healthcarereimagined

Office of the Chairman of the Joint Chiefs of Staff Public Affairs

Watch his farewell video message to the Joint Force:

By Chairman of the Joint Chiefs of Staff Gen. Joe Dunford

In the coming days, I will complete over four decades of active service and my tenure as the Chairman of the Joint Chiefs of Staff.  Before taking off my uniform for the last time, I wanted to tell you what an honor it has been to serve alongside you and to represent you here in Washington, D.C. and across the globe.  More importantly, I wanted to take a minute to simply thank you for who you are and what you do.

Those of you in uniform active, guard, and reserve represent less than one percent of the American people and you’ve answered the call to serve our nation during a time of war.

You chose to challenge yourself to excellence and to be a part of something greater than yourself.

You chose to make a difference.

Across the globe, you stand the watch on sea, air, and land as we simultaneously tackle the challenges associated with Russia, China, Iran, North Korea, and violent extremism. 

And you are driving change to deal with the challenges of the 21^st century to include those in space and cyberspace.

Like your predecessors, you are ordinary men and women who hail from across the 50 states and U.S. territories but you routinely demonstrate extraordinary courage, honor, commitment, loyalty, and self-sacrifice.

It’s because of you that I am confident that we can defend the homeland and our way of life. It’s because of you that we have earned the trust and confidence of allies and partners around the world.

It’s because of you that people believe in America.

Over the past four years, I have spoken a lot about the need for our nation to maintain a competitive advantage over any potential adversary. You are our most important competitive advantage and any adversary would think twice about committing an act of aggression because of you.

And all of these words apply equally to our great civil servants who are an integral part of the team.

I’d also like to take a minute to recognize our families.  My wife, Ellyn, and I know the unique challenges and sacrifices of military families.  But we also know that the U.S. military is strong because of our foundation and our foundation is our families.  One of the most rewarding experiences of the last four years has been meeting with military families across the force. Thank you for welcoming us into your homes. Thank you for your willingness to sacrifice and support and thank you for your resilience. 

Let me close by saying that as I depart active service, I depart with incredible pride and gratitude, not because I’m a general or the chairman, but simply because I have stood in ranks with the Soldiers, Sailors, Airmen, Marines, and Coast Guardsmen who wear the cloth of our nation.

 Please know that I will remain in proud over watch following my retirement.

God bless you all and Semper Fidelis.

FALLS CHURCH, Va. — The Department of Defense is preparing for the next major step in consolidating military hospitals and clinics under a single agency, one of the largest organizational changes within the U.S. military in decades.

On Oct. 1, the Army, Navy and Air Force begin the final two years of a multi-year transition to shift administration and management of their medical facilities to the Defense Health Agency by October 2021, changes that are “transformational and far-reaching,” said Navy Vice Adm. Raquel Bono, the DHA Director (Retiring Navy Vice Adm. Bono is the former DHA director. Army Lt. Gen. Place assumed command as DHA Director Sept. 3, 2019)

“For the first time in our modern military’s history, a single agency, the DHA, will be responsible for all the health care the Department of Defense delivers to our 9.5 million beneficiaries,” Bono said. “Whether you receive your care at an on-base facility or through our TRICARE civilian networks, DHA will oversee your care. This consolidation will drive higher levels of readiness for operational and medical forces and integrate health care services to standardize practices across the entire Department, which means patients will have a consistent, high-quality health care experience, no matter where they receive their care.”

The primary driver for this change is the National Defense Authorization Act of 2017. Congress mandated that a single agency will be responsible for the administration and management of all military hospitals and clinics to sustain and improve operational medical force readiness and the medical readiness of military members, improve beneficiaries’ access to care and experience of care, improve health outcomes, and eliminate redundancies in medical costs and overhead across three separate Service-run systems. DHA will be responsible for health care delivery and business operations across the Military Health System including budgets, information technology, health care administration and management, administrative policies and procedures, and military medical construction.

Bono said that even though congressional directives mandate this change, “it’s the right thing to do.”

“We have more than 40 years of independent studies and internal reviews that demonstrate the current structure of the Military Health System is unsustainable,” she said. “What makes us unique from other health systems is that we are heavily embedded with combat forces around the world focused on operational medical readiness and the health of our warfighters. The transformational changes underway will improve that focus, support the DoD’s priority for a more lethal force, and improve our ability to deliver high quality health care to all of our beneficiaries. Improving medical readiness is the key driver of the overall effort.”

During this transition, the quality of care won’t change for beneficiaries of the Military Health System. More important, Bono said, is that over time, it will improve that care by enabling changes to improve access, patient experience, and outcomes.

“Ultimately, what this transition means for all of us in the Department of Defense is a more integrated, efficient and effective system of readiness and health, and integration of health care services that leads to a more standardized and consistent experience of care for patients,” Bono said. “Central to that is having one agency oversee MTF operations while supporting the Services’ effort to focus more on readiness.”

Since October 2018, the DHA has been operating eight hospitals and clinics as part of the first phase of what was at first a four-year transition period. In June, the overall timeline adjusted to three years to reduce the amount of duplicative management by the Military Departments and the DHA, said Dr. Barclay Butler, the DHA’s assistant director for management and MTF transition head. “The primary driver of that is to measurably and precisely coordinate the reduction of the Military Services’ Medical Department support and oversight of the MTFs to the DHA,” Butler said. “We want to create a simple and clear transfer of authority that positively impacts healthcare for our patients.”

From Oct. 1 of this year through October 2021, the transition will focus on four primary objectives:

Centralized administration and management: On Oct. 1, all hospitals and clinics in the continental United States transition to the DHA, with the Army, Navy and Air Force medical departments maintaining a direct support role. Butler said this means that while DHA assumes overall management, the existing intermediate commands of the Military Departments will continue management duties until the transfer is complete to ensure uninterrupted medical readiness operations and patient care. The Military Departments and the DHA are currently working out final plans to maintain continuity of operations.

Establish Health Care Markets: At the center of the reorganization is the creation of health care markets. The DHA will stand up 21 large markets during the transition period to manage MTFs in local areas. A market is a group of MTFs in a geographic area – typically anchored by a large hospital or medical center – that operate as a system sharing patients, providers, functions, and budgets across facilities to improve the coordination and delivery of health care services. “These markets are really key to the entire reorganization,” Butler said. “Market offices will provide centralized, day-to-day management and support to all MTFs within each market.” Readiness support is at the heart of a market’s responsibilities, Butler added, and they will ensure the clinical competency of all MTF providers within the market. The 21 large markets will collectively manage 246 medical facilities and centers of excellence.

Establishment of a Small Market and Stand-Alone MTF Organization: For stateside hospitals and clinics not aligned to a large market, this office, referred to as SSO, will provide managerial and clinical oversight. As with the large markets, the Military Departments will continue managing the MTFs until they are realigned under the SSO. There are 16 small market MTFs and 66 stand-alone MTFs assigned to the SSO.

