In Cyber-Defense, Good Enough is Far Better Than Perfect - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
DevOps
Commentary
4/4/2018
02:00 PM
Col. Jeffrey Collins, Air Force CyberWorx
Col. Jeffrey Collins, Air Force CyberWorx
Commentary
50%
50%

In Cyber-Defense, Good Enough is Far Better Than Perfect

Agile and DevOps concepts help businesses get the basics of applications to market quickly, and those same concepts can help prepare the military for its challenges.

In 2015, the National Security Agency’s hacking group, Tailored Access Operations, lost code that it uses for spying to hackers working for the Russian government. Following the breach, the NSA had to develop new tools, patch newly-exposed vulnerabilities, and harden its systems swiftly, before Russia could use its own technology against it.

Today, those tools are still being developed and patches being applied. Many of the vulnerabilities are still there.

Why did swiftly not happen?

Because in government, as in much of business, cyber security software development and response times are too slow. The relationship between software development and software operations is still configured for the machine age. In this old environment, stakeholders conceptualize an ideal solution to a problem, write specs, discuss and analyze them, design the software, build it, test it, and then, finally, deploy it. This is called the waterfall method: everything flows downhill from the top.

The NSA had already been compromised by Edward Snowden’s massive leak in 2013. Yet a review of the NSA’s security improvements concluded in 2016 that although there had been some, the NSA had not effectively reduced the number of user accounts with privileged access, which provides them with more avenues into sensitive data than normal users, nor fully implemented technology to oversee these accounts’ activities.

There is a much better way to defend an organization against cyber-attacks: by deploying the rapid development techniques of DevOps.

Enabling Cyber-Security with DevOps

Real-time responses to real-time threats and opportunities demand a development model suited to the cyber age. It takes just a few days (if that) for our enemies to reverse-engineer a newly-released commercial software patch. Consequently, we must develop and apply patches and tools continuously. We can only do that if we design them to do the necessary job for the lowest cost – if we build the minimum viable product. Doing so frees engineers to work on the problem that needs solving, considering the people who will use it (this is called human-centered design), and not so much the specs. It allows them to develop the immediately-needed solution, not the perfect one. In truth, there are no perfect solutions – not for long – because the cybersecurity battleground is continually evolving.

If something breaks in this optimally configured and DevOps-enabled cybersecurity environment, it gets fixed. Swiftly. If something works, it’s scaled and improved. This accelerates the process and allows engineers and operators to work together to leverage new capabilities (such as artificial intelligence). A DevOps environment also increases cognitive diversity and encourages rapid innovation at the edge (not at headquarters) where warfighters and business people operate and need to innovate to win. 

The U.S. Air Force created CyberWorx in 2016 – a public-private design center at the Air Force Academy – to accelerate our DevOps environment in partnership with technology companies that could help us think differently and acquire new capabilities. For example, we needed a better way to report anomalies in cyberspace to our cybersecurity professionals – anomalies that could indicate a potential attack, or one underway. Working in agile sprints, three companies collaborated with us to provide our cyber pros with a more comprehensive, crowd-sourced picture of what was happening, and present it in a way that would make sense to a user – that is, a human-centered design that lets operators see changes fast.

The need for speed in the military is self-evident. In conflicts based on information (as they all are, to some degree), winning means moving faster than the opposition, improving the speed of sound decision-making while degrading the enemy’s. OODA loop speed (Observe, Orient, Decide, Act) is only increasing as machine learning and artificial intelligence support and secure operations faster and more effectively than humans working by themselves ever could.

In business, especially in finance, the speed of transactions (and the speed with which they can be disrupted by bad actors) requires that infiltrations be identified and responded to in moments. Global banks have recognized this and are becoming increasingly agile in their IT and security departments.

Unfortunately, in many businesses security is still based on people sitting in front of screens looking for intrusions. This is called “swivel-chairing” and, naturally, it’s slow and error prone. To respond quickly enough, and more quickly than humans can, cybersecurity must be automated. Netflix, for example, has built tools that monitor changes to security configurations, flag when a change should be more closely examined, and rank them according to the level of risk. “The only realistic way of maintaining security in an environment that grows so rapidly and changes so quickly is to make it automation first,” says Netflix director of engineering in cloud security Jason Chan.

Making cybersecurity responsive enough also will require that procurement professionals be rewarded for their agility, acquiring minimum solutions that apply at the bottom and middle edges of organizations, not behemoths applied from the top down. Agile procurement will help our airmen, soldiers, sailors, and Marines to innovate at speeds consistent with modern warfare and economic realities.

In the military, it has become axiomatic that you go to war with the weapons you are going to have tomorrow. Business calls this an innovation mindset.

Realistically, in both business and war, it should be called survival.

                                                                    

Col. Jeffrey A. Collins directs Air Force CyberWorx, a public-private design center at the Air Force Academy focused on cyber capabilities and melding military, academic and industry expertise to solve problems. Before his assignment to CyberWorx, Col Collins was Deputy Director for Air Force Cyberspace Strategy and Policy, at the Pentagon. The views expressed here are his own and do not necessarily reflect those of the Air Force or Department of Defense.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
Enterprise Guide to Edge Computing
Cathleen Gagne, Managing Editor, InformationWeek,  10/15/2019
News
Rethinking IT: Tech Investments that Drive Business Growth
Jessica Davis, Senior Editor, Enterprise Apps,  10/3/2019
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll