Military commanders have had to change the way they operate in the field. Corporate executives should take note.

Much has been written over the years about parallels between the military and large corporations. But what insights are most relevant for senior executives today in an age of agile organizations? With his long experience in the Army and then in business, Justin Maciejewski is unusually well placed to reflect on the lessons for business, as a former commander of the British Army’s 800-strong 2nd Battalion, The Rifles, during its vital peacekeeping mission in Basra, Iraq, from 2007 to 2008.

Maciejewski’s career in the army spanned more than a quarter of a century, taking in the years after the Falklands War, in 1982, to recent operations alongside coalition forces in Afghanistan, the Balkans, and the Middle East. It was a time that coincided with the development of a new type of leadership based on empowerment, designed to make the British Army more tactically agile and able to overcome larger adversaries through maneuvers, rapid planning, and decision making that disrupt and break down the enemy’s cohesion. This has transformed the British Army’s approach, which for generations had been based on centrally controlled, set piece battles focused on overwhelming firepower and attrition. Awarded the Distinguished Service Order for his role in Iraq, Maciejewski joined McKinsey in 2013 and was appointed director general of the National Army Museum in London in 2018.

In this conversation with McKinsey’s Rob Theunissen, Maciejewski talks about the modern army’s agile model, the balance between command and control, the importance of (good) process, and the notion of learning without blaming.

The Quarterly: Why did the British Army change the way its organization works?

Justin Maciejewski: In the Second World War, the British Army achieved success by focusing a huge amount of resources on a smaller enemy force, then wearing them down through attrition. Battles were often very static, relying on numerical superiority. The battles were designed top down; everyone knew their place. Montgomery, the great British commander of the Second World War, called this “a tidy battlefield,” and he referred to it as the orchestra of war: one conductor conducting, with all the different instruments doing exactly what they are told to do.

As the British Army got smaller in the 1960s and ’70s, it found itself at a numerical disadvantage relative to the forces it was facing in the Cold War. Nevertheless, this culture of top-down direction continued. And in the Falklands, the British Army found that soldiers were waiting to be told exactly what to do in circumstances where casualties might have been avoided had they been more proactive. At the end of that war, people asked themselves, “Why did intelligent people sit there, waiting to be told what to do? Why didn’t they just get on and do it?

“In the late 1980s, the British Army radically redesigned the way decisions were made and how officers were empowered. A new system was introduced: Mission Command, which would now be called agile, was all about giving people the tools to make rapid decisions in order to disrupt the enemy.”

In reflecting on our performance in the Falklands War, in the late 1980s, the British Army radically redesigned the way decisions were made and how officers were empowered. A new system was introduced: Mission Command, which would now be called agile, was all about giving people the tools to make rapid decisions in order to disrupt the enemy. The idea was that you could defeat a larger enemy by getting inside their decision cycle, moving so quickly that their cohesion is disrupted and they begin to fall apart.

The Quarterly: What were the big changes?

Justin Maciejewski: In Montgomery’s army, the functions—artillery, engineers, logistics, medical, intelligence, signals, et cetera—were very powerful. In the 1980s, led by General Nigel Bagnall, the notion of integrating the functions at every level took hold. Every group was tailored for the operation that it was required to do, and functions were integrated in the volumes that were needed for that operation.

That sounds easy, but it’s difficult to do. And in order for that to happen, the army had to be much more standardized about the way it planned, the way it gave direction, and the way it cascaded intent. If you’re going to be very modular and agile about the way you allocate resources, people need to be speaking the same language.

Mission planning lies at the heart of military operations, and the army came up with seven questions, which everyone now uses across the entire organization. Once you standardize like that, you create organizations in which people feel confident to make decisions and where trust grows because people know what other people are going to do even before they come up with an idea.

The Quarterly: Standardization can feel rigid and bureaucratic—it almost sounds paradoxical alongside agility. Was that not limiting?

Justin Maciejewski: The trick is to work out what process is good and fundamental to the stable functioning of an organization—and to its consistency—and what process is bureaucratic and superfluous. Don’t throw out the good stuff when you get rid of the bad stuff; organizations that have been fossilized by bad processes sometimes try to get rid of it all.

What the army managed to do in the 1990s was to get rid of a lot of bad processes but design these very solid core processes, which everyone was able to rally around. I never saw them as constraining; I rather saw them like a trellis where a plant grows up an open frame. The effort to root out bad processes was considerable and involved significantly reducing the number of operating procedures to encompass only those activities that genuinely needed to be standardized.

For me, a good process is a process that helps someone see how to think, how to find a solution, but it doesn’t tell them what to do. It doesn’t tell them the exact answer. In other words, it’s not a tick box. It’s a framework that lets people bring themselves to the problem in a way that they know they’re not going to miss anything. It’s a support—but a support that gives them the chance to be creative.

The Quarterly: Could you describe in more detail how structure, process, and creativity work together?

Justin Maciejewski: In the old world, leaders wrote down what they wanted people to do in quite a precise way. People were given tasks that fit within an overall operation or mission. A mission today is not a set of tasks, because, in a dynamic situation, people should revert to the purpose rather than the task. Situations change; the enemy’s done something. That’s my purpose—that’s what I’m going to go after—rather than in the old system, where people would literally do their task and wait to be told what to do next.

For example, in the old world, you could say to someone, “Take and hold the bridge by midnight tonight.” In the new world, you would say, “Our intention is to cross that river. To do that, I see you securing that bridge by midnight tonight. And the reason we want you to do that is because we want to put 20,000 soldiers on the far side of that river by the close of day tomorrow.”

If you imagine that philosophy being replicated across an organization of 80,000 people at every level, it dramatically changes the performance. Everyone at every level is thinking, “What if it changes? How do I respond?”

In a business environment, people often express annual targets as percentages of growth or the amount of cost they have to take out without any real articulation of how that feeds into the overall success of the business. [What they should be saying is,] “We need you to take out this much cost because we want to put that into the R&D program for the next model that’s going to win us a new market.” It’s very disempowering to have targets without any real context of how that target fits into the bigger picture.

The Quarterly: What does it take for a leader to move into this new world?

Justin Maciejewski: I grew up during this transformation, but I think it was a lot tougher for some of the people who’d grown up in the old army. One thing you have to be prepared to do as a leader is to give people space to fail, to let people spread their wings as leaders, and to trust them. Occasionally, they’ll get it wrong. And, when they get it wrong, you mustn’t crucify them. Because if you do, they won’t do it again, and then you have to micromanage them because there’s no other option. Watching people grow as leaders, by tripping over the first time and then getting up and dusting themselves down, is most fulfilling. As new leaders gain more experience, you can supervise less.

Leaders also need to understand that there is a tension between command and control. A commander may want to do something, but it may be impossible, and that’s where command has to be constrained by control. And there are other times when the commander knows something can be done and has to be done, and sometimes the machine needs to work a little bit harder to make it happen, and that’s where command pushes control. They are both critical to success, and that distinction between command and control is something I really came to value.

The Quarterly: Can you paint a picture of how you spent your time as a military leader?

Justin Maciejewski: Once the army moved to Mission Command, much more of leaders’ time was spent up front in the creative process: “What am I trying to achieve? How do I visualize this happening? What is my mission? What am I being asked to do?” It’s about making sure everyone is clear around what’s expected of them. This gives commanders much more time away from their laptops and more time with the people they are commanding. I like to think we were all frontline people.

When we first got to Basra, we had an operations room—a control tower—that had all the screens with satellites and aircraft photography coming down and data flowing in from people on the ground on their radios. It was a huge hub of information. What I actually found was, I may have had all the data, but what I didn’t have was the fingertip feel of what was actually happening on the ground.

Over time, I came to realize that the data was not the most important thing for me to see on any given day. I would get a much better feel for the operation by seeing the “customers”—the people on the streets—and the soldiers themselves who were doing the job. I would spend two-thirds, maybe three-quarters, of my time with soldiers at the front line, either talking to them or listening to them after an operation. I spent a quarter of my time planning.

That’s where the chief of staff in the army really kicks in. In business, the chief of staff is someone who organizes the CEO’s diary. The chief of staff in the army is an incredibly powerful figure and is literally the chief of the machine. My chief of staff bought me the time to be with the soldiers, talk to my Iraqi colleagues, or meet local leaders in Basra. The chief of staff also was able to triage the data and feed to me what I needed: “Be aware that this is happening.” A key thing [in the army] is that the system selects the chief of staff to work with the commander. When I look back now, I really appreciate how much effort went in to selecting the right chiefs of staff to work with the right commanders.

How you allocate your time, though, is only part of it. The army also invests a lot of time in training leaders to manage the mental and emotional states of the troops.

The Quarterly: How do you do that? How do you show up as a leader in the army?

Justin Maciejewski: When a leader shows up in the army, the soldiers immediately worry that they’re under scrutiny, that they’re being evaluated. That imposes an additional burden. So when I started in Basra, my assumption was to let the guys lead. They’ve got the enemy to worry about, and they’ve got the local population to worry about, but if you show up, they’ve got their leader to worry about as well. When a leader shows up in the right way, it’s a source of encouragement; it shows you also have skin in the game on any particular day. When the bullets are flying around, it makes the point that we’re all in this together.

One day, we had a mortar attack, and a lot of guys were badly injured on the other side of the city. The day before, someone had been killed by an improvised explosive device, and someone had lost one of their legs. So we got into our vehicles, and we drove across the city to spend the afternoon with this company and see how they—a company of about a hundred people—were getting on. I just went up there, had a cup of tea, put my arm around a few people.

“One thing you have to be prepared to do as a leader is to give people space to fail, to let people spread their wings as leaders, and to trust them. Occasionally, they’ll get it wrong. And, when they get it wrong, you mustn’t crucify them. Because if you do, they won’t do it again, and then you have to micromanage them because there’s no other option.”

The fact that we made the effort to get up there after this attack, in the same sort of vehicles that they’d been attacked in, meant a huge amount to the guys. I came to realize that showing vulnerability and presence as a leader becomes a very important way of galvanizing everyone around a particular mission. I wouldn’t go on a mission with a leader because I was worried about that leader, but because I wanted to show that leader that I was right next to him. And that mind-set change was the most profound for me personally as a leader: seeing yourself not as an evaluator but as a supporter of the people who work for you.

The Quarterly: Say more about vulnerability, because it feels such an odd concept in the army.

Justin Maciejewski: For a meeting somewhere with, say, a tribal leader or local power broker, I would turn up with my entire panoply of drivers, communicators, and bodyguards—we call it the “commander’s tac,” maybe as many as 15 people—and there might be a jet in the air over the area. That’s saying you’re the biggest tribal chief in the area.

The vulnerable bit is when you go to a group of soldiers who are being led by somebody and say, “I would like to come out with you tomorrow.” And you don’t try and command it; you just try and be with them, to walk in their shoes. The night shift, for me, was the place where you got the best conversations, turning up in a guard tower at two in the morning and saying to a young soldier, “How are you feeling?” And they’d be honest. They’d say, “I’m scared.” One could then talk about things that we were all concerned about and how we were going to tackle them.

I’m always struck by Henry V in Shakespeare, when he goes out and walks around. That is a very profound insight of good leadership. It’s in the night, when it’s quiet or when people have got their thoughts, that you can gently get alongside them.

The Quarterly: Let’s go back to teams. How does the army compose its teams?

Justin Maciejewski: My team was built by my predecessors: years of investment in developing the right talent and pushing it forward. So my regimental sergeant major had spent 20 years in the army, but he’d been recognized 15 or 16 years previously and had been pushed through the system to be ready when I needed him. I didn’t find him through advertising a job.

When I looked at this group of 800 people, I could see the sort of institutional investment in talent over at least 20 years—but, in reality, over generations. And it made me realize just how good the army is at getting and developing the right people. I had to remove a few people when I was there, but not many—a handful in an organization of 800—while everyone else stepped up and did what was required of them.

Talent selection is crucial, and being rigorous about it is important. I haven’t come across many organizations [in business] where talent selection is really rigorous. Often, it’s based on a good year’s performance, then you leap forward into the next job rather than really understanding what potential looks like versus performance. It could be that someone’s doing something they’re not actually ideally suited for, but, by God, they’ll be good for the next level. I think business is too quick to bring in talent rather than develop it internally. Endlessly looking outside creates a very transactional approach to people.

The Quarterly: How, then, do you compose teams that can shoulder responsibility?

Justin Maciejewski: People have got to complement each other. So if you have an extrovert leader who may not be very good on detail, you need to make sure they’ve got a second in command who’s bloody good at it. You mustn’t let people pick their own teams, because what you then create is an inner circle. I’ve seen this in other armies, where commanders were allowed to move with their inner circle. And when you have an inner circle around the boss, you just create a sense of disempowerment for everyone who’s not in the magic circle of power. That creates a very fractious—and, ultimately, toxic—organization. In business, I often saw an outer circle of people who were feeling very scared and vulnerable, and I don’t think that’s the way to drive successful teams.

The Quarterly: Let’s talk about the performance dialogue, where the backbone of a culture and an organization’s true beliefs always pop out.

Justin Maciejewski: [In the army,] there’s a very mature initial conversation between the person giving the mission and the person receiving the mission around how they’re going to achieve that mission. Then there’d be a dialogue around the concerns. There’s literally a piece of paper with four headings on it, and one of the headings is “concerns,” so you can’t say, “I’ve got no concerns.” That would feel a bit weird. So it takes the fear out of alignment with your boss.

You mustn’t let people pick their own teams, because what you then create is an inner circle. And when you have an inner circle around the boss, you just create a sense of disempowerment for everyone who’s not in the magic circle of power.

At the end of the operation, there’s what we call an “after-action review,” where you review performance of that operation. And the key thing about this is that it’s facilitated by an outsider, not by the person commanding the mission but by someone who’s not directly involved in the operation—for example, someone from the intelligence staff. Generally speaking, the commander comes to that process at the end and says, “That’s really interesting. These are my thoughts, reflections. And what have we learned from this?” And then someone captures what we need to learn from it, and then that gets fed into a review of how we do an operation in the future.

When a mistake is made, you do not hang someone out to dry. Sometimes mistakes are made in battle and people get killed. If you crucify people when a mistake is made in battle, they will freeze with fear the next time they’re facing the enemy, and the consequences of that are far worse. The notion of learning without blaming is at the heart of removing fear from that process.

One thing people realize in this sort of environment is that no one is without fault. No one is invulnerable to making mistakes, because the pressures are huge. People are slow to judge because they know that tomorrow it could be them. When a mistake is made, you know it could be you. I’ve been really shocked by how much fear is used as a motivator in business—in a way that I never saw it used as a motivator in the army. People are very much in a state of fear, not because they’re being shot at, but because there’s an internal fear working in terms of how people are being evaluated and watched all the time.

The Quarterly: How did you leverage values in your day-to-day work?

Justin Maciejewski: I’ve always been struck since I left the army that the army doesn’t have just values; it has values and standards. And the reason is because it wants to help people understand what those values look like in action. So courage is a value; having the moral courage to call out something when it’s wrong is the standard.

I saw this with a young soldier who came to me and said, “Sir, my commander behaved badly in a house last night in Basra. He smashed up some furniture in a search, and it was wrong, sir.” That young soldier had the moral courage to do that.

We would spend 15 or 20 minutes, perhaps half an hour, a week talking about the army’s values—courage, loyalty, discipline—and what they actually meant. Values can be a hugely powerful thing when they’re shared across an organization, but you’ve got to invest in them. You can’t just put them on a notice board or up in an office and have that be the end of the job. In business, I think, we’re still in the foothills of how we use values in the most effective way to create healthy organizations and drive performance.

“I would never call my soldiers a ‘human resource.’ They were the soldiers, the battalion, the riflemen. The term ‘human resources’ dehumanizes people.”

The Quarterly: What have you observed about the way organizations in the corporate sector look at people?

Justin Maciejewski: One thing is that I would never call my soldiers a “human resource.” They were the soldiers, the battalion, the riflemen. The term “human resources” dehumanizes people.

The army is very mindful of its people because it can’t hire them in at any level. You can’t hire in someone to be a great general on the battlefield on day one. It has to nurture, invest in, and grow talent. Specialists can come in, but the core manpower has to be grown from within; the army does not use headhunters.

A lot of industry and business relies on the fact that it can just hire and fire people, so it becomes a hire-and-fire machine rather than a coaching-and-building machine. And I think that you can hire and fire your way to a certain level of performance, but by doing that, you will never build genuine teamwork and cohesion. The new approach to becoming agile in business is based on building small, tight-knit squads. That requires trust, and trust takes time. You’ve got to bind people to the idea and the purpose and, if you like, the essence of the company you’re building or the business you’re running. You’re never going to get people to go the extra mile if, fundamentally, it’s a transactional relationship.

About the author(s)
Justin Maciejewski is the director general of the National Army Museum and a former brigadier in the British Army. This interview was conducted by Rob Theunissen, a partner in McKinsey’s Amsterdam office.