Establish Defense Health Regions overseas: The transition period for standing up Defense Health Regions in Europe and Indo-Pacific begins in 2020. All MTFs overseas would then report to their respective DHA regional offices. The Indo-Pacific region has 43 MTFs, while the European region has 31.

(For a complete list of markets and their assigned MTFs, go to the MHS Transformation web page at www.health.mil/mhstsransformation.)

“Change can be challenging, and this is a complex transition,” Butler said. “We will see changes in reporting relationships and communication channels while instituting standardized clinical policies and procedures and business practices. We place a premium on communicating often as we move through this together with the Military Departments.”

Bono said that from a patient perspective, these changes should be transparent. “Our patients expect the same high quality care regardless of who is in charge. Doctors, nurses, and technicians will continue to focus on practicing medicine and improving their skills and readiness. In the end, this really is about the patient – integrating into one system will improve readiness for our medical professionals and result in better care and better health outcomes for our patients.”

For more on the DoD’s medical reorganization, go to the military health web site at www.health.mil/mhstransformation for fact sheets, an informational video, and more articles.

About the Defense Health Agency (DHA)
The DHA, established on Oct 1, 2013, is the nation’s military medical Combat Support Agency, a joint, integrated organization that enables the Army, Navy, and Air Force medical services to provide a medically ready force and ready medical force to Combatant Commands in both peacetime and wartime. In cooperation with the Joint Staff Surgeon and Military Department medical organizations, DHA leads the Department of Defense’s integrated system of readiness and health through a global health care network of military and civilian medical professionals, including nearly 450 military hospitals and clinics around the world, to improve and sustain operational medical force readiness and the medical readiness of the Armed Forces. The DHA supports the delivery of integrated, affordable, and high-quality health services for 9.5 million active duty service members, retirees, Reservists and Guardsmen, and their families at military hospitals and clinics or through the TRICARE network.

Article link: https://health.mil/News/Articles/2019/08/26/DoD-to-begin-next-major-phase-of-military-hospital-consolidation

Launching major transformation efforts is a common way that business leaders try to get a leg up on the competition, or just keep their heads above water. But too many of these efforts fail. Change is difficult, and many people not only resist it but seek to undermine it. Unsurprisingly, then, a McKinsey study found that merely 26% of transformation initiatives succeed. Most successful transformations have one thing in common: Change is driven through empowerment, not mandated from the top.

In my research of transformative political revolutions, social movements, and organizational change, successful efforts not only identify resistance from the start but also make plans to overcome those who oppose the transformation. And it’s done not with bribes, coercion, shaming, or cajoling, but by enabling others within their organizations to drive change themselves. Here’s how they do it.

Start with a small group. Typically, leaders launch transformation efforts with a large kickoff. It makes sense: They want to build momentum early by communicating objectives clearly. This can be effective if a ready consensus already exists around the initiative. Yet if the desired change is truly transformational, it is likely to encounter fierce opposition; inertia can be a powerful force, even more powerful than hope or fear. So by starting with a large communication campaign, essentially presenting the initiative as a fait accompli, you are very likely to harden the opposition of those who are skeptical of the change.

Most successful transformations begin with small groups that are loosely connected but united by a shared purpose. They’re made of people who are already enthusiastic about the initiative but are willing to test assumptions and, later, to recruit their peers. Leaders can give voice to that shared purpose and help those small groups connect, but the convincing has to be done on the ground. Unless people feel that they own the effort, it’s not likely to go very far. For example, when Wyeth Pharmaceuticals set out to drive a major transformation to adopt lean manufacturing practices, it began with just a few groups at a few factories. The effort soon spread to thousands of employees across more than a dozen sites and cut costs by 25%.

Identify a keystone change. Every change effort begins with some kind of grievance: Costs need to be cut, customers better served, or employees more engaged, for example. Wise managers transform that grievance into a “vision for tomorrow” that will not only address the grievance but also move the organization forward and create a better future. This vision, however, is rarely achievable all at once. Most significant problems have interconnected root causes, so trying to achieve an ambitious vision all at once is more likely to devolve into a five-year march to failure than it is to achieve results. That’s why it’s crucial to start with a keystone change, which represents a clear and tangible goal, involves multiple stakeholders, and paves the way for bigger changes down the road.

That gap between aspiration and practical reality was the challenge that Barry Libenson encountered when he arrived at Experian as CIO in 2015. In his conversations with customers, it became clear that what they most wanted from his company was access to real-time data. Yet to deliver that, he would have to move from the company’s traditional infrastructure to the cloud, an initiative that raised serious concerns about security and reliability. He began by developing methods for accessing real-time data for internal use, rather than going straight to customer-facing features. That required his team to engage many of the same stakeholders and develop many of the same processes that a full shift to the cloud would have required and allowed him to show some early results.

“Once we developed some internal APIs, people could see that there was vast potential, and we gained some momentum,” Libenson told me. Experian not only successfully moved to the cloud but also launched its Ascend platform based on the new infrastructure, which is now the fastest-growing part of its business.

Network the movement. All too often we associate any large-scale change with a single charismatic leader. The U.S. civil rights and Indian independence movements will always be associated Martin Luther King Jr. and Mohandas Gandhi, respectively. In much the same way, turnarounds at major companies like IBM and Alcoa are credited to their CEOs at the time, Lou Gerstner and Paul O’Neill.

The truth is more complicated. King, for example, was just one of the “big six” of U.S. civil rights leaders. Gerstner gained allies by refocusing the company around customers. O’Neill won over labor unions by making a serious commitment to workplace safety. These examples show why, in his book Leaders: Myth and Reality, General Stanley McChrystal defines effective leadership as “a complex system of relationships between leaders and followers, in a particular context, that provides meaning to its members.”

Every large-scale change requires both leadership at the top and the widening and deepening of connections through wooing — not coercing — an ecosystem of stakeholders.

Consider the case of Talia Milgrom-Elcott, cofounder of 100Kin10. When she set out to start a movement to recruit and retain 100,000 STEM teachers in 10 years, she knew there was no shortage of capable groups working to improve education. In fact, she had worked with many people who were building myriad approaches to the issue. But they had never met one another. And so she created a platform for collaboration that brings together nearly 300 partner organizations through conferences, working groups, and networking. Today 100Kin10 is ahead of schedule to meet its goal.

Surviving victory. Often the most dangerous part of any transformation effort is when the initial goals have been met. That’s why successful transformation leaders focus not only on immediate goals but also on the process of change itself. If Wyeth had stopped at a 25% cost reduction, it would have soon found itself in trouble again. But because its employees embraced the lean manufacturing methods, the company was able to keep moving forward. In much the same way, if Experian had been satisfied with merely shifting to a new technology infrastructure, little would have been gained.

In some cases, the benefits of a successful transformation can last for decades. Remembering Gerstner’s IBM turnaround in the 1990s, one of his top lieutenants, Irving Wladawsky-Berger, told me, “Because the transformation was about values first and technology second, we were able to continue to embrace those values as the technology and marketplace continued to evolve.” After a near-death experience, the company remains profitable today.

