-owned systems in countries such as the US and UK have already been silently held for ransom (literally and figuratively, cyber-attack speaking) for many years in the recent past (CITATION). And yet, somehow, this buildup of attacks on what might at first appear to be non-sensitive systems in the grand scheme of national security may in fact have catastrophic effects when, someday, the handful of coders on the other side of an exploit decide to go for the power grid of a small town or city. But until then, nation states will continue to hold back their true cyber power… until absolutely needed. Only then will they show their hand, if they must.
Falling Behind Old Technology
“At some point I think the Defense Science Board said you’re going to get so far behind you’ll never catch up.”
Last but not least… The DoD tends to compile its own tech risk debt by being… risk averse. I discuss this concept a lot in my book, and we will touch upon it here.
The line between catching up to current technologies and complete irrelevance is thin in the field of technology.
At the DoD, we often find systems being maintained “because they still work and get the job done.” The exploration of new and unconventional technologies is more often than not avoided because the act is uncomfortable, or explores uncharted space. Perhaps it is also due to the potential for failure (GASP!) or the hard work of getting new ideas integrated (a rough ride, I assure you) into the age-old institution of national defense. Or maybe it is because a government civilian wants to make it just to the next step of promotion, in order to hit the minimum of ten years to earn a forever-pension, and exploring a high-barrier-to-entry new technology is just not on that middle manager’s list of career goals.
There are absolutely no excuses for this practice to be in existence. The Defense Department, with its vast resources and colossal budget, has the potential to amass a center of gravity of technical resources so great it could prove to be an actual contender in the cyber space. The DoD should not be forcing the engineer to work on antiquated systems. If technical practices, systems and resources are not at the pace of technical development today, then technology and security practices together become irrelevant at the same speeds.
All of the factors above, but especially the last, lend themselves very seriously to a follow-on topic that will be addressed… the issue of technical talent recruitment and retention.