The West Has Forgotten How to Keep Secrets

My CEPA article, “The West Has Forgotten How to Keep Secrets,” is about the intelligence vulnerability that open access, open government, and open data can create if left unaddressed and out of sync with national security.
From the text:
“But OSINT, like all other intelligence, cuts both ways — we look at the Russians, and the Russians look at us. But their interest is almost certainly in freely available material that’s far from televisual — the information a Russian war planner can now use from European Union (EU) states goes far, far beyond what Europe’s well-motivated but slightly innocent data-producing agencies likely realize.

Seen alone, the data from environmental and building permits, road maintenance, forestry data on terrain obstacles, and agricultural data on ground water saturation are innocent. But when combined as aggregated intelligence, it is powerful and can be deeply damaging to Western countries.

Democracy dies in the dark, and transparency supports democratic governance. The EU and its member states have legally binding comprehensive initiatives to release data and information from all levels of government in pursuit of democratic accountability. This increasing European release of data — and the subsequent addition to piles of open-source intelligence — is becoming a real concern.

I firmly believe we underestimate the significance of the available information — which our enemies recognize — and that a potential adversary can easily acquire.”

 

 

Defending NATO in the High North


The invitation and entry of Sweden and Finland into the NATO alliance radically improve the Alliance’s ability to defend the High North. Sweden and Finland will provide NATO with operational depth and logistic routes that the Alliance lacked earlier. With Sweden and Finland outside of the Alliance, the route to move NATO reinforcement to Finnmark, the Northernmost part of Norway, follows the single coastal road E6 along the Norwegian shoreland. Any Russian stand-off weaponry, or special forces, could, with limited engagements, strike the E6 route and cut off Northern Norway, leaving it open to a rapid Russian advance.

This lack of operational depth and NATO’s reliance on a single route to reinforce the High North has been an opportunity for a Russian fait accompli attack early in an evolving conflict with NATO.

A sustained fight to defend an area needs a land-based supply route to maintain the flow of equipment, logistics, and reinforcements, as these represent thousands of tons to be hauled into the operational area. Airborne or air transported troops can only sustain a fight over a limited time. The recent battle for Hostomel Airport outside of Kyiv, where Russian airborne troops lost against Ukrainian ad hoc formations, shows the short duration airborne forces can sustain a fight without a land-based logistic trail that follows.

The fastest way to move ground units from Germany, Denmark, and the U.K. to Northern Norway is through Sweden, which has several roadways leading to the far North. Meanwhile, coastal Norway has fjords, deep-cut valleys, mountainous terrain, and numerous bridges that could be destroyed and hinder a NATO movement; Sweden offers a straighter route to the North.

A Russian military planner, creating a case for assault plans on Northern Norway, had to focus on the Western edge towards the defending NATO forces along the Norwegian coast. The High North engagement’s Southern flank towards Sweden and Finland was “protected” by the Swedish and Finnish decision to be neutral and not be a part of the conflict. So the case for a USSR/Russian attack on Northern Norway, during the Cold War and until now, went from East to West without considering the Southern flank.

With the Swedish and Finnish entry into the Alliance, the NATO defense of the Norwegian High North will also benefit from the opportunity to base and prepare a rapid build-up of air assets on Swedish and Finnish airfields when a conflict is on the horizon. The Swedish towns of Kiruna and Gällivare have civilian airports, and any airport can also be used for military purposes. There are also several airfields in Finland; Enontekiö airfield is almost on the Norwegian Finnmark border. These added airfields and assets give NATO a stronger ability to establish air superiority in the Far North and less reliance on a few Norwegian airports that can be struck in the initial stages of the war.

The development of modern anti-ship missiles, with a range of hundreds of kilometers, in combination with an enhanced ability to base and use operational space in the North, also ensures NATO a broad ability to prevent the Russian Northern Fleet from reaching the Atlantic Ocean and intercepting the movement of U.S. and Canadian formations to Europe.

The entry of Sweden and Finland gives NATO more opportunities to defend the High North by providing logistic pathways, operational space and depth, and the ability to base air assets, which combined would strengthen the deterrence posture against Russian aggression. Deterrence translates to a higher threshold for conflict, which is not only NATO’s objective but also Sweden and Finland’s, and a gain for both parties.

