The cyber imperative: While the joint US private and public digital security ecosystem gains its ‘sea legs’, the cyber bad guys will continue to have their proverbial way with us.
The two prevailing gaps . . .
- A deep national bench strength of existing and next generation cybersecurity leaders and operators, spanning startups to large corporations and across the public-sector space, who possess the requisite skill set to compete and consistently win on the cyber battlefields of today and tomorrow. Our current bench is woefully short.
- A mechanism for funneling all the disparate data points—who’s doing what, what’s working, what’s not—that are percolating across our cyber ecosystem daily. Presently it seems we’re bouncing between two extremes, information overload and ignorance.
The macro solution is: transitioning from a burgeoning industry with still “wild west” market tendencies to a dynamic force that is vastly more interconnected and accessible—dare I say institutionalized?—and yet maintains its core entrepreneurial operating spirit. This is a new kind of war we’re collectively fighting. Unlike all prior engagements, sustained battlefield success will be achieved principally with the private/commercial sector leading from the front. Government agencies will be a key player, but in a primary supporting role.
We have our first ever Federal CISO, Greg Touhill, now in place. An incoming new Administration is seemingly reorienting to a strong security posture, presumably to include digital security. And the Commission on Enhancing National Cybersecurity just released its Report on Securing and Growing the Digital Economy. The stars seemingly are aligned for us to take a generational leap forward . . . now.
Three years ago, in A Call For A National Cyber CounterInsurgency, I challenged our cyber ecosystem to look to and replicate the spirit of Skunk Works, Lockheed Martin’s research and development unit that was stood up during WWII (and is still thriving, making meaningful impact today) to fast track priority national security assets.
Innovation, coordination, education . . . and investment. These are the key pillars that will support and sustain our relentless pursuit of a unified mission to consistently beat the bad guys. It may take a generation to get there. Doesn’t matter; eye on the ball.
Reflecting on Skunk Works’ legendary operating model, let me propose the following blueprint . . .
- The establishment of a National Center for Cybersecurity Coordination & Excellence (NaCCCEx) . . . nicknamed Triple-C. Structurally this would marry the commercial fundamentals of a Fannie Mae (independent, for profit, government sponsored entity (GSE)) with the interoperability of a Joint Terrorism Task Force (JTTF) with the cyber information sharing best practices of a Security Innovation Network (SINET). (Editorial note: For purposes here, let’s set aside what occurred at Fannie 2006-09 range—when politics and bad policy mucked up what had been a clear and soundly functioning mandate for 70 years. And while Fannie Mae is a publicly listed company, I’d advocate for remaining private over the long haul.)
- NaCCCEx will function as a dynamic commercial cyber engine of growth; one that is closely linked with traditional public sector entities, e.g. DHS, US Cyber Command, etc., but that is clearly separate and distinct from direct government ownership and intervention . . . and importantly is solely responsible for managing its own affairs. It is perhaps appropriate, on this 75th Anniversary of Pearl Harbor, to consider that without America’s massively powerful commercial engine steaming 24/7, militarily the Allies would have been woefully lacking in combating the Axis Powers.
- NaCCCEx will serve as an institutional hub to . . .
- Connect the reams of data points emanating from disparate sources and bridge private sector companies with public sector entities. A pure-play private sector model, with no linkage to the public sector (as is virtually the case today), is not sufficiently effective on a going forward basis.
- Develop and deliver to the market the most capable cybersecurity leaders for future years. This requires a mechanism to attract the best minds in cyber today to educate and train future cyberists. The majority of quality cyber folks are simply not going to work for the government, for a whole host of reasons; pay being a big one, but also a generally deep disinclination by many to work for “big brother”.
First and foremost, NaCCCEx is a commercial entity. A vibrant cybersecurity national effort must at its core maintain its commercial spirit. Private and for-profit is the best means to optimize and fast-track cutting edge capabilities. Organizationally it will embody a co-president leadership structure, comprised of a recently retired Technology CEO—less than four years out of a mid-cap or larger organization—and an active duty 3-star General/Flag Officer—uniform of the day is business attire—who will serve two-year tours, alternating off years. For initial launch, the civilian co-president will remain aboard for a third year.
It will also be staffed by permanent employees and those on secondment from a multitude of organizations emanating from our cyber ecosystem.