To Operationalize Cyber, Humanize the Design
Patrick Duggan
“The proper study of mankind is the science of design”[1]
Herbert Simon—Nobel Prize Laureate
Cyberspace…the military riddle of the modern age. Despite well-intentioned talk across the U.S. Army to ‘operationalize cyber,’ the indispensable means for doing so, is to ‘humanize’ the design. Conventional U.S. Army wisdom proclaims cyber a ‘war fighting domain,’ and its networks the war-fighting platform.[2] However, the problem with this linear logic is, where do humans fit? This article asserts the need to expand the discussion about operational cyber, and challenges the convenience of simply wedging offensive and defensive notions into an artificial domain. Instead, it advocates an accelerated cycle of learning and sharing, to build enterprise trust, and humanize the design. Operationalizing cyber is not about linear thinking and lines of operation; it is about building trust in a process that speeds the cycle of individual education and branch collaboration. Humanizing cyber requires every soldier to become cyber-aware and every branch to adapt cyber to its own distinctive cultures, missions, and needs. The days of relegating cyber-thinking to communication and intelligence communities are over. Cyber is a team event now, and requires as much creativity, diversity, and proliferation the U.S. Army can muster.
Design in an Information-Rich World[3]
In 1978, renowned American computer scientist, economist, political scientist, psychologist, painter, pianist, and one of the most original thinkers of the 20th Century,[4] the late Dr. Herbert Simon, was awarded the Nobel Prize for his contributions to the field of economics. A quintessential polymath, Herbert Simon was an early pioneer in numerous fields of study, and in his lifetime, contributed many new theories, organizing principles, and ways to ponder a world rapidly inundating with information, computers, and technology. Simon was ahead of his time, exploring cyberspace before the word was coined, and even co-authoring the first publication on artificial intelligence in 1956,[5] long before the field was created.
However, what makes Herbert Simon so singularly unique, was his unshakable focus on the centrality of humans, their decisions, and interactions, in whatever field he examined. Exploring how organizations, businesses, and government agencies could best operate in an ‘information-rich’ 1971 world,[6] Simon asserted that true progress comes not from building ever-more powerful technology, but by humanity’s ability to conceive better designs as they conjointly evolved.[7] Meaning, despite today’s fixation on connectivity and cognification of inert things, we must never forget about humans in cyber’s design. So as cyberspace emerges as the military riddle of the modern age, the true implication of the riddle is, what do humans do about ourselves?
Operational Cyber
U.S. Army Branch examples. In less than a decade, Special Forces (SF) Battalions will deploy to remote and austere locations, where there will be no power and all military communications will be jammed. SF teams will employ their own conceptualized cyber-enabled Unconventional Warfare (UW) tactics, like using adhoc wireless meshed networks for communication with their local surrogate partners. These indigenous-compatible, multi-protocol mesh, will be solar powered and encrypted, and ride Rasberry Pi nodes run on hastily written Python code. Cyber-enabled UW networks will relay voice and data in near-time, and enable SF soldiers wearing augmented reality goggles to call fire support for their indigenous partners miles away.
Nearby, there will be an Infantry Division fighting to establish a foothold in a sprawling cyber-contested urban environment. Infantry companies will employ their own conceptualized cyber-enabled Movement to Contact tactics, like enroute rolling pen-tests to probe local and wireless networks, and in-extremis exploitation of the sector’s Internet of Things (IoT). Along their advance, cyber-enabled Infantry tactics will decrease the probability of enemy ambush, and enable the companies to make contact with the smallest element possible, so that they can fix, maneuver, and relay calls for fire to micro-drones hovering in support.
Just off the coast, there will be hundreds of armored vehicles, tanks, and cargo stuck floating on transport ships. In the port, a Logistics Battalion will be scrambling to remediate malware and localize cyber-attacks against dilapidated industrial controls and SCADA devices. Inside the city, there will be cyber-linguists advising and assisting the host nation on methods to counter cyber-attacks against the country’s remaining critical infrastructure. All the while, cyber-operators will be scripting and translating open-source code while remaining sensitive to the culture.
So what? This scenario is one the U.S. Army could soon face, and one for which every soldier and branch must be prepared. But what is the thinking to get it there, more importantly, a design to prepare?