Editor’s note: An earlier version of this article misidentified Barry Libenson as the CEO of Experian. He is the company’s CIO.
Greg Satell is an international keynote speaker, adviser and bestselling author of Cascades: How to Create a Movement that Drives Transformational Change. His previous effort, Mapping Innovation, was selected as one of the best business books of 2017. You can learn more about Greg on his website, GregSatell.com and follow him on Twitter @DigitalTonto.

Article link: https://hbr.org/2019/08/4-tips-for-managing-organizational-change

Racing to protect the most important network of the 21st century

Tom Wheeler and David SimpsonTuesday, September 3, 2019

Editor’s Note: Tom Wheeler recently appeared on the Lawfare Podcast to discuss the cybersecurity of 5G networks with Brookings Fellow Margaret Taylor. You can listen to the podcast episode here.

“The race to 5G is on and America must win,” President Donald Trump said in April. For political purposes, that “race” has been defined as which nation gets 5G built first. It is the wrong measurement.

We must “fire first effectively” in our deployment of 5G. Borrowing on a philosophy Admiral Arleigh Burke coined in World War II: Speed is important, but speed without a good targeting solution can be disastrous.[1]

5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.

Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.

“As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications.”

The new capabilities made possible by new applications riding 5G networks hold tremendous promise. As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications. To build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.

HYPERFOCUS ON HUAWEI

Effective progress toward achieving minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate concerns regarding Huawei equipment in U.S. networks. While the Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks, it is only one of the many important 5G risk factors. The hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G.

The purpose of this paper is to move beyond the Huawei infrastructure issue to review some of the issues that the furor over Huawei has masked. Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.

Such a review of 5G cyber threat mitigation should focus on the responsibilities of both 5G businesses and government. This should include a review of whether current market-based measures and motivations can address 5G cyber risk factors and where they fall short, the proper role of targeted government intervention in an era of rapid technological change. The time to address these issues is now, before we become dependent on insecure 5G services with no plan for how we sustain cyber readiness for the larger 5G ecosystem.

The after-the-fact cost of missing a proactive 5G cybersecurity opportunity will be much greater than the cost of cyber diligence up front. The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks did not exist at that time, of course, but the attack illustrates the high cost of such incursions, and it pales in comparison to an attack that would result in human injury or loss of life. We need to establish the conditions by which risk-informed cybersecurity investment up front is smart business for all 5G participants.

China is a threat even when there is not Huawei equipment in our networks. From the successful exfiltration of highly sensitive security clearance data in the Office of Personnel Management breach commonly attributed to China, to the ongoing China-linked threat actor campaign against managed service providers, many of China’s most successful attacks have taken advantage of vulnerabilities in non-Chinese applications and hardware and poor cyber hygiene. None of this goes away with the ban on Huawei. We cannot allow the headline-grabbing focus on Chinese network equipment to lull us into a false sense of cybersecurity. In a world of interconnected networks, devices, and applications, every activity is a potential attack vector. This vulnerability is only heightened by the nature of 5G and its highly desirable attributes. The world’s hackers (good and bad) are already turning to the 5G ecosystem, as the just concluded DEFCON 2019 (the annual ethical “hacker Olympics”) illustrated. The targets of this year’s hacker villages included key parts of the 5G ecosystem such as: aviation, automobiles, infrastructure control systems, privacy, retail call centers and help desks, hardware in general, drones, IoT, and voting machines.

5G EXPANDS CYBER RISKS

There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:

1. The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
2. 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
3. Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
4. The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
5. Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.

   Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”

 

5G service providers are the first ones to tell us that 5G will underpin radical and beneficial transformation in what we can do and how we manage our affairs. At the same time, these companies have publicly worried about their ability to address the totality of the cyber threat and have described the future challenge in disturbingly blunt terms. The president’s National Security Telecommunications Advisory Committee (NSTAC)—composed of leaders in the telecommunications industry—told him in November, “The cybersecurity threat now poses an existential threat to the future of the [n]ation.”

The nature of 5G networks exacerbates the cybersecurity threat. Across the country, consumers, companies, and cities seeking to use 5G are ill-equipped to assess, let alone address, its threats. Placing the security burden on the user is an unrealistic expectation, yet it is a major tenet of present cybersecurity activities. Looking to the cybersecurity roles of the multitude of companies in the 5G “ecosystem of ecosystems” reveals an undefined mush. Our present trajectory will not close the cyber gap as 5G greatly expands both the number of connected devices and the categories of activities relying on 5G. This general dissonance is further exacerbated by positioning Chinese technological infection of U.S. critical infrastructure as the essential cyber challenge before us. The truth is that it’s just one of many.

WHAT HAVE WE LEARNED THUS FAR?

5G has challenged our traditional assumptions about network security and the security of the devices and applications that attach to that network. As officials of the Federal Communications Commission (FCC), the authors struggled to deal with these challenges only to be confronted by:

• Industrial-era procedural laws that make rulemaking activity cumbersome and non-rulemaking activity less than optimal.
• The incentive of bad actors to overcome any solution that is typically greater than the incentive to maintain the protection.
•  Industry stakeholder fear of exposing their internally identified risk factors at precisely the time when sharing information about attacks would be of greatest value for a collective defense.

At the same time, those who know the networks the best—the network operators—exist under business structures that are not optimal for effective risk reduction. As an FCC white paper concluded three years ago:

As private actors, ISPs (internet service providers, such as 5G networks) operate in economic environments that pressure against investments that do not contribute to profit. Protective action taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job efficiently.

The FCC report’s finding—that market forces alone would not address society’s cyber risk interests—highlighted the ISPs over which the agency had primary jurisdiction. The report additionally examined the larger ecosystem and concluded that the motivation to solve the problem generally gets worse when consumers do not link a purchasing decision with a cyber risk outcome. This, unfortunately, is all too often the case, as service providers as well as device and application vendors do not make meaningful security differentiators public and don’t compete on any verifiable security indicators.

“None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged.”

In 2016, for instance, hackers shut down major portions of the internet by taking control of millions of low-cost chips in the motherboards of video security cameras and digital video recorders. That the internet could be attacked this way reflected the reality of digital supply chains: Because consumers didn’t consider cybersecurity in their purchase decisions of low-cost connected devices (they were the means, not the target of the attack), retailers didn’t prioritize security in their decisions of what to stock. As a result, manufacturers didn’t emphasize cyber in the components they purchased and thus chip and motherboard manufacturers did not include cyber protections in their product. None of companies defined a role for themselves for sustaining post-purchase product cyber readiness and, by and large, that’s still the case.

New industry verticals are bringing 5G-enabled capabilities to a market where good faith efforts are insufficient. There is no evidence that the business priorities of the suppliers of devices and applications are any different than those attributed to network operators in the FCC report. A 2018 report by the Trump administration’s Council of Economic Advisers, for instance, warned of, “underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged. Continuation of corporate and governmental policies that are not keeping up with today’s cyber risk do not bode well for a volumetric expansion of the attackable network and data surface of 5G networks. There is a crying need for coordinated efforts to achieve targeted expectations.

