By John Myers
In my first two posts, I covered two overarching points: first, the industry desire to recruit and retain cyber professionals who are “best in breed” as the initial cadre for cyber operations programs; second, the rationale behind hiring this talent: the need to build mission-tailored cyber security programs requires this initial cadre to have a breadth of experience and a direct connection to the mission.
In building its cyber force, the US military has not taken this approach. The initial cyber cadre was often recruited from non-cyber disciplines. Further, future cyber professionals are going through stovepiped training pipelines. In the commercial sector, stovepiping for cyber operations is strongly avoided, and multi-disciplinary personnel are heavily sought after. It is important to recognize, however, that stovepiped training pipelines may make sense for the military. The sheer number of personnel and multitude of missions make it nearly impossible to build meaningful numbers of multi-disciplinary individuals. This does, however, increase the need for leadership with the breadth necessary to formulate tangible strategy and translate it into operational guidance.
Trying to apply the core principles that forward-leaning tech companies use is non-trivial for the military. It is unreasonable to assume the military can easily recruit amazing talent and make an instant culture change to help ensure its cyber corps is integrating with mission owners and has all the tools necessary to build mission-tailored cyber programs.
There is, however, one concept that could be useful for the military to borrow: the increasing use of senior security architects in commercial industry. The security architect role grew from the need to figure out how to balance the use of off-the-shelf versus organic, homegrown capabilities. The cyber security industry is a very busy landscape, and companies are overwhelmed by the number of available vendors and whether or not these vendors could meet the needs of the company’s mission and environment.
Companies began to hire security architects to address this issue. The cyber architect is not usually an executive position; rather, they serve as the most senior cyber expert in the organization. In smaller companies, Chief Information Security Officers (CISOs) may serve as both the senior architect and an executive. Senior architects are generally experienced personnel who have a substantial amount of security operations experience, including incident response, software engineering, and technology acquisitions, as well as management and leadership. The senior architect retains the authority to purchase new off-the-shelf technology, build additional custom technology through organic software engineering, and hire the talent that will employ this technology. The primary roles and authorities that normally belong to a senior architect are:
- Serve as a point of contact to the mission or product owner, responsible for understanding what security or cyber requirements are needed
- Create a master plan that covers the primary functional requirements of the cyber security program
- Acquisition authority to research, test, and purchase off-the-shelf technology
- Hiring authority to identify what personnel requirements are needed and conduct recruiting and onboarding
- Product development and engineering authority. The senior architect may direct creation of custom tools that often help integrate off-the-shelf technology together or totally replace off-the-shelf technology, depending on the exact requirements
- Turn strategic policy into operational effects
Among these, the most important roles of the architect are to identify requirements and integrate solutions. Cyber capabilities are often purpose-built for specific functions, such as firewalls, endpoint protection, exploits, command and control modules, data transfer modules, interactive shells, advanced analytics, and big data storage/analytics platforms. Tools built for these specific functions often have no knowledge of the other tools being used. It is the architect's job to identify the abstract requirements, procure the capabilities, and direct the construction and development of homegrown integrative technology, as needed.
The military could adopt this lesson by appointing senior architects or architecture offices to conduct the types of roles mentioned above. Defensive Cyber Operations would be a better pilot career field for this type of activity, because there are many requirements to be distilled out of the military cyber enterprise and no shortage of adversaries to engage.
Pilot sites could be selected based on analysis of key terrain and historical adversarial engagements. Senior architects could be recruited from within the military itself, recruited from the outside, or selected from the Reserves (to operate as a uniformed service member or a civil servant), where talent like this already exists but is generally underutilized.
To illustrate this pilot concept, I'll use a scenario I was involved with at the Air Force exercise, Red Flag, as an example. A Red Flag unit wanted to engineer a way to delay coalition operations and asked if cyber operations could achieve that. As no cyber capability existed yet that could do this, we decided it was best to first explore the details of the targeted operations. During numerous field trips and interviews, my team examined operational processes and systems, asking a lot of questions along the way (this is how products are developed and built in the commercial world). For the most part, the examined processes were tight enough that most offensive cyber operations would not cause delays. However, we did discover some systems that, if affected in a particular way, could produce a reasonable potential for confusion and resulting delays. In the end, we were able to create the desired effect to achieve Red Flag's training objective, based on real-world operational details and backed by research and direct interaction with mission owners.
While this was done with offensive cyber effects in mind, a defensive security architect might take this concept and extrapolate it to broader questions for the Air Force. Is this a commercially available system that can be affected? Is it developed specifically for the government? Are there cyber defense sensors already in place monitoring data to/from the system? Does the system generate logs we can collect and analyze for threats? Is this system fairly ubiquitous across the Air Force? Could an attack on this system affect operations more broadly? Based on these answers, a security profile for that system could be created, built, deployed, and maintained by defensive cyber operators.
Senior architects and their teams can directly engage with mission owners to learn how the mission works, the current mission technologies and processes, and embed with the culture to learn existing risks and help identify new ones. The organic software engineering capabilities of the military services could be delegated to provide resources to the architects. Finally, rapid acquisition authority should be granted to allow architects to quickly evaluate and procure technology by partnering with organizations like DIUx.
With a basic toolkit like this, senior architects in the military could have the power to procure existing technology and even create new technology to provide security operations to vital mission areas. Architects can also be a vital source for developing a cyber corps culture by exposing new and emerging cyber personnel to a breadth of operational situations. They can make recommendations to commanders on how to best employ the pipeline of trainees that are leaving military cyber training and entering the operational force.
There is no question that building a cadre and culture for cyber operations is difficult. Both the talent and the culture are something bigger than the military itself. The military does not create cyber culture, because cyber is not solely a military occupation. Similarly, the military does not create or own the culture of the medical, religious, or legal professions either. It recognizes the need for those occupations and extends their base education with military-specific training to achieve military goals. From another perspective, cyber is not playing in the military's world; the military is playing in the cyber world, and it needs to ensure that cyber operations is treated as a permeating entity, not an isolated one. The concept of the security architect helped commercial companies build cultures and cyber programs that work very well. It has helped forward-leaning companies mature faster than their competitors and stay ahead of the risks and adversaries that are attempting to break in every day. Among the lessons the military could draw from industry, adapting the security architect role to a military context may be one of the more useful.
John Myers is the co-founder and Chief Technical Officer of Efflux Systems, a cybersecurity startup. Previous to this, John served in the US Air Force as a Cyberspace Operations Officer. While on active duty, he led large scale cyber training, operations, planning, and exercises. He is also a graduate of the Department of Defense’s premier cyber operations development program: the Computer Network Operations Development Program.
Disclaimer: The views expressed are those of the author and do not necessarily reflect the official policy or position of the Department of Defense or the U.S. Government.