Cyberspace is NOT a Military Domain
The argument. In Martin C. Libicki’s seminal paper, Cyberspace is Not a Warfighting Domain, Libicki correctly argues that cyberspace should not be confined to a warfighting domain, and that doing so, “is misleading, perhaps even pernicious.”[8] While understandably expedient for militaries to train, organize, and equip soldiers around, the danger of treating cyber as a military domain is that it incorrectly imposes artificial boundaries around an abstraction that simply do not exist. While military cyber-doctrine is rife with curated categories, the truth is cyber-operations are based on intent, thus require context and perspective. In reality, cyber-operations are extremely difficult to label, as some of the same tools, methods, and architecture used for defense can also be employed for offense. Traditional Westphalian notions of territorial integrity and sovereign authority have limited value due to cyber’s ambiguous nature.[9]
No single entity owns cyberspace. While every physical component of cyberspace may be owned individually, as a whole, cyber is not owned or controlled by any single nation, individual, or organization.[10] With 90% of the world’s Internet owned by the private or commercial sectors,[11] no single military has the capability or capacity to secure the entire space, or even a mandate to try. Further, there are countless other ephemeral networks and dynamic typologies which come and go daily, along with over 5.5 million new things being connected to the IoT everyday.[12] In fact, the entirety of cyber infrastructure is a hodgepodge of public and private networks lacking standardized security or access controls,[13] which spawn incessant vulnerabilities and breed situations for more.
Military terms and concepts shouldn’t be forced. Labeling the unknowns of cyberspace with familiar military terms may be comforting, but it pre-emptively hobbles human creativity. Wedging military jargon like key terrain, cyber-superiority, and network liberation, into an essentially non-military space is an intellectual easy way out. Military terminology cannot convey cyber’s true character and complexity, and it simply encourages refashioning the ambiguous and unclear into the familiar and trite. Proclaiming cyber a military domain undermines its expansive private nature, infers accepted limits, and conveys the dangerous preconception of shared martial norms with potential enemies. Ultimately, viewing cyber as a warfighting domain undermines its true nature and undercuts the critical thinking of humans in the design.
A Human Design to Operationalize Cyber
Modern militaries have incorporated operational design into campaigns, strategies, and battles since the days of Carl von Clausewitz. Interior and exterior lines, lines of operation, lines of effort, and logical lines of operation are all linear in nature, and have served to arrange and link spatial, temporal, and physical objectives to a greater purpose or a grand design. According to Army Doctrine Reference Publication 3.0, lines of operations and lines of effort link objectives to an end state, and commanders may use one or both, to describe the operational design.[14] In short, linear designs and thinking have dominated Western military thought for hundreds of years and continue to pervade.
While the value of linear design to military operational art is well beyond the scope of this paper, this paper does advance an unorthodox approach to operationalize cyber. Figure 1 depicts an example of traditional lines of effort, as reflected in the U.S. Army Cyber Center of Excellence’s 2015 Strategic Plan. Figure 2 depicts a non-traditional approach that iteratively emphasizes humans in the design.
The real contrast between the two is not in their specific objectives, but in their orientation, as Figure 2 emphasizes the centrality of humans in continuous cycles of effort. Humanizing cyber requires the acceleration of every single soldier’s cyber-education and the velocity of every branch’s collaboration. Individually, soldiers must internalize and adopt cyber in their daily lives. Organizationally, every branch must develop its own concepts and adapt cyber to suit its distinctive cultures, missions, and needs. Ultimately, an iterative human design builds enterprise-wide trust and pushes cyber to the heart of soldier identity—themselves as individuals and themselves as an organizational branch.
Every Soldier Cyber-Aware
Every soldier must become cyber aware. The U.S. Army must demystify cyber by accelerating enterprise-wide education. Similar to the rifle marksmanship training every new recruit receives upon initial entry, cyber proficiency builds in degrees of comfort and skill throughout a soldier’s career. Blocks of cyber-education must be incorporated into all NCO and Officer Professional Military Education courses, perhaps culminating in a yet to be established Department of Cyber Warfare at the U.S. Army War College, or a new National Cyber War College for the entire Department of Defense.
