Personal Lessons about Effective Cyber Policies and Strategies[1]
Major General John A. Davis (Retired)
Written on 11 September 2015
I recently retired from active duty after a 35 year career in the U.S. military, the past decade of which has been devoted to the sometimes mysterious cyber world. I’d like to offer some insight into the personal lessons that I’ve learned during my experience in helping to stand up U.S. Cyber Command and while working cyber policies and strategies at the Pentagon. Although I’ve learned many more lessons, the three that I’ve chosen to share in this article are, in my view, especially important for leaders in both the public and private sectors … because we are all becoming increasingly connected through modern information technology. This means we all share in the exploding opportunities as well as the escalating risks. Below are my top three lessons and I will attempt to add more context in subsequent paragraphs to help both government and industry leaders understand why all sectors of society should care about these key points:
Lesson number one is about a real need for teamwork and effective partnerships. If I had to come up with a motto for this lesson it would be, “Make friends … lots of friends…you’re gonna need them!” If you think you can go it alone in the cybersecurity business, think again. Many different organizations, both public and private, have critical roles and responsibilities in the cybersecurity environment, but no single organization has all the skills, talent, resources, capabilities, capacity or authority to act effectively in isolation. It truly does take a team approach and strong partnerships to operate effectively. However, creating trusted, credible partnerships requires significant dedication of time and energy from the leadership of an organization. It doesn’t happen overnight and must be continuously cultivated. I spent the biggest portion of my personal time as a cyber leader building teams and strengthening professional relationships with the leaders of other organizations who played an important role in our shared objectives. I also invested a considerable amount of time trying to reduce the inevitable bureaucratic friction that periodically pops up in the form of “turf battles” by using the trust that comes from strong personal leadership bonds developed carefully over time. These turf battles usually arose because the relatively new term “cyber” crosses so many legacy boundaries. In fact, it’s hard to find an organization these days that doesn’t think it has a key role to play when it comes to cyber. Sometimes this causes a clash of roles, responsibilities and equities. Good leaders figure out ways to navigate these rough waters.
So how does a leader develop and cultivate credibility and trusted relationships? In my experience there is no single answer, but one of the most important aspects of building trust and credibility involves the development of shared goals and objectives and making progress toward them. Every leader of every organization involved has to see not only what’s in it for themselves and their own organizational interests (often a competitive, win/lose view) but how the achievement of the larger outcome will contribute to what’s best for the collective effort while not significantly eroding internal interests (often a cooperative, win/win view). This is not easy to achieve, it takes long-term commitment, and the development of personal leader-to-leader bonds based on honesty and compassion can help significantly. I use the term compassion very deliberately. In my experience, an effective leader in a partnership must be able to see and feel things from the other leaders’ views and interests. However, that doesn’t mean you always have to agree. This is where honesty plays an important role, and as long as it is accompanied by genuine respect, I have found that respectful disagreements can sometimes even strengthen the partnership.
Within the Defense Department, one might characterize the types of partnerships we strove to build using four categories, that I sometimes referred to as the four “I’s”:
The first category was “internal” to the Department. If you want to be an effective member of any team and not sit out the game on the bench you have to first build credible capabilities internal to your own organization. In an organization as large and diverse as DoD, that meant creating a joint culture that provided the Army, Navy, Air Force, Marine Corps and dozens of other DoD agencies and unified commands with enough flexibility to address their individual, unique operational requirements while at the same time recognizing a climate of shared operational opportunities and risks. Establishing common joint operational objectives was key to keeping the teamwork strong across traditionally competitive barriers. In an environment of diminishing resources it also just plain made sense to reduce redundancy, eliminate waste and allow for everyone to share in a best of breed dynamic. The considerable effort required to build our internal team was best memorialized in DoD’s initial strategy for operating in cyberspace in 2011. This original strategy was recently updated in a new DoD Cyber Strategy which was unveiled publicly by Secretary of Defense Ash Carter at Stanford University in April 2015. Beyond these strategies, an implementation process was put in place to routinely bring the broader team together, review progress, and identify issues to be resolved. This process produced recommendations for senior DoD leaders to make decisions and move forward in tangible ways to achieve the strategy goals and objectives.