Jan Kallberg, Ph.D.

 

 

My article for 19fortyfive: “Free War: A Strategy For Ukraine To Resist Russia’s Brutal Invasion Of Ukraine?”

 

I wrote an article for the national security web-based venue 19fortyfive that addresses resistance operations seen in the light of the Swedish Fria Kriget (Eng.: Free War) concept.

The full text can be found here.
(Picture UK MOD)

 

Business leaders need to own cyber security

Consultants and IT staff often have more degrees of freedom than needed. Corporate cybersecurity requires a business leader to make the decisions, be personally invested, and lead the security work the same way as the business. The intent and guidance of the business leaders need to be visible. In reality, this is usually not the case. Business leaders rely on IT staff and security consultants to “protect us from cyberattacks.” The risk is obvious – IT staff and consultants are not running the business, lack complete understanding of the strategy and direction, and therefore are unable to prioritize the protection of the information assets.

Information security has a few foundational pieces. Information resources are classified according to their importance to the business, an acceptable level of risk is established for the company, and then security solutions are developed to mitigate risk down to an acceptable level. In parallel, these mitigation strategies are implemented with minimal disruption to the workflow and the business. The information security program ensures that information and functionality can be restored after an incident as part of the process.

These basic steps may sound like an elementary exercise – something that consultants can solve quickly – but the central question is risk appetite, the acceptance to take an understood risk, which can jeopardize the entire business if too high or too low. What is the wrong level of risk appetite? Either the business’s IT operations are prepared to take risks that the business management did not even dare to dream of or, conversely, the IT systems slow down the business and stand in the way, with a failure to prioritize due to risk aversion. Risk, which is central to information security, can only be controlled by the business leader. IT staff and consultants can be advisors, produce information, and sketch solutions, but the decision is a business decision. What risk we are prepared to take cannot be an open issue left to arbitrary interpretation.

Just as management has influence over and controls what is an acceptable risk when information security is structured, management is central when things go wrong. A business management team that is not involved in information security, and has not gained a conceptual understanding of it, will be too slow to act in a crisis. Cyberattacks and data failures occur daily. The financial market, customers, government authorities, and owners rightly expect these damages to be dealt with quickly and efficiently. Confusion when a major cyber crisis occurs, by attack or mistake, undermines confidence in the business at a very high rate. In a matter of hours, a trust that has taken decades to build can be wiped out. In the digital economy, trust is the same as revenue and long-term customer relationships. Business management that lacks an understanding of how cyber security is structured for their business, at a managerial level, has not made the intellectual journey of prioritizing and will not lead or have relevant influence in a crisis.

Managers have premium pay and are recruited because they have the experience, insight, and character to navigate when a crisis hits and conditions are challenging. If the business management cannot lead when the business is under a major cyberattack, then management has left it to the IT staff and consultants to lead the business.

In a small or medium-sized business, the need for committed business management is reinforced because the threat of long-term damage from a cyberattack is greater. A public company can absorb the damage, which smaller players, often in niche industries, cannot do in the same way.

If business management can engage in sustainability and the climate threat, as many do with both energy and interest, the step of engaging in vulnerability and the cyber threat should not be that far to go. The survival of the business will always be a business decision.

Jan Kallberg, Ph.D.

Inflation – the hidden cyber security threat

 


Image: By Manuel Dohmen – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=185802

In cyberspace, the focus is on threats from malicious activity — a tangible threat. A less obvious threat to cyber is inflation which undermines any cyber organization by eroding budget and employee compensation. Inflation can create unseen resignation rates if not addressed, and jeopardize ongoing cyber efforts and the U.S. Defense Department’s migration to cloud-based services. The competition for cloud security talent is razor-sharp in the private sector already.

There are different ways to build and maintain a cyber workforce: recruit, retrain and retain. The competition between the DoD and the private sector for talent will directly affect recruitment and retention. Inflation and the shortage of skilled cyber professionals create increasing competition between the federal and private sectors for much-needed talent. Retraining professionals to become a part of the cyber workforce is costly, and if the incentives are not in place to stay in the force, it is short-lived as retrained cyber talent moves on. Inflation creates a negative outlook for recruiting, retraining, and retaining cyber talent.