Cyber-education could be categorized into three distinct levels: foundational for every soldier, generalist for junior officers and NCOs, and specialist for both open and closed-circuit officers and NCO tracks. Civilian cyber-security certifications could also be aligned to rank, experience, and education levels, as intimated by DODI 8570, with junior soldiers completing A+, junior NCOs and officers completing GSEC, and specialists acquiring CISSP certification.[15]
Must build a bench of cyber-soldiers. While the U.S. Army recently built 41 active-duty cyber mission force teams and 21 National Guard and Reserve teams,[16] they will still not be enough. As described in the scenario earlier, to be successful, the U.S. Army must build more capacity, capabilities, and deepen its cyber-bench. As every soldier becomes increasingly more cyber-aware, the U.S. Army could establish three new cyber-tracks for soldiers to pursue. The first track would be for all soldiers as they ascend their respective branches. The second, would be for non-traditional cyber-talent in an open-circuit track, and the third would be for traditional cyber-talent in a closed circuit, similar to the U.S. Army Special Force’s recruitment, selection, and training.
In the open-circuit track, branches would select and send soldiers to attend specialized cyber-schools at the U.S. Army Cyber Center at Fort Gordon. These soldiers would remain assigned to their parent branch, and after completing 6-12 months of training would be closely-managed by an Additional Skill Identifier. Open-circuit soldiers would return to their respective branch and infuse new perspectives, new methods, and insights for best tailoring cyber-practice inside their branch. Cyber-trained, branch-practitioners would stimulate an explosion of fresh and diverse ideas across all U.S. Army branches. By recruiting the best of the best from open-circuit graduates, the Army would also expand its pool for closed-circuit cyber-talent.
Every soldier must develop an increased sense of control over cyber. As every soldier’s cyber-education accelerates, and training opportunities increase, cyber will become less of a thing at all, and more of a verb. Cyber the verb will engender countless new actions, as soldiers learn to develop a sense of control over it and forge new emotional bonds by using it in their daily lives. Cyber-exposure is the key to feeding the simultaneous and independent innovation of tens of thousands of soldiers, and enabling them to seize control over some of the millions of devices being connected to the IoT daily. This important shift will gradually change the conversations from how many soldiers it takes to run a machine, to how many machines a soldier can run.[17] For the Army, the IoT isn’t about ‘things’ at all, but about changing its organization and culture.[18]
As the barriers of entry drop for controlling devices in an exploding IoT, the decentralization of once abstract notions and technical concepts is inevitable. Thus, soldiers must be trusted more to self-regulate in this rapidly changing environment. The IoT will provide a myriad of new attack vectors such as: surveillance cameras, thermostats, monitors, automobiles, and wearable technology, just to name a few. Soldiers must be given greater input to customize unique solutions for accomplishing their respective missions, as it will soon be impossible to exercise centralized command and control. Fortunately, the U.S. Army’s long experience with Mission Command provides a useful template for fostering individual initiative within a broad framework of overall intent. Ultimately, a soldier’s ability to internalize and adopt cyber-technology is essential to driving the new concepts every U.S. Army branch requires, but more importantly, provides the confidence to do it.
Branch-based Cyber
Subcultures. Every U.S. military service possesses distinctive organizational cultures and subcultures, and within every sub-culture there are different norms and comfort levels for hierarchal control. Some U.S. Army subcultures prefer more rigid hierarchy, referred to as high ‘power-distance,’ [19] while other branches prefer less. Power-distance is the degree to which a soldier’s branch expects power to be distributed; if distance is high, leaders expect higher obedience, more hierarchical decision-making, and less collaboration.[20] In essence, organizations with high power-distance exhibit less autonomy, flexibility, and creativity when operating in ambiguous environments. At the opposite end of the spectrum are subcultures characterized by low power-distance, like the U.S. Army Special Forces, where there is a widely held view that power-distance “is significantly less than the regular Army,”[21] and have “a reputation across the military community for being flexible, adaptive, and assertive.”[22]
Unfortunately, as the U.S. Army contemplates operationalizing cyber, it also wrestles with the paradox of an enduring culture that gravitates towards centralized control and linear thinking, while actually needing more decentralized innovation and thinking ‘out of the box.’[23] Meaning, if the U.S. Army is to be successful at operational cyber, it must dissipate high power-distance subcultures that perpetuate linear thinking and retard new ideas, while emulating subculture climates that embrace adaptation and learning. [24]
Every U.S. Army Branch must develop its own cyber-concepts. As certainly as every U.S. Army Branch exhibits its own distinctive culture, missions, and notions for warfare, each branch is also in the best position to envisage its own cyber-concepts. Branch-conceived concepts will create as many diverse ideas and fields of application as there are disciplines and units in the U.S. Army. The arsenal of ideas will feed non-linear thinking, fuel collisions of ideas, and offer a market of fresh options to explore cyber’s inherently non-military space for new ways of warfare. Even more, this vibrant renaissance of branch-based contemplation will produce new knowledge and better harmonize subculture differences as ideas are exchanged.
