Beware the Double Cyber Gap

I’ve somehow been invited onto yet another star-studded panel in Washington DC – on October 11 at the 2016 AFCEA DC Cybersecurity Summit. I don’t recommend many cyber conferences or events, as they’ve become overly frequent and unfocused. This one’s different, and brings together acknowledged senior experts from multiple federal agencies, including the Department of Homeland Security, Department of Defense, intelligence community and others from industry. If cyber’s your game you should be there; the line-up of speakers is truly impressive.

(It’s too late to register online, but on-site registration is available for the first day at the venue, DC’s Grand Hyatt on H Street downtown. The second day, which is classified sessions at TS/SCI at a separate location, is already sold out, but Day 1 still has a few seats left.)

I realize, though, that most of my readers will not be in attendance, so I thought I’d share a few highlights which I expect from my own panel, titled “Partnering with Industry for Innovation – DIUx” and focusing on DoD’s new Defense Innovation Unit Experimental (now in Version 2.0!) and its partnerships in government and the private sector.

Our session participants:

  • Moderator: Francis Rose, Host, Government Matters on ABC 
  • Charles Nelson, Deputy Director for Outreach, U.S. Cyber Command Capabilities Development Group (CDG)
  • Lewis Shepherd, Private Consultant on Advanced Technologies and Strategic Innovation
  • Sean Singleton, Director of Engagement, DIUx
  • Russell Stern, CEO, Solarflare Communications
  • Maj Gen Robert “Wheels” Wheeler (Ret.), Senior Advisor, DIUx

We intend to cover the DIUx approach to work with innovative companies (in Silicon Valley and across the United States) for new solutions and technologies for warfighters.

But I also intend to discuss a certain two-sided disparity: the Double Cyber Gap.

If you’re of a certain age, you can’t help thinking about national security strategy as momentary scenes from “Dr. Strangelove” flicker by in your mind. I’ve always loved Stanley Kubrick’s 1964 satirical nuclear black comedy, which answered the question, “What would happen if the wrong person pushed the wrong button in a nuclear-armed world?” One of the many classic moments is a send-up of the era’s bipolar worry about superpower equipoise, with a “Doomsday Machine Gap” and its inevitable successor, a “Mineshaft Gap.”

Kubrick was skewering the mindset of the “Missile Gap” controversy, which was fresh in his mind as he wrote the screenplay during President Kennedy’s term; JFK had won office in 1960 in part by attacking Vice President Richard Nixon for ignoring an imminent Soviet “Missile Gap” superiority. As Wikipedia summarizes, “Kennedy is credited with inventing the term in 1958 as part of the ongoing election campaign, in which a primary plank of his rhetoric was that the Eisenhower administration was weak on defense. It was later learned that Kennedy was apprised of the actual situation [no actual gap] during the campaign, which has led scholars to question what the (future) president knew and when he knew it. There has been some speculation that he was aware of the illusory nature of the missile gap from the start, and was using it solely as a political tool, an example of policy by press release.”

You can read the New York Times retrospective look (it popped the Missile Gap bubble originally in a 1961 story), and go through a valuable collection of the CIA’s now declassified documents from the era. But what’s relevant is the notion of early warning about a perceived or real disparity between opposing forces. Unfortunately that’s what I see developing, in a couple of very significant ways.

The Double Cyber Gap

Picture in your mind both faces of a double-sided coin. The Double Cyber Gap consists of two linked phenomena:

  1. The Post-Snowden Gap: there’s a newly demonstrable political or ideological cleavage between Silicon Valley commercial technology companies and their erstwhile innovation partners in DoD and the US intelligence community. The Apple/FBI dispute over decrypting the San Bernardino bombing-case iPhone was only one dramatic example; others aren’t played out in open media. I’ve written and spoken about that gap for the past few years as I’ve watched it yawn open, and have tried to limit its width in my government advisory roles and while consulting for tech firms. DIUx works to that goal as well, though the Secretary of Defense himself acknowledged that its first highly-touted incarnation was a failure.
  2. The Capability-Adoption Gap: Those same commercial companies aim their innovations to the widest possible market – meaning globally. For advanced cyber capabilities (dual-use as defensive or offensive) or other digital disruptions, very predictably we know that early adopters will include nation-state government agencies (including in Russia and China), hacking communities, and individual cyber criminals working on their own illicit agendas.

You can practically draw a cyclical diagram of the progression of advanced cyber techniques and technologies, with their adoption passing rapidly from commercial bleeding-edge users to foreign actors and malevolent individuals… and then, tardily if at all, to mainline US government agencies, long after their potency is being exploited by adversaries, or reverse-engineered and exceeded.

The Double Cyber Gap presents DoD with nearly a Hobson’s Choice. DoD can rely increasingly on commercial cyber technologies because of their rapid innovation and disruption – but only while realizing that it won’t be gaining any advantage over foreign adversaries, who are adopting the same commercial capabilities and likely deploying them even faster. It’s deeply problematic for US cybersecurity strategy, and a potentially fatal flaw for DoD’s related “Third Offset” strategy as well.

