Preparing for the Next Game
December 10, 2008 — Speech given by Mark Gerencser (Booz Allen Senior Vice President) at the AFCEA Solution Series "Cyberspace: Challenges and Solutions for National Security" held in Washington, DC.
This speech was published in the February 2009 issue of "Vital Speeches of the Day."
Thank you for that kind introduction.
It’s great to be part of the AFCEA and this solution series. The series offers us a great opportunity to exchange views and work more closely together as we search for credible ways to improve our national security in the cyber arena.
As I share my own ideas, I look forward to hearing your questions and other presentations so that we can build better cyber solutions together.
I plan to use a sports analogy to convey my message. So it would be helpful to know how many folks in the audience played organized football. Could I see a show of hands? How many played in High School? In college? Beyond college?
Like many of you, I played football in high school. I loved the highly structured nature of the game. It provided clear roles and responsibilities for each and every player, and unlike many other aspects of a teenager’s life, it seemed straightforward.
Play calling was linear and sequential. Basically you memorize your role and tactic for each play and then execute. The defense reacts synchronously to the offense—and vice versa.
My most notable football memory is playing against, as they were locally known, the great Jackson brothers. One brother, Kenny Jackson, became a wide receiver for the Philadelphia Eagles. I was in the defensive secondary and as a cornerback my job was to bump and cover Kenny. I remember him vividly. He was tall and fast; really fast. But I thought I was ready.
On their opening drive they had several consecutive first downs. Then it happened: Kenny went long and fast. He beat me by three steps (OK, it may have been five) and caught a perfectly thrown pass for a 40-yard touchdown. It took me a while to get my breath back and I’m not sure my football pride ever returned. On that day he, and I, in quite different ways, were game changers.
The New MORE Global Game
“Game changer” often implies a great performance by an individual or team that propels them to victory, just like Kenny did for South River High School in 1976. Rather than using “game changer” to describe an event or “play,” I’ll use it to describe a rapidly evolving game that comes with an incomplete set of rules and a constantly changing set of players, many of whom are often unknown. And that game is the cyber game.
This past quarter I attended the Defense Industrial Base, or DIB CEO forum that assembled a number of CEOs to discuss ways of improving the cyber security of our entire defense industrial base. Imagine securing the supply network that supports a multi-trillion dollar global defense enterprise.
Wow, what a task! Now extend that to the 17 other infrastructures that the Government has labeled as “critical” and the word complexity becomes an understatement, the problem almost intractable, and the value of what we’re talking about—about half of the GDP of the United States of America.
Einstein said, "The significant problems we face cannot be solved by the same level of thinking that created them." So, yesterday’s mindset will not work today nor will it work tomorrow.
The cyber security challenge we now face as a Nation in large part results from an expansive network that we’ve created to meet the demands of our economy and our citizens.
Over the past two decades we have altered our business models on a global scale to take advantage of the so-called ‘network-effect.’ We have also introduced more cybernetic automation into our industries, our processes and our operations.
While these “game” changers have enhanced the performance of business, our military and our critical infrastructures, they’ve also created a more complicated operating environment. With increased complexity, unfortunately, comes increased vulnerability.
Addressing Our Cyber Vulnerabilities
At the Defense Industrial Base meeting, senior government executives shared their views on the compliance requirements and actions needed to address our cyber vulnerabilities.
These are great first steps – necessary, compelling, well considered – almost everything we would hope for to get started on a tough issue like cyber. But it also quickly became clear that we were talking fundamentally about a business competitiveness issue, even an American competitiveness issue; not just a compliance challenge. And this is where things become compelling for us in industry.
Our DIB hosts also addressed the need for integrating our military cyber capabilities. And that’s when it struck me—the situation was like fielding a US football team against a European soccer team, on a soccer field.
The game appears to be somewhat imbalanced. On our side, we cycle through offensive and defensive teams, and we use special teams and special capabilities under special circumstances. We think and act in linear ways against a networked world. In a sense, we operate sequentially under parallel external conditions. We try to play international soccer by our domestic football rules.
