In essence, what government faces is a trade-off between agility and scale. Agencies can be quick and responsive at a small scale, like the AMWG was, but growth often requires bureaucratic processes that stifle speed. The problem is that today’s cyber threats demand both agility and scale. Those threats operate on timescales that demand agility, and at the same time can touch so many aspects of life that they require significant coordination within and outside of government. An effective response to these threats may require input from law enforcement, intelligence agencies, telecommunications regulators, and private industry. Achieving that level of coordination on the timescales required to change the adversarial decision calculus puts government in a double bind: It can respond effectively, but late; or respond on time, but in a manner that is uncoordinated and likely ineffective.
The agility versus scale trade-off means that if government is to adopt an adversary focused approach to cyber, it must first start with some internal innovations that can break that trade-off. Government agencies and commercial companies alike have found ways to break the trade-off and be agile at scale.22 Those innovations can allow government to coordinate at the speed and scale required by the adversary focused approach.
The innovations that can break the trade-off
Innovations are not restricted to merely new technologies. One textbook definition of an innovation is anything that breaks a trade-off.23 The innovations government needs to achieve coordination at the speed and scale required for adversary focused cyber can be anything from new technologies to new strategies to new business practices.
Government has been slowly discovering some of those innovations as it tentatively explores scaling cyber missions. New doctrines such as “defend forward” and “persistent engagement” can be seen in the long tradition of doctrinal innovations in national security.24 Similarly, new organizations such as the Cybersecurity and Infrastructure Security Agency and US Department of Defense cyber mission teams helped to resolve difficult trade-offs as organizations assumed new cyber missions.
Yet, the innovations deployed so far don’t sufficiently address adversaries’ decision threshold. The adversary focused approach to cyber demands coordination across all government agencies that exercise national cyber power. But since the challenges of scale—complexity, fragility, fixedness, and vulnerability—stand in the way of achieving that coordination at the speed and scale required, government needs innovations that can tackle each one.
Reducing complexity: AI-human teaming
In older eras, commanders could use maps or spyglasses to easily see where their forces were and where the enemy was attacking. Today’s cyber leaders have the same need, but with billions of internet end points, no human mind can contain all of the information needed. What is needed is technological innovation bringing together artificial intelligence (AI) and data visualization to make vast volumes of cyber data digestible to human leaders. Tools such as Project IKE, a tool developed by the Defense Advanced Research Projects Agency (DARPA) that is newly deployed to US Cyber Command, can collate and curate the right data, allowing 3D visualization software such as Immersive Wisdom to literally ‘show’ human operators the nonphysical environment of cyberspace. With those tools, human operators can spend less time sifting through network data and more time making mission decisions much as intelligence analysts are beginning to do today with AI.25
Reducing fragility: A real-time shared picture for faster decision-making
Fragility is really a problem of agility. Highly efficient processes often cannot adapt quickly enough to changing circumstances. If government wishes to reduce fragility in cyber decision-making, it needs to speed the pace of its own decision-making, across all the agencies involved.
Countering fragility is really a two-step process: First, all agencies need a real-time shared picture of the world; and second, leaders need decision supports to help them formulate courses of action in such a complex world. Creating a real-time, shared picture of the cyber environment is difficult not only because of the complexity of the environment, as discussed above, but also because much of the data will be highly classified and hard to share. But solutions to these problems already exist. For example, cross-domain intelligence-sharing can help create an environment where agencies can seamlessly make data discoverable to those who need it and have a right to access it.26 Then, with a shared understanding of the operating environment, leaders need decision supports to help them understand how their actions will impact the adversary and even the plans of other agencies. For example, how will an offensive cyber operation impact the adversary or degrade ongoing influence operations? AI can again help with these questions, as demonstrated by DARPA’s Deep Green program more than a decade ago, but ultimate success depends on all cyber leaders working from a common picture toward a shared goal.27
Reducing fixedness: National leadership
If faster decision-making depends on leaders sharing a common picture and common goals, technology can help with the common picture, but common goals can come only from unified leadership. Some central cyber leadership structure is necessary, whether on the national security council staff or as a stand-alone executive position. This central leadership can produce a coherent vision for the exercise of national cyber power so that each agency can act quickly on its own initiative but still stay assured that their collective actions are helping achieve larger ends.
More than just a strategy document, cohering around common goals is about creating common organizational culture. Government is no stranger to creating common cultures from many diverse organizations. Organizations such as the Office of the Director of National Intelligence and legislation such as the Goldwater-Nichols Act have helped create communities out of individual agencies. National cyber leadership can serve a similar role in building social coordination on cyber via rotational assignments, joint duties, common training curricula, and more.28
Reducing vulnerability: Make vulnerabilities visible
A nation’s cyber vulnerabilities often arise from hidden interdependencies. Government may not be aware of who is making its technology, and companies may not be aware of whom they are depending on for their hardware and services. Making all of these interdependencies visible can help leaders in both government and industry take appropriate actions to mitigate the risk, essentially shaping the norms of the cyber environment.
Supply chain illumination tools can share details on government suppliers, and their suppliers in turn, down several tiers, to help see what is really going into their technology. Similarly, mandatory disclosure laws can help ensure that once vulnerabilities are identified in commercial products, they do not spread unseen and compromise even more organizations. These changes may be uncomfortable at first for both government and industry, but they represent the first steps toward a mindset of collective defense. The mindset that we are so interconnected we are all in this together is the cornerstone for reducing vulnerability in a complex cyber environment.
Technology is always advancing, and there will always be new vulnerabilities. What matters most is the capability and intent of adversaries to exploit those vulnerabilities. Therefore, long-term cybersecurity rests on government’s ability to coordinate all the functions of national power against the decision calculus of each adversary. But to do that coordination at the speed and scale required takes new innovations in government technology and organization. With those innovations, governments can do what today seems impossible: live in a world free of massive cyberattacks.