11 January 2017

CYBER BEYOND THIRD OFFSET: A CALL FOR WARFIGHTER-LED INNOVATION

JACQUELYN SCHNEIDER AND NINA KOLLARS

As the Obama administration comes to an end, so does the innovation-focused tenure of Ashton Carter as secretary of defense. Under his leadership and the guiding precepts of the third offset, the Department of Defense initiated a series of Silicon Valley-inspired innovations. From chief innovation officers to the Strategic Capabilities Office and Defense Innovation Unit-Experimental, Carter’s Pentagon has focused on institutionalizing innovation. Unfortunately, as many other commentators have noted, this focus on top-down innovation may have unwittingly created innovation architectures that bypass the warfighter. As a result, critics question whether warfighter-led innovation can thrive in the third offset.

Nowhere is this critique more relevant or more concerning than in cyberspace, a domain characterized by prolific users, rapid evolution of capabilities, and persistent confrontation. The Department of Defense has launched a whirlwind of initiatives in response to these challenges, the vast majority of which have focused on top-down processes that resolve inter-organizational competition for budget, manning, and policy authorities. This emphasis on centralized top-down innovation within cyberspace has largely overlooked cyber-warrior-led innovation, while a general stovepiping of cyber capabilities away from traditional warfighting units means that, without careful consideration, the link between the warfighter and the Pentagon or Fort Meade may be increasingly innovated away. As we transition from a Carter-led Department of Defense, how can we enable warfighter-led innovation in cyberspace?

Why Warfighter-Led Innovation Matters

The academic literature on military and business innovation tells us that bottom-up processes are pivotal to the success of organizations that operate in rapidly changing environments. In order to respond quickly and effectively to these challenging scenarios, successful organizations build structures that allow workers at the bottom level to identify challenges, put forth solutions, and then implement. How do organizations do that? Somewhat simplistically, they create bottom-up structures with strong horizontal and vertical components. Horizontal components aid in knowledge and resource transfer across practitioners at the practitioner-level. For instance, CompanyCommand.mil and PlatoonLeader.net are examples of horizontal components that were created and utilized by warfighters to facilitate real-time tactical and operational lessons on and off the battlefield.

Conversely, vertical components are vetting procedures that pull practitioner-identified solutions and problems upward instead of waiting for a push. Robust vertical components help organizations make decisions about whether solutions and problems are best handled through horizontal systems or should be addressed as a whole-of-organization effort. These horizontal and vertical features enable organizations to share information and facilitate learning from the outside in and from the bottom up. The net result is organizations that can adapt faster to rapidly shifting environments.

In wartime, the military organizations that are most likely to succeed are those that feature adaptation from these types of bottom-up processes. During the Vietnam conflict and again during Operation Iraqi Freedom, for example, transportation units on the battlefield pushed for innovation when they found themselves vulnerable to ambush without offensive tactics or sufficient protection. While foresight might have avoided the issue, transportation units in each war found ways to solve their own issues and teach their parent organizations how to deal with the threat by creating strong ground networks to relay resources and information. In Vietnam in particular, the 8th Transportation Group utilized horizontal connections to other transportation units — often truck to truck — in order to transfer the technologies and tactics that ultimately became known as the “hardened convoy concept.” Though decidedly unorthodox, these horizontal transfers were supported by commanders in theater to solve ambush problems.

In contrast, the U.S. military’s experience with the improvised explosive device (IED) problem demonstrates the vertical structure approach to bottom-up innovation. The adversary’s ability to adapt IED tactics and capabilities was rapid and highly responsive to U.S. attempts to counter the weapons. As soldiers discovered how to counter pressure plates, the IEDs shifted to cell-phone systems and then to heat detonation and so on, creating an inevitable adaptation cycle. In that circumstance, the only solution is to adapt faster than the adversaries — and to do so relentlessly. This condition resulted in the creation of the Joint Improvised Explosive Device Defeat Organization (JIEDDO, now JIDO). JIEDDO used the knowledge and instincts of practitioners accustomed to the IED threat and paired those with scientists and test labs in the United States to engage this process. Beyond IEDs in Iraq, vertical resourcing and solution development was enabled through rapid acquisitions programs like the Rapid Equipping Force or REF. REF worked directly with soldiers down range to develop immediate solutions to meet the challenge at hand. At no time were these solutions developed independently of the warfighter; instead, they were driven by warfighter need. These vertical components allowed insights to be pulled from the battlefield, honed, and then pushed back down to complete a full innovation cycle.