At first glance, there are enough similarities between the two sports that it seems like it might work. But as we look deeper, significant differences emerge.
First—let’s look at the players. With scads of heavy equipment, helmets, shoulder pads, chest protectors, thigh pads, tailbone pads, and sometimes braces, football players are well protected though a bit encumbered. Soccer players, on the other hand, just wear shin guards. Consequently, they have more maneuverability and are more agile. It also means that it’s cheaper to outfit a soccer team than a football team—so the entry costs to play have come down.
Other significant differences start to surface when play begins. When the US football team has the ball, we field the offense to execute a set of plays against a structured defense. Move and countermove occurs within the prescribed set of time limits under many well-established rules.
As possession changes, the game comes to a halt to allow in a different set of players, with different roles and skills onto the field. Compare this to the fluidity of the soccer team, where each player switches seamlessly from offense to defense. There’s a lot of cross-over, backup, and dynamic reaction as play progresses with the time clock constantly running. The soccer team has a clear cycle-response-time advantage over the football team.
The New Cyber Protocol: Convert Spectators Into Players
Today, the game gets even trickier. Unlike any other time before, the spectators are being pulled from their seats and put into the game. They, or more specifically, we in industry, can no longer sit passively watching the Departments of Defense, Justice or Homeland Security protect us.
Whether we like it or not, we are now in the game. Our adversaries’ actions bring us into “the game.” Our interdependencies with the Government bring us into “the game.” Our roles in critical infrastructures bring us into “the game.” So, we are ALL now in the game.
Bringing in industry partners into the cyber game to help address the cyber problem introduces challenges similar to getting the spectators to play a sport that they previously only watched. We haven’t actively trained with the teams; so we do not know the plays. We didn’t practice with the team; so we lack the skills.
Perhaps most importantly, we really don’t know each other well, so we lack mutual trust and understanding that could go a long way toward bridging the gaps of a new playbook. Some of the rules we now play under are obscure, maybe arcane or even undefined. Some make no sense to us, and a few, make no sense to anyone because we’re trying to apply football rules to soccer. As relative newcomers, we’re not sure of our precise role, our limits, or our obligations. Yet, regardless of these barriers and uncertainties, we must play together.
So far, the primary response to our cyber challenge has come from the Government. The Government is pursuing more effective ways to integrate capabilities and operational control authorities.
For example, the Secretary of Defense recently linked operational control authority between two functional components in different organizations. This promises to create a tighter linkage between our football’s defensive and offensive squads, and there are further thoughts of increased integration with our exploitation and intelligence capabilities. Maybe, more to come!
However, beyond the DIB activities, there hasn’t been a full-team integration—that is, with industry and society. The cyber security challenges can’t be won with a partial team. Nor can it be solved by organizational changes alone: merely moving lines and boxes around. Organization, accountability, and role integrity are necessary but insufficient.
We Need A Mindshift
The Unified Command Plan or UCP08 revisions and organizational realignments that integrate play are a first step, but we need much more. In order to play the game properly, we need a complete team. In order to win, we need a mindset shift that includes: an updated policy and legal foundation; bold new operating models; training and education for the whole team; willingness to share information; and a commitment to align and use our collective resources.
In short, we need to execute in new ways that break through old boundaries and dispatch old paradigms; we have to find an approach that persists, adapts, and morphs to the changing game in an understood and effective way.
Since yesterday’s football game is today’s soccer game, and today’s soccer game might be tomorrow’s basketball game or some combination of games we’ve never seen before, we simply can’t reorganize each time the game changes. Why?
For one, it costs precious time. With that delay, the Government may lose secrets or operational capability and military effectiveness. In addition, we in industry may lose our intellectual capital or our proprietary research or trade secrets, or worse, maybe even our competitive viability.