The inflation expectations in 2022 are the highest in decades, which will directly impact the cost to attract and retain a cyber workforce. Even if the peak inflation is temporary due to COVID-19 as well as disruptions in the supply chain and the financial markets, the pressure on increased compensation is a reality today.

What does it mean in practical terms?

According to the Wall Street Journal, salaries will increase in 2022 for white-collar professionals in the range of 10%, and the federal workforce can expect an increase of less than a third of the gains in the private sector. These signs of growing salary gaps are likely far more severe and exacerbated in the cyber workforce.

For example, browsing the current job ads, a manager position for incident response in Rhode Island offers $150,000-$175,000 with the ability to work from home with zero commuting. A fair guess would be that the federal GS pay scale is 20-30% less, with work taking place from 8:30 a.m. to 4:30 p.m. in a federal facility; not to mention cloud security, where large players such as Amazon Web Services are actively recruiting from the federal sector.

An increasing salary gap directly impacts recruitment, where the flow of qualified applicants dries up due to the compensation advantage of the private sector. Based on earlier data, the difference in salary will trigger decisions to seek early retirement from the DoD, to pursue a second civilian career or to leave federal service for the private sector as a civilian employee.

The flipside of an all-volunteer force is that in the same way service members volunteer to serve, individuals have the option at the end of their obligation to seek other opportunities instead of reenlistment. The civilian workforce can leave at will when the incentives line up.

Therefore, if we face several years of high inflation, it should not be a surprise that there is a risk for an increased imbalance in incentives between the public and the private sectors that favor the private sector.

The U.S. economy has not seen high inflation since the 1970s and the early 1980s. In general, we all are inexperienced with dealing with steadily increasing costs and a delay of adjusted budgets. Inflation creates a punctured equilibrium for decision-makers and commanders that could force hard choices, such as downsizing, reorganization, and diluting the mission’s core goal due to an inability to deliver.

Money is easy to blame because it trespasses other more complex questions, such as the soft choices that support cyber talent’s job satisfaction, sense of respect, and recognition. It is unlikely that public service can compete with the private sector regarding compensation in the following years.

So to retain, it is essential to identify factors other than the compensation that make cyber talent leave and then mitigate these negative factors that lower the threshold for resignation.

Today’s popular phrase is “emotional intelligence.” It might be a buzzword, but if the DoD can’t compete with compensation, there needs to be a reason for cyber talent to apply and stay. In reality, inflation forces any organization that is not ready to outbid every competitor for talent to take a hard look at its employee relationships and what motivates its workforce to stay and be a part of the mission.

These choices might be difficult because they could force cultural changes in an organization. Whether dissatisfaction with bureaucracy, an unnecessary rigid structure, genuinely low interest for adaptive change, one-sided career paths that fit the employer but not the employee, or whatever reason that might encourage cyber talent to move on, it needs to be addressed.

In a large organization like the DoD and the supporting defense infrastructure, numerous leaders are already addressing the fact that talent competition is not only about compensation and building a broad, positive trajectory. Inflation intensifies the need to overhaul what attracts and retains cyber talent.

Jan Kallberg, Ph.D.

Our Dependence on the Top 2% Cyber Warriors

As an industrial nation transitioning to an information society with digital conflict, we tend to see the technology as the weapon. In the process, we ignore the fact that few humans can have a large-scale operational impact.

But we underestimate the importance of applicable intelligence, the intelligence on how to apply things in the right order. Cyber and card games have one thing in common: the order in which you play your cards matters. In cyber, the tools are mostly publicly available; anyone can download them from the Internet and use them, but the weaponization of the tools occurs when they are used by someone who understands how to use the tools in the right order.

In 2017, Gen. Paul Nakasone said “our best [coders] are 50 or 100 times better than their peers,” and asked “Is there a sniper or is there a pilot or is there a submarine driver or anyone else in the military 50 times their peer? I would tell you, some coders we have are 50 times their peers.” The success of cyber operations is highly dependent, not on tools, but upon the super-empowered individual that Nakasone calls “the 50-x coder.”

