Gen. Keith B. Alexander, Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service shares insights on leading for success in the mobile frontier and amid the rapid evolution of technologies and threats:
This article originally appeared in the latest edition of CGI Initiative for Collaborative Government’s Leadership journal.
Q: October 31, 2011, marks the one-year anniversary of US CYBERCOM active operations. You had to stand up a new organization quickly with multiple major changes happening simultaneously across very senior stakeholders. What do you feel were the biggest challenges you faced in standing up CYBERCOM? And how did you overcome them?
A: Fundamentally, CYBERCOM represents a new approach. The scale and rapid evolution of technology requires a resilient, flexible approach, changing our conduct and culture to one that features a dynamic, active cyber defense – using our understanding of adversary capabilities to dynamically and rapidly defend military networks. Our military relies on its networked systems for every facet of force projection and, when establishing CYBERCOM, we were keenly aware of the gap between the sophisticated capabilities available to exploit and degrade those networks and the defenses in place to protect them.
There were several significant challenges on the ground to achieving that vision. First, we had to merge the two legacy organizations (Joint Functional Component Command for Network Warfare [JFCC-NW] and Joint Task Force for Global Network Operations [JTF-GNO]), representing the military’s cyber “offense” and “defense” to operate effectively as one unified force – CYBERCOM.
Then, we focused on merging their actual operations. We established a Joint Operations Center, transferred operational control of the JTF-GNO mission set to Ft. Meade, Maryland, and stood down JTF-GNO’s 24/7 watch center in Arlington, Virginia.
That task involved careful planning to ensure that the daily functions of the Department of Defense’s networks were unimpaired, given that they are constant targets. We also established effective operational command and control processes for the consolidated mission sets.
Once we had begun to operate as one synchronized force, we focused on serving our customer requirements and building relationships with key partners. We trained and embedded liaison officers at the Combatant Commands and began working closely with the Commands to help understand and define their requirements for operating effectively in cyberspace. We also worked to ensure that these liaison officers were setting the foundation to grow into larger Cyber Support Elements over time.
We were able to accomplish these critical milestones because we have great people. Thanks to their exceptional efforts, we were able to stand up and lay the foundations for our vision of a rapidly evolving and effective active defense.
Q: What advice would you have for other executives who are faced with similar complex and rapid changes in their organizations?
A: In one sentence, I will share the best advice I’ve learned from one of my mentors: communicate, communicate, communicate. CYBERCOM represents a new way of operating in a rapidly adapting domain. We needed to communicate the core principles of our strategic vision and then work closely with the leaders and staff of the Command to get the Command to full strength and capacity as rapidly as possible.
Q: What are some core management principles and approaches that you have relied on in standing up CYBERCOM?
A: First, teamwork. We knew that this command would have to operate as part of a cohesive and comprehensive team – Team Cyber. I firmly believe in teamwork – within the Command, and with our interagency and international partners. We must marshal all of our respective talents to develop innovative solutions for mutual concerns.
Second and perhaps most important: people. Amazing people are capable of amazing achievements. Let your people know how amazing they are, support them and step back. The military and civilian personnel of CYBERCOM have challenging jobs. Their creativity and ability to rapidly innovate and execute are what have underpinned the Command’s achievements in its first 18 months.
Q: What experiences in your life were major influences for you in shaping your management style? Why?
A: Over the past three decades, I have served in a wide variety of Joint and Army positions, including 15 years in command. I have served as the Deputy Chief of Staff of Intelligence, Headquarters, Department of the Army; Commanding General of the U.S. Army Intelligence and Security Command; Director of Intelligence, United States Central Command; and Deputy Director for Requirements, Capabilities, Assessments and Doctrine, J-2, for the Joint Chiefs of Staff. These roles of increasing responsibility provided the set of experiences and relationships I draw upon each day.
Perhaps most importantly, I have had exceptional mentors throughout my career. While I learned a great deal, technically, from them, the most important lessons they taught me were those of leadership. People are our greatest assets, and I believe they perform the best in a positive leadership environment.
Focusing more exclusively on cyber, the knowledge gained serving as Director, National Security Agency, Chief, Central Security Service and Commander, Joint Functional Component Command-Network Warfare (JFCC-NW) was instrumental in shaping my vision of how the military needs to operate effectively in cyberspace. NSA’s cryptologic work in SIGINT/Computer Network Exploitation, Information Assurance and Network Threat Operations is superb and foundational to the nation’s future success in the cyber domain.