Booz Allen recently chartered a survey conducted by the Economist Intelligence Unit (EIU) that reached more than 250 business executives and senior officials from all three sectors: Government, private business and non-profits. Seventy-seven percent of respondents said their organizations had experienced some form of cyber attack in the past year, and 65 percent expect to be hit again in the next 12 months.
Of the US government managers’ response, only two percent of respondents have not seen attacks on their systems, and eight out of ten expect an intrusion over the next year. 90 percent of all respondents believe that we need to be working together on cyber. Yet, the evidence and actions on all our parts is to the contrary. We aren’t playing together.
And while we all know the game is on, I’m not sure we fully grasp the stakes. I am sure that we don’t have a sufficient mechanism in place to help move us forward.
The Megacommunity™: The New, Open, and Integrated Approach
While history does not exactly repeat itself, those that fail to learn from past mistakes put themselves at risk. This past Sunday was the 67th anniversary of Pearl Harbor. A surprise attack that unified our government, our people and industry like no previous event since the founding of the Republic. We should not and cannot wait for the so-called Cyber Pearl Harbor to take action.
This situation calls for a new type of collaboration now. One where the Government, business and society work together in a new, coordinated manner beyond traditional public private partnership arrangements. It requires a new paradigm of operating—one that adapts and grows with the changing game that we constantly face.
At Booz Allen Hamilton we call this a “Megacommunities” approach. We discovered this phenomenon while researching a book on globalization and executive leadership. We interviewed over 100 leaders from around the globe to include heads of companies and heads of state.
Instead of writing a book on globalization, we took a turn and wrote one to document our discovery. We wanted to understand and communicate the theory behind the practice we had observed.
And it took four authors from different educational backgrounds, and cultural perspectives to formulate the theory and its principles, because a diverse set of perspectives and skills were essential to see and understand the whole thing.
A megacommunity approach provides the persistent mechanism that includes all the players on the team and helps them adapt in a coordinated way to the new game. It does this by implementing a new form of leadership and a new organizational imperative.
Megacommunities are collections of organizations whose leaders and members deliberately come together across national, organizational and sector boundaries to attain the goals they cannot achieve separately.
In this construct, ideas and resources are shared, idle capacity put to use and community value is realized. Megacommunities exhibit the power of a network as defined by Metcalfe—where the value of the network increases geometrically in proportion to the number of its members.
Thomas Edison understood the power of the network. While most famous for the invention of the light bulb, he also invented the dynamo and electric transmission lines. He actually wasn’t after the light bulb as much as he was seeking to construct something more: the electric utility.
Megacommunity: The Power of Multiple Perspectives
As we address cyber, we need to be thinking about networks, the supply chain, and global effects more holistically. It can’t be about just embracing one view.
We need to understand each dimension such as the physical, logical, virtual, applications, persona and human social layers that comprise it. We, like Edison, can’t rely only on the light bulb -- or in this instance, technology — to solve the problem. This is analogous to only considering the players’ equipment and not the entirety of the game.
A megacommunity is defined by the issue it seeks to address. It derives its value from the differing perspectives and different capabilities of its members.
Einstein observed, if you can’t solve the problem, make it bigger, not smaller. Einstein’s logic implies we need to be thinking larger and more holistically. Additional perspectives of the members make it bigger. They give us a larger view—a more complete view—a Megacommunity view! There’s a huge value in harnessing those perspectives and realizing the network value of the entire community.
One way of appreciating this approach is to imagine a three dimensional object—like a football. Now place the football in a sealed box and drill a hole through one side of the box. When peering through that hole an observer sees something round.
Now drill a hole in an adjacent side of the box, and when looking through that hole, one sees an ellipse. Now both observers could debate whether the object in the box is a circle or an ellipse.
The answer of course is that they are both right, but incomplete. It’s a football. And stakeholders will usually only arrive at this conclusion by sharing their different perspectives. To address cyber and fully understand the game, we need to understand, share and integrate all of our perspectives.
