In Cyber-Defense, Good Enough is Far Better Than Perfect
Agile and DevOps concepts help businesses get the basics of applications to market quickly, and those same concepts can help prepare the military for its challenges.
In 2015, the National Security Agency’s hacking group, Tailored Access Operations, lost code that it uses for spying to hackers working for the Russian government. Following the breach, the NSA had to develop new tools, patch newly-exposed vulnerabilities, and harden its systems swiftly, before Russia could use its own technology against it.
Today, those tools are still being developed and patches being applied. Many of the vulnerabilities are still there.
Why did swiftly not happen?
Because in government, as in much of business, cyber security software development and response times are too slow. The relationship between software development and software operations is still configured for the machine age. In this old environment, stakeholders conceptualize an ideal solution to a problem, write specs, discuss and analyze them, design the software, build it, test it, and then, finally, deploy it. This is called the waterfall method: everything flows downhill from the top.
The NSA had already been compromised by Edward Snowden’s massive leak in 2013. Yet a review of the NSA’s security improvements concluded in 2016 that although there had been some, the NSA had not effectively reduced the number of user accounts with privileged access, which provides them with more avenues into sensitive data than normal users, nor fully implemented technology to oversee these accounts’ activities.
There is a much better way to defend an organization against cyber-attacks: by deploying the rapid development techniques of DevOps.
Enabling Cyber-Security with DevOps
Real-time responses to real-time threats and opportunities demand a development model suited to the cyber age. It takes just a few days (if that) for our enemies to reverse-engineer a newly-released commercial software patch. Consequently, we must develop and apply patches and tools continuously. We can only do that if we design them to do the necessary job for the lowest cost – if we build the minimum viable product. Doing so frees engineers to work on the problem that needs solving, considering the people who will use it (this is called human-centered design), and not so much the specs. It allows them to develop the immediately-needed solution, not the perfect one. In truth, there are no perfect solutions – not for long – because the cybersecurity battleground is continually evolving.
If something breaks in this optimally configured and DevOps-enabled cybersecurity environment, it gets fixed. Swiftly. If something works, it’s scaled and improved. This accelerates the process and allows engineers and operators to work together to leverage new capabilities (such as artificial intelligence). A DevOps environment also increases cognitive diversity and encourages rapid innovation at the edge (not at headquarters) where warfighters and business people operate and need to innovate to win.
The U.S. Air Force created CyberWorx in 2016 – a public-private design center at the Air Force Academy – to accelerate our DevOps environment in partnership with technology companies that could help us think differently and acquire new capabilities. For example, we needed a better way to report anomalies in cyberspace to our cybersecurity professionals – anomalies that could indicate a potential attack, or one underway. Working in agile sprints, three companies collaborated with us to provide our cyber pros with a more comprehensive, crowd-sourced picture of what was happening, and present it in a way that would make sense to a user – that is, a human-centered design that lets operators see changes fast.
The need for speed in the military is self-evident. In conflicts based on information (as they all are, to some degree), winning means moving faster than the opposition, improving the speed of sound decision-making while degrading the enemy’s. OODA loop speed (Observe, Orient, Decide, Act) is only increasing as machine learning and artificial intelligence support and secure operations faster and more effectively than humans working by themselves ever could.
In business, especially in finance, the speed of transactions (and the speed with which they can be disrupted by bad actors) requires that infiltrations be identified and responded to in moments. Global banks have recognized this and are becoming increasingly agile in their IT and security departments.
Making cybersecurity responsive enough also will require that procurement professionals be rewarded for their agility, acquiring minimum solutions that apply at the bottom and middle edges of organizations, not behemoths applied from the top down. Agile procurement will help our airmen, soldiers, sailors, and Marines to innovate at speeds consistent with modern warfare and economic realities.
In the military, it has become axiomatic that you go to war with the weapons you are going to have tomorrow. Business calls this an innovation mindset.
Realistically, in both business and war, it should be called survival.
Col. Jeffrey A. Collins directs Air Force CyberWorx, a public-private design center at the Air Force Academy focused on cyber capabilities and melding military, academic and industry expertise to solve problems. Before his assignment to CyberWorx, Col Collins was Deputy Director for Air Force Cyberspace Strategy and Policy, at the Pentagon. The views expressed here are his own and do not necessarily reflect those of the Air Force or Department of Defense.
The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2018 State of the CloudCloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Cybersecurity Strategies for the Digital EraAt its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.