The second category was the cross governmental partnership known as the “interagency.” U.S. policy and approach call for a whole of government effort, which is required to be effective. The U.S. policy includes several different types of oversight, including policy, operational, legal, and even congressional oversight in most cases. Within the Defense Department these types of oversight shape the way we organize, train and equip forces to perform DoD’s role, but within the context of a much broader team approach. These types of oversight also shape the way we impose policy limitations on our military cyber forces and capabilities. However, in contrast to the restrictions imposed on the military role, this kind of approach actually provides a much broader range of options across all elements of national power for national leadership decision making. Military options are simply one part of a much larger and more comprehensive whole.
The third category deals with “international” partnerships. Doing cybersecurity effectively requires international partnerships and working together toward common goals and objectives. It also requires a great deal of real respect for the cultural differences that may exist, and finding credible ways of accommodating them in the development of common goals and objectives. We have had a concerted effort in the Defense Department to begin building those partnerships with a growing array of nations in addition to our longstanding, closest allies in NATO, and with the United Kingdom, Australia, Canada and New Zealand … particularly in the Middle East and Asia Pacific regions. The reason is that in order to fulfill our defense alliance obligations to each international partner we must rely on critical information technology infrastructure that we do not directly control. In order to understand what is happening in that environment so that it can be secure and support DoD’s mission, we have to establish these kinds of relationships. It is also worth noting that when DoD brings these international partnership forums together, we encourage not only our counterpart Ministry of Defense players to participate, but also recommend a whole of government approach from our partner nations. We do so in order to share our lessons in dealing with challenges not only within DoD, but also across our own various U.S. government and industry partners.
The fourth and last category has to do with “industry” teamwork and partnerships. In my view, this is the most important of all partnerships because industry owns and operates the vast majority of the worldwide information technology environment. This partnership is also sometimes the most complex. In the Defense Department, as in just about every other U.S. government agency that I know, we rely on many aspects of the information technology environment that we do not directly control in order to perform our vital national security mission. This requires effective partnerships with industry involving critical infrastructure cybersecurity standards for protection and defense, and information sharing about threat indications, warning, events and incidents, as well as our own vulnerabilities and effective response actions. We have taken a voluntary approach to these aspects of our partnership with industry. Further collaboration and developments are necessary to accomplish fully effective and comprehensive information sharing and adherence to a higher security posture. We have not yet solved that problem in the U.S., but we are making progress to develop information sharing mechanisms and cyber security standards, and promoting them through strong, expanding voluntary partnerships as well as the sharing of best practices.
As one can see, we have been casting an ever widening net to build and strengthen partnerships across not only the various organizations within DoD, but we’ve reached out to key members of the interagency, international and industry teams as well. This has been a very deliberate part of DoD’s policy and strategy, because without effective teamwork and trusted partnerships, we know it is impossible to achieve success. You simply cannot go it alone in the cybersecurity business unless you want to lose spectacularly.
Lesson number two is about the changing balance between opportunity and risk. If I had to come up with a motto for this lesson it would be, “It’s not if, but when!” The cybersecurity problem is going to get worse before it gets better, and our decision making process must adapt. Our exploding reliance on information technology for all that we do in today’s modern environment stands in stark contrast to the inadequacy of the security of that environment. Traditionally, technology has been driven by opportunity, while security and risk management have always chased from behind, trying to catch up. Some have said that for the longest time opportunity has been “baked into” our information technology environment, while security is “bolted on” afterwards. In my experience, I believe this large imbalance between opportunity and risk is changing. It is changing slowly and unevenly, but I believe it is changing … in no small measure due to the alarm bell that the national security community has been ringing about the growing cyberthreat for the past several years. Getting a better balance so that security is woven into the fabric at the core of every IT project is important because of what’s at stake.
