Adaptive Segmentationmicro-segmentation December 10, 2018

The State of the Cybersecurity Story: Signs of Progress – Leadership

Jonathan Reiber, Former Head of Cybersecurity Strategy

Read parts one and two of this series.

In the initial years of cyber policy in the Pentagon in 2009-2010, the government lacked cohesiveness around the threat and agency roles and missions. By the end of the first term of the Obama administration, however, progress increased rapidly. This was due to one thing: a rise in leadership. Cabinet officials and government staff always want to improve interagency coordination and drive results for the American public, but absent good leadership, it simply won’t happen.

What leadership lessons can we draw from the 2012-2013 period in cybersecurity, and what do those lessons offer organizations today?

ill_blog_hdr_reiber-on-cyber_v1-BK

Smart people like to work on hard problems. In 2012-2013, a group of leaders in the National Security Council, the Pentagon, and U.S. Cyber Command were driven by a desire to address the threat and make change. Their commitment led to a strategic decision that had a significant impact on international security affairs: the building of the U.S. Cyber Mission Force, a 6,200 force of elite cyberspace operators tasked to the defend U.S. interests against cyberattacks. 

 What qualities made these leaders effective? Here are a few:

  • Sound analysis, especially in U.S. Cyber Command and the Office of the Secretary of Defense
  • Good storytelling to persuade the government of the necessity of the force
  • Effective execution to drive results


These and other qualities (including the brilliance and self-control of key leaders) worked in a loop to build trust. Absent one and it wouldn’t have worked. Briefly, how did it play out?

Analysis and Storytelling

To make security investments in a resource-constrained environment demands balance. As President Dwight Eisenhower argued in his 1961 Farewell Address, every leader needs to “maintain balance in and among national programs – balance between the private and the public economy, balance between the cost and hoped for advantages...balance between the actions of the moment and the national welfare of the future." That means making hard choices: managing the operational challenges of the present while keeping an eye on the future, “thinking in time,” as Richard Neustadt and Ernest May said. That is the duty of any executive.  

Balance was the order of the day in the challenging period of 2012-2013. At the helm were Ash Carter, deputy secretary of defense, and General Keith Alexander, the head of U.S. Cyber Command and the National Security Agency. Under their leadership and thanks to the hard work of others, the Pentagon service secretaries and four-stars gathered in a room and agreed on the missions, shape, and funding for the force. It had three missions, would be comprised of 133 teams, and would reach “full operational capacity” in 2018.

The missions were to:

  1. Defend DoD data and networks so that the military can carry out its core missions.
  2. Defend the United States against cyberattacks of significant consequence from overseas to include loss of life or significant economic or foreign policy impacts.
  3. Deliver cyberspace capabilities to the military in theaters of operation to fight and win the nation’s wars.


What made this hard?

A new 6,200-person force would be a major investment in any scenario, but two historical drivers complicated the moment. The first was the ongoing conflicts in Iraq and Afghanistan. The second was a period of budget reduction following the global financial crisis of 2008. The Budget Control Act of 2011 forced every federal agency to shrink. In this environment, the women and men of the Cyber Mission Force had to be taken “out of hide”; they wouldn’t be replaced with new personnel, so every department would lose some capabilities. 

Budget cuts always make people uncomfortable. If the military invested in cyberspace capabilities and other advanced tech, like space and R&D, planners feared a loss of lethality in other areas. Fresh from the counterinsurgency campaigns in Afghanistan and Iraq, the Army and Marine Corps didn’t want to lose the knowledge and skills developed from the conflicts of the previous decade. Skills had to be maintained as the military decreased in size and invested in new areas.

This story should be familiar to any organization in a budget change – and analysis is the only way towards balance. The Office of Cost Assessment and Program Evaluation (CAPE) helps play this role in the Pentagon, and Christine Fox, the director at the time, was laser focused on cybersecurity. From Cyber Command’s first day in 2009, her program analysts traveled regularly to Fort Meade to assess the force and its capabilities.

A strong, fact-based story helped build trust in the investment. Pentagon leaders were in a better position to build partnerships with the White House, across the federal government, and Congress. Cyber Command had to spend the next years delivering the investment, of course – and that meant training the workforce, developing technical capabilities for missions, and exercising regularly – requirements for any cybersecurity organization.

This tiny history is a part of a much larger story. But lessons are clear for everyone: 
  • You need facts and strong analysis to identify missions and set a strategic course. Only then can you build support for change.
  • You need to tell your stories well. A good communicator matters; the evolution of the Pentagon’s "three missions" was a clarifying narrative.
  • You need leaders who can assess their organization’s strengths and weaknesses, focus relentlessly on execution, and stick with the mission over time.

Good leadership is the first step towards real progress. Striking a balance and making difficult choices is never easy – and that’s probably why we call it "work."

 

Adaptive Segmentationmicro-segmentation
Share this post: