Istanbul '09 Workshop
Cyberspace—A New Area of Knowledge
Mr. Terry Morgan
Chairman, Executive Council, Network Centric Operations Industry Consortium;
Director, Net-Centric Strategies, Global Government Solutions Group at Cisco
Earlier today, the Minister of Defense of Slovenia said that ministers need to get and to hear new knowledge. The issue of cyberspace is probably a “new” area of knowledge. It is an interesting one. It might become a separate instrument of power and it is at least an element impacting all of the classic instruments of power.
A study that was done about ten years ago by KPMG found that a number of IT projects—Information Technology projects and command and control projects—were failing. The leaders did not understand why they were failing. As they dug into the problem, KPMG discovered that the technical speak between the technical community and the leadership community was a hurdle. The technical community would come up with all this techno babble and those who signed the checks and approved the projects were not able to make the best decisions because there was a lack of understanding; and going forward, there was a lack of communication. Leadership abrogated responsibility to the technologist. This is critical in cyber security, not just in the defense community and not just across government but across industry and society as well. For example, at Cisco-and I am sure it is very similar at Microsoft-we run a coalition network. There are more people on our network at Cisco who are not employees than we have employees of Cisco. These individuals are our supply chain and outsourced capabilities supporting corporate functions. These are the people that need the information to work with us; these are the people who deliver their information to Cisco with the idea that as company number one provides information, company number two will not be able to see the information. Why is this important? Company one is competing with company two for the same business.
Let us take that into the coalition environment: It is much the same. We have common information, and we have information that is segregated. There are a lot of interesting “parts and pieces” of coalition operations that are being approximated in the commercial world. We can take these commercial capabilities and apply the necessary and additional bits of security, environmental protection, etc. to rapidly and more cost effectively develop government solutions. Cisco’s Global Government Solutions does this with our partners and customers. Understanding the possibilities comes from getting out to industry and spending time understanding what is the realm of the possible-the terms I like to use from my military background is to conduct strategic technical, technology trend, and business process reconnaissance. This is not looking at what is here today but understanding where corporations are investing in research and development and with mergers and acquisitions; how the successful corporations operate in business coalitions; and understanding their business process so that we are aware of what is being done and are better able to make decisions.
DEALING WITH THE REALITY OF CYBERSPACE
Now to address cyberspace and its reality: Cyberspace will always be a work in progress. In his work, technology visionary Ray Kurzweil talks about the “accelerating rate of technology change.” If you read Kurzweil’s publications, an eight year program now will be three to four generations behind in its technology when fielded. If you are unable to change your procurement specifications, as technology moves forward and as that acceleration occurs, then in just a few years you will find that the eight years to buy the system will give you a system that is fifteen generations behind in technology when fielded. The critical aspect of cyber security is that it will probably change even more rapidly than other aspects of technology. The processes by which we acquire and certify capability needs to keep pace with the accelerating rate of technology change. We know that if the government’s processes do not keep pace, the young soldier, sailor, airman, and marine will do his best to keep pace outside of the official process. We have to bring our processes forward, to have quicker acquisitions, and to be faster at technology delivery.
The biggest hurdle can be explained by a ten-year-old study prepared by a European government that asked, Why are we not making the progress that we should be making to become an e-government? The answer was: 49 percent of the reason we are not changing is cultural, 40 percent is due to procurement, 36 percent is due to government coordination to make projects work, and 9 percent has to deal with technology. The technology is not an unchallenging engineering problem but a fairly graspable one. It deals with physics and with physical things and we can more easily address that part. The others are more difficult.
As we get into the operational world, the capability to move information and to move it securely, the need to know where the information is, that it is valid, and that it has not been tampered with, and similar concerns must be considered. Of course, these all apply to any of the elements of power, (not just defense, but political, economic, informational issues). These are questions that are part of every decision when you are using information that has been moved by a network.
We are in a battle of measure-counter measure. If you go back to the Cold War, it was a battle of measure-counter measure but one fought in industrial time. From the technical perspective, the current battle is going to be fought at “run time”—as fast as our computer and our adversaries’ computers run. We talk about the physical devices that protect our networks, the firewalls and all sorts of equipment. The equipment is needed; defense is needed. But the true essence in the way we protect our networks-certainly at Cisco Systems-is more the sense of the network, similar to a “coup d’oeil”: as Clausewitz calls it, the commander’s intuition. The security of our network is about maneuver, not static defense. It is having that sense of our network, of what is right and what is wrong, and in being able to react to what is wrong instantaneously in a machine-to-machine battle. Sensing and responding cannot be done when the technical community must come to the leadership community and explain what is happening. By the time that conversation happens, we are four or five waypoints down the road in the run time-machine versus machine-technical battle.
The point is that, as we move forward in this business of cyber security, network resiliency, or whatever descriptive term we want to use, we need to address the issues of cyberspace and we must remember that it is a work in progress. We must define it much better than it is currently defined. What is cyberspace? Some talk of the links-the wires, the cable cuts; others about the network-the denial of service attacks; we talk about the data and its reliability; we talk about applications and their vulnerabilities; however, there are other parts of cyber security. One question in our discussion concerns the security of the supply chain. Cisco and the entire IT industry have had problems because there is big money in counterfeiting. In our experience, the counterfeiting we have encountered has all been for criminal financial reasons. There are also the questions of the supply chain’s provenance-the companies, who owns them, and who the investors are. The globalization of the IT industry and its many components all impact the supplier base.
The commercial IT industry is not part of the classic defense industrial base. The commercial electronic industry is an entirely new set of players to deal with in the defense industrial base. The commercial IT industry is cooperating to defeat the problems that we all have in securing our nations and businesses. There are two additional major problems to address from the government’s perspective: the first has been alluded to-procurement; the second is certification. With the rate of change that we are dealing with in the IT industry, it is nearly impossible to get through a certification cycle with the current certification regime.
Now that we have merged voice, video, and data, governments require sequencing of these certifications. As we go through the required sequence-number one to number two and so on, frequently what was certified in number one has already changed when we start certification number two. Industry and government cooperate in working through the current process. But that day-to-day collaboration is working through the old processes. The world continues to march, things continue to happen, and the battle of the networks continues to be fought. Government and industry need to come together in a forum that will allow us to learn government’s pain points, but just as importantly, for government to learn industry’s pain points; then to work to an AGREED arrangement addressing the concerns of the supply chain, the procurement process and the certification issue.