Agility Versus Security
Upon taking the reins of government, President Obama was introduced to the frustration felt by many leaders in the executive branch. The president’s widely publicized effort to keep his BlackBerry revealed to the public a phenomenon that is all too familiar to those in government: the struggle between agility and security in the cyber domain.
The president was eventually victorious, but the struggle continues. Federal leaders at all levels have flexibility in the physical domain to make the decisions that keep the country running, but they do not enjoy similar authority on the Internet.
Despite the struggle, some agencies have achieved cyber agility. For instance, the Patent and Trademark Office launched the Peer to Patent: Community Patent Review Project (a partnership with the New York School of Law’s Institute for Information Law and Policy) to harness the power of Web 2.0 and decrease the patent processing backlog through crowd-sourcing. The International Security Assistance Force (ISAF) in Afghanistan uses Twitter to accurately portray the battle space and outmaneuver the Taliban.
Organizations achieve cyber agility when leaders have the power to make risk decisions within the Internet domain. Typically, U.S. military commanders make risk decisions in the relevant physical domain (ground, air, sea, space) but lack equivalent authority in cyberspace. Gen. Stanley McChrystal, ISAF commander, received authority to make risk decisions in the cyber domain. He chose to use Twitter, and ISAF is more effective for it.
Twitter, like the rifle invented in the 1800s, is a tool for the modern age. Denying commanders the use of Twitter because their troops’ tweets may hurt the mission is equivalent to banning the rifle because troops may shoot themselves in the foot. An untrained soldier with a gun is dangerous; one with Twitter is no less so. The difference between excellence and peril is training, something commanders are already responsible for.
Security by Proxy
Cyber risk decisions have been delegated to the IT community in the name of security, which is enshrined in public law. For example, Title 10, Section 2366a states, “For milestone B, any major defense acquisition program must be signed by a senior defense department official.” The signature attests that all technologies have been demonstrated in the relevant environment. Because the Internet is a virtual environment, the IT community can control the conditions under which federal leaders enter it and thus preserve security by proxy. Ultimately, security is incentivized to the detriment of agility because the IT community takes control out of the hands of leaders.
The federal enterprise must achieve cyber agility to overcome future problems. Al Qaeda is a good example of a bad organization that has embraced the future. Al Qaeda leaders are trained to operate in the physical and Internet realms, and they are responsible for cybersecurity. There is no vast network or set of IT systems to maintain or rely on. Instead, they use the same Internet cloud that federal leaders use every day in their personal lives. In doing so, they achieve agility and security at a fraction of the approximately $80 billion spent annually by the federal government on IT.
So how can agencies best capitalize on the promise inherent in the Internet, while protecting against vulnerabilities? The answer is in treating the cyber realm more like the physical one. Training and education must prepare leaders to be agile and secure in cyberspace. As leaders lose their cyber innocence, the IT community must release its grip on Internet controls.
Feds must become cyber experts. This does not mean they need to become programmers — just Internet savvy. The head of the Food and Drug Administration must understand Facebook and identity cloaking as clearly as he or she understands drugs. Once transformed, these leaders must ultimately take over the reins from the IT community and make the trade-offs between agility and security that they already make in the physical realm.