What would these horizontal and vertical components for bottom-up innovation look like for cyberspace? In terms of horizontal systems, successful innovation will require mechanisms that foster interaction among practitioners through information and knowledge transfer — not just from agency to agency — but from warfighter to warfighter (akin to the aforementioned CompanyCommand or Platoon Leader). Rapidly changing threats and environments require information to be shared among practitioners, rather than waiting for knowledge to move up the chain of command and down again. On the vertical side and particularly as these organizations develop their programs, warfighter-led innovation will require systems that pull lessons learned from warfighter operational experimentation and provide the resources to implement lessons learned from this experimentation.

The Current State of Cyber Innovation

The scope of cyber innovations over the last six years within the Department of Defense is incredible. The Defense Department has sprinted full-speed ahead to respond to the near-constant threats of ongoing adversary cyber intrusions and attacks, innovating as quickly as manning documents and budget outlays will follow. From its initial fielding in 2010 to the present, Cyber Command grew to over 6,000 employees with a budget of roughly a half a billion dollars. It includes 133 teams delegated to the Cyber Mission Force and serves as the joint command over four service cyber forces, all of which have their own headquarters. At the same time, across Fort Meade, the Defense Information Systems Agency (DISA) employs 15,000 civilians, active-duty personnel, and contractors with a budget of $9.4 billion and reports to the Chief Information Officer at the Pentagon. If those two organizations did not seem like large enough institutional presences, in 2015 Cyber Command and DISA stood up the Joint Force Headquarters-DODIN (Department of Defense Information Networks). This is manned by DISA, delegated to Cyber Command authority, and sub-divided into geographic components that align with the current geographic component commands. Finally, Secretary Carter also created the Defense Digital Service and Defense Innovation Unit-Experimental, the latter of which includes cyber capabilities as one of its core focus areas. Ultimately, cyber initiatives over the last six years have resulted in a proliferation of institutions. Institutional growth can itself increase military effectiveness, especially when the institutions act as bridges between practitioners and resources. So, have these new institutions built the horizontal and vertical components necessary for warfighter-led innovation?

Warfighter-led innovation in cyberspace manifests in two ways. First, innovation can occur from cyber warriors who operate on-net in a variety of defensive and offensive cyberspace missions. For these cyber warriors, bottom-up innovation requires having the authorities and capabilities to explore new tactics, acquire resources, and man missions with the appropriate talent. Secondly, innovation can occur within conventional or combined-arms warfighting units. For this kind of innovation to occur, innovation needs to build bridges between conventional warfighters and cyberspace operators. Our survey of the state of Department of Defense cyber innovation suggests that the first may have the potential to occur in the future but that the second is not happening and, with the current direction of innovations in cyberspace, is increasingly unlikely to occur.

In terms of cyber warriors, the explosion of operational cyber mission teams within Cyber Command suggests that the institution has the potential to provide the funding and authorities required for cyber warriors conducting national missions under Cyber Command’s leadership. There is, however, still a fundamental problem — these cyber warriors are generally non-existent below the headquarters, or component, level. The Cyber Mission Forces, which comprise the main mass of the “warfighter” element of cyberspace, reside at the geographic or component commands and are not embedded within service warfighting elements. The onus of that responsibility, therefore, is on the services to develop cyber warriors for the warfighting unit. Unfortunately, the services have made few inroads at integrating cyber capabilities at the warfighter unit level. This is partly because of a lack of talent and funding to create the quantity of warriors required to staff this level of warfighting. It is also because the services have placed the majority of their cyber initiatives within the institutional stove pipe of cyber-specific organizations: 24th Air Force, 10th Fleet, 2nd Army, instead of placing smaller cyber teams within conventional warfighting organizations.

The Army may be an exception. Notably, the Army has experimented with cyber SWAT teams (Expeditionary Cyber Electromagnetic Activity Teams) integrated with conventional brigade combat teams. For the Army, these teams and the larger effort, called Cyber Support to the Corps and Below, are meant to fill the tactical-level hole left by the Army Cyber teams that man the primarily component- and national-level missions of the Cyber National Mission Force. In addition, the Army has been working to integrate cyber threats into their conventional operations experimentation. This year’s annual warfighting assessment, run by the Army Brigade Modernization Command, featured a live cyber opposing force complete with social engineering, system exploits, and phishing in order to stress the cyber components of potential future conventional conflict.