There have always been those exceptional individuals who have an irreplaceable ability to see the challenge early on, create a technical solution, and know how to play it for maximum impact. They are out there – the Einsteins, Oppenheimers, and Fermis of cyber. The arrival of artificial intelligence increases the reliance on these highly capable individuals because someone must set the rules and point out the trajectory for artificial intelligence at the initiation.

But this also raises a series of questions. Even if identified as a weapon, how do you make a human mind “classified?” How do we protect these high-ability individuals that are weapons in the digital world?

These minds are different because they see an opportunity to exploit in a digital fog of war when others don’t see it. They address problems unburdened by traditional thinking, in innovative ways, maximizing the dual-purpose of digital tools, and can generate decisive cyber effects.

It is this applicable intelligence that creates the process, that understands the application of tools, and that turns simple digital software into digitally lethal weapons. In the analog world, it is as if you had individuals with the supernatural ability to create a hypersonic missile from materials readily available at Kroger or Albertsons. As a nation, these individuals are strategic national security assets.

Systemically, we struggle to see humans as the weapon, maybe because we like to see weapons as something tangible, painted black, tan, or green, that can be stored and brought to action when needed.

For America, technological wonders are a sign of prosperity, ability, self-determination, and advancement, a story that started in the early days of the colonies, followed by the Erie Canal, the manufacturing era, the moon landing and all the way to the autonomous systems, drones, and robots. In a default mindset, there is always a tool, an automated process, a software, or a set of technical steps, that can solve a problem or act. The same mindset sees humans merely as an input to technology, so humans are interchangeable and can be replaced.

Super-empowered individuals are not interchangeable and cannot be replaced, unless we want to be stuck in a digital war. Artificial intelligence and machine learning support the intellectual endeavor to cyber defend America, but humans set the strategy and direction.

It is time to see what weaponized minds are: they are not dudes and dudettes; they are strike capabilities.

Jan Kallberg, Ph.D., LL.M., is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy, or the Department of Defense.

CV

Current Position

Army Cyber Institute at West Point
Research Fellow /Scientist

United States Military Academy (West Point)
Assistant Professor, Department of Social Sciences

Education

University of Texas at Dallas
Post Doc, Research Scientist, Cyber Security Research and Education Institute, Erik Jonsson School of Engineering and Computer Science, the University of Texas at Dallas

University of Texas at Dallas
PhD Public Affairs. Dissertation: “The Internet as a Proxy for Democratic Accountability and Transparency – A Comparative Test of Waldo’s Five problems Areas in Five Advanced Democracies”.

University of Texas at Dallas
M.A. Political Science – Public Management major, IR minor

Stockholm University – Juridicum Law School
J.D./LL.M. Thesis: “Reputational Risks on the Internet – a Pragmatic Study of International Cyberlaw”

Brief about Dr. Jan Kallberg

Dr. Kallberg’s research is focused mainly on cyber-supported strategic surprise, accelerated warfare, cyber defense, and how cyber impacts societal stability/destabilization.

Dr. Jan Kallberg is an Assistant Professor of Political Science at the Department of Social Sciences at the United States Military Academy at West Point and a Research Fellow at the Army Cyber Institute at West Point. He was earlier a researcher at Cyber Security Research and Education Institute under the guidance of Dr. Bhavani Thuraisingham, the University of Texas at Dallas, an Assistant Professor at Arkansas Tech University, and part-time faculty at George Washington University. Dr. Kallberg is certified CISSP and CISM. He also serves as the Managing Editor for the Cyber Defense Review.


When he registered cyberdefense.com as his personal domain in 1997, there were four (4) references on the Internet (Altavista) to cyber defense. Today it is a million. A small claim of being ahead of time.

Dr. Kallberg has been published in Joint Forces Quarterly, Strategic Studies Quarterly, Air and Space Power Journal, Military Review, IEEE IT-Professional, IEEE Security & Privacy, IEEE Technology & Society, and IEEE Access. Dr. Kallberg is on the editorial board for IEEE Access.

Read the latest column by Jan Kallberg, Ph.D., in Fifth Domain (Defense News).