Article link: https://www.mckinsey.com/business-functions/organization/our-insights/how-the-british-armys-operations-went-agile?cid=eml-app#

Office of the Chairman of the Joint Chiefs of Staff Public Affairs

Watch his farewell video message to the Joint Force:

By Chairman of the Joint Chiefs of Staff Gen. Joe Dunford

In the coming days, I will complete over four decades of active service and my tenure as the Chairman of the Joint Chiefs of Staff.  Before taking off my uniform for the last time, I wanted to tell you what an honor it has been to serve alongside you and to represent you here in Washington, D.C. and across the globe.  More importantly, I wanted to take a minute to simply thank you for who you are and what you do.

Those of you in uniform active, guard, and reserve represent less than one percent of the American people and you’ve answered the call to serve our nation during a time of war.

You chose to challenge yourself to excellence and to be a part of something greater than yourself.

You chose to make a difference.

Across the globe, you stand the watch on sea, air, and land as we simultaneously tackle the challenges associated with Russia, China, Iran, North Korea, and violent extremism. 

And you are driving change to deal with the challenges of the 21^st century to include those in space and cyberspace.

Like your predecessors, you are ordinary men and women who hail from across the 50 states and U.S. territories but you routinely demonstrate extraordinary courage, honor, commitment, loyalty, and self-sacrifice.

It’s because of you that I am confident that we can defend the homeland and our way of life. It’s because of you that we have earned the trust and confidence of allies and partners around the world.

It’s because of you that people believe in America.

Over the past four years, I have spoken a lot about the need for our nation to maintain a competitive advantage over any potential adversary. You are our most important competitive advantage and any adversary would think twice about committing an act of aggression because of you.

And all of these words apply equally to our great civil servants who are an integral part of the team.

I’d also like to take a minute to recognize our families.  My wife, Ellyn, and I know the unique challenges and sacrifices of military families.  But we also know that the U.S. military is strong because of our foundation and our foundation is our families.  One of the most rewarding experiences of the last four years has been meeting with military families across the force. Thank you for welcoming us into your homes. Thank you for your willingness to sacrifice and support and thank you for your resilience. 

Let me close by saying that as I depart active service, I depart with incredible pride and gratitude, not because I’m a general or the chairman, but simply because I have stood in ranks with the Soldiers, Sailors, Airmen, Marines, and Coast Guardsmen who wear the cloth of our nation.

 Please know that I will remain in proud over watch following my retirement.

God bless you all and Semper Fidelis.

FALLS CHURCH, Va. — The Department of Defense is preparing for the next major step in consolidating military hospitals and clinics under a single agency, one of the largest organizational changes within the U.S. military in decades.

On Oct. 1, the Army, Navy and Air Force begin the final two years of a multi-year transition to shift administration and management of their medical facilities to the Defense Health Agency by October 2021, changes that are “transformational and far-reaching,” said Navy Vice Adm. Raquel Bono, the DHA Director (Retiring Navy Vice Adm. Bono is the former DHA director. Army Lt. Gen. Place assumed command as DHA Director Sept. 3, 2019)

“For the first time in our modern military’s history, a single agency, the DHA, will be responsible for all the health care the Department of Defense delivers to our 9.5 million beneficiaries,” Bono said. “Whether you receive your care at an on-base facility or through our TRICARE civilian networks, DHA will oversee your care. This consolidation will drive higher levels of readiness for operational and medical forces and integrate health care services to standardize practices across the entire Department, which means patients will have a consistent, high-quality health care experience, no matter where they receive their care.”

The primary driver for this change is the National Defense Authorization Act of 2017. Congress mandated that a single agency will be responsible for the administration and management of all military hospitals and clinics to sustain and improve operational medical force readiness and the medical readiness of military members, improve beneficiaries’ access to care and experience of care, improve health outcomes, and eliminate redundancies in medical costs and overhead across three separate Service-run systems. DHA will be responsible for health care delivery and business operations across the Military Health System including budgets, information technology, health care administration and management, administrative policies and procedures, and military medical construction.

Bono said that even though congressional directives mandate this change, “it’s the right thing to do.”

“We have more than 40 years of independent studies and internal reviews that demonstrate the current structure of the Military Health System is unsustainable,” she said. “What makes us unique from other health systems is that we are heavily embedded with combat forces around the world focused on operational medical readiness and the health of our warfighters. The transformational changes underway will improve that focus, support the DoD’s priority for a more lethal force, and improve our ability to deliver high quality health care to all of our beneficiaries. Improving medical readiness is the key driver of the overall effort.”

During this transition, the quality of care won’t change for beneficiaries of the Military Health System. More important, Bono said, is that over time, it will improve that care by enabling changes to improve access, patient experience, and outcomes.

“Ultimately, what this transition means for all of us in the Department of Defense is a more integrated, efficient and effective system of readiness and health, and integration of health care services that leads to a more standardized and consistent experience of care for patients,” Bono said. “Central to that is having one agency oversee MTF operations while supporting the Services’ effort to focus more on readiness.”

Since October 2018, the DHA has been operating eight hospitals and clinics as part of the first phase of what was at first a four-year transition period. In June, the overall timeline adjusted to three years to reduce the amount of duplicative management by the Military Departments and the DHA, said Dr. Barclay Butler, the DHA’s assistant director for management and MTF transition head. “The primary driver of that is to measurably and precisely coordinate the reduction of the Military Services’ Medical Department support and oversight of the MTFs to the DHA,” Butler said. “We want to create a simple and clear transfer of authority that positively impacts healthcare for our patients.”

From Oct. 1 of this year through October 2021, the transition will focus on four primary objectives:

Centralized administration and management: On Oct. 1, all hospitals and clinics in the continental United States transition to the DHA, with the Army, Navy and Air Force medical departments maintaining a direct support role. Butler said this means that while DHA assumes overall management, the existing intermediate commands of the Military Departments will continue management duties until the transfer is complete to ensure uninterrupted medical readiness operations and patient care. The Military Departments and the DHA are currently working out final plans to maintain continuity of operations.

Establish Health Care Markets: At the center of the reorganization is the creation of health care markets. The DHA will stand up 21 large markets during the transition period to manage MTFs in local areas. A market is a group of MTFs in a geographic area – typically anchored by a large hospital or medical center – that operate as a system sharing patients, providers, functions, and budgets across facilities to improve the coordination and delivery of health care services. “These markets are really key to the entire reorganization,” Butler said. “Market offices will provide centralized, day-to-day management and support to all MTFs within each market.” Readiness support is at the heart of a market’s responsibilities, Butler added, and they will ensure the clinical competency of all MTF providers within the market. The 21 large markets will collectively manage 246 medical facilities and centers of excellence.

Establishment of a Small Market and Stand-Alone MTF Organization: For stateside hospitals and clinics not aligned to a large market, this office, referred to as SSO, will provide managerial and clinical oversight. As with the large markets, the Military Departments will continue managing the MTFs until they are realigned under the SSO. There are 16 small market MTFs and 66 stand-alone MTFs assigned to the SSO.

Establish Defense Health Regions overseas: The transition period for standing up Defense Health Regions in Europe and Indo-Pacific begins in 2020. All MTFs overseas would then report to their respective DHA regional offices. The Indo-Pacific region has 43 MTFs, while the European region has 31.

(For a complete list of markets and their assigned MTFs, go to the MHS Transformation web page at www.health.mil/mhstsransformation.)

“Change can be challenging, and this is a complex transition,” Butler said. “We will see changes in reporting relationships and communication channels while instituting standardized clinical policies and procedures and business practices. We place a premium on communicating often as we move through this together with the Military Departments.”

Bono said that from a patient perspective, these changes should be transparent. “Our patients expect the same high quality care regardless of who is in charge. Doctors, nurses, and technicians will continue to focus on practicing medicine and improving their skills and readiness. In the end, this really is about the patient – integrating into one system will improve readiness for our medical professionals and result in better care and better health outcomes for our patients.”

For more on the DoD’s medical reorganization, go to the military health web site at www.health.mil/mhstransformation for fact sheets, an informational video, and more articles.

About the Defense Health Agency (DHA)
The DHA, established on Oct 1, 2013, is the nation’s military medical Combat Support Agency, a joint, integrated organization that enables the Army, Navy, and Air Force medical services to provide a medically ready force and ready medical force to Combatant Commands in both peacetime and wartime. In cooperation with the Joint Staff Surgeon and Military Department medical organizations, DHA leads the Department of Defense’s integrated system of readiness and health through a global health care network of military and civilian medical professionals, including nearly 450 military hospitals and clinics around the world, to improve and sustain operational medical force readiness and the medical readiness of the Armed Forces. The DHA supports the delivery of integrated, affordable, and high-quality health services for 9.5 million active duty service members, retirees, Reservists and Guardsmen, and their families at military hospitals and clinics or through the TRICARE network.

Article link: https://health.mil/News/Articles/2019/08/26/DoD-to-begin-next-major-phase-of-military-hospital-consolidation

Launching major transformation efforts is a common way that business leaders try to get a leg up on the competition, or just keep their heads above water. But too many of these efforts fail. Change is difficult, and many people not only resist it but seek to undermine it. Unsurprisingly, then, a McKinsey study found that merely 26% of transformation initiatives succeed. Most successful transformations have one thing in common: Change is driven through empowerment, not mandated from the top.

In my research of transformative political revolutions, social movements, and organizational change, successful efforts not only identify resistance from the start but also make plans to overcome those who oppose the transformation. And it’s done not with bribes, coercion, shaming, or cajoling, but by enabling others within their organizations to drive change themselves. Here’s how they do it.

Start with a small group. Typically, leaders launch transformation efforts with a large kickoff. It makes sense: They want to build momentum early by communicating objectives clearly. This can be effective if a ready consensus already exists around the initiative. Yet if the desired change is truly transformational, it is likely to encounter fierce opposition; inertia can be a powerful force, even more powerful than hope or fear. So by starting with a large communication campaign, essentially presenting the initiative as a fait accompli, you are very likely to harden the opposition of those who are skeptical of the change.

Most successful transformations begin with small groups that are loosely connected but united by a shared purpose. They’re made of people who are already enthusiastic about the initiative but are willing to test assumptions and, later, to recruit their peers. Leaders can give voice to that shared purpose and help those small groups connect, but the convincing has to be done on the ground. Unless people feel that they own the effort, it’s not likely to go very far. For example, when Wyeth Pharmaceuticals set out to drive a major transformation to adopt lean manufacturing practices, it began with just a few groups at a few factories. The effort soon spread to thousands of employees across more than a dozen sites and cut costs by 25%.

Identify a keystone change. Every change effort begins with some kind of grievance: Costs need to be cut, customers better served, or employees more engaged, for example. Wise managers transform that grievance into a “vision for tomorrow” that will not only address the grievance but also move the organization forward and create a better future. This vision, however, is rarely achievable all at once. Most significant problems have interconnected root causes, so trying to achieve an ambitious vision all at once is more likely to devolve into a five-year march to failure than it is to achieve results. That’s why it’s crucial to start with a keystone change, which represents a clear and tangible goal, involves multiple stakeholders, and paves the way for bigger changes down the road.

That gap between aspiration and practical reality was the challenge that Barry Libenson encountered when he arrived at Experian as CIO in 2015. In his conversations with customers, it became clear that what they most wanted from his company was access to real-time data. Yet to deliver that, he would have to move from the company’s traditional infrastructure to the cloud, an initiative that raised serious concerns about security and reliability. He began by developing methods for accessing real-time data for internal use, rather than going straight to customer-facing features. That required his team to engage many of the same stakeholders and develop many of the same processes that a full shift to the cloud would have required and allowed him to show some early results.

“Once we developed some internal APIs, people could see that there was vast potential, and we gained some momentum,” Libenson told me. Experian not only successfully moved to the cloud but also launched its Ascend platform based on the new infrastructure, which is now the fastest-growing part of its business.

Network the movement. All too often we associate any large-scale change with a single charismatic leader. The U.S. civil rights and Indian independence movements will always be associated Martin Luther King Jr. and Mohandas Gandhi, respectively. In much the same way, turnarounds at major companies like IBM and Alcoa are credited to their CEOs at the time, Lou Gerstner and Paul O’Neill.

The truth is more complicated. King, for example, was just one of the “big six” of U.S. civil rights leaders. Gerstner gained allies by refocusing the company around customers. O’Neill won over labor unions by making a serious commitment to workplace safety. These examples show why, in his book Leaders: Myth and Reality, General Stanley McChrystal defines effective leadership as “a complex system of relationships between leaders and followers, in a particular context, that provides meaning to its members.”

Every large-scale change requires both leadership at the top and the widening and deepening of connections through wooing — not coercing — an ecosystem of stakeholders.

Consider the case of Talia Milgrom-Elcott, cofounder of 100Kin10. When she set out to start a movement to recruit and retain 100,000 STEM teachers in 10 years, she knew there was no shortage of capable groups working to improve education. In fact, she had worked with many people who were building myriad approaches to the issue. But they had never met one another. And so she created a platform for collaboration that brings together nearly 300 partner organizations through conferences, working groups, and networking. Today 100Kin10 is ahead of schedule to meet its goal.

Surviving victory. Often the most dangerous part of any transformation effort is when the initial goals have been met. That’s why successful transformation leaders focus not only on immediate goals but also on the process of change itself. If Wyeth had stopped at a 25% cost reduction, it would have soon found itself in trouble again. But because its employees embraced the lean manufacturing methods, the company was able to keep moving forward. In much the same way, if Experian had been satisfied with merely shifting to a new technology infrastructure, little would have been gained.

In some cases, the benefits of a successful transformation can last for decades. Remembering Gerstner’s IBM turnaround in the 1990s, one of his top lieutenants, Irving Wladawsky-Berger, told me, “Because the transformation was about values first and technology second, we were able to continue to embrace those values as the technology and marketplace continued to evolve.” After a near-death experience, the company remains profitable today.

Editor’s note: An earlier version of this article misidentified Barry Libenson as the CEO of Experian. He is the company’s CIO.
Greg Satell is an international keynote speaker, adviser and bestselling author of Cascades: How to Create a Movement that Drives Transformational Change. His previous effort, Mapping Innovation, was selected as one of the best business books of 2017. You can learn more about Greg on his website, GregSatell.com and follow him on Twitter @DigitalTonto.

Article link: https://hbr.org/2019/08/4-tips-for-managing-organizational-change

Racing to protect the most important network of the 21st century

Tom Wheeler and David SimpsonTuesday, September 3, 2019

Editor’s Note: Tom Wheeler recently appeared on the Lawfare Podcast to discuss the cybersecurity of 5G networks with Brookings Fellow Margaret Taylor. You can listen to the podcast episode here.

“The race to 5G is on and America must win,” President Donald Trump said in April. For political purposes, that “race” has been defined as which nation gets 5G built first. It is the wrong measurement.

We must “fire first effectively” in our deployment of 5G. Borrowing on a philosophy Admiral Arleigh Burke coined in World War II: Speed is important, but speed without a good targeting solution can be disastrous.[1]

5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.

Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.

“As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications.”

The new capabilities made possible by new applications riding 5G networks hold tremendous promise. As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications. To build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.

HYPERFOCUS ON HUAWEI

Effective progress toward achieving minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate concerns regarding Huawei equipment in U.S. networks. While the Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks, it is only one of the many important 5G risk factors. The hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G.

The purpose of this paper is to move beyond the Huawei infrastructure issue to review some of the issues that the furor over Huawei has masked. Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.

Such a review of 5G cyber threat mitigation should focus on the responsibilities of both 5G businesses and government. This should include a review of whether current market-based measures and motivations can address 5G cyber risk factors and where they fall short, the proper role of targeted government intervention in an era of rapid technological change. The time to address these issues is now, before we become dependent on insecure 5G services with no plan for how we sustain cyber readiness for the larger 5G ecosystem.

The after-the-fact cost of missing a proactive 5G cybersecurity opportunity will be much greater than the cost of cyber diligence up front. The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks did not exist at that time, of course, but the attack illustrates the high cost of such incursions, and it pales in comparison to an attack that would result in human injury or loss of life. We need to establish the conditions by which risk-informed cybersecurity investment up front is smart business for all 5G participants.

China is a threat even when there is not Huawei equipment in our networks. From the successful exfiltration of highly sensitive security clearance data in the Office of Personnel Management breach commonly attributed to China, to the ongoing China-linked threat actor campaign against managed service providers, many of China’s most successful attacks have taken advantage of vulnerabilities in non-Chinese applications and hardware and poor cyber hygiene. None of this goes away with the ban on Huawei. We cannot allow the headline-grabbing focus on Chinese network equipment to lull us into a false sense of cybersecurity. In a world of interconnected networks, devices, and applications, every activity is a potential attack vector. This vulnerability is only heightened by the nature of 5G and its highly desirable attributes. The world’s hackers (good and bad) are already turning to the 5G ecosystem, as the just concluded DEFCON 2019 (the annual ethical “hacker Olympics”) illustrated. The targets of this year’s hacker villages included key parts of the 5G ecosystem such as: aviation, automobiles, infrastructure control systems, privacy, retail call centers and help desks, hardware in general, drones, IoT, and voting machines.

5G EXPANDS CYBER RISKS

There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:

1. The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
2. 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
3. Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
4. The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
5. Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.

   Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”

 

5G service providers are the first ones to tell us that 5G will underpin radical and beneficial transformation in what we can do and how we manage our affairs. At the same time, these companies have publicly worried about their ability to address the totality of the cyber threat and have described the future challenge in disturbingly blunt terms. The president’s National Security Telecommunications Advisory Committee (NSTAC)—composed of leaders in the telecommunications industry—told him in November, “The cybersecurity threat now poses an existential threat to the future of the [n]ation.”

The nature of 5G networks exacerbates the cybersecurity threat. Across the country, consumers, companies, and cities seeking to use 5G are ill-equipped to assess, let alone address, its threats. Placing the security burden on the user is an unrealistic expectation, yet it is a major tenet of present cybersecurity activities. Looking to the cybersecurity roles of the multitude of companies in the 5G “ecosystem of ecosystems” reveals an undefined mush. Our present trajectory will not close the cyber gap as 5G greatly expands both the number of connected devices and the categories of activities relying on 5G. This general dissonance is further exacerbated by positioning Chinese technological infection of U.S. critical infrastructure as the essential cyber challenge before us. The truth is that it’s just one of many.

WHAT HAVE WE LEARNED THUS FAR?

5G has challenged our traditional assumptions about network security and the security of the devices and applications that attach to that network. As officials of the Federal Communications Commission (FCC), the authors struggled to deal with these challenges only to be confronted by:

• Industrial-era procedural laws that make rulemaking activity cumbersome and non-rulemaking activity less than optimal.
• The incentive of bad actors to overcome any solution that is typically greater than the incentive to maintain the protection.
•  Industry stakeholder fear of exposing their internally identified risk factors at precisely the time when sharing information about attacks would be of greatest value for a collective defense.

At the same time, those who know the networks the best—the network operators—exist under business structures that are not optimal for effective risk reduction. As an FCC white paper concluded three years ago:

As private actors, ISPs (internet service providers, such as 5G networks) operate in economic environments that pressure against investments that do not contribute to profit. Protective action taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job efficiently.

The FCC report’s finding—that market forces alone would not address society’s cyber risk interests—highlighted the ISPs over which the agency had primary jurisdiction. The report additionally examined the larger ecosystem and concluded that the motivation to solve the problem generally gets worse when consumers do not link a purchasing decision with a cyber risk outcome. This, unfortunately, is all too often the case, as service providers as well as device and application vendors do not make meaningful security differentiators public and don’t compete on any verifiable security indicators.

“None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged.”

In 2016, for instance, hackers shut down major portions of the internet by taking control of millions of low-cost chips in the motherboards of video security cameras and digital video recorders. That the internet could be attacked this way reflected the reality of digital supply chains: Because consumers didn’t consider cybersecurity in their purchase decisions of low-cost connected devices (they were the means, not the target of the attack), retailers didn’t prioritize security in their decisions of what to stock. As a result, manufacturers didn’t emphasize cyber in the components they purchased and thus chip and motherboard manufacturers did not include cyber protections in their product. None of companies defined a role for themselves for sustaining post-purchase product cyber readiness and, by and large, that’s still the case.

New industry verticals are bringing 5G-enabled capabilities to a market where good faith efforts are insufficient. There is no evidence that the business priorities of the suppliers of devices and applications are any different than those attributed to network operators in the FCC report. A 2018 report by the Trump administration’s Council of Economic Advisers, for instance, warned of, “underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged. Continuation of corporate and governmental policies that are not keeping up with today’s cyber risk do not bode well for a volumetric expansion of the attackable network and data surface of 5G networks. There is a crying need for coordinated efforts to achieve targeted expectations.

TWO KEYS TO WINNING THE REAL “5G RACE”

The real “5G race” is whether the most important network of the 21st century will be sufficiently secure to realize its technological promises. Yes, speedy implementation is important, but security is paramount. To answer that overriding question requires new efforts by both business and government and a new relationship between the two.

The recommendations that follow are both important and not without cost. In normal times, such suggestions might be judged too much of a departure from traditional practices. These are not normal times, however. The outlook for a future that relies on 5G and other new digital pathways is cyber-defined. Our nation has moved into a new era of non-kinetic warfare and criminal activity by nation-states and their surrogates. This new reality justifies the following corporate and governmental actions.

Key #1: Companies must recognize and be held responsible for a new cyber duty of care

The first of this two-part proposal is the establishment of a rewards-based (as opposed to penalty-driven) incentive for companies to adhere to a “cyber duty of care.” Traditionally, common law established that those who provide products and services have a duty of care to identify and mitigate potential harms that could result. There needs to be a new corporate culture in which cyber risk is treated as an essential corporate duty and rewarded with appropriate incentives, whether in monetary, regulatory, or other forms. Such incentives would require adherence to a standard of cyber hygiene which, if met, would entitle the company to be treated differently than other non-complying entities. Such a cyber duty of care includes the following:

Reversing chronic underinvestment in cyber risk reduction

Proactive cyber investment today is the exception rather than the rule. For public companies, the Securities and Exchange Commission (SEC) and others are driving change from the corporate board-level on down through management. A favorite entrance point for cyberattacks, however, remains the smaller companies, many of which are outside of the scope of these efforts. Unfortunately, the SEC’s efforts impact only the less than 10% of American companies that are publicly owned. At the very least, where companies have a role in critical infrastructure or provide a product or service that, if attacked, could imperil public safety, there must be the expectation that cybersecurity risks are being addressed proactively.[2]

Implementation of machine learning and artificial intelligence protection

Cyberattacks on 5G will be software attacks; they must be countered with software protections. During a Brookings-convened discussion on 5G cybersecurity, one participant observed, “We’re fighting a software fight with people” whereas the attackers are machines. Such an approach was like “looking through soda straws at separate, discrete portions of the environment” at a time when a holistic approach and consistent visibility across the entire environment is needed. The speed and breadth of computer-driven cyberattacks requires the speed and breadth of computer-driven protections at all levels of the supply chain.

Shifting from lag indicators of cyber-preparedness (post-attack) to leading indicators

A 2018 White House report found a “pervasive” underreporting of cyber events that “hampers the ability of all actors to respond effectively and immediately.” The 5G cyber realm needs to adopt leading indicator methodology to communicate cyber-preparedness between interdependent commercial companies and with government entities charged with oversight responsibilities. There are a number of good examples to pull from. Shared cyber risk assessments are increasingly a best practice for cyber-mature companies and their supply chain. Several accounting and insurance firms have developed lead metrics to inform cyber risk reduction investments and underwrite policies. The Department of Homeland Security has resiliency self-assessment standards to motivate long-term community disaster preparedness improvement.[3] Such a model should be extended to the 5G cyber realm in order to shift oversight from lag indicators to lead indicators.

A regular program of engagement with boards and regulators using cybersecurity lead indicators will build trust, accelerate closing the 5G readiness gap and lead towards more constructive outcomes when cyber attackers do succeed. Underreporting of lag indicators, as highlighted in the 2018 White House report should be addressed, but with the primary purpose of closing the feedback loop, improving the quality of lead measures and the investment decision process they inform.

Cybersecurity starts with the 5G networks themselves

While many of the large network providers building 5G are committing meaningful resources to cyber, small- and medium-sized wireless ISPs serving rural communities have been hard pressed to rationalize a robust cybersecurity program. Some of these companies have fewer than 10 employees and can’t afford a dedicated cyber security officer or a 24/7 cyber security operations center. Still, they will be offering 5G services and interconnecting with 5G networks. About one-third of these companies have ignored government warnings about the use of Huawei equipment and are now petitioning Congress to pay for their poor decisions and pay to replace the non-Chinese equipment. Any replacement must include the expectation that the companies will establish sufficient cybersecurity processes that sustain protections. All the networks that deliver 5G—whether big brand names, small local companies, wireless ISPs, or municipal broadband providers—must have proactive cyber protection programs.

Insert security into the development and operations cycle

For many application developers, a core agile development tenet has been sprinting to deploy a minimum viable product, accepting risk, and committing to later providing consumer-feedback-driven upgrades once the product gains a following. Software companies and those providing innovative, software-based products and services are beginning to insert cybersecurity in the process as a design, deployment, and sustainment consideration for every new project. Such security by design should be a minimum duty of care across the commercial space for innovations in the emerging 5G environment.

Best practices

The National Institute for Standards and Technology (NIST) Cybersecurity Framework has established five areas for best practice cybersecurity management that could become the basis of industry best practices: Identify, protect, detect, respond, and recover. For instance, NIST’s “identify” initiative focuses on determination of a company’s cyber universe, threats, and vulnerabilities in order to identify cyber risk reduction investments. While not limited only to the NIST framework, Congress should establish a cybersecurity standard of expected performance and accompanying incentives for its adoption by companies. While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry and continue to place the burden on poorly informed consumers to know whether the best practices are being fulfilled. The Consumer Technology Association (CTA)—representing the $377 billion U.S. consumer technology industry—helped produce an anti-botnet guide that outlines best practices for device manufactures, but there is no way for a consumer to easily tell if it’s being followed.