Let me illustrate that “no-choice-at-all” dilemma with an intriguing behind-the-scenes story, an excerpt from a new profile of Silicon Valley entrepreneur (Y Combinator co-founder) Sam Altman, who is now not only driving his YC startups but also the new OpenAI artificial intelligence research company he has co-founded with Elon Musk and others. The excerpt presents the AI vector of what I’m calling the Double Cyber Gap:

This spring, Altman met Ashton Carter, the Secretary of Defense, in a private room at a San Francisco trade show. Altman wore his only suit jacket, a bunchy gray number his assistant had tricked him into getting measured for on a trip to Hong Kong. Carter, in a pin-striped suit, got right to it. “Look, a lot of people out here think we’re big and clunky. And there’s the Snowden overhang thing, too,” he said, referring to the government’s treatment of Edward Snowden. “But we want to work with you in the Valley, tap the expertise.”

“Obviously, that would be great,” Altman said. “You’re probably the biggest customer in the world.” The Defense Department’s proposed research-and-development spending next year is more than double that of Apple, Google, and Intel combined. “But a lot of startups are frustrated that it takes a year to get a response from you.” Carter aimed his forefinger at his temple like a gun and pulled the trigger. Altman continued, “If you could set up a single point of contact, and make decisions on initiating pilot programs with YC companies within two weeks, that would help a lot.”

“Great,” Carter said, glancing at one of his seven aides, who scribbled a note. “What else?”

Altman thought for a while. “If you or one of your deputies could come speak to YC, that would go a long way.”

“I’ll do it myself,” Carter promised.

As everyone filed out, Chris Lynch, a former Microsoft executive who heads Carter’s digital division, told Altman, “It would have been good to talk about OpenAI.” Altman nodded noncommittally. The 2017 U.S. military budget allocates three billion dollars for human-machine collaborations known as Centaur Warfighting, and a long-range missile that will make autonomous targeting decisions is in the pipeline for the following year. Lynch later told me that an OpenAI system would be a natural fit.

Altman was of two minds about handing OpenAI products to Lynch and Carter. “I unabashedly love this country, which is the greatest country in the world,” he said. At Stanford, he worked on a DARPA project involving drone helicopters. “But some things we will never do with the Department of Defense.” He added, “A friend of mine says, ‘The thing that saves us from the Department of Defense is that, though they have a ton of money, they’re not very competent.’ But I feel conflicted, because they have the world’s best cyber command.” Altman, by instinct a cleaner-up of messes, wanted to help strengthen our military—and then to defend the world from its newfound strength.

Altman is patriotic, and thoughtful – very. But his conversation with Secretary Carter might best have begun with that private reluctance he shared only with the reporter later.

Even though the Double Cyber Gap is palpable, in Altman’s thinking and elsewhere, there are ways around that Hobson’s Choice dilemma. I share those with my consulting clients and we’ll be addressing them and new ideas at the Cybersecurity Summit as well. I hope to see you there, but I’d be interested in hearing your thoughts also (comments below or email).

5 Responses

  1. Lewis, thanks for sharing this. I was unaware of the event, I’ll now attend and register at the door.

    B.t.w., I guess there are no Jews in cyber security at AFCEA–Oct 11 is Yom Kippur.


    Sent from my iPad


  2. Does the double cyber gap phenomenon actually describe a lack of understanding and a failure of asking questions based on the reality of separate but equally important physical and virtual worlds?

    – How do we apply the “old” ideas of privacy, protection, security, and value a dynamic global enterprise?
    – What is the role of government in cyber? We seem to be thinking like the story of big brother in a world where all of us are big brother.
    – How do people decide who and what to trust?

  3. Lewis,
    You and I have had several conversations on this topic so you know I agree with your premise that it is a hopeless tail chase trying to catch commercial driven innovation when that innovation will be commercially available to all will be funded by DoD/IC dollars. Some will recall the frustration I expressed over ten years ago when I saw the US investing billions in highly secure C4RISR systems while Al Qaeda was using the internet for this function and holding its own against US forces on the battlefields in Iraq and Afghanistan.
    One obvious (at least to me) way out of looking to Silicon Valley for innovation is to incentivize the DoD labs, FFRDCs and UARCs to be the engines of innovation for national security customers only that they have been in the past (proximity fuse, phased array radar, missile defense, etc.). When it comes to the private sector I wonder if we have been as creative as possible with CRADAs and ensuring that government funded R&D outcomes are controlled by the US government for a defined number of years. Then there are the acquisition processes (not the FAR) with all its internal checks and reviews that need to be modernized for the information age, but more important than anything, DoD needs to change its approach adopted in the peace dividend years of the early 1990’s that seeks to have the private sector assume most if not all of the risks associated with fielding new capabilities. The less risk the government assumes, the weaker is its case for asserting control over private sector innovation. Could encouragement here from OMB, GAO, and Congressional Committees of Jurisdiction help here – – – – I think so