On one end of the balance is the need for an open, secure, and reliable internet. This end of the balance also includes the need for establishing responsible norms of internet behavior. It includes the need to protect freedom of expression, personal privacy and civil liberties as well. Finally, one of the most important factors underpinning the opportunity end of the balance is the need to drive economic innovation. These have been and always will be fundamental to our values and way of life as Americans, and it is very much the same with many of our international partners.
On the other side of the balance is a threat that is growing in scope and sophistication, and it is not just hacktivism, criminal activity and espionage. This growing threat has now moved into the realm of disruptive activities, sabotage, intimidation, threat of violence, and even destruction of both information and the associated systems and networks that can support critical infrastructure. This end of the balance needs everyone’s attention, because in my view lives can be at stake, and our national and economic security posture can be put at risk if we don’t achieve a better balance than the one we choose to live with today.
Let’s face it: We make it too easy for a wide range of threats in the cyber landscape to compromise our computing environments. We inadequately protect and defend our intellectual property and much of our critical infrastructure as a nation. We do even worse in protecting our personal information as individuals. We are simply not as careful about scrutinizing who’s knocking on our electronic front door in the same way we are very careful about who’s knocking on the actual front door to our house or business. I remember a time as a kid when we left our front door unlocked at night and left the keys in the car. Time and culture have changed all that, and perhaps we should consider a similar change to the way we implement some basic standards and discipline for our online behavior based on today’s changing cyberthreat landscape.
This points to what I consider a very important aspect of the shifting balance between opportunity and risk, and that’s the human dynamic. While there’s no doubt that cybersecurity, and cyber operations in general, are very technically oriented activities, we should never forget the human dimension to the cyber environment. There’s a human brain behind the development of every piece of malicious software code or technique used to deliver it, just as there’s a human hand on every keyboard executing decisions about what to do. In my personal experience, the bulk of our cybersecurity problems are not on the technical side, though there is a very important place for technical solutions that I will address in a moment. The bulk of our cyber problems can be traced to human issues … basic standards of conduct, discipline and accountability. As an organizational issue, this is also a leadership problem (or as we like to say in the military, this is Commanders’ business). As a result of recent events in the private sector, like Target, Neiman Marcus, Anthem, Home Depot, etc., this is becoming a Boardroom issue rather than something left to the sole purview of the IT staff or the Information Security Officer.
In fact, I cannot think of a single cyber incident or event in which I have personally been involved over the past decade as part of the Defense Department that was not primarily the result of a human deficiency in standards, discipline and accountability. Several key examples come to mind. First there was the 2008 malicious software infection of DoD’s classified networks, caused by the insertion of infected thumb drives by elements of our own forces because of the need to move information quickly against the terrorist and insurgent threats in Iraq and Afghanistan. Then a little over three years ago there was a damaging penetration of the unclassified Navy Marine Corps Intranet (NMCI) by a cyberthreat because a simple patch had not been administered, allowing a relatively unsophisticated structured query language injection technique to successfully penetrate a “hole” and spread, putting the entire system at risk. Finally, we had the Joint Chiefs unclassified email system breach over this past summer, caused by a clever spearphishing technique and one of our own “users” not carefully checking to see who was at the electronic front door. These examples don’t even include the most serious incidents of all … the Wikileaks breach and the Snowden disclosures, which we classify as “insider” threats … another human dimension problem.
As I mentioned earlier, there is definitely a place for technology on the risk side of the balance just as it certainly drives the opportunity end. Technology must be part of a comprehensive approach that includes indications and warning about the threats, cyber threat prevention-minded and layered defenses, resilience (and you MUST plan for breach - it is inevitable, but can be acceptably mitigated with solid planning and routine rehearsals), and response options (but most responses must come from government because of laws and authorities). However, technology is just one component, as are policies, people and processes. In my view, the most important part of the comprehensive approach is getting the human dimension right with better standards of conduct, discipline and accountability. This is the leader’s task.