“While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry.”

Unfortunately, publication of optional cybersecurity best practices without full industry buy-in may be an attempt at responsible behavior and good public relations, but often do little to change the cyber risk landscape. While CTA has additionally published a useful buyer’s guide to explain cyber risk issues and improve household cyber hygiene, one wonders how many consumers of low-cost network connected technologies even know of its existence. Shifting cyber risk burdens to poorly informed consumers has limited utility. The 5G commercial sector needs to acknowledge the limits of consumer-based actions, own the residual risk, and work together with government oversight to assign cross-sector mitigation responsibilities.

Key #2: Government must establish a new cyber regulatory paradigm to reflect the new realities

Current procedural rules for government agencies were developed in an industrial environment in which innovation and change—let alone security threats—developed more slowly. The fast pace of digital innovation and threats requires a new approach to the business-government relationship.

More effective regulatory cyber relationships with those regulated

Cybersecurity is hard, and we should not pretend otherwise. As presently structured, government is not in a good position to get ahead of the threat and determine detailed standards or compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to de-escalate the adversarial relationship that can develop between regulators and the companies they oversee. This would replace detailed compliance instructions left over from the industrial era with regular and fulsome cybersecurity engagements between the regulators and the providers at greatest risk as determined by criticality, scale (impact), or demonstrated problems (vulnerabilities) built around the cyber duty of care. It would be designed to reward sectors where participants have organized and are clearly investing ahead of failure to address risk factors.

Conversely, where sectors are ignoring cyber risk factors, graduated regulatory incentives can change corporate risk calculus to address consumer and community concerns. These activities would be afforded confidentiality and not be used by themselves to discover enforcement violations, but instead to help both regulators and the regulated better spot trends, best practices, and collectively and systematically improve their sector’s approach to cyber risk. DHS can have a supporting role for this, but at the end of the day, the balance between security, innovation, corporate means, and market factors is inherently regulatory. Absent the ability to impose a decision, government involvement can only be hortatory.

Recognition of marketplace shortcomings

Economic forces drive corporate behavior. Of course, there are bottom-line-affecting costs associated with cybersecurity. Even when such costs are voluntarily incurred, however, their benefits can be undone by another company that doesn’t make the effort. The first of this paper’s two recommendations suggests what companies can do to exercise their cyber duty of care. History has shown, however, that the carrot accompanying such efforts often needs the persuasion of a standby stick. This is only fair to those companies that step up to their responsibility and should not be penalized in the marketplace by those that do not step up. A rewards-based policy would amplify the value of cyber duty of care participation, especially when others fall short. It would also provide forward-looking incentive for risk reduction and a more useful feedback loop when breaches invariably occur.

Consumer transparency

Consumers have little awareness and no insight with which to make an informed market decision. The situation is analogous to the forces that resulted in the establishment of nutritional labeling for foods. Consumers should be given the tools with which to make informed decisions. “Nutritional labeling” about cyber risks or a cyber version of Underwriters Laboratories’ self-certification will help focus the attention of all parties on its importance.

Inspection and certification of connected devices

For years, the FCC has overseen a program to certify that radio-signal-emitting devices do not interfere with authorized use of the nation’s airwaves. Whether cellphones, baby monitors, electronic power supplies, or Tickle Me Elmo, the FCC assures the design and assembly of transmitting devices are within standards. The industry then organizes underneath that construct to self-certify devices in a cost-effective means baked into their production and distribution processes. At the time of the 2016 DYN attack that took control of millions of video cameras, the authors proposed a similar regimen to review the cybersecurity of connected devices. If we protect our radio networks from harmful equipment, why do we not protect our 5G networks from cyber-vulnerable equipment?

Contracts aren’t enough

Both the executive and legislative branches have focused on using government acquisition standards and pathfinder contracts to impose cybersecurity requirements where government contracts can compel commercial actions. This is an important, proven practice, but it can only go so far. Federal acquisition policies do not reach non-government suppliers that in an interconnected network can wreak havoc by simply connecting to the network. The majority of small and medium 5G network providers are not bound by any of these government contracts.

Stimulate closure of 5G supply chain gaps

For years government review of mergers and acquisitions has typically failed to appreciate the potential negative impact on critical supply chains. Moving companies and processes offshore or to joint ventures with foreign ownership/control has created wholesale gaps in the supply of crucial 5G components and the absence of domestic procurement options. Country of origin/ownership concerns must become relevant to both the corporate calculus that led to offshoring purchase decisions as well as to the market conditions that led to the destruction of a national capability in the first place. 5G supply chain market analysis must be continuous with regular engagement between regulators, industry, and the executive and legislative branches to properly incentivize globally competitive domestic sourcing alternatives.

Re-engage with international bodies

At present, the standards setting process for 5G is governed by the 3rd Generation Partnership Project (3GPP), an industry group that makes decisions by consensus based on input from its members, including Chinese 5G equipment companies. (Huawei reportedly made the most contributions to the 5G standard). The Obama FCC engaged directly with 3GPP to identify public safety and cybersecurity risk considerations applicable to the U.S. market. It additionally opened a notice of inquiry to ask the nation’s best technology brains how to implement cybersecurity risk reduction as part of the development and deployment cycle. The move was opposed by some industry associations and the Republican commissioners. Shortly after the beginning of the Trump administration, the new FCC cancelled the Obama FCC’s cyber initiatives.

There needs to be informed third-party oversight early in the 5G industry’s design and deployment cycle in order to prioritize cyber security. The nation, our communities and our citizens should—through their government—have some degree of agency in the process. The FCC and Commerce Department should participate in 3GPP and the U.S. feeder group as observer stakeholders. This will allow for earlier issue identification and the opportunity to submit concerns, without changing the basic governance of standards setting. The representatives of American citizens should have the option to escalate engagement on matters of national security and public safety concern.

CONCLUSION

It is an amazing turn of events when the U.S. Senate, currently led by Republicans, feels it necessary to introduce legislation instructing the Trump administration “to develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure.” The 5G cybersecurity threat is a whole-of-the-nation peril. We should not be lulled into complacency because the newness of the network has masked the threat. We must not confuse 5G cybersecurity with international trade policy. Congress should not have to pass legislation instructing the Trump administration to act on 5G cybersecurity. The whole-of-the-nation peril requires a whole-of-the-economy and whole-of-the-government response built around the realities of the information age, not formulaic laissez faire political philosophy or the structures of the industrial age.

“People are going to be put at risk and possibly die as we increasingly connect life sustaining devices to the internet,” was the stark warning from one of the experts participating in a Brookings roundtable on 5G cybersecurity. This cold reality is because the internet’s connection to people and the things on which they depend will increasingly be through vulnerable 5G networks. It is an exposure that is exacerbated by a cyber cold war simmering below the surface of consumer consciousness.

Early generation cyberattacks targeted intellectual property, extortion, and hacked databases. Today, the stakes are even higher as nation-state actors and their proxies gain footholds in our nation’s critical infrastructure to create attack platforms lying in wait. Any rational risk-based assessment reveals that the favored adversary target is our commercial sector. Companies that provide critical network infrastructure or provide products or services connected to it represent the likely and potentially most dangerous enemy course of action in the ongoing cyber cold war.

“If you’re asking me if I think we’re at war, I think I’d say yes,” the former commandant of the Marine Corps, Gen. Robert Neller, told an audience in February. “We’re at war right now in cyberspace. … They’re pouring over the castle walls every day.” While our adversaries, no doubt, see positive outcomes for high-profile direct attack, they also are perfecting less-risky positive outcomes in a steady pace of low-level attacks intended to erode U.S. public confidence in our cyber critical infrastructure and the digital economy it underpins. The low-intensity cyber war is already ongoing as our adversaries risk very little in these attacks and stand to gain much.

Into this attack environment has come a software-based network built on a distributed architecture. With its software operations per se vulnerable, and a distributed topology that precludes the kind of centralized chokepoint afforded by earlier networks, 5G networks will be an invitation to attacks. Given that the cyber threat to the nation comes through commercial networks, devices, and applications, our 5G cyber focus must begin with the responsibilities of those companies involved in the new network, its devices, and applications. The cyber duty of care for those involved in 5G services is the beginning of such proactive responsibility.

At the same time, the federal government has its own responsibility to create incentives for 5G companies to focus on the cyber vulnerabilities they create. This is especially the case when there may be a corporate or marketplace lack of motivation to prioritize a maximum cyber effort. As outlined in this paper, this will necessitate replacing the rigid industrial-era relationship between government and business with more innovative and agile means of dealing with the shared problem.

Yes, the “race” to 5G is on—but it is a race to secure our nation, our economy, and our citizens.