That knowledge has led me to champion NSA’s work and greatly value the outstanding professionals and expertise at NSA/CSS.
Leading for Success in the Mobile Frontier:
Q: What do you see as the most critical challenges in achieving the right balance between taking advantage of mobile technologies to gain a communications advantage over the enemy and making sure communications are secure from enemy interception or interference?
A: I am an advocate for using mobile technologies. As I said, the key to managing complexity, from the battlefield to the office, is to communicate – which means access to, and movement of, information.
Extending our information reach through new technology gives us great capability, but it also extends our vulnerability. We’ve all seen the significant increase in malware focused on mobile devices as the new frontier. Today’s mobile devices are targeted as access points to enterprise networks and the valuable information stored either in e-mail, on the device or on the home network.
The Department of Defense, and government, writ broadly, have all learned that technology built only for government use is not a cost-effective or rapid way to deploy information technology. Rather, leveraging commercial technology while implementing careful configuration and best practices to maximize security is the best approach.
And as the technology across government and industry converges, we are also seeing a similar convergence of mission interest in security. Corporations are worried about threats to their intellectual property and the integrity of their networks via mobile devices, and so we are seeing a move to incorporate security into commercial devices. We are actively supporting that via our information assurance partnerships with industry and across the USG.
Q: What is CYBERCOM doing today to create a team approach with the military services to secure the use of mobile devices?
A: The addition of mobile devices to DOD’s inventory does create some unique challenges, but they’re ones we face regularly. CYBERCOM is leveraging work that NSA is doing to secure mobile devices and championing these efforts for the services. The key is to leverage this new technology, ensure it is secure and work with the services so that we can acquire and deploy these technologies for best operational and defensive effect.
We also have to remember that security (or insecurity) is fundamentally a system level problem. The adversary attacks the system where it is weak. So we have to secure not only the mobile device, but also the transport of information, the infrastructure at the back end that supports it, every partner in the system, and everything in between. So the notion of team is much broader than ever before.
Q: How do you view the future for network defense with the influx of mobile devices, particularly in regard to mobile security and network situational awareness?
A: We believe that both the private sector and the USG value secure mobile devices – devices that protect the corporate and personal data resident on the devices and on the enterprise networks they access. As greater and greater capability moves to mobile devices (e.g., banking), security becomes more and more valued. We are working closely with the private sector to ensure that the lessons learned from the last two decades of PC security are applied to mobile devices.
We believe that the future of network defense is a much more dynamic problem than in the past. New technologies and devices will continue to appear in our environment. So we can never secure the defense one device at a time. We need to improve the whole ecosystem through standards, best practices and improvement to the supporting infrastructure.
Q: How will Cyber Command work with the department to grow the cyber workforce of the future to defend and secure mobile networks?
A: The Department must grow the cyber workforce to operate and defend both mobile and fixed networks. Working with our Service Component Commanders, we have identified the base set of personnel resources needed to meet a subset of Operational Plans in support of the Geographic Combatant Commands. The Chairman, Vice Chairman and Service Chiefs are working together to generate the forces we need.
More broadly, we are leveraging the work of government partners like DHS to increase the nation’s overall cyber workforce capacity through programs like the Centers of Academic Excellence in Information Assurance (CAE-IA) and the National Initiative for Cybersecurity Education (NICE). We also fully support efforts to interest American teens in science and technology. Various states and not-for-profits have launched contests and scholarships to interest American high school students in S&T. Attracting the nation’s best and brightest to science will ensure our finest minds drive the nation’s economic growth and national security.
Q: What key challenges have you seen that you expected? That you didn’t expect?
A: The key challenge is, of course, the threat. The cyber threat continues to mature, posing risks to the nation. Our leaders – from President Obama on down – have emphasized this point, and for good reason. Our nation now depends on access to cyberspace and the data and capabilities residing there; we are collectively vulnerable to an array of threats ranging from network instability to criminal and terrorist activities to state-sponsored capabilities and actions that are continually evolving. While I emphasize that we have not suffered disastrous or irreparable harm in cyberspace from any of these risk categories, we must be prepared to counter this evolving threat. Building a common understanding of the threat is key to achieving a whole-of-government and whole-of-nation effort.