TWO KEYS TO WINNING THE REAL “5G RACE”

The real “5G race” is whether the most important network of the 21st century will be sufficiently secure to realize its technological promises. Yes, speedy implementation is important, but security is paramount. To answer that overriding question requires new efforts by both business and government and a new relationship between the two.

The recommendations that follow are both important and not without cost. In normal times, such suggestions might be judged too much of a departure from traditional practices. These are not normal times, however. The outlook for a future that relies on 5G and other new digital pathways is cyber-defined. Our nation has moved into a new era of non-kinetic warfare and criminal activity by nation-states and their surrogates. This new reality justifies the following corporate and governmental actions.

Key #1: Companies must recognize and be held responsible for a new cyber duty of care

The first of this two-part proposal is the establishment of a rewards-based (as opposed to penalty-driven) incentive for companies to adhere to a “cyber duty of care.” Traditionally, common law established that those who provide products and services have a duty of care to identify and mitigate potential harms that could result. There needs to be a new corporate culture in which cyber risk is treated as an essential corporate duty and rewarded with appropriate incentives, whether in monetary, regulatory, or other forms. Such incentives would require adherence to a standard of cyber hygiene which, if met, would entitle the company to be treated differently than other non-complying entities. Such a cyber duty of care includes the following:

Reversing chronic underinvestment in cyber risk reduction

Proactive cyber investment today is the exception rather than the rule. For public companies, the Securities and Exchange Commission (SEC) and others are driving change from the corporate board-level on down through management. A favorite entrance point for cyberattacks, however, remains the smaller companies, many of which are outside of the scope of these efforts. Unfortunately, the SEC’s efforts impact only the less than 10% of American companies that are publicly owned. At the very least, where companies have a role in critical infrastructure or provide a product or service that, if attacked, could imperil public safety, there must be the expectation that cybersecurity risks are being addressed proactively.[2]

Implementation of machine learning and artificial intelligence protection

Cyberattacks on 5G will be software attacks; they must be countered with software protections. During a Brookings-convened discussion on 5G cybersecurity, one participant observed, “We’re fighting a software fight with people” whereas the attackers are machines. Such an approach was like “looking through soda straws at separate, discrete portions of the environment” at a time when a holistic approach and consistent visibility across the entire environment is needed. The speed and breadth of computer-driven cyberattacks requires the speed and breadth of computer-driven protections at all levels of the supply chain.

Shifting from lag indicators of cyber-preparedness (post-attack) to leading indicators

A 2018 White House report found a “pervasive” underreporting of cyber events that “hampers the ability of all actors to respond effectively and immediately.” The 5G cyber realm needs to adopt leading indicator methodology to communicate cyber-preparedness between interdependent commercial companies and with government entities charged with oversight responsibilities. There are a number of good examples to pull from. Shared cyber risk assessments are increasingly a best practice for cyber-mature companies and their supply chain. Several accounting and insurance firms have developed lead metrics to inform cyber risk reduction investments and underwrite policies. The Department of Homeland Security has resiliency self-assessment standards to motivate long-term community disaster preparedness improvement.[3] Such a model should be extended to the 5G cyber realm in order to shift oversight from lag indicators to lead indicators.

A regular program of engagement with boards and regulators using cybersecurity lead indicators will build trust, accelerate closing the 5G readiness gap and lead towards more constructive outcomes when cyber attackers do succeed. Underreporting of lag indicators, as highlighted in the 2018 White House report should be addressed, but with the primary purpose of closing the feedback loop, improving the quality of lead measures and the investment decision process they inform.

Cybersecurity starts with the 5G networks themselves

While many of the large network providers building 5G are committing meaningful resources to cyber, small- and medium-sized wireless ISPs serving rural communities have been hard pressed to rationalize a robust cybersecurity program. Some of these companies have fewer than 10 employees and can’t afford a dedicated cyber security officer or a 24/7 cyber security operations center. Still, they will be offering 5G services and interconnecting with 5G networks. About one-third of these companies have ignored government warnings about the use of Huawei equipment and are now petitioning Congress to pay for their poor decisions and pay to replace the non-Chinese equipment. Any replacement must include the expectation that the companies will establish sufficient cybersecurity processes that sustain protections. All the networks that deliver 5G—whether big brand names, small local companies, wireless ISPs, or municipal broadband providers—must have proactive cyber protection programs.

Insert security into the development and operations cycle

For many application developers, a core agile development tenet has been sprinting to deploy a minimum viable product, accepting risk, and committing to later providing consumer-feedback-driven upgrades once the product gains a following. Software companies and those providing innovative, software-based products and services are beginning to insert cybersecurity in the process as a design, deployment, and sustainment consideration for every new project. Such security by design should be a minimum duty of care across the commercial space for innovations in the emerging 5G environment.

Best practices

The National Institute for Standards and Technology (NIST) Cybersecurity Framework has established five areas for best practice cybersecurity management that could become the basis of industry best practices: Identify, protect, detect, respond, and recover. For instance, NIST’s “identify” initiative focuses on determination of a company’s cyber universe, threats, and vulnerabilities in order to identify cyber risk reduction investments. While not limited only to the NIST framework, Congress should establish a cybersecurity standard of expected performance and accompanying incentives for its adoption by companies. While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry and continue to place the burden on poorly informed consumers to know whether the best practices are being fulfilled. The Consumer Technology Association (CTA)—representing the $377 billion U.S. consumer technology industry—helped produce an anti-botnet guide that outlines best practices for device manufactures, but there is no way for a consumer to easily tell if it’s being followed.

“While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry.”

Unfortunately, publication of optional cybersecurity best practices without full industry buy-in may be an attempt at responsible behavior and good public relations, but often do little to change the cyber risk landscape. While CTA has additionally published a useful buyer’s guide to explain cyber risk issues and improve household cyber hygiene, one wonders how many consumers of low-cost network connected technologies even know of its existence. Shifting cyber risk burdens to poorly informed consumers has limited utility. The 5G commercial sector needs to acknowledge the limits of consumer-based actions, own the residual risk, and work together with government oversight to assign cross-sector mitigation responsibilities.

Key #2: Government must establish a new cyber regulatory paradigm to reflect the new realities

Current procedural rules for government agencies were developed in an industrial environment in which innovation and change—let alone security threats—developed more slowly. The fast pace of digital innovation and threats requires a new approach to the business-government relationship.

More effective regulatory cyber relationships with those regulated

Cybersecurity is hard, and we should not pretend otherwise. As presently structured, government is not in a good position to get ahead of the threat and determine detailed standards or compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to de-escalate the adversarial relationship that can develop between regulators and the companies they oversee. This would replace detailed compliance instructions left over from the industrial era with regular and fulsome cybersecurity engagements between the regulators and the providers at greatest risk as determined by criticality, scale (impact), or demonstrated problems (vulnerabilities) built around the cyber duty of care. It would be designed to reward sectors where participants have organized and are clearly investing ahead of failure to address risk factors.