How does a leader get people in the organization to care about this? Again, there are no magic solutions in my experience. It takes a combination of education, making the issues more personal and closer to home, and getting the people in the organization to see the risks and how to assess them against other competing interests. It also takes a willingness to establish and enforce real consequences for unacceptable behavior. This takes creativity and ingenuity, instead of an unrealistic, extremist regime that can undermine morale, affect productivity and result in a counterproductive environment.
Once a leader gets the human dimension right, an organizational culture of strong standards and discipline and enforced accountability follows. In my experience, the result is that any organization can use improved standards and discipline to wipe 80% of the “noise from the radar screen” and focus the rest of the comprehensive approach on the 20% of the challenge that counts. This includes prioritizing application of the most sophisticated technology solutions for threat indications and warning, prevention and protection, and resilience and recovery to support what is most important to the organization’s success (in military terminology that means the mission). A prioritized approach is much more effective than trying to protect and defend everything against all threats (which means that you’re strong nowhere). This kind of comprehensive approach should speak to business leaders just as much as it does those in government. It allows leaders to balance opportunity and risks using all the tools available to make wise decisions about the allocation of resources and assets while managing risk in ways that protect only what’s most important while not breaking the bank.
What’s at stake in getting the opportunity/risk balance right? From my perspective, U.S. and global critical infrastructure and key resources are at stake. National security, international stability and economic viability are at stake. Public health and welfare interests are also at stake. Public and private sector leaders have to think hard about the balance and make it a priority to get it right and keep it right as things change in a very dynamic information driven world.
Lesson number three is about the need for greater clarity and transparency. If I had to come up with a motto for this lesson it would be, “Don’t expect the cavalry for every problem, so be ready to do your own part!” I believe we need to shine more light on what the world’s militaries are doing in cyber so that we set accurate expectations and avoid a range of dangerous miscalculations. Cyber can be a scary term, evoking a mysterious virtual world that has its own terminology, culture, values and norms. I agree with what the Chairman of the Joint Chiefs, General Dempsey, once said about the need to demystify cyber and speak with much more clarity and transparency as a military and as a nation. There are both principled as well as practical reasons for doing this, so let me explain my personal perspective on why this is so important.
Historically, many of the world’s most sophisticated organizations and capabilities in the cyber arena grew up in the underground. They matured in darkness and anonymity. Political activism, crime and espionage are characteristic of activities which seek the darkness so that they can flourish in the face of governmental efforts (both legitimate and corrupt) to counter them. However, in recent years we’ve witnessed a growing number of nation state militaries, including our own, that are building military forces and capabilities. When you talk about the use of uniformed military forces and capabilities in the cyber world, in my view we should shine a bit more light on what they are doing and why they are doing it … including our own U.S. military cyber forces.
Why is that important? It is absolutely critical to reduce uncertainty and the chances of making a mistake. It is also important to increase stability and control escalation. In the past several years those of us working cyber in national security have witnessed an alarming growth of activities within our nation’s systems and networks, including some of our most sensitive critical infrastructure such as transportation, electricity and power, oil and natural gas, telecommunications, and even in our most sensitive military networks. When we see activity that is attributed to sophisticated capabilities, with no explanation of intentions … well, that’s something that keeps national security professionals up at night. This is especially true when the observed activity and capability appear to have nothing at all to do with criminal or espionage intentions, and may be viewed as an act of preparation for something much more serious. It is extremely destabilizing because of the level of uncertainty, and the chances of misperception and a resulting mistake are unacceptably high.