On a more tactical level, what we have found as we improve our common operating picture, our intelligence and our operations to create effects is that DOD does not have the capacity to do everything we need to do to defend our military networks. To put it bluntly, we are very thin, and a crisis would quickly stress the military’s cyber forces.
The problem has two facets – there are too few trained service personnel out there in the first place, and the services need to hold on to as many of them as they can. Thus, the biggest issue I see is the need for collaborative force development – including joint standards, recruitment, training, deployment, sustainment, and retention across the services.
Q: How have you overcome those challenges? And what lessons have you learned that will reshape your approach in the future?
A: First and foremost, we are communicating the threat to educate key decision makers on our nation’s vulnerabilities to cyber threats and the steps that we need to take to protect our critical networks. It will take a team – across the government and private sector – to measurably improve the nation’s security in cyberspace. At CYBERCOM, we are focused on working with NSA, DISA and the services – our core partners – to measurably improve the security of military networks.
Q: What recommendations do you have for other senior leaders as they work to take advantage of mobile technology while securing its use?
A: I recommend we challenge our people to push the envelope in using commercial technologies while working to configure and use them in the most secure ways possible.
I also urge senior leaders who are considering mobile technology (or any technology) to stand back and realize that their mission needs are not likely unique. We need to think of these as enterprise-level problems – shared problems requiring shared solutions. We cannot afford to have every organization independently chasing the latest technology. By working together, we can bring together our best minds in technology and security, bring critical mass to the marketplace, put in place enterprise-level security infrastructure and help improve security at national scale.
Q: How is managing cybersecurity programs different from other programs you have led?
A: The information technology environment is the fastest-changing environment in the DoD and the nation. Conventional approaches will not work. To adapt, we work our efforts in 90-day spins, leveraging what we have done, constantly trading technical advances and adjusting our plans. We have had tremendous success with this approach, which we are now applying in our IT efficiencies and effectiveness programs.
Hardware Security and Supply Chain Risk Management:
Q: With the proliferation of mobile devices, what is your perspective on how U.S. organizations can best secure their mobility supply chain to prevent bad actors from inserting hardware components containing malicious software code and the like (mobile devices, servers that operate mobile applications, etc.)?
A: Supply chain risk mitigation is a national effort under the Comprehensive National Cybersecurity Initiative. The global technology supply chain affects mission-critical aspects of the DOD enterprise, as well as core U.S. government and private-sector functions, and its risks must be mitigated through strategic public/private-sector cooperation. DOD is supporting interagency efforts to increase assurance in our information and communication technology supply chain. (Public Affairs Guidance DOD Strategy for Operating in Cyberspace July 2011)
Q: Mobile computing poses different hardware security challenges than desktop environments, with two leading platforms (iOS and Android), and more platforms continuing to mature (e.g., Windows and BlackBerry). How can we best secure mobile device hardware in an extremely heterogeneous environment?
A: First, there is great value in leveraging the lessons learned from the work done to improve the security of PCs over the last decade. The private sector began incorporating roots of trust in devices (e.g., Trusted Platform Modules [TPMs]) over the last decade, providing a “root” for further security to build upon in the device.
The second is to evolve our thinking from securing devices and systems to securing data – ensuring that the most valuable IP, whether source code or R&D designs, is protected and kept on networks where access controls are carefully managed. I think roots of trust and smart data will help reduce these risks.
We must recognize that there has been a fundamental change in our information environment. New devices and technologies will appear rapidly, so we must plan for that. Everything from our gathering of requirements, acquisition and security decision-making must be more rapid and nimble. We must also reshape the entire ecosystem through standards, better security infrastructure and improvements “upstream” in the life cycle with key vendors. We cannot get what we need by waiting for it to appear, then trying to secure it.
Q: How are you shaping DOD partnerships to incent innovation and arrive at solutions that are platform neutral and trusted, while building in supply chain security?
A: The evolution of commercial technologies like cloud technology and smart data offers tremendous opportunity in ensuring the security of our infrastructure. They give us the opportunity to implement and manage security at enterprise-level scale, in addition to the IT benefits. DOD is aggressively pursuing these technologies in our IT effectiveness program. We also strongly support the evolution and use of open standards to enable us to choose “best of breed” security solutions and integrate them more effectively.
In today’s fiscally constrained environment where cyber operations and threats are global and exponential in growth, we cannot afford to rely solely on Department of Defense resources. We must leverage partnerships with other governmental agencies, countries, industry and academia to form a comprehensive defense against cyber adversaries.