The moment is now for a bipartisan call to action to not just address the current 5G exposures, but also to address the structural shortfalls that have allowed the cyber readiness gap to continue to grow. What got us here won’t get us to a secure 5G-enabled future.

Tom Wheeler was the 31st chair of the FCC from 2013 to 2017. Currently, he is a visiting fellow at the Brookings Institution. Rear Admiral David Simpson, USN (Ret.), was chief of the FCC’s Public Safety and Homeland Security Bureau during the same period. Currently, he is a professor at Virginia Tech’s Pamplin College of Business.

The Brookings Institution is a nonprofit organization devoted to independent research and policy solutions. Its mission is to conduct high-quality, independent research and, based on that research, to provide innovative, practical recommendations for policymakers and the public. The conclusions and recommendations of any Brookings publication are solely those of its author(s), and do not reflect the views of the Institution, its management, or its other scholars.

Microsoft provides general, unrestricted support to The Brookings Institution. The findings, interpretations, and conclusions posted in this piece are not influenced by any donation. Brookings recognizes that the value it provides is in its absolute commitment to quality, independence, and impact. Activities supported by its donors reflect this commitment.

Report Produced by Center for Technology Innovation

Article link: https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/

1. 1Captain Wayne P. Hughes, Jr., USN (Ret.), Fleet Tactics and Coastal Combat, 2^nd ed., U.S. Naval Institute Press, 2000, pp.40-44
3. 2Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015). Externalities and the Magnitude of Cyber Security Underinvestment by Private Sec tor Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. http://dx.doi.org/10.4236/jis.2015.61003
5. 3While the authors do not want to understate the shortfalls associated with the NIMS self-assessment model and lack of federal engagement at the regional level to assess actual NIMS implementation, we do want to note that a decade in, NIMS has succeeded in establishing a common language and investment framework for long-term steady improvements to resiliency in over 10,000 jurisdictions across the country.

 

---

August 12, 2019  By Jack Corrigan,
Staff Correspondent

The plan is meant to help federal leaders roll out standards that reduce the potential risks of AI without stifling innovation.

Federal standards for artificial intelligence must be strict enough to prevent the tech from harming humans, yet flexible enough to encourage innovation and get the tech industry on board, according to the National Institute of Standards and Technology.

However, without better standards for measuring the performance and trustworthiness of AI tools, officials said, the government could have a tough time striking that balance.

On Monday, NIST released its much-anticipated guidance on how the government should approach developing technical and ethical standards for artificial intelligence. Though it doesn’t include any specific regulations or policies, the plan outlines multiple initiatives that would help the government promote the responsible use of AI and lists a number of high-level principles that should inform any future standards for the tech.

The strategy also stresses the need to develop technologies that would help agencies better study and assess the quality of AI-powered systems. Such tools, which include standardized testing mechanisms and robust performance metrics, would allow the government to better understand individual systems and determine how to develop effective standards.

“It is important for those participating in AI standards development to be aware of, and to act consistently with, U.S. government policies and principles, including those that address societal and ethical issues, governance and privacy,” NIST officials wrote in the plan. “While there is broad agreement that these issues must factor into AI standards, it is not clear how that should be done and whether there is yet sufficient scientific and technical basis to develop those standards provisions.”

NIST’s plan was born out of a February executive order that called on agencies to ramp up their investments in AI as global competitors like China work to bolster their own AI capabilities. The strategy comes as one of the government’s first and most concrete steps toward placing guardrails on a technology that could have significant negative repercussions if left unchecked.

The AI standards developed in the years ahead should be flexible enough to adapt to new technologies while also minimizing bias and protecting individual privacy, the agency said. While some standards will apply across the broader AI marketplace, NIST advised the government to also examine whether specific applications require more targeted standards and regulations.

“The degree of potential risk presented by particular AI technologies and systems will help to drive decision making about the need for specific AI standards and standards-related tools,” officials said.

As the government begins developing rules for AI, it’s also important to remember the importance of timing, according to NIST. Standards that come too early could get in the way of innovation, officials said, but if they come too late, it will be difficult to get industry to agree to them voluntarily. As such, agencies need to constantly look outside of government to gauge the current state of AI and understand when federal action may be needed.

“The government’s meaningful engagement … is necessary, but not sufficient, for the nation to maintain its leadership in this competitive realm,” NIST said. “Active involvement and leadership by the private sector, as well as academia, is required.”

In the plan, NIST officials said government leaders should work to better coordinate agencies’ efforts to understand AI and develop standards for the tech. To that end, they recommended the White House designate a member of the National Science and Technology Council to oversee AI standards and urged agencies to study the approaches tech companies are taking to steer their own AI development efforts.

NIST also advised the government to invest in research that focuses on understanding AI trustworthiness and incorporating those metrics into future standards. Expanding public-private partnerships could also help inform federal AI standards, they said, and increasing cooperation with international partners could help address many of the national security concerns related to the tech.

“Public trust, security, and privacy considerations remain critical components of our approach to setting AI technical standards,” U.S. Chief Technology Officer Michael Kratsios said in a statement. “As put forward by NIST, federal guidance for AI standards development will support reliable, robust and trustworthy systems and ensure AI is created and applied for the benefit of the American people.

Article link: https://www.nextgov.com/emerging-tech/2019/08/nist-lays-out-roadmap-developing-artificial-intelligence-standards/159119/

 

By Driek Desmet, Niels Maerkedahl, and Parker Shi

To fully benefit from new business technology, CIOs need to adapt their traditional IT functions to the opportunities and challenges of emerging technology “ecosystems.” Here’s how it’s done.

IT has traditionally functioned as the foundation to keep a company running. One of its core functions has been to protect company operations with firewalls and encryption to keep external technologies out. With the advance of technologies, however, a vast array of capabilities and sources of competitive advantage are emerging beyond a business’ traditional walls. Those capabilities are coalescing in a wealth of new ecosystems (see Exhibit 1).

These ecosystems often overlap. A social payment app, for example, may be part of the mobile, social, data, and banking services ecosystems. The Internet of Things (IOT) is an ecosystem where multiple applications communicate with each other as a network

By plugging into these ecosystems, companies can get access to entire networks. They can, among other benefits, find new customers, tap into new sources of data, and improve established business processes.

CIOs and IT organizations have a huge role to play in capturing these opportunities. But they can’t do it through “business as usual.” In an ecosystem environment, an exclusive focus on “protecting the center” can limit a company’s ability to capitalize on emerging opportunities. To adapt their complex business-technology architecture to function in a world of ecosystems, CIOs will have to figure out how to simultaneously draw external technologies closer while managing security issues and getting a handle on the accelerating stream of technological innovations.

IDC predicts that by 2018, more than 50 percent of large enterprises—and more than 80 percent of enterprises with advanced digital-transformation strategies—will create or partner with industry platforms.1 At the same time, there will be more than 50 billion connected devices expected by 2020, according to Cisco.

These numbers point toward a radical reframing of what IT is and how CIOs manage it—not as an internal collection of information technologies (IT) but as a broad network of ecosystem technologies (ET). For the CIO, this shift also creates a significant opportunity to work closely with the CEO on business priorities and to become a prime strategic partner.

Understanding ecosystem technologies

ET encapsulates an expanded set of IT capabilities and functions (Exhibit 2). The CIO still needs to manage the multi-speed IT functions2 as well as current bilateral programs. The new layer of ET represents a new set of capabilities as well as the extension of existing ones.

CIOs can define and shape their ET three ways:

1. Opening up internal IT to outside world

This approach is about architecting IT to link internally driven systems and capabilities into external systems. One example of this in action is Delta Air Lines’ mobile app, which extends to Uber so travelers can order a car upon landing. Kraft has expanded its recipe app to become a pantry-management tool, generating a shopping list that seamlessly connects with the grocery-delivery service Peapod. Think of it as extending the customer’s journey—and the company’s relationship with the customer—through integration with other service providers.3

Many companies have already been providing integration capabilities to upstream and downstream partners—technologies such as EDI (electronic data interchange) have been in existence for decades. However, those integration points are often static. They are bilateral connections with a small, preselected group of partners such as distributors and suppliers. Those points of integration happen infrequently and often in a batch.

The future of integration into external ecosystems will force companies to interact with many more partners covering a broad range of functions, ranging from customer sourcing to social advertising to payment solutions. That’s because the low cost of technology and a dynamic start-up environment has led to a massive increase in the rate at which new services are being introduced. This means that the IT function must follow the ‘Amazon principle’ of making system components available as a service to enable integration with the ecosystem. The interfaces must be open, dynamic, and functional in real time so that they can integrate partners, technologies, and applications on an as-needed basis.