Clarity and transparency from the U.S. military is also important to interagency, international and industry partners alike, for practical reasons. This is because we need to be clear about creating accurate expectations of what the U.S. military cyber missions are, and just as importantly, are not. As a result of the U.S. cyber policy deliberations over the past several years, and keeping in mind the notion of teamwork, partnerships and a whole of government approach that the U.S. cyber policy embodies, the Defense Department cyber mission has been clarified in the recently published DoD Cyber Strategy. While two of the three DoD cyber missions have always existed and remain constant (defending DoD’s own information networks and combat systems, and providing cyber operational capabilities alongside traditional land, maritime, air and space capabilities to support the contingency plans and operations of our Combatant Commanders), a new mission for DoD has emerged within the context of the broader U.S. government approach. This new mission describes how DoD is responsible for being prepared to defend the nation and its vital interests in all domains, including cyberspace.
What should be clear to our various partners? This new role is not about DoD riding to the rescue of any private sector entity that has a routine, criminal cyber incident, or even one that doesn’t involve serious national security interests. Just as important, this new role is about DoD gaining an exquisite understanding of the significant foreign cyberthreat intentions, operational posture, research and developmental activities, cyber capabilities, supporting infrastructure, operational activities and their potential impact. It is also about being in a position to take action - when authorized by the highest level of national authorities - to counter that cyberthreat if it is assessed as going to cause, or already causing, significant consequence. The term “significant consequence” has specific meaning in the form of loss of life, significant disruption or destruction of critical infrastructure, or other significant national or economic security consequences such as adversely impacting a military response or risking economic collapse. It is extremely important for our industry and international partners to understand DoD’s roles and responsibilities, as well as those of other U.S. government agencies, so that they can plan their own roles and responsibilities more effectively as part of a collective effort.
During my time working cyber at the Pentagon we made a deliberate decision to begin to more clearly explain what we are doing as a U.S. military, why we are doing it, and how we are exercising very careful control over what we are doing as a responsible nation. In fact, it may surprise some to know that we included nations such as China and Russia in this discussion, and I had the opportunity to participate directly with my military counterparts. While more clarity and transparency are needed, especially from the growing array of nations that are building cyber forces in their militaries, there is also a need for some balance in the decision about how much transparency is required. After all, when you are in the business of the military you do not want to give away an operational advantage. However, I believe that we do need to talk more openly about what we do and you are seeing a more open and transparent posture from DoD continuing today. We are setting an example of how a responsible nation’s military acts, and we expect others to follow this example. Another practical benefit in being more clear and transparent is that you can use military cyber capabilities more effectively in a deterrent role by doing so, and I think we are just beginning to tackle that issue within DoD and the U.S. government.
As I mentioned at the start, there are many more lessons that I’ve learned over my tenure at the Defense Department. The three lessons that I share in this article are meant to help leaders in both the public and private sectors focus their attention on those things that I’ve seen make the biggest difference in effective cyber policies and strategies:
[1] I acknowledge the assistance of Clif Triplett, Managing Partner at SteelPointe Partners, in the development of this article. Clif is a dear old friend, a 1980 West Point classmate, and a highly successful and well respected leader in the information technology field within industry. I asked Clif to help me articulate my personal lessons in ways that would be most meaningful to leaders in the private sector, and I’m ever grateful for his insight and edits.
About the Author: John A. Davis
Retired U.S. Army Major General John A. Davis is the Vice President and Federal Chief Security Officer for Palo Alto Networks, where he is responsible for expanding cybersecurity initiatives and global policy for the international public sector and assisting governments around the world to successfully prevent cybersecurity attacks.
Prior to joining Palo Alto Networks, John served as the Senior Military Advisor for Cyber to the Under Secretary of Defense for Policy and served as the Acting Deputy Assistant Secretary of Defense for Cyber Policy. Prior to this assignment, he served in multiple leadership positions in special operations, cyber, and information operations. His military decorations include the Defense Superior Service Medal, Legion of Merit, and the Bronze Star Medal.
John earned a Master of Strategic Studies from the U.S. Army War College, Master of Military Art and Science from U.S. Army Command and General Staff College, and Bachelor of Science from U.S. Military Academy at West Point. He also serves as an advisor of the MCPA.