As cyber-thinking evolves, a form of subculture determinism will independently square branch notions of warfare against the ambiguity of cyber. By decentralizing the thinking, human trust is engaged, and soldiers will become more willing to develop and implement change. This form of decentralized branch adaptation is critical because when innovation does not align with distinctive subcultures or concepts for warfare, innovation is resisted.[25] Every-branch, Infantry, Armor, Aviation, Logistics, Special Forces, et al., must do its own thinking, develop its own concepts, and project its own unique missions in cyber, to fully operationalize the space.
Harness the collective power of solider-branch identity. Every soldier in the U.S. Army is categorized by his or her branch, and every branch conveys a sense of identity to the individual soldier. While power-distance plays a role in the degree of attachment a soldier has for his or her assigned branch, branches still convey significant meaning for how soldiers define their identities. This ‘identity imperative,’ is a natural occurring component of the U.S. Army and an innate element to all professions.
Instead of de-emphasizing its occurrence, the U.S. Army should leverage identity imperative’s collective power by igniting branch cyber-initiatives to kindle pride, and encouraging every branch to take ownership of cyber-problems. All branches must use cyber to amplify core aspects of their identities and use it to increase organizational strengths while mitigating their weaknesses. By taking ownership, the collective power of soldier identity is engaged and decreases any institutional compulsion of foisting cyber-thinking on closed-circuit organizations.
Increase concept collaboration. Humans are natural designers and “have a surprising and infinitely expandable ability to create stories, forms, and concepts.”[26] This innate human ability to design can be improved by focusing on three crucial processes: improving concept expandability, designing new learning devices, and looking for new forms of social interaction.[27] Luckily, the U.S. Army can accelerate concept generation by engaging all three processes. Specifically, it can offer new forums to test concept expandability, it can decentralize authorities for branches to proto-type and build cyber-garages, and the U.S. Army can prompt new forms of interaction by fueling something known as the ‘Medici Effect.’ The Medici Effect is a phenomena of innovation that occurs at the intersection of multiple fields, disciplines, and cultures, by combining existing concepts to create extraordinary new ideas.[28] As the U.S. Army develops new concepts, it can then remix the technology it already has to innovate even better ones. This is because most innovative new technologies are simply combinations of earlier primitive technologies that have been rearranged and remixed,[29] thus only need the seed of a new idea to conceive new tech-births.
Conclusion
The indispensable means to operationalize cyber is to humanize the design. Simply wedging soldiers into a contrived war-fighting domain is not enough. Instead, we must recognize human centrality to conceive better designs. To do this, we must think less linearly and stop forcing military notions into an inherently non-military space. We must accelerate the cycle of learning and sharing, build enterprise trust, and push cyber to the heart of soldier identity—themselves as individuals, and themselves as an organizational branch. This iterative process requires every soldier to internalize cyber and every branch to adapt cyber to its own distinctive culture, missions, and needs. For the U.S. Army to operationalize cyber, it must maximize the autonomy of individuals, while amplifying the power of branches. In the end, to paraphrase Herbert Simon, the proper study of cyber, is the human in the design.[30]
End Notes
[2] The U.S. Army Stand-To Web Page, “Operationalizing Cyberspace,” September 27, 2016. https://www.army.mil/standto/2016-09-27 (accessed November 13, 2016)
[3] Herbert Simon, “Designing Organizations for an Information-Rich World,” in Computers, communications, and the public interest, ed. M. Greenberger (Baltimore, MD: Johns Hopkins Press, 1971) http://digitalcollections.library.cmu.edu/awweb/awarchive?type=file&item=33748 (accessed November 13, 2016)
[4] Fernand Gobet, “Herbert Simon Obituary,” International Computer Games Association, vol.24, no.1 (March 2001) http://ilk.uvt.nl/icga/journal/contents/content24-1.htm#HERBERT%20A.%20SIMON (accessed November 13, 2016)
[5] Allen Newell and Herbert Simon, “The Logic Theory Machine A Complex Information Processing System,” (Santa Monica, CA: RAND Corporation, 1956). http://shelf1.library.cmu.edu/IMLS/MindModels/logictheorymachine.pdf (accessed November 15, 2016)
[6] “Designing Organizations for an Information-Rich World,” 1.