One clear implication is the need to design lightweight technology architecture built on microservices and application programming interfaces (APIs) to allow third parties to easily hook into the new ecosystem. CIOs need to start thinking in terms of platform architecture such as auto-industry OEMs use to allow for future upgrades across the ecosystem. They may even need to offer an ‘app store’ to allow consumers to pick and choose desired capabilities—and, of course, the infrastructure must be robust and secure.

One example of how this can play out might be found in telecom players that expand their connected services to e-commerce, music, health, insurance, education, media, and smart homes. These services would all be connected into one ecosystem offering the customer multiple services through the telco’s technology backbone. Salesforce’s AppExchange is already doing this by creating an environment in the cloud where developers can create and release their own apps.

2. Internalizing external IT

This approach focuses on opening up internal IT systems so that the business can plug in the external capabilities available in the ecosystem to better serve its own customers, support its own employees, or create new products and capabilities, often offered via SaaS and APIs. A simple example is integrating a third-party point-of-sale (POS) application into a company’s internal payment systems to simplify a customer’s in-store purchase process. Or integrating a third-party customer-service chat function into a company’s website. Or even integrating Yammer to help with employee productivity.

This approach clearly changes how IT designs and manages its systems. It’s no longer about buying software packages and building bespoke solutions on premise or working with a few systems integrators to deliver a business solution. It’s now all about understanding the end-to-end customer experience and how external and already available services can be utilized with internal solutions to offer a complete and unique offering. Companies will need to complement internal skills with external specialization integrated deeply into the ongoing fabric of its IT application development and infrastructure management. It’s about creating a 24/7 environment that enables product offerings to millions of customers globally.

One leading international travel company, disrupted by start-ups in the market, decided it needed to build up its capabilities to drive its transformation. An important component of its strategy was to use specialized vendors from the external ecosystem to support different capabilities, for example, mobile, search engine, CRM, payments. This approach allowed them to accelerate their transformation, scale up their services, and tap specialized talent as technologies evolved and demand spiked.

3. Modernizing IT to scale innovation

We’ve all heard often enough how torrid the pace of new technologies has become. But it’s worth remembering that many of the new tools have the potential to fundamentally change a company’s business model, though that may not be clear at first. To guard against being caught unprepared and to adopt a more aggressive competitive posture, companies should begin testing these technologies to be ready to bring them on board as soon as their value is proven and they can work at scale. This may be a matter of “playing” with new technology (e.g., alike open source standards) in dedicated sandlots where the connectivity between the internal IT and external IT can be tested. Furthermore IT leaders will need to actively form partnerships or alliances with vendors and service providers to really understand and evaluate how the technology can be used in their business environment.

It is true that many companies have already been actively investing in emerging technologies. For example, many financial-services companies have set up internal corporate venture-capital funds to invest in technologies such as blockchain and the IOT. However, companies have demonstrated less progress—and success—in integrating those technologies into their existing IT infrastructure and successfully extending the value proposition to their customers. The start-ups often have immature technologies that cannot scale, and they often leverage external cloud services that may not be compatible with companies’ own cloud infrastructure. Therefore it’s important for companies to think through how they enable a smooth integration of both technical solution and working culture to fully capitalize on the products that the start-ups are offering. If not done correctly, companies will create the next wave of spaghetti IT infrastructure.

Given the scale of innovation, it would be virtually impossible to keep up unless the CIO designates specific analysts or architects whose job it is to identify and assess the compatibility of external technologies. The DBS Innovation Group, for example, has established a fintech SVP role responsible for identifying, integrating, and managing potential eco-system members. This person leads and drives fintech engagements locally and regionally, and reports to the global head of partnerships.
Regardless of which way—or combination of ways—the CEO and CIO choose, IT moves to the forefront not just of technology but also of business-model innovation.

Getting started with ET

While building out ET is complex and based on many interdependencies, we’ve found that focusing on the following six elements gives CIOs and CEOs a big advantage in getting the most value from it:

1. Rethink the business’ strategy.

Which way, or combination of ways, a company chooses to interact with various ecosystems (or create its own ecosystem) depends on three things: its strategy, the market environment, and the risk appetite of the overall enterprise. This in turn requires the CIO to work closely as a partner with the CEO and C-suite to help shape the business strategy by identifying emerging technologies and ecosystems that could disrupt the marketplace, determine where future sources of value are, and develop necessary strategic actions to capture it. This dialog is a two-way and constant exploration in which technology and business strategy are inextricably linked. The CIO’s role is not just to determine feasibility but to help the business determine what threats and opportunities exist in engaging in ecosystems (see article “The economic essentials of digital strategy”).

2. Develop the infrastructure.

The new bidirectional integration of technologies is dynamic in nature; it happens in real time with thousands of invoking partners or end consumers. This requires companies to redesign the next-generation integration architecture to support it and enforce open standards that can be easily adopted by external parties. A company’s existing master data-management catalog will also need to be extended to include third-party data and potential integration with external master-data providers. There has to be a clear data architecture and governance in place to ensure data cleaning, rationalization, and standardization for the systems to work.

3. Reinvent customer-management processes and structures.

When customers call with technical issues, it will be challenging to figure where the fault points are in an ET environment. Is it the company’s systems, a third party’s services, the cloud that houses the service, the network—or some combination of the above? This reality will require companies to fundamentally rethink their infrastructure-support processes.

Creating SLAs that clearly define issue resolution and escalation protocols that all parties agree to will be crucial. Creating standard identifying tags or ‘tripwires’ and integrating them into participating ET services, partners, and technologies will be important to locate issues quickly so they can be resolved.

These standards and agreements, however, are not an excuse for shuttling customers from one partner to another and another. The customer-facing company needs to solve the issues behind the scenes and spare the customer the complexity of navigating the partners’ ecosystems.

4. Define the parameters for cybersecurity, legal, and partnerships.

As a result of the extended infrastructure, internal cybersecurity policies and processes will need to include third-party partners and vendors. A new set of security standards should be defined and agreed to that clearly articulates how the integration will take place and what kind of data can be exchanged with whom.

Working with a broad range of third parties will raise other legal questions as well. IP, liability, privacy, profit sharing, and regulatory/compliance issues all have the potential to severely impede potential benefits from engaging in the broader ecosystem. Licensing issues have already emerged between cloud companies and on-premises hardware and software businesses because of competing and different business models. Data ownership and customer management in particular will be crucial given the need for companies to access both.

This will call on significant negotiating skills and a commitment to develop and apply a broad set of standards to avoid constant renegotiating with each new partner or vendor from scratch. Setting up an app-store approach where standards are clearly stated, tools provided, and agreements specifically made at the beginning may provide a useful model.

Engaging with a network of vendors also requires changes in skills certification and vendor performance management. Companies will need to clearly define the standards and procedures under which vendors must operate and guidelines that define how the vendor will be included in the delivery lifecycle. Home Depot is developing standards with the manufacturers of its products to ensure compatibility with the Wink connected-home system. Companies that do this most effectively treat vendor relationships as partnerships with strong transparency. The internal-supply and vendor-management functions will need to be restructured to work more like M&A, which can integrate new partners or establish new alliances quickly and efficiently.

5. Cultivate an “open” mind.

CIOs have traditionally focused on protecting systems and ensuring that they run well. But the new digital world demands more active engagement with the outside world to understand competitive threats and sources of value. CIOs should start with developing a much more externally compatible view of the current IT infrastructure and thinking about how to design new ways of meaningfully integrating external systems. Spending a long time building overly complex ‘bulletproof’ systems is counterproductive; testing an application or new platform environment should take a matter of days or weeks.

6. Invest in new  capabilities

As businesses increasingly engage with external ecosystem technologies, full-stack architects and convergence infrastructure engineers are needed who can provide expertise in third-party packaged software, have fluency in multiple best-of-breed technologies, and bring experience integrating multiple technologies. ‘Translator’ capabilities will also be crucial to bridge the gaps between business goals and technology requirements to be provisioned through the ecosystem. Any new function within the enterprise architecture should work closely with business to understand how external services can be integrated with products to extend the customer value proposition.
With the advancement of cloud computing and infrastructure as programmable software, infrastructure resources (e.g., networks, servers, storage, applications and services) can now be rapidly provisioned, managed, and operated with minimal effort. That requires DevOps (the integration of development and operations) and cloud engineers, who have the experience to navigate a rapidly changing cloud computing ecosystem and program software, as well as data scientists, automation engineers, and enterprise architects. Companies will also need to find a few senior developers who can set up app-store development standards.

Companies have outsourced many of these capabilities. But due to the increased importance of engineering and automation skills, many are rethinking that approach as IT evolves from utility to enabler.

Integrating a company’s IT with third-party capabilities creates opportunities to capture substantial new sources of value. But until IT expands to become ET, the vast majority of those opportunities will remain out of reach.

Article link: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/adopting-an-ecosystem-view-of-business-technology