In Cyber-Defense, Good Enough is Far Better Than Perfect - InformationWeek

Col. Jeffrey Collins, Air Force CyberWorx


Agile and DevOps concepts help businesses get the basics of applications to market quickly, and those same concepts can help prepare the military for its challenges.

In 2015, the National Security Agency’s hacking group, Tailored Access Operations, lost code that it uses for spying to hackers working for the Russian government. Following the breach, the NSA had to develop new tools, patch newly-exposed vulnerabilities, and harden its systems swiftly, before Russia could use its own technology against it.

Today, those tools are still being developed and patches being applied. Many of the vulnerabilities are still there.

Why did swiftly not happen?

Because in government, as in much of business, cyber security software development and response times are too slow. The relationship between software development and software operations is still configured for the machine age. In this old environment, stakeholders conceptualize an ideal solution to a problem, write specs, discuss and analyze them, design the software, build it, test it, and then, finally, deploy it. This is called the waterfall method: everything flows downhill from the top.

The NSA had already been compromised by Edward Snowden’s massive leak in 2013. Yet a review of the NSA’s security improvements concluded in 2016 that, although there had been some, the NSA had not effectively reduced the number of user accounts with privileged access, which gives those accounts more avenues into sensitive data than normal users have, nor fully implemented technology to oversee these accounts’ activities.

There is a much better way to defend an organization against cyber-attacks: by deploying the rapid development techniques of DevOps.

Enabling Cyber-Security with DevOps

Real-time responses to real-time threats and opportunities demand a development model suited to the cyber age. It takes just a few days (if that) for our enemies to reverse-engineer a newly-released commercial software patch. Consequently, we must develop and apply patches and tools continuously. We can only do that if we design them to do the necessary job for the lowest cost – if we build the minimum viable product. Doing so frees engineers to work on the problem that needs solving, considering the people who will use it (this is called human-centered design), and not so much the specs. It allows them to develop the immediately-needed solution, not the perfect one. In truth, there are no perfect solutions – not for long – because the cybersecurity battleground is continually evolving.

If something breaks in this optimally configured and DevOps-enabled cybersecurity environment, it gets fixed. Swiftly. If something works, it’s scaled and improved. This accelerates the process and allows engineers and operators to work together to leverage new capabilities (such as artificial intelligence). A DevOps environment also increases cognitive diversity and encourages rapid innovation at the edge (not at headquarters) where warfighters and business people operate and need to innovate to win. 

The U.S. Air Force created CyberWorx in 2016 – a public-private design center at the Air Force Academy – to accelerate our DevOps environment in partnership with technology companies that could help us think differently and acquire new capabilities. For example, we needed a better way to report anomalies in cyberspace to our cybersecurity professionals – anomalies that could indicate a potential attack, or one underway. Working in agile sprints, three companies collaborated with us to provide our cyber pros with a more comprehensive, crowd-sourced picture of what was happening, and present it in a way that would make sense to a user – that is, a human-centered design that lets operators see changes fast.

The need for speed in the military is self-evident. In conflicts based on information (as they all are, to some degree), winning means moving faster than the opposition, improving the speed of sound decision-making while degrading the enemy’s. OODA loop speed (Observe, Orient, Decide, Act) is only increasing as machine learning and artificial intelligence support and secure operations faster and more effectively than humans working by themselves ever could.

In business, especially in finance, the speed of transactions (and the speed with which they can be disrupted by bad actors) requires that infiltrations be identified and responded to in moments. Global banks have recognized this and are becoming increasingly agile in their IT and security departments.

Unfortunately, in many businesses security is still based on people sitting in front of screens looking for intrusions. This is called “swivel-chairing” and, naturally, it’s slow and error-prone. To respond quickly enough, and more quickly than humans can, cybersecurity must be automated. Netflix, for example, has built tools that monitor changes to security configurations, flag when a change should be more closely examined, and rank them according to the level of risk. “The only realistic way of maintaining security in an environment that grows so rapidly and changes so quickly is to make it automation first,” says Netflix director of engineering in cloud security Jason Chan.

Making cybersecurity responsive enough also will require that procurement professionals be rewarded for their agility, acquiring minimum solutions that apply at the bottom and middle edges of organizations, not behemoths applied from the top down. Agile procurement will help our airmen, soldiers, sailors, and Marines to innovate at speeds consistent with modern warfare and economic realities.

In the military, it has become axiomatic that you go to war with the weapons you are going to have tomorrow. Business calls this an innovation mindset.

Realistically, in both business and war, it should be called survival.


Col. Jeffrey A. Collins directs Air Force CyberWorx, a public-private design center at the Air Force Academy focused on cyber capabilities and melding military, academic and industry expertise to solve problems. Before his assignment to CyberWorx, Col. Collins was Deputy Director for Air Force Cyberspace Strategy and Policy, at the Pentagon. The views expressed here are his own and do not necessarily reflect those of the Air Force or Department of Defense.
