In 2015, the National Security Agency’s hacking group, Tailored Access Operations, lost code that it uses for spying to hackers working for the Russian government. Following the breach, the NSA had to develop new tools, patch newly-exposed vulnerabilities, and harden its systems swiftly, before Russia could use its own technology against it.
Today, those tools are still being developed and patches being applied. Many of the vulnerabilities are still there.
Why did swiftly not happen?
Because in government, as in much of business, cyber security software development and response times are too slow. The relationship between software development and software operations is still configured for the machine age. In this old environment, stakeholders conceptualize an ideal solution to a problem, write specs, discuss and analyze them, design the software, build it, test it, and then, finally, deploy it. This is called the waterfall method: everything flows downhill from the top.
The NSA had already been compromised by Edward Snowden’s massive leak in 2013. Yet a review of the NSA’s security improvements concluded in 2016 that although there had been some, the NSA had not effectively reduced the number of user accounts with privileged access, which provides them with more avenues into sensitive data than normal users, nor fully implemented technology to oversee these accounts’ activities.
There is a much better way to defend an organization against cyber-attacks: by deploying the rapid development techniques of DevOps.
Enabling Cyber-Security with DevOps
Real-time responses to real-time threats and opportunities demand a development model suited to the cyber age. It takes just a few days (if that) for our enemies to reverse-engineer a newly-released commercial software patch. Consequently, we must develop and apply patches and tools continuously. We can only do that if we design them to do the necessary job for the lowest cost – if we build the minimum viable product. Doing so frees engineers to work on the problem that needs solving, considering the people who will use it (this is called human-centered design), and not so much the specs. It allows them to develop the immediately-needed solution, not the perfect one. In truth, there are no perfect solutions – not for long – because the cybersecurity battleground is continually evolving.
If something breaks in this optimally configured and DevOps-enabled cybersecurity environment, it gets fixed. Swiftly. If something works, it’s scaled and improved. This accelerates the process and allows engineers and operators to work together to leverage new capabilities (such as artificial intelligence). A DevOps environment also increases cognitive diversity and encourages rapid innovation at the edge (not at headquarters) where warfighters and business people operate and need to innovate to win.
The U.S. Air Force created CyberWorx in 2016 – a public-private design center at the Air Force Academy – to accelerate our DevOps environment in partnership with technology companies that could help us think differently and acquire new capabilities. For example, we needed a better way to report anomalies in cyberspace to our cybersecurity professionals – anomalies that could indicate a potential attack, or one underway. Working in agile sprints, three companies collaborated with us to provide our cyber pros with a more comprehensive, crowd-sourced picture of what was happening, and present it in a way that would make sense to a user – that is, a human-centered design that lets operators see changes fast.
The need for speed in the military is self-evident. In conflicts based on information (as they all are, to some degree), winning means moving faster than the opposition, improving the speed of sound decision-making while degrading the enemy’s. OODA loop speed (Observe, Orient, Decide, Act) is only increasing as machine learning and artificial intelligence support and secure operations faster and more effectively than humans working by themselves ever could.
In business, especially in finance, the speed of transactions (and the speed with which they can be disrupted by bad actors) requires that infiltrations be identified and responded to in moments. Global banks have recognized this and are becoming increasingly agile in their IT and security departments.
Unfortunately, in many businesses security is still based on people sitting in front of screens looking for intrusions. This is called “swivel-chairing” and, naturally, it’s slow and error prone. To respond quickly enough, and more quickly than humans can, cybersecurity must be automated. Netflix, for example, has built tools that monitor changes to security configurations, flag when a change should be more closely examined, and rank them according to the level of risk. “The only realistic way of maintaining security in an environment that grows so rapidly and changes so quickly is to make it automation first,” says Netflix director of engineering in cloud security Jason Chan.
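The "monitor, flag, rank" pattern described above can be sketched in a few dozen lines. The example below is added here and is not Netflix's tooling or anything from the article: it diffs two constructed snapshots of a cloud-style security configuration, turns every drifted setting into a finding, and orders the findings by a risk score so the changes that most deserve a human look (an SSH rule opened to the internet, a storage bucket made world-readable) surface first. The resource names, settings, rules and weights are all illustrative assumptions.

```python
"""Rank security-configuration drift by risk (added illustrative example).

Not Netflix's code and not part of the original article. Snapshots,
rules and scores below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Any, Callable, List, Tuple

# Constructed "yesterday" snapshot: resource -> setting -> value
BASELINE = {
    "sg-web": {"ingress_22_cidr": "10.0.0.0/8", "ingress_443_cidr": "0.0.0.0/0"},
    "bucket-logs": {"public_read": False, "versioning": True},
    "role-admin": {"mfa_required": True, "max_session_hours": 1},
}

# Constructed "today" snapshot: three settings have drifted
CURRENT = {
    "sg-web": {"ingress_22_cidr": "0.0.0.0/0", "ingress_443_cidr": "0.0.0.0/0"},
    "bucket-logs": {"public_read": True, "versioning": True},
    "role-admin": {"mfa_required": True, "max_session_hours": 12},
}


@dataclass(frozen=True)
class Finding:
    resource: str
    setting: str
    old: Any
    new: Any
    score: int
    reason: str


# Hypothetical risk rules: (setting, predicate(old, new), score, reason).
# The first matching rule decides the score; changes that only reduce
# exposure fall through to DEFAULT_SCORE but are still listed.
RULES: List[Tuple[str, Callable[[Any, Any], bool], int, str]] = [
    ("ingress_22_cidr", lambda old, new: new == "0.0.0.0/0", 90, "SSH exposed to the internet"),
    ("mfa_required", lambda old, new: new is False, 85, "MFA no longer required"),
    ("public_read", lambda old, new: new is True, 80, "storage made world-readable"),
    ("versioning", lambda old, new: new is False, 60, "object versioning disabled"),
    ("max_session_hours", lambda old, new: new > old, 30, "session lifetime lengthened"),
]
DEFAULT_SCORE = 10   # any other change is still queued for review, just lower
MISSING = object()   # marker for a setting or resource absent from one snapshot


def score_change(setting, old, new):
    """Return (score, reason) for a single changed setting."""
    for name, pred, score, reason in RULES:
        if name == setting and old is not MISSING and new is not MISSING and pred(old, new):
            return score, reason
    if new is MISSING:
        return 50, "setting or resource removed"
    if old is MISSING:
        return 20, "new setting or resource appeared"
    return DEFAULT_SCORE, "changed, no specific rule"


def rank_changes(baseline, current):
    """Diff two snapshots and return findings, riskiest first."""
    findings = []
    for resource in sorted(set(baseline) | set(current)):
        old_res = baseline.get(resource, {})
        new_res = current.get(resource, {})
        for setting in sorted(set(old_res) | set(new_res)):
            old = old_res.get(setting, MISSING)
            new = new_res.get(setting, MISSING)
            if old == new:
                continue  # no drift on this setting
            score, reason = score_change(setting, old, new)
            findings.append(Finding(resource, setting, old, new, score, reason))
    # Highest score first; resource/setting as a stable tie-breaker
    return sorted(findings, key=lambda f: (-f.score, f.resource, f.setting))


if __name__ == "__main__":
    for f in rank_changes(BASELINE, CURRENT):
        print(f"{f.score:3d}  {f.resource}.{f.setting}: {f.old!r} -> {f.new!r}  ({f.reason})")
```

In practice the snapshots would come from a periodic export of the real configuration rather than hard-coded dictionaries, and the rule table would be the part a security team iterates on in short cycles, exactly the kind of small, continuously improved tool the paragraph argues for.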
Making cybersecurity responsive enough also will require that procurement professionals be rewarded for their agility, acquiring minimum solutions that apply at the bottom and middle edges of organizations, not behemoths applied from the top down. Agile procurement will help our airmen, soldiers, sailors, and Marines to innovate at speeds consistent with modern warfare and economic realities.
In the military, it has become axiomatic that you go to war with the weapons you are going to have tomorrow. Business calls this an innovation mindset.
Realistically, in both business and war, it should be called survival.
Col. Jeffrey A. Collins directs Air Force CyberWorx, a public-private design center at the Air Force Academy focused on cyber capabilities and melding military, academic, and industry expertise to solve problems. Before his assignment to CyberWorx, Col. Collins was Deputy Director for Air Force Cyberspace Strategy and Policy at the Pentagon. The views expressed here are his own and do not necessarily reflect those of the Air Force or Department of Defense.