Conversely, where sectors are ignoring cyber risk factors, graduated regulatory incentives can change corporate risk calculus to address consumer and community concerns. These activities would be afforded confidentiality and not be used by themselves to discover enforcement violations, but instead to help both regulators and the regulated better spot trends, best practices, and collectively and systematically improve their sector’s approach to cyber risk. DHS can have a supporting role for this, but at the end of the day, the balance between security, innovation, corporate means, and market factors is inherently regulatory. Absent the ability to impose a decision, government involvement can only be hortatory.

Recognition of marketplace shortcomings

Economic forces drive corporate behavior. Of course, there are bottom-line-affecting costs associated with cybersecurity. Even when such costs are voluntarily incurred, however, their benefits can be undone by another company that doesn’t make the effort. The first of this paper’s two recommendations suggests what companies can do to exercise their cyber duty of care. History has shown, however, that the carrot accompanying such efforts often needs the persuasion of a standby stick. This is only fair to those companies that step up to their responsibility and should not be penalized in the marketplace by those that do not step up. A rewards-based policy would amplify the value of cyber duty of care participation, especially when others fall short. It would also provide forward-looking incentive for risk reduction and a more useful feedback loop when breaches invariably occur.

Consumer transparency

Consumers have little awareness and no insight with which to make an informed market decision. The situation is analogous to the forces that resulted in the establishment of nutritional labeling for foods. Consumers should be given the tools with which to make informed decisions. “Nutritional labeling” about cyber risks or a cyber version of Underwriters Laboratories’ self-certification will help focus the attention of all parties on its importance.

Inspection and certification of connected devices

For years, the FCC has overseen a program to certify that radio-signal-emitting devices do not interfere with authorized use of the nation’s airwaves. Whether cellphones, baby monitors, electronic power supplies, or Tickle Me Elmo, the FCC assures the design and assembly of transmitting devices are within standards. The industry then organizes underneath that construct to self-certify devices in a cost-effective means baked into their production and distribution processes. At the time of the 2016 DYN attack that took control of millions of video cameras, the authors proposed a similar regimen to review the cybersecurity of connected devices. If we protect our radio networks from harmful equipment, why do we not protect our 5G networks from cyber-vulnerable equipment?

Contracts aren’t enough

Both the executive and legislative branches have focused on using government acquisition standards and pathfinder contracts to impose cybersecurity requirements where government contracts can compel commercial actions. This is an important, proven practice, but it can only go so far. Federal acquisition policies do not reach non-government suppliers that in an interconnected network can wreak havoc by simply connecting to the network. The majority of small and medium 5G network providers are not bound by any of these government contracts.

Stimulate closure of 5G supply chain gaps

For years government review of mergers and acquisitions has typically failed to appreciate the potential negative impact on critical supply chains. Moving companies and processes offshore or to joint ventures with foreign ownership/control has created wholesale gaps in the supply of crucial 5G components and the absence of domestic procurement options. Country of origin/ownership concerns must become relevant to both the corporate calculus that led to offshoring purchase decisions as well as to the market conditions that led to the destruction of a national capability in the first place. 5G supply chain market analysis must be continuous with regular engagement between regulators, industry, and the executive and legislative branches to properly incentivize globally competitive domestic sourcing alternatives.

Re-engage with international bodies

At present, the standards setting process for 5G is governed by the 3rd Generation Partnership Project (3GPP), an industry group that makes decisions by consensus based on input from its members, including Chinese 5G equipment companies. (Huawei reportedly made the most contributions to the 5G standard). The Obama FCC engaged directly with 3GPP to identify public safety and cybersecurity risk considerations applicable to the U.S. market. It additionally opened a notice of inquiry to ask the nation’s best technology brains how to implement cybersecurity risk reduction as part of the development and deployment cycle. The move was opposed by some industry associations and the Republican commissioners. Shortly after the beginning of the Trump administration, the new FCC cancelled the Obama FCC’s cyber initiatives.

There needs to be informed third-party oversight early in the 5G industry’s design and deployment cycle in order to prioritize cyber security. The nation, our communities and our citizens should—through their government—have some degree of agency in the process. The FCC and Commerce Department should participate in 3GPP and the U.S. feeder group as observer stakeholders. This will allow for earlier issue identification and the opportunity to submit concerns, without changing the basic governance of standards setting. The representatives of American citizens should have the option to escalate engagement on matters of national security and public safety concern.

CONCLUSION

It is an amazing turn of events when the U.S. Senate, currently led by Republicans, feels it necessary to introduce legislation instructing the Trump administration “to develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure.” The 5G cybersecurity threat is a whole-of-the-nation peril. We should not be lulled into complacency because the newness of the network has masked the threat. We must not confuse 5G cybersecurity with international trade policy. Congress should not have to pass legislation instructing the Trump administration to act on 5G cybersecurity. The whole-of-the-nation peril requires a whole-of-the-economy and whole-of-the-government response built around the realities of the information age, not formulaic laissez faire political philosophy or the structures of the industrial age.

“People are going to be put at risk and possibly die as we increasingly connect life sustaining devices to the internet,” was the stark warning from one of the experts participating in a Brookings roundtable on 5G cybersecurity. This cold reality is because the internet’s connection to people and the things on which they depend will increasingly be through vulnerable 5G networks. It is an exposure that is exacerbated by a cyber cold war simmering below the surface of consumer consciousness.

Early generation cyberattacks targeted intellectual property, extortion, and hacked databases. Today, the stakes are even higher as nation-state actors and their proxies gain footholds in our nation’s critical infrastructure to create attack platforms lying in wait. Any rational risk-based assessment reveals that the favored adversary target is our commercial sector. Companies that provide critical network infrastructure or provide products or services connected to it represent the likely and potentially most dangerous enemy course of action in the ongoing cyber cold war.

“If you’re asking me if I think we’re at war, I think I’d say yes,” the former commandant of the Marine Corps, Gen. Robert Neller, told an audience in February. “We’re at war right now in cyberspace. … They’re pouring over the castle walls every day.” While our adversaries, no doubt, see positive outcomes for high-profile direct attack, they also are perfecting less-risky positive outcomes in a steady pace of low-level attacks intended to erode U.S. public confidence in our cyber critical infrastructure and the digital economy it underpins. The low-intensity cyber war is already ongoing as our adversaries risk very little in these attacks and stand to gain much.

Into this attack environment has come a software-based network built on a distributed architecture. With its software operations per se vulnerable, and a distributed topology that precludes the kind of centralized chokepoint afforded by earlier networks, 5G networks will be an invitation to attacks. Given that the cyber threat to the nation comes through commercial networks, devices, and applications, our 5G cyber focus must begin with the responsibilities of those companies involved in the new network, its devices, and applications. The cyber duty of care for those involved in 5G services is the beginning of such proactive responsibility.

At the same time, the federal government has its own responsibility to create incentives for 5G companies to focus on the cyber vulnerabilities they create. This is especially the case when there may be a corporate or marketplace lack of motivation to prioritize a maximum cyber effort. As outlined in this paper, this will necessitate replacing the rigid industrial-era relationship between government and business with more innovative and agile means of dealing with the shared problem.

