The Give & Take Between the Department of Defense and the Tech Industry: Myths and What They Share

A series of Medium posts based on my new book, “An Approach to Machine Learning in Cyber Defense for the DoD”.

“An Approach to Machine Learning in Cyber Defense for the DoD,” available on amazon.com

The relationship between the Department of Defense and the tech industry on the subject of applied machine learning and artificial intelligence continues to be a contentious subject. I have had the pleasure and privilege of having one foot in each camp as an active member and participant for the past three years, and my conclusions can be summed up in two statements:

Both need one another in order for machine learning and other advanced technologies to actually make it to market/mission, and

Each side’s understanding of the other is based on gross misconceptions and ill-informed opinions.

The DoD and many large tech companies are some of the largest targets for cyber attacks globally.

The DoD and many large tech companies have extremely diverse and widespread missions that affect the world in profound ways.

The DoD and many large tech companies deal with a ton of data that will continue to grow exponentially over the coming years.

Great. So if these are some similarities, then what is the big deal with their differences? And where, if it is even possible, can the two forces meet in the middle?

The first question will be addressed in this post… the second, in a later post.

I would first ask the reader to consider whether the two forces should meet in the middle. Then, after much pondering, I would ask the reader: with the government constituting the largest spender on technology, is meeting in the middle inevitable? There is no right answer here; however, the question is always top of mind for me as I continue to form my opinions on the subject. Let’s gather information in the meantime to give us something to work with.

Here are their differences, and misconceptions:

The nature of the respective businesses differs, at least at first glance.

A company like Google, for example, states their mission to be a variation of organizing the world’s data and making it readily accessible to everyone.

The nature of the DoD’s mission… is hard to define. Some would say to protect the United States from foreign threats and keep the homeland (borders out) safe. But as we have seen after almost 18 years of being in various states of war… the US DoD, whether we like it or not, has become a form of global police force as well.

So, both entities have a global reach when it comes to mission.

In order for Google to truly accomplish its mission, people need access to its services. People need access to the internet, preferably unfettered access, which means internet infrastructure needs to be in place. It also means that issues like human rights and government censorship need to be addressed in order for data to truly be free-flowing and borderless. All of us know very well how a situation like this ends up for large companies if that is not the case (China’s relationship with large tech companies, for example, has been contentious at best in the past).

The world has a ways to go to get everyone online. Source.

You see where I am going here? In order for the world to produce more data and access all of it, the world needs to be a safer place altogether. Fundamental infrastructure, unfettered human rights to freedom of speech, and the reduction of government censorship are all elements that will profoundly affect the ability of a company like Google to accomplish its mission and reach true market potential.

So, your very very opinionated opinions aside… are the two sides more similar to one another? Or are we just dependent on each other for success?

Most hacked (attempted and data breaches) entities in the world. See full visualization here.

Why this is wrong: Consider the OPM breach in 2015 and the recent DISA breach in 2020. Had this happened to, let’s say, Google’s Gmail accounts, with the same widespread compromise in terms of % of accounts hacked, do you think Gmail would still be around? Check out Microsoft’s and Amazon Web Services’ publicly known client lists. If their cloud-hosted data was compromised (and no, we are not talking about customers leaving their S3 buckets unencrypted for the whole world to see), would those companies and their clouds still be in business?

No, probably not.

The tech sector’s need for security, it can be argued, might actually surpass the government’s need for security for one simple reason:

If a commercial entity’s services in the tech sector are considered compromised or breached, that company risks no longer existing in a handful of years. The government? Life goes on. It does not disappear.

Companies like Google have a vested interest, for the purpose of survival, in keeping their ad clicks going in a secure environment. Otherwise, most of their revenue disappears.

Why this is wrong:

While lethality is definitely what pops up in the movies the most when it comes to the subject of the Armed Forces, in fact, the lethal option is often the last option that anyone in the DoD wants to exercise when it comes to accomplishing the mission.

Think about it.

Why would any ranking officer in the DoD willingly put themselves and young soldiers in their charge at the risk of death if they knew there was another option to solving the problem?

Even during training, safety first. Lifejackets always.

Why would any ranking officer want to risk having civilian casualties from a failed mission attached to their name as a reputation, only to have it follow them around for the rest of their career?

The answer is: they don’t.

These situations tend to happen when the DoD is not armed with all of the data it could possibly have to enable fully informed decisions. Or, rather, they might have the data, but not the infrastructure, technology, or talent to put the data to use for them. Sounds like a common problem we hear about in the commercial sector, too. Except for a handful of DoD members and units, this oftentimes means lives on the line.

Notice the total % of lethal, combat specialty personnel in the DoD was estimated at 15% (post the height of the surge). Source.

Also consider the large apparatus that surrounds the DoD to make it function as a defense body. In order to be prepared for every possible catastrophe that could not only hit the nation but the world as a whole, about 60% or more of the DoD force could be safely labeled as “support”. These are your intelligence analysts, your doctors, your civil engineers, your cooks, your truck drivers, your IT helpdesk people (cheers!). And while all of them must be constantly prepared to go to war, when they are not at war, they have plenty of tasks to attend to at home. Like preparing to mobilize against natural disasters, building bridges and roads, and keeping the force healthy.

For curiosity’s sake: the % of support vs. combat functions in armies across the world. Source.

A day in data, handled mostly by large tech companies. See full infographic here.

The closest thing I could find to show how much data the DoD *might* have. Source.

Why this is wrong: I would not say this statement is outright wrong. It would be hard to compare the amount of data the DoD handles due to the issue of classified data volume being hard to measure in an unclassified setting.

What many tech companies and their employees do not realize is how data-rich the DoD and surrounding communities are. Eighteen years of war is no joke, let alone records and other data types that span back to before the internet was even around.

What might be the differentiator between the two entities is how they manage, deal with, organize, and consume their data sources. But when it comes to how much data… this might be a tough call for a winner.

While many at tech companies might not be able to fathom the data diversity and scale at the DoD, I also need to caution DoD members from underestimating how much data large tech companies might face.

One network engineer I interviewed for this study, working at a large tech company, mentioned that network security is almost never handled at the device level.

Because there are so many devices on the network, the tech company handles security and management of networked devices (thousands, if not millions) in an abstracted and automated manner. Nodes fade into abstracted clusters grouped by characteristics, traits, and behaviors.

Because there could never be enough engineers to handle watching each and every node on the network.

Stay tuned, and read my next post on how the tech industry and the Department of Defense could come together in a multitude of ways to not only bolster each other, but ensure neither one ceases to exist or is compromised in the future.