We recently learned that what stakeholders share is as important or, perhaps, even more important, than the sharing mechanism itself. That’s why it’s critical not to require stakeholders to “change their stripes” or lose their identity in order to fit in with the team. Maintaining stakeholder identity and expression is essential for long-term sustainability and success of the megacommunity.
Engagement enables members to converge on overlapping vital interest, to provide input on direction, and to generate flexible structures, which manage participation and maintain momentum. Members engage and disengage based on their perceived value in the Megacommunity.
Building Megacommunities
All Megacommunities have inherent tensions that can be leveraged but need to be balanced. Identifying and understanding the overlapping vital interests among the stakeholders is critical to balancing these tensions.
In order for the Megacommunity to succeed and achieve broader, agreed upon goals for all stakeholders, it’s essential for members to focus on “mutual success” over maximizing their own immediate interests.
Several Megacommunities have spontaneously formed in reaction to disaster or crisis events. For example, one formed as a result of the Indonesian Tsunami.
But our premise was that maybe we could create a megacommunity before a crisis. This would mitigate its effects or possibly even preclude or avoid the event.
We’re learning that Megacommunities can be initiated. There’s the much-needed group that’s come together over the past year to focus on Alzheimer’s, a disease that’s the sixth leading cause of death and that strikes an American every 71 seconds.
The Center for Health Transformation initiated the creation of the Megacommunity by bringing together a diverse group of stakeholders. They launched a war game to attack Alzheimer’s that identified the overlapping vital interests, developed a strategic plan, and aligned members’ resources to address this dreaded disease.
Another Megacommunity created was one that increases the talent pool of cleared professionals in support of National Security. Yet another is being looked into with multi-national involvement to address and curtail the proliferation of weapons of mass destruction.
To me, it’s clear that Government, industry and society have much to gain from forming a Cyber Megacommunity. So how do we go about it?
The first step is to connect as many stakeholders as you can. The second step, share perspectives to understand the problem—or to recognize the ball. The third step helps stakeholders realize they have an overlapping vital interest and that they are all affected by the challenge: that is, understand the new game. The fourth step creates a mechanism for exchange, interaction, and collaboration or in other words it’s about developing the playbook.
And the fifth and final step? Commit to action. Members initiate activities as a consequence of mutual interest, incentives, or even regulation. Now they start playing, and playing to win.
After observing the functional power of Megacommunities, I’ve come to believe that this approach holds tremendous potential to address our cyber challenges. If nothing else, it provides a mechanism by which stakeholders, who’ve traditionally been spectators, can engage actively and meaningfully in the cyber game they face today and the new one they certainly face tomorrow.
In summary: the cyber game is always changing. It’s clear that the threat, players, rules and tools are constantly morphing and advancing. The cost of not addressing this problem is huge and growing. To win the game, we need both a complete team and a new mindset. So, the Government can’t do it for us nor can they do it alone.
A Cyber Megacommunity offers a way to assemble that team and provide that mindset. As a matter of fact, next week, the Business Executives for National Security, or BENS, will be conducting a Cyber War Game bringing together many key stakeholders from Government, business, non-profits and society with the hopes of initiating a Cyber Megacommunity. Stay tuned for those results.
In closing, I’d like to tell you that I have two sons who both have pursued sports that I did not. Things like ice hockey, cross country, and even pole vaulting.
My eldest son recently tried out and made the Langley HS wrestling team. I saw my first match last week. It’s a new game for us. He needs to learn the tactics and I need to learn the rules.
That said, I have observed that there are a fundamental set of elements at the foundation of all sporting games: physical fitness, flexibility, agility and strength. Extending that thought broader, there are a fundamental set of elements for all games: heart, passion, and the resolve to win.
I believe we as a Nation have the heart, passion, and resolve needed to win the cyber game. We just need a mechanism to bring together all the players so we can perform to our best ability.
The Megacommunity can be that mechanism. Remember, the stakes are high! We need to ensure our National Security; protect the freedoms that we value so dearly; and, maintain the global competitiveness as a world economy and leader.
Thank you for listening.