Yes, the “race” to 5G is on—but it is a race to secure our nation, our economy, and our citizens.

The moment is now for a bipartisan call to action to not just address the current 5G exposures, but also to address the structural shortfalls that have allowed the cyber readiness gap to continue to grow. What got us here won’t get us to a secure 5G-enabled future.

Tom Wheeler was the 31st chair of the FCC from 2013 to 2017. Currently, he is a visiting fellow at the Brookings Institution. Rear Admiral David Simpson, USN (Ret.), was chief of the FCC’s Public Safety and Homeland Security Bureau during the same period. Currently, he is a professor at Virginia Tech’s Pamplin College of Business.

The Brookings Institution is a nonprofit organization devoted to independent research and policy solutions. Its mission is to conduct high-quality, independent research and, based on that research, to provide innovative, practical recommendations for policymakers and the public. The conclusions and recommendations of any Brookings publication are solely those of its author(s), and do not reflect the views of the Institution, its management, or its other scholars.

Microsoft provides general, unrestricted support to The Brookings Institution. The findings, interpretations, and conclusions posted in this piece are not influenced by any donation. Brookings recognizes that the value it provides is in its absolute commitment to quality, independence, and impact. Activities supported by its donors reflect this commitment.

Report Produced by Center for Technology Innovation

Article link: https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/

1. 1Captain Wayne P. Hughes, Jr., USN (Ret.), Fleet Tactics and Coastal Combat, 2^nd ed., U.S. Naval Institute Press, 2000, pp.40-44
3. 2Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015). Externalities and the Magnitude of Cyber Security Underinvestment by Private Sec tor Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. http://dx.doi.org/10.4236/jis.2015.61003
5. 3While the authors do not want to understate the shortfalls associated with the NIMS self-assessment model and lack of federal engagement at the regional level to assess actual NIMS implementation, we do want to note that a decade in, NIMS has succeeded in establishing a common language and investment framework for long-term steady improvements to resiliency in over 10,000 jurisdictions across the country.

 

---

August 12, 2019  By Jack Corrigan,
Staff Correspondent

The plan is meant to help federal leaders roll out standards that reduce the potential risks of AI without stifling innovation.

Federal standards for artificial intelligence must be strict enough to prevent the tech from harming humans, yet flexible enough to encourage innovation and get the tech industry on board, according to the National Institute of Standards and Technology.

However, without better standards for measuring the performance and trustworthiness of AI tools, officials said, the government could have a tough time striking that balance.

On Monday, NIST released its much-anticipated guidance on how the government should approach developing technical and ethical standards for artificial intelligence. Though it doesn’t include any specific regulations or policies, the plan outlines multiple initiatives that would help the government promote the responsible use of AI and lists a number of high-level principles that should inform any future standards for the tech.

The strategy also stresses the need to develop technologies that would help agencies better study and assess the quality of AI-powered systems. Such tools, which include standardized testing mechanisms and robust performance metrics, would allow the government to better understand individual systems and determine how to develop effective standards.

“It is important for those participating in AI standards development to be aware of, and to act consistently with, U.S. government policies and principles, including those that address societal and ethical issues, governance and privacy,” NIST officials wrote in the plan. “While there is broad agreement that these issues must factor into AI standards, it is not clear how that should be done and whether there is yet sufficient scientific and technical basis to develop those standards provisions.”

NIST’s plan was born out of a February executive order that called on agencies to ramp up their investments in AI as global competitors like China work to bolster their own AI capabilities. The strategy comes as one of the government’s first and most concrete steps toward placing guardrails on a technology that could have significant negative repercussions if left unchecked.

The AI standards developed in the years ahead should be flexible enough to adapt to new technologies while also minimizing bias and protecting individual privacy, the agency said. While some standards will apply across the broader AI marketplace, NIST advised the government to also examine whether specific applications require more targeted standards and regulations.

“The degree of potential risk presented by particular AI technologies and systems will help to drive decision making about the need for specific AI standards and standards-related tools,” officials said.

As the government begins developing rules for AI, it’s also important to remember the importance of timing, according to NIST. Standards that come too early could get in the way of innovation, officials said, but if they come too late, it will be difficult to get industry to agree to them voluntarily. As such, agencies need to constantly look outside of government to gauge the current state of AI and understand when federal action may be needed.

“The government’s meaningful engagement … is necessary, but not sufficient, for the nation to maintain its leadership in this competitive realm,” NIST said. “Active involvement and leadership by the private sector, as well as academia, is required.”

In the plan, NIST officials said government leaders should work to better coordinate agencies’ efforts to understand AI and develop standards for the tech. To that end, they recommended the White House designate a member of the National Science and Technology Council to oversee AI standards and urged agencies to study the approaches tech companies are taking to steer their own AI development efforts.

NIST also advised the government to invest in research that focuses on understanding AI trustworthiness and incorporating those metrics into future standards. Expanding public-private partnerships could also help inform federal AI standards, they said, and increasing cooperation with international partners could help address many of the national security concerns related to the tech.

“Public trust, security, and privacy considerations remain critical components of our approach to setting AI technical standards,” U.S. Chief Technology Officer Michael Kratsios said in a statement. “As put forward by NIST, federal guidance for AI standards development will support reliable, robust and trustworthy systems and ensure AI is created and applied for the benefit of the American people.

Article link: https://www.nextgov.com/emerging-tech/2019/08/nist-lays-out-roadmap-developing-artificial-intelligence-standards/159119/

 

By Driek Desmet, Niels Maerkedahl, and Parker Shi

To fully benefit from new business technology, CIOs need to adapt their traditional IT functions to the opportunities and challenges of emerging technology “ecosystems.” Here’s how it’s done.

IT has traditionally functioned as the foundation to keep a company running. One of its core functions has been to protect company operations with firewalls and encryption to keep external technologies out. With the advance of technologies, however, a vast array of capabilities and sources of competitive advantage are emerging beyond a business’ traditional walls. Those capabilities are coalescing in a wealth of new ecosystems (see Exhibit 1).

These ecosystems often overlap. A social payment app, for example, may be part of the mobile, social, data, and banking services ecosystems. The Internet of Things (IOT) is an ecosystem where multiple applications communicate with each other as a network

By plugging into these ecosystems, companies can get access to entire networks. They can, among other benefits, find new customers, tap into new sources of data, and improve established business processes.

CIOs and IT organizations have a huge role to play in capturing these opportunities. But they can’t do it through “business as usual.” In an ecosystem environment, an exclusive focus on “protecting the center” can limit a company’s ability to capitalize on emerging opportunities. To adapt their complex business-technology architecture to function in a world of ecosystems, CIOs will have to figure out how to simultaneously draw external technologies closer while managing security issues and getting a handle on the accelerating stream of technological innovations.

IDC predicts that by 2018, more than 50 percent of large enterprises—and more than 80 percent of enterprises with advanced digital-transformation strategies—will create or partner with industry platforms.1 At the same time, there will be more than 50 billion connected devices expected by 2020, according to Cisco.