For the conventional warfighter, there are almost no horizontal or vertical mechanisms to enable innovation in cyberspace. In fact, untangling the delegations of “supported” and “supporting” responsibilities between these increasingly prolific cyber institutions makes it very difficult for anyone within a conventional warfighting unit to adapt to the cyberspace environment (we doubt even many general officers can distinguish between JFHQ-DODIN, DISA, and CNMF). Barring programs like “Hack the Pentagon” or “Hack the Army,” which are one-off special initiatives, the warfighter has no medium to communicate cyber flaws or cyber solutions to the organizations that have the authority, budget, or capability to facilitate bottom-up innovation.

The implication is that “cyber” becomes increasingly separate from conventional warfighting. This is despite the fact that perhaps the largest uncertainty for U.S. cyber power is its understanding of its own key cyber terrain. What are the various software, hardware, network, or cyber personnel nodes vital to accomplishing the conventional warfighter’s mission? These conventional warfighters at the unit level may not be computer science experts. They may not know that there are zero-day exploits in their mission planning software or that an adversary is supplying infected components that plug into the networks enabling their mission operations. They may not even consistently conduct basic cyber hygiene. But, what these conventional warfighters do know is the array of components that are vital to accomplish their mission, whether that be access to a link, a website, a piece of software, or a data distribution facility. This is something that the handful of cyber protection teams fielded by the Cyber Mission Forces cannot know because they are not embedded with the warfighting unit nor do they have (or will ever have) the capacity to integrate at the tactical level. Without the means or technical capability to communicate this knowledge about their cyber key terrain, the conventional warfighter is unable to innovate to protect against cyber attacks much less use offensive cyber capabilities as a normalized weapon within their tactical warfighting arsenal. The Department of Defense needs warfighter-level innovation in order to understand and protect the cyber terrain that has evolved from the use of digital capabilities in conventional modern warfighting.

Beyond Offset

Where do we go from here? First, the expansion of some of Carter’s top-down digital initiatives may provide useful bridges between the warfighter and these larger cyber institutions. Cyber Command and DISA may be unable to quickly acquire and field cyber capabilities or identify cyber vulnerabilities at the warfighting level. However, organizations like Defense Innovation Unit-Experimental, the Defense Digital Service, and the Army Cyber Institute have begun smaller initiatives that creatively source and fund solutions for cyber challenges. While these organizations are nascent and lack formalized connections to the warfighter, they offer a potential vertical component for warfighter-led innovation in cyberspace.

Second, the Department of Defense needs to think more about cultural barriers to warfighter-led cyberspace innovation. Years of separation between functional communities (intelligence, operations, and communications) mean the staff structure has dis-incentivized conventional operations from thinking about “cyber” as an operational problem, let alone as an opportunity. Most warfighting units are culturally reticent to think of the “6” (those with communications responsibilities) as a front-line operations element and instead cognitively separate information technology (and onerous password requirements, patching, and information assurance training) from the weapons they use to fight wars. Debates in these areas are beginning to occur. The Navy has taken a potential first step at overcoming this staff barrier by integrating these functions underneath one core information specialty. More needs to be done to fully break down these cultural barriers to warfighter-led innovation.

Finally, and more concretely, the Department of Defense needs to integrate the cyber mission at the unit level. This starts with the service initiatives that we see from Nakasone’s Army cyber elements, but it extends beyond exercises and cyber experiments to integration within the core unit of warfighting. The Department of Defense needs to train not only the cyber warriors but also the conventional warfighter to understand how cyber affects their mission (and I do not mean another information assurance computer-based training). There is a general perception that cyber is too technical a field for the conventional warfighter to be able to contribute to its own cyber defenses. This is despite the fact that many warfighters with no former education or experience have become experts on highly technical elements of their weapons — whether that is radars, datalinks, navigation, or munitions. The Pentagon needs to do a better job of providing mission-related cyber training to the warfighter.

Ultimately, the value of bottom-up thinking is that it enables success in rapidly changing environments. To this end, cyber innovations cannot be separate from the physical battlefield or the warfighter perspective — be they cyber or conventional. While top-down stovepiped approaches aim at creating the institutional systems, military innovation is all about process improvement — providing a service that increases security and the chances for victory in conflict. This means evolving beyond institutions to the very tip of the spear.
