Small Wars Journal

Black Swans in a Cyber Forest: ‘FARness’ Needed In Future Information Technology Acquisition

Mon, 08/24/2015 - 10:10am

Black Swans in a Cyber Forest: ‘FARness’ Needed In Future Information Technology Acquisition

Bryan Leese

Former Secretary of Defense Robert Gates stated, "Our record of predicting where we will use military force since Vietnam is perfect–we have never once gotten it right. . . We need to have in mind the greatest possible flexibility and versatility for the broadest range of conflict."[1] U.S. joint operations rely on consistent access to the cyber domain. It is in the complexity of the cyber world, and our new found reliance on it, that cyber black swan events are most dangerous to our security.

The cyber domain is a 'forest' dense with complications and operational implications. Cyber black swan events will happen; we must prepare to deal with them. As the United States enters a reality where efficiency may trump effectiveness, it must be careful not to make cyber infrastructure decisions today that remove flexibility, adaptiveness, and robustness from the U.S. military in the future.

The Department of Defense (DoD) is looking at maintaining and improving its cyber domain access with limited funds. The U.S. Navy, for example, began reducing the number of data-centers it operates, taking advantage of virtualization or "cloud-computing" technology.[2] Virtualization allows one server to service many customers and the “cloud” is the networked data center's servers storing and providing access to data from many locations. These new technologies increase speed and the efficiency of the operating system by distributing and utilizing processing power across the network.[3],[4] The Navy may be underestimating the need for flexibility, adaptiveness, and robustness (FAR) in its cyber infrastructure. Risk consideration to the Navy cyber infrastructure appears to be focused toward information and network security and financial savings than toward the redundancy and resiliency needed to overcome catastrophic black swan events.

Current DoD acquisition risk assessment methodology uses pattern analysis and previous experience, but focuses on single-failure scenarios. This "what if" versus "how can (it happen)" analysis is more often used because multi-failure scenarios have a low probability of occurrence. Searching for the black swan scenarios, or "how can" scenarios, as part of the risk analysis is critical to creating layers of protection that have the ability to prevent the event, if possible, but recover from it when necessary.[5] But, FAR costs money and our quest for economy may be reducing the capacity needed to overcome black swan events.

The DoD acquisition system is a top-down process that has its own institutional inertia and sometimes lacks critical thinking, innovation, and adaptation. The current acquisition process considers low-probability events and scenario-based planning, but constrains them to what it believes is plausible and fundable, limiting the inclusion of creative and critical thinking.[6] It is necessary to think “bigger” about the risks.

Defense forecasting, or predicting the future operational environment, is used in DoD's planning, programming, budgeting, and execution system (PPBES), and is, "generally static, linear, and reasonably mechanical" in its approach.[7] It focuses on a capabilities versus risk approach.[8] The Joint Capabilities Integration and Development System (JCIDS) and PPBES, one could argue, is similar to the single-failure scenario based analysis described earlier. It is not necessarily suited toward multiple-failure scenarios needed for the complex cyber systems of the future.

The future will demand the balance of technology maturity and cost. In the early stages of the defense acquisition process for cyber technology, leaders must ensure that a risk management approach and not just a capabilities approach is used. The cyber infrastructure key performance parameters (KPP) and key systems attributes (KSA) should represent a possible future multi-failure and cyber black swan environment. Additionally, network-ready key performance parameters (NR-KPP) must measure survivability and recovery, not just operation. Testing of KPP, KSA, and NR-KPPs will require a new lens from which to develop testing and assessment methodology.

Recommendation

The DoD must accept that black swan events will likely accelerate in the growing complexity of the cyber domain. The analysis used at the strategic level to make cyber infrastructure decisions must shift from a single-failure to multi-failure view. Emphasizing "FARness"–that is flexibility, adaptiveness, and robustness in acquisition decisions is key.[9] To identify "FARness" attributes, the use of brain-storming and subject matter experts focusing on developing multi-failure scenarios for a proposed cyber infrastructure should be used. This "how can" approach creates robust scenarios approaching black swan type events and can identify ways the system could recover from a catastrophe–a type of "war-gaming." Identifying common recovery methods or needed attributes through “how can” scenarios would help decision makers think about the system within the context of a future environment and the "FARness" needed to survive.

Conclusion

In an effort to become more efficient and save money, the strategic leadership may not see the potential for black swans hidden in the cyber domain forest. Layered protections and redundancy are needed to survive a cyber-black swan event and must be considered in the analysis and decision making for future virtualization, cloud-computing, and data-center consolidation. It is with regard to probabilities that decision making based more on fiscal conservation makes the future force vulnerable. While history shows that black swan events will occur, it is up to the leadership to equip the future force with cyber systems that have "FARness"–yet fit within today's budget.

End Notes

            [1]William R. Burns and Drew Miller, "Improving DoD Adaptability and Capability to Survive Black Swan Events," Joint Forces Quarterly, 1st Quarter 2014, 32.

            [2]Christopher Perry, "Security for Cloud Computing," DON IT resources, May 18, 2010, http://www.doncio.navy.mil/ContentView.aspx?id=1744 (accessed February 1, 2015).

            [3]Department of the Navy Chief Information Officer, "How Will DON Data Center Consolidation Cut Costs? Published, March 5, 2012," March 5, 2012, http://www.doncio.navy.mil/ContentView.aspx?ID=3793 (accessed January 29, 2015).

            [4]Eric Griffith, "What Is Cloud Computing?" PC Magazine, March 13, 2013, http://www.pcmag.com/article2/0,2817,2372163,00.asp (accessed April 17, 2014).

            [5]John F. Murphy, Beware of the Black Swan: The Limitations of Risk Analysis for Predicting the Extreme Impact of Rare Process Safety Incidents (Houston, TX: 8th Global Congress on Process Safety, April 1-4, 2012) http://www.allriskengineering.com/library_files/AIChe_conferences/AIChe_2012/data/papers/P243053.pdf (accessed February 1, 2015): 2-7.

            [6]Ibid., 34-35.

            [7]Dan Cox and Michael Mosser, "Defense Forecasting in Theory and Practice: Conceptualizing and Teaching the Future Operating Environment," The Small Wars Journal, January 4, 2013, http://smallwarsjournal.com/jrnl/art/defense-forecasting-in-theory-and-practice-conceptualizing-and-teaching-the-future-operatin (accessed January 20, 2015).

            [8]Ibid.

            [9]Burns and Miller, "Improving DoD Adaptability and Capability to Survive Black Swan Events," 35.

 

About the Author(s)

CDR Bryan Leese is the Carrier Strike Group TWO N2. A graduate and instructor at the U.S. Army War College, Carlisle Barracks, PA. He has served as an analysis branch chief in USAFRICOM's J2-Molesworth, UK. Other tours include BATAAN ESG, N2 and other operational and shore tours.