These numbers point toward a radical reframing of what IT is and how CIOs manage it—not as an internal collection of information technologies (IT) but as a broad network of ecosystem technologies (ET). For the CIO, this shift also creates a significant opportunity to work closely with the CEO on business priorities and to become a prime strategic partner.

Understanding ecosystem technologies

ET encapsulates an expanded set of IT capabilities and functions (Exhibit 2). The CIO still needs to manage the multi-speed IT functions2 as well as current bilateral programs. The new layer of ET represents a new set of capabilities as well as the extension of existing ones.

CIOs can define and shape their ET three ways:

1. Opening up internal IT to outside world

This approach is about architecting IT to link internally driven systems and capabilities into external systems. One example of this in action is Delta Air Lines’ mobile app, which extends to Uber so travelers can order a car upon landing. Kraft has expanded its recipe app to become a pantry-management tool, generating a shopping list that seamlessly connects with the grocery-delivery service Peapod. Think of it as extending the customer’s journey—and the company’s relationship with the customer—through integration with other service providers.3

Many companies have already been providing integration capabilities to upstream and downstream partners—technologies such as EDI (electronic data interchange) have been in existence for decades. However, those integration points are often static. They are bilateral connections with a small, preselected group of partners such as distributors and suppliers. Those points of integration happen infrequently and often in a batch.

The future of integration into external ecosystems will force companies to interact with many more partners covering a broad range of functions, ranging from customer sourcing to social advertising to payment solutions. That’s because the low cost of technology and a dynamic start-up environment has led to a massive increase in the rate at which new services are being introduced. This means that the IT function must follow the ‘Amazon principle’ of making system components available as a service to enable integration with the ecosystem. The interfaces must be open, dynamic, and functional in real time so that they can integrate partners, technologies, and applications on an as-needed basis.

One clear implication is the need to design lightweight technology architecture built on microservices and application programming interfaces (APIs) to allow third parties to easily hook into the new ecosystem. CIOs need to start thinking in terms of platform architecture such as auto-industry OEMs use to allow for future upgrades across the ecosystem. They may even need to offer an ‘app store’ to allow consumers to pick and choose desired capabilities—and, of course, the infrastructure must be robust and secure.

One example of how this can play out might be found in telecom players that expand their connected services to e-commerce, music, health, insurance, education, media, and smart homes. These services would all be connected into one ecosystem offering the customer multiple services through the telco’s technology backbone. Salesforce’s AppExchange is already doing this by creating an environment in the cloud where developers can create and release their own apps.

2. Internalizing external IT

This approach focuses on opening up internal IT systems so that the business can plug in the external capabilities available in the ecosystem to better serve its own customers, support its own employees, or create new products and capabilities, often offered via SaaS and APIs. A simple example is integrating a third-party point-of-sale (POS) application into a company’s internal payment systems to simplify a customer’s in-store purchase process. Or integrating a third-party customer-service chat function into a company’s website. Or even integrating Yammer to help with employee productivity.

This approach clearly changes how IT designs and manages its systems. It’s no longer about buying software packages and building bespoke solutions on premise or working with a few systems integrators to deliver a business solution. It’s now all about understanding the end-to-end customer experience and how external and already available services can be utilized with internal solutions to offer a complete and unique offering. Companies will need to complement internal skills with external specialization integrated deeply into the ongoing fabric of its IT application development and infrastructure management. It’s about creating a 24/7 environment that enables product offerings to millions of customers globally.

One leading international travel company, disrupted by start-ups in the market, decided it needed to build up its capabilities to drive its transformation. An important component of its strategy was to use specialized vendors from the external ecosystem to support different capabilities, for example, mobile, search engine, CRM, payments. This approach allowed them to accelerate their transformation, scale up their services, and tap specialized talent as technologies evolved and demand spiked.

3. Modernizing IT to scale innovation

We’ve all heard often enough how torrid the pace of new technologies has become. But it’s worth remembering that many of the new tools have the potential to fundamentally change a company’s business model, though that may not be clear at first. To guard against being caught unprepared and to adopt a more aggressive competitive posture, companies should begin testing these technologies to be ready to bring them on board as soon as their value is proven and they can work at scale. This may be a matter of “playing” with new technology (e.g., alike open source standards) in dedicated sandlots where the connectivity between the internal IT and external IT can be tested. Furthermore IT leaders will need to actively form partnerships or alliances with vendors and service providers to really understand and evaluate how the technology can be used in their business environment.

It is true that many companies have already been actively investing in emerging technologies. For example, many financial-services companies have set up internal corporate venture-capital funds to invest in technologies such as blockchain and the IOT. However, companies have demonstrated less progress—and success—in integrating those technologies into their existing IT infrastructure and successfully extending the value proposition to their customers. The start-ups often have immature technologies that cannot scale, and they often leverage external cloud services that may not be compatible with companies’ own cloud infrastructure. Therefore it’s important for companies to think through how they enable a smooth integration of both technical solution and working culture to fully capitalize on the products that the start-ups are offering. If not done correctly, companies will create the next wave of spaghetti IT infrastructure.

Given the scale of innovation, it would be virtually impossible to keep up unless the CIO designates specific analysts or architects whose job it is to identify and assess the compatibility of external technologies. The DBS Innovation Group, for example, has established a fintech SVP role responsible for identifying, integrating, and managing potential eco-system members. This person leads and drives fintech engagements locally and regionally, and reports to the global head of partnerships.
Regardless of which way—or combination of ways—the CEO and CIO choose, IT moves to the forefront not just of technology but also of business-model innovation.

Getting started with ET

While building out ET is complex and based on many interdependencies, we’ve found that focusing on the following six elements gives CIOs and CEOs a big advantage in getting the most value from it:

1. Rethink the business’ strategy.

Which way, or combination of ways, a company chooses to interact with various ecosystems (or create its own ecosystem) depends on three things: its strategy, the market environment, and the risk appetite of the overall enterprise. This in turn requires the CIO to work closely as a partner with the CEO and C-suite to help shape the business strategy by identifying emerging technologies and ecosystems that could disrupt the marketplace, determine where future sources of value are, and develop necessary strategic actions to capture it. This dialog is a two-way and constant exploration in which technology and business strategy are inextricably linked. The CIO’s role is not just to determine feasibility but to help the business determine what threats and opportunities exist in engaging in ecosystems (see article “The economic essentials of digital strategy”).

2. Develop the infrastructure.

The new bidirectional integration of technologies is dynamic in nature; it happens in real time with thousands of invoking partners or end consumers. This requires companies to redesign the next-generation integration architecture to support it and enforce open standards that can be easily adopted by external parties. A company’s existing master data-management catalog will also need to be extended to include third-party data and potential integration with external master-data providers. There has to be a clear data architecture and governance in place to ensure data cleaning, rationalization, and standardization for the systems to work.