[7] Ibid., 46-47.
[8]Martin C. Libicki, “Cyberspace is Not a Warfighting Domain,” Journal of Law and Policy for the Information Society, vol. 8, no.2 (Fall 2012): 335. http://moritzlaw.osu.edu/students/groups/is/files/2012/02/4.Libicki.pdf (accessed November 13, 2016)
[9] U.S. Army War College, Strategic Cyberspace Operations Guide, (Carlisle, PA: Center for Strategic Leadership, June 1, 2016), 6. http://www.csl.army.mil/usacsl/Publications/Strategic_Cyberspace_Operations_Guide_1_June_2016.pdf (accessed November 13 2016)
[10] Ibid., 6.
[11] Lilly Pijnenburg Muller, “Securing Cyberspace, Coordinating Public-Private Cooperation,” Norwegian Institute of International Affairs Policy Brief, (20/2015): 2. https://brage.bibsys.no/xmlui/bitstream/handle/11250/285462/3/NUPI+Policy+Brief-20-15-Muller.pdf (accessed November 13 2016)
[12] Rob van der Meulen, “Gartner Says 6.4 Billion Connected Things will be in Use in 2016, Up 30 Percent from 2016 Press Release,” November 10, 2015” http://www.gartner.com/newsroom/id/3165317 (accessed November 13 2016)
[13] Strategic Cyberspace Operations Guide, 6.
[14] U.S. Department of the Army, Unified Land Operations, Army Doctrine Reference Publication 3-0 (Washington, DC: U.S. Department of the Army, May, 2012), 4-4. https://fas.org/irp/doddir/army/adrp3_0.pdf (accessed November 13, 2016)
[15] Defense Information Systems Agency Web Page, “Information Assurance Support Environment DoD Approved 8570 Baseline Certifications,” July 8, 2016, http://iase.disa.mil/iawip/Pages/iabaseline.aspx (accessed November 13 2016)
[16] Sean D. Carberry, “Army Cybercom Looks to Boost Training,” November 3, 2016. https://fcw.com/articles/2016/11/03/army-cyber-command-carberry.aspx (accessed November 13, 2016).
[17] Mark Pomerleau, “For the Military, the Internet of Things isn’t About Things,” Defense Systems, November 12, 2015, 1. https://defensesystems.com/articles/2015/11/12/internet-of-things-dod-cartwight-csis.aspx?m=1 (accessed November 13, 2016)
[18] Ibid., 1.
[19]Stephen J. Gerras, Leonard Wong, and Charles D. Allen, Organizational Culture: Applying A Hybrid Model to the U.S., (Carlisle Barracks, PA: U.S. Army War College, November 2008), 14. http://www.carlisle.army.mil/orgs/SSL/dclm/pubs/Organizational%20Culture%20Applying%20a%20Hybrid%20Model%20to%20the%20U.S.%20Army%20Nov%2008.pdf (accessed November 13, 2016)
[20]Ibid., 14.
[21]Ibid., 14.
[22]Ibid., 14.
[23]Ibid., 15.
[24]Ibid., 15.
[25]Andrew Hill, “Military Innovation and Military Culture,” Parameters 45, no.1 (Spring 2015): 86-87. http://www.strategicstudiesinstitute.army.mil/pubs/parameters/Issues/Spring_2015/10_HillAndrew_Military%20Innovation%20and%20Military%20Culture.pdf (accessed November 13, 2016)
[26] Armand Hatchuel, “Towards Design Theory and Expandable Rationality: The Unfinished Program of Herbert Simon,” Journal of Management and Governance, 5:3-4 (2002): 9. http://users.csc.calpoly.edu/~csturner/courses/300f06/readings/Simon1.pdf (accessed November 13, 2016)
[27] Ibid., 9.
[28] Frans Johansson, The Medici Effect: What Elephants and Epidemics Can Teach Us about Innovation, (Boston, MA: Harvard Business Review, 2006) 2-3.
[29] Kevin Kelley, The Inevitable: Understanding the 12 Technological Forces that will Shape our Future, (New York, NY: Viking, 2016) 193.
[30] The Sciences of the Artificial, 138.