3. Reinvent customer-management processes and structures.

When customers call with technical issues, it will be challenging to figure where the fault points are in an ET environment. Is it the company’s systems, a third party’s services, the cloud that houses the service, the network—or some combination of the above? This reality will require companies to fundamentally rethink their infrastructure-support processes.

Creating SLAs that clearly define issue resolution and escalation protocols that all parties agree to will be crucial. Creating standard identifying tags or ‘tripwires’ and integrating them into participating ET services, partners, and technologies will be important to locate issues quickly so they can be resolved.

These standards and agreements, however, are not an excuse for shuttling customers from one partner to another and another. The customer-facing company needs to solve the issues behind the scenes and spare the customer the complexity of navigating the partners’ ecosystems.

4. Define the parameters for cybersecurity, legal, and partnerships.

As a result of the extended infrastructure, internal cybersecurity policies and processes will need to include third-party partners and vendors. A new set of security standards should be defined and agreed to that clearly articulates how the integration will take place and what kind of data can be exchanged with whom.

Working with a broad range of third parties will raise other legal questions as well. IP, liability, privacy, profit sharing, and regulatory/compliance issues all have the potential to severely impede potential benefits from engaging in the broader ecosystem. Licensing issues have already emerged between cloud companies and on-premises hardware and software businesses because of competing and different business models. Data ownership and customer management in particular will be crucial given the need for companies to access both.

This will call on significant negotiating skills and a commitment to develop and apply a broad set of standards to avoid constant renegotiating with each new partner or vendor from scratch. Setting up an app-store approach where standards are clearly stated, tools provided, and agreements specifically made at the beginning may provide a useful model.

Engaging with a network of vendors also requires changes in skills certification and vendor performance management. Companies will need to clearly define the standards and procedures under which vendors must operate and guidelines that define how the vendor will be included in the delivery lifecycle. Home Depot is developing standards with the manufacturers of its products to ensure compatibility with the Wink connected-home system. Companies that do this most effectively treat vendor relationships as partnerships with strong transparency. The internal-supply and vendor-management functions will need to be restructured to work more like M&A, which can integrate new partners or establish new alliances quickly and efficiently.

5. Cultivate an “open” mind.

CIOs have traditionally focused on protecting systems and ensuring that they run well. But the new digital world demands more active engagement with the outside world to understand competitive threats and sources of value. CIOs should start with developing a much more externally compatible view of the current IT infrastructure and thinking about how to design new ways of meaningfully integrating external systems. Spending a long time building overly complex ‘bulletproof’ systems is counterproductive; testing an application or new platform environment should take a matter of days or weeks.

6. Invest in new  capabilities

As businesses increasingly engage with external ecosystem technologies, full-stack architects and convergence infrastructure engineers are needed who can provide expertise in third-party packaged software, have fluency in multiple best-of-breed technologies, and bring experience integrating multiple technologies. ‘Translator’ capabilities will also be crucial to bridge the gaps between business goals and technology requirements to be provisioned through the ecosystem. Any new function within the enterprise architecture should work closely with business to understand how external services can be integrated with products to extend the customer value proposition.
With the advancement of cloud computing and infrastructure as programmable software, infrastructure resources (e.g., networks, servers, storage, applications and services) can now be rapidly provisioned, managed, and operated with minimal effort. That requires DevOps (the integration of development and operations) and cloud engineers, who have the experience to navigate a rapidly changing cloud computing ecosystem and program software, as well as data scientists, automation engineers, and enterprise architects. Companies will also need to find a few senior developers who can set up app-store development standards.

Companies have outsourced many of these capabilities. But due to the increased importance of engineering and automation skills, many are rethinking that approach as IT evolves from utility to enabler.

Integrating a company’s IT with third-party capabilities creates opportunities to capture substantial new sources of value. But until IT expands to become ET, the vast majority of those opportunities will remain out of reach.

Article link: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/adopting-an-ecosystem-view-of-business-technology

July 16, 2019
Officials outlined plans to drive innovation, streamline IT acquisitions and build a more agile and resilient cyber posture.

By Jack Corrigan, Staff Correspondent

Pentagon officials vowed to improve oversight of their IT investments as part of a multi-year push to upgrade the Defense Department’s tech for the 21st century.

Officials on Friday released their Digital Modernization Strategy, offering insight on how the Pentagon plans to prioritize its roughly $46 billion annual IT budget over the next five years. Cloud adoption, artificial intelligence and cybersecurity will all factor in heavily to the department’s technological future, according to the strategy, but those capabilities won’t be possible unless officials do a better job coordinating their efforts.

“More effective oversight of IT investments is necessary due to the decentralized nature of [Defense Department] operations and spending,” officials wrote in the strategy.

In January, Congress passed a law giving the Pentagon’s chief information officer more authority over IT budget requests and spending plans, and officials said the new measures “will enable continual, comprehensive department-wide IT modernization in a common, coordinated way.”
In the strategy, officials outlined four overarching goals that will guide the department’s tech efforts in the years ahead: innovate for competitive advantage; optimize for efficiencies and improved capability; evolve cybersecurity for an agile and resilient defense posture; and cultivate talent for a ready digital workforce.

Under the first goal, officials pointed to a number of areas where the Pentagon should focus its investments in the years ahead, including cloud computing, artificial intelligence and command, control and communications systems. While each new capability will be critical to maintaining the nation’s technological edge, the department sees cloud adoption as “the foundation” for many of the others, officials said.

Today, the Pentagon is in the process of bidding out two massive cloud computing contracts—Defense Enterprise Office Solutions and Joint Enterprise Defense Infrastructure—worth billions. The platforms are intended to help the department make better use of data and pave the way for emerging technologies like artificial intelligence, and if they’re not up and running soon, Defense leaders fear national security could suffer.

Officials are also ramping up operations at the Joint Artificial Intelligence Center, which will serve as the hub for AI research across the department. In the years ahead, officials plan to focus on building more partnerships between the JAIC, industry and academia, and building a pipeline to scale up the technologies developed at the center.

The second goal—optimize for efficiencies and improved capability—will focus largely on the department accelerating IT procurements and adopting more enterprisewide solutions, as opposed to component-specific systems. Officials plan to accomplish the goal in part by improving category management and technology deployment process, as well as optimizing migrating applications that can’t run in the cloud to optimized, enterprise data centers.

The third goal, agile and resilient cybersecurity, will involve prioritizing security in each step of the acquisition process for “every network, system, application and enterprise service,” they said. Other steps include restructuring the department’s cyber architecture to bolster defenses and digital awareness, deploying an “end-to-end” identity, credential and access management infrastructure, and securing information held by Defense contractors, they said.

Lastly, maintaining the country’s technological capabilities will require the department to build a similarly capable tech workforce, officials said. To that end, the department plans to improve its internal workforce management processes, increase training opportunities for IT procurement specialists and expand programs to recruit and retain cyber specialists.

The government faces a continuous struggle to recruit and retain talented technologists, though the Pentagon has historically fared better than civilian agencies.

Article link: https://www.nextgov.com/it-modernization/2019/07/pentagon-releases-its-5-year-digital-modernization-strategy/158460/