by Andrew White, Michael Smets, Adam Canwell
July 18, 2022

Summary. It’s not news that organizational transformations are prone to failure. To understand the skills, mindsets, and capabilities behind successful transformations in today’s dynamic environment, EY and Oxford University formed a research collaboration to investigate what it takes to lead a successful transformation. One of the authors’ most important findings is that, in order for transformation to be successful, leaders must approach it in ways designed to mitigate emotional harm to — and drive emotional commitment from — employees. The workforce bears the brunt of failed transformations, and the emotional damage can be substantial as employees lose confidence in leaders and become skeptical of further attempts at transformation. Drawn from their research, the authors present seven ways for leaders to set their transformations up for success by prioritizing their employees’ — and their own — emotions.
The road is littered with failed transformation programs that were set up in the traditional way: Leaders define objectives, design a project plan, agree on KPIs, and recruit the right people. As many executives, academics, and consultants can relate to, the rate of failure in transformations is still far too high, and one that organizations can ill afford in these disruptive times.
To understand the skills, mindsets, and capabilities behind successful transformations in today’s dynamic environment, EY and Oxford University formed a research collaboration to investigate what it takes to lead a successful transformation. We surveyed 935 CXOs and 1,127 members of the workforce. Approximately 50% of them represented a successful transformation project and 50% an unsuccessful one. The respondents came from 23 countries, seven industries, and 16 sub-industry sectors. We also conducted 25 in-depth interviews with CXOs from multiple global companies. Before their interviews, each leader was asked to identify three critical turning points in their transformation. The interviews then focused on each turning point to understand when and why it happened, what actions were taken, and how they impacted the outcome of the transformation.
One of our most important findings is that, in order for transformation to be successful, leaders must approach it in ways designed to mitigate emotional harm to — and drive emotional commitment from — employees.
What makes transformations successful — and unsuccessful
In general, we found that leaders and workers started transformations at the same point emotionally: excited and optimistic. As the transformations got going, they all showed a reduction in positive emotions and an increase in negative emotions. All transformations are tough, and confidence is bound to dip. This is not only inevitable, it’s key to the transformation’s success: Heightened stress raises performance (up to a point), and leaders who learn from their emotions bring those lessons into the transformation. This maintains a zone of high performance, which is an accelerator for a transformation.
For emotions to be accelerators rather than inhibitors of transformation, leaders must put conditions in place in advance so that the transformation can come through this “pressure zone.” They must create psychological safety and construct mechanisms for all voices to be heard. And as the pressure increases, support, such as listening sessions and employee coaching, needs to increase along with it.
Without that corresponding increase in psychological safety and support, transformations spiral downward. The workforce is left feeling anxious and overworked. People lose faith in transformation when there’s no compelling vision, no visible progress, and no practical and emotional support from leaders. When key stakeholders and the leaders themselves lose faith in the transformation, they may start to distance themselves from it, looking to reduce damage to their own brands and jumping to different activities.
Seven steps for a successful transformation
The workforce bears the brunt of failed transformations, and the emotional damage can be substantial as employees lose confidence in leaders and become skeptical of further attempts at transformation.
Drawn from our research, here are seven ways for leaders to set their transformations up for success by prioritizing their employees’ — and their own — emotions.
1. Address the unsustainable status quo.
The first step in any transformation is recognizing that the status quo is unsustainable. This takes courage and an ability to hold and facilitate the emotionally uncomfortable conversations that lead you to accept the delta between where you are today and where you need to be tomorrow. It’s about working on yourself first by becoming aware of what mindsets and assumptions underpin your view of success and beginning a transformational emotional journey.
Understanding the unsustainability of the status quo can mean putting yourself as a leader in a different place, often physically, in order to see yourself, your company, and the part of the world you operate in and impact differently. An executive from the consumer goods industry demonstrated this point in speaking about a 10-day executive trip to Silicon Valley:
For me the key to the start of the transformation was the Silicon Valley trip. Those of us in the top team saw what the world looked like somewhere else and realized just how different and successful it was. We thought, if we don’t do this, we could be toast in 10 years’ time. Speaking for myself, personally, I came away from Silicon Valley thinking, I have to undergo a pretty profound re-education.
2. Detach from the status quo.
The next step is to consciously detach from the status quo. Embrace the unknown and adopt the humility required to challenge the mindsets and assumptions you have about your company and its current ways of working, as well as the industry and what constitutes success.
This step is about understanding your own ego’s need to be an expert and recognizing the importance of being open to learning during this time of transformation. This is where the real work of leaning into the emotions of anxiety, fear, and excitement occurs as your identity and status moves to the backburner. You must view not knowing what the future might look like as a key capability, rather than a sign of personal weakness.
This means understanding the system in which you’re located (beyond direct competitors), how it’s changing, and what opportunities and risks are being created. This can be uncomfortable. Embrace this discomfort; don’t shy away from it.
This step also requires exposure to new ideas that will inform and structure the future of the industry you’re in and therefore your company. For example, a CEO of a multinational retailer described to us how they attended an eight-week bootcamp on circular economics to understand how the idea would inform how their company needed to transform its operations to align with environmental challenges.
3. Develop a purposeful vision.
Embracing the unknown and adopting humility enables you to develop a purposeful vision because it allows you to see more clearly what needs to change and why. It allows you to understand why you exist, independent from the current mindsets and assumptions and the ways your company operates and creates value. You can then imagine how you might create value differently at a functional, product and service, or even entire business model level. The leader of a healthcare business reflected:
When we began the transformation, the mindset in the organization was that our business model was razors and razorblades. I said, no, that’s not our business, our business is that we give people much needed answers and we change people’s lives. Now our teams are connected to a purpose and show up with their heart, not an arrogant approach… It doesn’t matter who you report to, or what your status is, it’s having a purpose that you can connect to, such as to make people’s lives better, and coming to work every day with a great attitude and a growth mindset. That’s transformation for us in a nutshell.
4. Lead emotional transformation.
This step gets to the heart of our argument and is the key to leading the emotional journey of transformation. Transformation can be exciting and unsettling for employees at the same time. They may feel excitement about being part of a purposeful company but unsettled and anxious — for example, if they can’t see how their skills will be relevant.
Addressing these emotions is key. Bringing topics like anxiety and fear of the unknown as well as different ideas about what the organization’s future looks like into formal conversations allows them to be worked through, instead of just festering and creating resentment.
Our research suggests that listening skills are just as important as a project plan in a leaders’ toolkit of skills. Here are some psychotherapy-based steps to improve your listening. We found that these are remarkably similar to what leaders of successful transformations reported doing:
- Create the right space to actively encourage emotional awareness and expression through simple questions such as, “What are you feeling? Can you tell me more about that?” Silence and open questions allow people to explore their own emotions.
- Use techniques such as deep listening (to what is said and unsaid) and paraphrasing what you think you’ve heard to facilitate emotional regulation, which enables the exploration of primary emotions. Encouraging self-observation and self-compassion, focusing on breath and creating an environment free from judgement and reaction are all important here.
- Create workshops that enable active reflection on emotions (using tools such as meditation, poetry, journaling, and art). This will help facilitate conversations that focus on meaning making and the development of new narratives to explain past experiences and current situations.
5. Include both the rational and emotional.
When executives begin a transformation, it’s not long before they reach for a project plan. More often than not, this focuses on a rational understanding of how long it will take to deliver key activities. These plans are often overly ambitious from a cost and time point of view, and our research suggests that they miss the critical listening component, which slows down the transformation process.
Conduct listening exercises via one-on-ones, small groups, and digital interventions and workshops across the organization that enable leaders and the workforce to understand their own purpose and values and how they integrate into the wider organizational purpose.
If you’re to integrate both the emotional and rational into your plans, you need to think of the process as a corkscrew rather than a straight line — in other words, a core focus on progress but a non-linear way of getting there. This requires a different approach to project planning that integrates the rational and emotional processes and activities by bringing together the need for patience and pace. An executive in the aerospace industry described it to us like this:
It is more like a spiral, where you just go up a little bit and the turning points are positive, and then a negative one. We came back a little bit and then we go up again and went to the second cycle.
6. Align KPIs, funding, resources, and people.
This is where the benefits of focusing on the emotional journey should come to fruition. Successful transformation requires major shifts in KPIs and performance management, funding, and resources. This new reality can be difficult for some people, as their lack of belief in the transformation becomes real as they lose power, status, and even their roles in the transformed organization. While losing people is more often than not an inevitable part of a successful transformation, our research shows that making decisions about practical matters like KPIs sooner rather than later enables people to transition from one emotional state to another — from reacting to the loss of the status quo to being creative about the future. This is a critical inflection point in the emotional journey.
This quote from a media industry executive illustrates how transformation creates a clear distinction between those who are aligned with the transformation and those who are not:
So, it probably did divide the business I think a little, between people who are here for the next evolutionary stage of what our industry is going through and those who are not. Not all of those who did not see this future have left the business, some are still doing what they do, but quite a few have. So, it’s accelerated a generational change inside our business, I think. I think people are leaders in our business earlier now. A good handful of years earlier than perhaps they would have been before, if they were able to grasp this more than their managers were able to grasp it.
What this step demonstrates is how new KPIs enable shifts in resources and make the transformation a concrete reality. This brings to light those people who are inspired and energized to bring the transformation to reality and those who are not.
7. Make transformation the new normal.
In the twentieth century, many organizations followed the model of being a “machine,” where predictability, stability, and hierarchy were the norm. This model was very good at delivering predictable performance but poor at coping with disruption. Many organizations still live with this legacy approach while their stakeholders demand something very different: a more “organic” organization where continual transformation is the norm.
Enabling transformation requires giving employees the information and resources they need to develop and innovate in other directions. One media executive described how knowledge and resource sharing allowed employees to develop in this way, which can enable the organization to move toward a state of continual transformation:
It’s definitely created a more entrepreneurial sense across the business that more people can participate in this, than perhaps they could previously. Some of the knowledge was quite esoteric. If you wanted to know how to do some of these things you needed to work in a certain department and you needed to be trained in certain ways by someone face to face or hand to hand, to actually show you how to do them. So, it was quite difficult for you to train yourself how to do the things that we do as an agency business. Now anybody who wants to, who has the time and inclination can access all of our tools and systems, discover online all the training that they need to know how to master them and can feedback and help work into what the next situation is likely to be.
. . .
Leaders are expected to deliver continual, rather than episodic, transformation and evolution. Transitioning to this state will not only require new leadership skills, organizational structures, processes, and KPIs — leaders need to bring all these things together to operate within this new paradigm.
- Andrew White is a senior fellow in management practice at Saïd Business School, University of Oxford, where he directs the advanced management and leadership program and conducts research into leadership and transformation. He is also a coach for CEOs and their senior teams.
- Michael Smets is a professor of management at Saïd Business School, University of Oxford. His work focuses on leadership, transformation, and institutional change.
- Adam Canwell is head of EY’s global leadership consulting practice. Adam has published extensively on leadership and strategic change. Adam has sold and delivered transformation programs across multiple industries in both the UK and Australia, working with FTSE 100 (or their equivalent) organizations.
Article link: https://hbr.org/2022/07/organizational-transformation-is-an-emotional-journey?
A Q&A with NCC Group’s Viktor Gazdag ahead of a Black Hat USA session on CI/CD pipeline risks reveals a scary, and expanding, campaign vector for software supply chain attacks and RCE.
Tara Seals Managing Editor, News, Dark Reading. August 09, 2022

Continuous integration/continuous development (CI/CD) pipelines may be the most dangerous potential attack surface of the software supply chain, researchers say, as cyberattackers step up their interest in probing for weaknesses.
The attack surface is growing too: CI/CD pipelines are increasingly a fixture within enterprise software development teams, who use them to build, test, and deploy code using automated processes. But over-permissioning, a lack of network segmentation, and poor secrets and patch management plague their implementation, offering criminals the opportunity to compromise them to freely range between on-premises and cloud environments.
At Black Hat USA on Wednesday, Aug. 10, Iain Smart and Viktor Gazdag of security consultancy NCC Group will take to the stage during “RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise,” to discuss the raft of successful supply chain attacks they’ve carried out in production CI/CD pipelines for virtually every company the firm has tested.
NCC Group has overseen several dozen successful compromises of targets, ranging from small businesses to Fortune 500 companies. In addition to security bugs, the researchers say novel abuses of intended functionality in automated pipelines have allowed them to convert pipelines from a simple developer utility into remote code execution (RCE)-as-a-service.
“I hope people will give some more love to their CI/CD pipelines and apply all or at least one or two recommendations from our session,” Gazdag says. “We also hope this will spark more security research on the topic.”
Tara Seals, Dark Reading’s managing editor for news, sat down with Viktor Gazdag, managing security consultant of NCC Group, to find out more.
Tara Seals: What are some of the more common security weaknesses in CI/CD pipelines, and how can these be abused?
Viktor Gazdag: We see three common security weaknesses regularly that require more attention:
1) Hardcoded credentials in Version Control System (VCS) or Source Control Management (SCM).
These include shell scripts, login files, hardcoded credentials in configuration files that are stored at the same place as the code (not separately or in secret management apps). We also often find access tokens to different cloud environments (development, production) or certain services within the cloud such as SNS, Database, EC2, etc.
We also still find credentials to access the supporting infrastructure or to the CI/CD pipeline. Once an attacker gets access to the cloud environment, they can enumerate their privileges, look for misconfigurations, or try to elevate their privileges as they are already in the cloud. With access to the CI/CD pipeline, they can see the build history, get access to the artifacts and the secrets that were used (for example, the SAST tool and its reports about vulnerabilities or cloud access tokens) and in worst case scenarios, inject arbitrary code (backdoor, SolarWinds) into the application that will be compiled, or gain complete access to the production environment.
2) Over-permissive roles.
Developers or service accounts often have a role associated with their accounts (or can assume one) that has more permissions than needed to do the job required.
They can access more functions, such as configuring the system or secrets scoped to both production and development environments. They might be able to bypass security controls, such as approval by other developers, or modify the pipeline and remove any SAST tool that would help searching for vulnerabilities.
As pipelines can access production and test deployment environments, if there is no segmentation between them, then they can act as a bridge between environments, even between on-prem and cloud. This will allow an attacker to bypass firewalls or any alerting and freely move between environments that otherwise would not be possible.
3) Lack of audit, monitoring, and alerting.
This is the most neglected area, and 90% of the time we found a lack of monitoring and alerting on any configuration modification or user/role management, even if the auditing was turned on or enabled. The only thing that might be monitored is the successful or unsuccessful job compilation or build.
There are more common security issues, too, such as lack of network segmentation, secret management, and patch management, etc., but these three examples are starting points of attacks, required to reduce the average breach detection time, or are important to limit attack blast radius.
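The first weakness above, credentials stored next to the code, is one of the easier ones to check for mechanically before a commit lands in the VCS. The Python scanner below is an added example, not part of the interview or of NCC Group's tooling; its rule list, placeholder handling and the sample repository contents are constructed for illustration (the AWS access key is the example value used in AWS documentation, not a live credential). It flags embedded values but deliberately passes references to a secrets manager or environment variable, which is where such values belong.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


# Detection rules (constructed, illustrative, not exhaustive). Order matters: the first
# rule that matches a line wins, so the specific formats come before the generic one.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # a key-like name followed by '=' or ':' and a literal value
    ("assigned-secret", re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]?([^\s'\"]+)")),
]

# Values that *reference* a secret rather than embed it: shell/CI variable expansions
# such as ${{ secrets.X }} or $X, template placeholders like <value>, and masked output.
PLACEHOLDER = re.compile(r"^(\$|<.*>$|\*+$)")


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one finding per line that appears to embed a credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "assigned-secret" and PLACEHOLDER.match(match.group(2)):
                continue  # points at a secret manager or env var: the recommended pattern
            findings.append(Finding(path, line_no, rule, line.strip()))
            break  # one finding per line is enough for triage
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory map of path -> contents (a real run would walk the repo)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. The AWS key is the example value used in AWS documentation.
SAMPLE_REPO = {
    "deploy.sh": "#!/bin/sh\n"
                 "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                 "aws s3 sync ./dist s3://example-bucket\n",
    "config/app.yml": "database:\n  host: db.internal\n  password: hunter2hunter2\n",
    # hardened form: the value lives in the CI secret store, only a reference is committed
    ".github/workflows/ci.yml": "env:\n  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}\n"
                                "  API_KEY: ${API_KEY}\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Run against the constructed repository it reports the shell export, the YAML password and the private key, and stays silent on the workflow file that only references secrets. Wiring a scanner like this into a pre-commit hook or a pipeline stage catches the "stored at the same place as the code" case before it becomes build history an attacker can read.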
TS: Do you have any specific real-world examples or concrete scenarios you can point to?
VG: Some attacks in the news related to CI/CD or pipeline attacks include:
- CCleaner attack, March 2018
- Homebrew, August 2018
- Asus ShadowHammer, March 2019
- CircleCI third-party breach, September 2019
- SolarWinds, December 2020
- Codecov’s bash uploader script, April 2021
- TravisCI unauthorized access to secrets, September 2021
TS: Why are weaknesses in automated pipelines problematic? How would you characterize the risk to companies?
VG: There can be hundreds of tools used in pipeline steps and because of this, the tremendous knowledge that someone needs to know is huge. In addition, pipelines have network access to multiple environments, and multiple credentials for different tools and environments. Gaining access to pipelines is like getting a free travel pass that lets attackers access any other tool or environment tied to the pipeline.
TS: What are some of the attack outcomes companies could suffer should an adversary successfully subvert a CI/CD pipeline?
VG: Attack outcomes can include stealing source code or intellectual data, backdooring an application that is deployed to thousands of customers (like SolarWinds), gaining access to (and freely moving between) multiple environments such as development and production, both on-prem or in the cloud, or both.
TS: How sophisticated do adversaries need to be to compromise a pipeline?
VG: What we’re presenting at Black Hat are not zero-day vulnerabilities (even though I found some vulnerabilities in different tools) or any new techniques. Criminals can attack developers via phishing (session hijack, multifactor authentication bypass, credentials theft) or the CI/CD pipeline directly if it’s not protected and is Internet-facing.
NCC Group even performed security assessments where we initially tested Web applications. What we found is that CI/CD pipelines are rarely logged and monitored with alerting, other than the software building/compiling job, so criminals don’t have to be that careful or sophisticated to compromise a pipeline.
TS: How common are these types of attacks and how broad of an attack surface do CI/CD pipelines represent?
VG: There are several examples of real-world attacks in the news, as mentioned. And you can still find, for example, Jenkins instances with Shodan on the Internet. With SaaS, criminals can enumerate and try to brute-force passwords to get access as they don’t have multifactor authentication enabled by default or IP restrictions, and are Internet-facing.
With remote work, pipelines are even harder to secure as developers want access from anywhere and at any time, and IP restrictions aren’t necessarily feasible anymore as companies are moving towards zero-trust networking or have changing network locations.
Pipelines usually have network access to multiple environments (which they shouldn’t), and have access to multiple credentials for different tools and environments. They can act as a bridge between on-prem and cloud, or production and test systems. This can be a very wide attack surface and attacks can come from multiple places, even those that have nothing to do with the pipeline itself. At Black Hat, we’re presenting two scenarios where we originally started off with Web application testing.
TS: Why do CI/CD pipelines remain a security blind spot for companies?
VG: Mostly because of the lack of time, sometimes the lack of people, and in some cases, lack of knowledge. CI/CD pipelines are often created by developers or IT teams with limited time and with a focus on speed and delivery, or developers are just simply overloaded with work.
CI/CD pipelines can be very or extremely complex and can include hundreds of tools, interact with multiple environments and secrets, and be used by multiple people. Some people even created a periodic table representation of the tools that can be used in a pipeline.
If a company allocates time to create a threat model for the pipeline they use and the supporting environments, they will see the connection between environments, boundaries, and secrets, and where the attacks can happen. Creating and continuously updating the threat model should be done, and it takes time.
TS: What are some best practices to shore up security for pipelines?
VG: Apply network segmentation, use the least-privilege principle for role creation, limit the scope of a secret in secrets management, apply security updates frequently, verify artifacts, and monitor for and alert on configuration changes.
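The third weakness described earlier (audit data collected but nothing alerting on it) and the closing recommendation to monitor for and alert on configuration changes can be turned into concrete detection logic. The Python below is an added example rather than anything from the interview or from NCC Group; the audit events are constructed in a generic JSON-lines form (the field names ts, actor, action, target and detail are assumptions, not any particular CI server's schema). Build outcomes, the one thing the interview says is usually watched, are left unalerted; configuration edits, credential reads, role grants and account creation raise alerts, with escalation for a self-granted role or a removed pipeline stage.

```python
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed audit events in a generic JSON-lines shape (not a specific product's format).
SAMPLE_AUDIT_LOG = """\
{"ts":"2022-08-01T09:00:01Z","actor":"alice","action":"job.build.started","target":"web-app"}
{"ts":"2022-08-01T09:04:12Z","actor":"alice","action":"job.build.succeeded","target":"web-app"}
{"ts":"2022-08-01T09:10:45Z","actor":"bob","action":"pipeline.config.updated","target":"web-app","detail":"removed stage 'sast-scan'"}
{"ts":"2022-08-01T09:11:02Z","actor":"bob","action":"credential.read","target":"prod-deploy-key"}
{"ts":"2022-08-01T09:12:30Z","actor":"svc-deploy","action":"role.assigned","target":"svc-deploy","detail":"role=admin"}
{"ts":"2022-08-01T09:13:00Z","actor":"carol","action":"job.build.failed","target":"api"}
{"ts":"2022-08-01T09:15:10Z","actor":"bob","action":"user.created","target":"deploy-helper"}
"""

# Event types worth alerting on. Build start/success/failure events are deliberately
# absent: they are usually the only thing already monitored, and are noise here.
ALERT_RULES = {
    "pipeline.config.updated": ("medium", "pipeline configuration changed"),
    "credential.read":         ("medium", "stored credential accessed"),
    "role.assigned":           ("high",   "role/permission granted"),
    "user.created":            ("high",   "new account created"),
    "plugin.installed":        ("medium", "plugin installed"),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    actor: str
    severity: str
    reason: str
    target: str


def evaluate(event: dict) -> Alert | None:
    """Map one audit event to an Alert, or None when it is not alert-worthy."""
    rule = ALERT_RULES.get(event["action"])
    if rule is None:
        return None
    severity, reason = rule
    # Escalation: an identity granting a role to itself is a classic privilege-escalation
    # signal; removing a pipeline stage is how a security tool (e.g. SAST) gets bypassed.
    if event["action"] == "role.assigned" and event["actor"] == event["target"]:
        severity, reason = "critical", "self-granted role"
    if event["action"] == "pipeline.config.updated" and "removed stage" in event.get("detail", ""):
        severity, reason = "high", "pipeline stage removed: " + event["detail"]
    return Alert(event["ts"], event["actor"], severity, reason, event["target"])


def analyze(log_text: str) -> list[Alert]:
    """Evaluate every JSON line in the log text and collect the alerts in order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def actors_by_alert_count(alerts: list[Alert]) -> Counter:
    """Per-actor tally, useful for spotting one identity driving many changes."""
    return Counter(a.actor for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_AUDIT_LOG)
    for a in found:
        print(f"{a.ts} {a.severity:8} {a.actor:12} {a.reason} ({a.target})")
    print("alerts per actor:", dict(actors_by_alert_count(found)))
```

On the constructed log this yields four alerts and none for the three build events, and the per-actor tally shows one account behind most of the changes. The point is less the specific rules than that every configuration, credential and role event in the audit trail needs a consumer; auditing that nobody reads is what the interview describes.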
TS: Are there any other thoughts you would like to share?
VG: Although cloud-native or cloud-based CI/CD pipelines are more simple, we still saw the same or similar problems such as over-permissive roles, no segmentation, over-scoped secrets, and lack of alerting. It’s important for companies to remember they have security responsibilities in the cloud as well.
Article link: https://www.darkreading.com/application-security/software-development-pipelines-cybercriminals-free-range-access-cloud-on-prem

By Lieutenant Commander Derek Bernsen, U.S. Navy
August 2022 Proceedings Vol. 148/8/1,434
The Navy is currently the least capable military service for cyber operations and security. While the first computer network attack capabilities originated from the Navy in the 1970s and 80s, the service has since backslid into mediocrity. Even the House Armed Services Committee (HASC) has noticed and included provisions in the draft 2023 National Defense Authorization Act to force an overhaul of Navy cyber.
The problems in Navy cyber communities and commands—and with its cyber concepts—result in a negative feedback loop. The Navy does not have sufficient cyber capabilities and forces, and instead relies on joint and other services. The Navy is also the only military branch without service-retained offensive cyber units—without which cyber personnel have limited ability to show their value to the fleet. Because of this, Navy leaders are left wondering why cyber is important to Navy missions, and how to integrate cyber into existing capabilities. This leaves Navy cyber sidelined, unsupported, and unable to directly integrate into Navy warfighting capabilities beyond joint operations. Our maritime adversaries understand cyber as a key component in warfare, so it is imperative the Navy fix the feedback loop stemming from these areas.
Problems with the Cyber Community
The Navy’s undervaluation of and apathetic approach to cyber has created a negative feedback loop within its community. Structural community issues (as I explained in my earlier article here) showcase a community struggling to grow.
Recent naval investments in cyber have been theater at best. For example, creating the cyber operations major at the U.S. Naval Academy (along with a $143 million cyber building), while preventing midshipmen who complete the cyber operations major from commissioning as cyber warfare engineers (CWEs). In 2022, the Academy only graduated four midshipmen skilled enough to be selected as CWEs—all computer science majors. Only two of those four were permitted to become CWEs. The other two were initially forced into surface warfare and aviation communities. A third was later allowed to become a CWE due to a medical disqualification. Meanwhile, the Marine Corps selected seven Naval Academy graduates for its cyber community, and the Army selected 40 West Point graduates for its cyber community. This was after Congress was told in 2018 that the Navy’s investment at the Academy would yield 30 CWEs each year. Thus far, there have only been six.
The Navy’s actions have made it clear that it would prefer to have computer science and cyber operations majors fill arbitrary billets in warfare communities unable to meet their retention requirements rather than do what they were trained for—protect U.S. interests in cyberspace. While not all graduates would want a cyber career over another operational community, clearly those that endure the rigorous CWE accessions process desire such a career and are placed elsewhere.
No Real Cyber Commands
Compounding personnel problems, Navy information warfare community (IWC) commands are not structured to support cyber. Unlike their counterparts in the other services, such as the Army’s 915th Cyber Warfare Battalion, Navy units do not conduct offensive cyber operations. While Chief of Naval Operations Admiral Michael Gilday recognized this discrepancy and called for service-retained cyber forces and capabilities in the form of tactical cyber units, the Navy has yet to establish one. While the Navy does have a few dedicated cyber protection teams conducting defensive operations, it lacks any Navy personnel conducting offensive cyber operations for Navy missions. This feeds a perception among Navy leaders that cyber is a joint mission and that the service gets little to no benefit for supporting joint offensive cyber operations. Anything the Navy does to improve its cyber training and manning pipeline will not contribute to the Navy’s mission.
Navy Cyber Warfare Development Group (NCWDG) appears to be the exception, but it is plagued by similar joint issues. The name “Cyber Warfare Development Group” may lead readers to believe that NCWDG is solely cyber focused. But NCWDG is a multifaceted monster. Its components have competing responsibilities including research and development, acquisitions, special technical capabilities, and coordinating work with all national level agencies for not just cyber, but for all cryptologic functions. Additionally, NCWDG is responsible for planning and executing U.S. Title 10 (defense) and Title 50 (intelligence) information warfare and cyber operations, is a force provider to the cyber mission force, and operates the Navy’s signals analysis labs.1 It is simply doing too much to focus on cyber. On top of this, because the NCWDG commander must be an acquisitions professional, it is rarely led by someone with relevant cyber operations expertise. NCWDG is good despite its structure, not because of it.
Problems with the Navy’s Cyber Concept
Navy strategy on cyber is shortsighted, and Navy leaders are ill equipped to develop a more forward-looking strategy. This is because the Navy has no command with a single cyber focus contributing directly to a Navy mission.
The Navy has always been slow to adapt because of deeply ingrained cultural issues, stubborn adherence to outdated traditions, and a refusal to advance its thinking. Rear Admiral William S. Sims explained this in a 1921 address on military conservatism to that year’s Naval War College graduates. He states, “arguments in favor of fundamentally new weapons have failed except those that resulted in shedding the blood of the unbelievers; that defeat alone has been accepted as a final demonstration.” For a domain that evolves as quickly as cyber does, this culture is doubly concerning.
In addition, Navy leaders lack technical depth in the cyber arena. It has become acceptable for leaders to say “I don’t understand cyber” in Congressional hearings. In addition, because few commands contribute cyber capabilities directly to Navy missions or focus solely on cyber, few Navy leaders see the true benefits of cyber or understand how cyber operations work in a military context. Thus, Navy leaders either get their understanding of cyber operations from hacker movie stereotypes, or do not think cyber adds any value to warfighting. Clearly Navy leaders have recognized this as they recently selected yet another aviator to lead Fleet Cyber Command rather than a flag officer from the cryptologic warfare communities, despite the fact that these communities notionally lead the Navy’s cyber missions.
The 2023 Draft NDAA Proposal
Congress is clearly frustrated and has recently stepped in via provisions in the draft fiscal year 2023 NDAA to force change in Navy cyber. Specifically, the House Armed Services Committee (HASC) has included language to “establish a cyber warfare operations designator . . . separate from the [CWO],” “establish cyberspace operations as a military discipline that is a separate community from the [IWC],” and prohibit non-cyber personnel from working in cyber fields. These provisions, if passed, would have a major impact, but there is still room for interpretation in how they are implemented. The Navy must consider its implementation carefully or risk continued stagnation.
If the NDAA passes with its current or similar language, the Navy must remove cyber tasks from the cryptologic warfare officer (CWO) and information professional (IP) communities, allowing them to refocus on their traditional areas of expertise. While the IP community has traditionally filled cyber roles (e.g., red/blue teams, computer network defense) and non-cyber IT roles (e.g., system/network administration, infrastructure maintenance, IT account management), the establishment of a cyber designator, as described in the NDAA, necessitates consolidating all cyber roles in one community. The next step is to deliberately nurture its technical communities, and this can be done in one of two ways. The Navy can either make the cyber warfare engineer (CWE) community responsible for everything cyber, or split cyber to empower the CWE community while also establishing a cyber operations officer (COO) community for less technical roles.
The all-CWE option ensures the Navy has the best cyber personnel in every role. Expanding the CWE community to take full control, responsibility, and accountability for cyber operations ensures that every CWE officer has a deep technical understanding and cyber-focused experiences, making it the best long-term solution. All cyber jobs benefit from a technical background, even if they are less technically demanding. Growing a community with a deep technical foundation will enable the Navy to conduct maritime cyber operations and develop concepts to bring it back to the cutting edge and lead in the cyber domain.
A COO community would, unlike the current cryptologic warfare community, be wholly focused on cyber and receive technical training, but would focus on the less technically demanding roles in cyber. This community would fill a large portion of cyber roles while allowing the CWEs to modestly expand, remaining an elite and lean community. This builds two communities with technical backgrounds—one focused on pushing the cutting edge and another on the less-technical day-to-day cyber work (e.g., system administration) and community management (e.g. detailing). The Navy would still need to grow the CWE community and foster a relationship between CWEs and COOs. While COOs may get enough focus to be capable in cyber, they would need to know when to call on CWEs for their technical insight. Leadership roles must be shared by the two communities. For example, a COO leadership role must be accompanied by a CWE deputy and vice versa to take advantage of their complementary skills. Failure to align these two communities would result in short-term improvement but long-term stagnation.
If given the choice, the Navy should opt for growing the CWE community and include their rigorous accessions process and strict technical depth. The potential pitfalls of a less technical COO community are too great and would result in Congress being forced to take another heavy-handed move to solve a problem the Navy will not address on its own.
New Cyber Commands
The Navy should establish new commands that focus solely on cyber. Creating service-retained cyber units whose sole responsibility is some aspect of cyberspace operations creates a foundation to build genuine expertise. Commands that already exist in this space, such as NCWDG, should split themselves into more focused commands. There is even precedent for this given Navy Information Operations Command Maryland’s split in 2017. Navy units whose sole mission is cyber are required to develop concepts and capabilities for maritime cyber—something joint and other service units have no reason to prioritize.
Eventually, cyber will need to be integrated with units across the various other Navy warfare domains (surface, subsurface, special warfare, etc.) to maximize the cross-over advantages of cyber effects. Doing so before building dedicated cyber units that regularly produce experts will not be successful. Instead, dedicated cyber units should be where cyber professionals first cut their teeth before being attached to other units to employ their expertise.
Just as the Navy does not request the Air Force’s permission to fly planes, the Navy needs its own capabilities to operate without requesting to use joint or other service capabilities and personnel. Dedicated Navy defenders will be more experienced with the Navy networks and systems. Similarly, offensive professionals would be intimately familiar with the intricacies of maritime cyber and be able to develop capabilities and conduct tailored cyberspace operations. Dedicated cyber units enable cyber professionals to command and lead these units. Placing talented cyber leaders in charge of these units will set conditions for greater capability and community growth than allowing non-cyber personnel to command.
Alternate Concept Solutions
Time is needed to grow and refine concepts. It is understandable for national and naval leaders to demand to be shown why they should invest in cyber. Yet there is a chicken-and-egg problem without the correct alignment of personnel, structures, and concepts. The Navy needs to rethink the timeline it expects to see results outside of classified spaces and what it can do to support those results. Special operations forces (SOF) are beginning to see the benefits because they have begun to invest in cyber. CWEs have already proven their potential impact with SOF at demonstrations. The impact can go beyond demonstrations, but the Navy must set conditions for it to happen.
Correctly aligning cyber communities and commands will help the Navy develop new concepts for employing maritime cyber operations. Though most cyber operations will continue to be conducted remotely, there are opportunities for conducting close-access cyber operations through working with SOF or from various naval platforms. The cryptologic warfare community has had decades to develop these concepts but has failed to do so. The few advancements in the past decade have been led by CWEs, though naturally most are classified.
The Navy’s ability to go anywhere and maintain a significant dwell time poses a great opportunity for initial access, which is the largest obstacle to offensive operations. The Navy must embrace cyber as a domain and capability to be used against maritime targets, such as hacking enemy warships and forcing their engines to seize up, or hacking foreign antiship cruise missile systems to prevent them from being launched as a strike group conducts operations. Defensively, concepts for maritime cyber that must be expanded include protecting warships from cyber attacks, decoupled and modular systems so the Navy can get rid of its Windows XP machines, and inter-ship network defenses. The Navy—and much of the government—has a scarcity mindset that regards cyber capabilities as too expensive and sensitive to ever be used. This mindset must change to empower the people tasked with developing and operating these capabilities. The Navy needs to shift its Overton window to align with the realities of cyber and embrace lower-equity cyber capabilities.
Finally, the Navy must hold its civilian and uniformed cyber personnel accountable for results. It must send the message that cyber is important enough that if you fail, you will get fired.
Consequences of Inaction
If the Navy cannot prioritize cyber, then it must divest itself entirely of cyber warfare. Maintaining a mediocre cyber force is a waste, so the Navy must choose to go all-in or all-out. Divesting may force the DoD to create an independent U.S. cyber force, but that would mean the Navy would forever lack the ability to conduct maritime cyber or develop tailored cyber concepts and capabilities.
No Admiral Sims is coming to save Navy cyber. The Navy must make tough decisions to create an environment in which it can again be a top cyber player. Overhauling the responsible communities, reorganizing commands so cyber is not an after-thought, and setting conditions for refreshed concepts of maritime cyber are all critical. If the Navy does not follow this path, then it must exercise a truly drastic plan: sacrifice any opportunity to ever again be a capable cyber player and give its full support to the creation of an independent cyber service. The one thing truly unacceptable is to stay the course and accept mediocrity in cyber.
1. U.S. Navy, Navy Cyber Warfare Development Group Instruction 3120.1C, NCWDG Standard Organization and Regulations Manual (18 February 2021).
Article link: https://www.usni.org/magazines/proceedings/2022/august/navy-needs-cyber-course-correction
Lieutenant Commander Derek Bernsen, U.S. Navy
Lieutenant Commander Bernsen is a cyber warfare engineer officer who recently transferred to the U.S. Navy Reserve. He has a master’s degree in computer science from Georgia Tech and is a graduate of The Citadel.

By Chris Riotta, August 1, 2022
The proposal would establish baseline safeguards for cybersecurity and physical issues like natural disasters
A group of bipartisan senators have introduced legislation to establish baseline cybersecurity requirements and new protections against catastrophic weather-related disasters for federal data centers across the country.
The Federal Data Center Enhancement Act of 2022 tasks the Office of Management and Budget with establishing standardized cybersecurity requirements for the federal facilities, which host some of the nation’s most sensitive information technology and cybersecurity infrastructure.
OMB will have 180 days to provide new minimum requirements for data centers under the legislation, which includes specific calls for information security protections and safeguards against power failures, natural disasters and intrusions. The bill also instructs OMB to work with the Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director to establish the requirements, as well as to consult with the General Services Administration and the Federal Chief Information Officers Council.
Sen. Gary Peters (D-Mich.), chairman of the Senate Homeland Security and Governmental Affairs Committee, noted the responsibility federal data centers have to protect data like Social Security and credit card information in a statement after the bill was introduced on Friday.
“The federal government is responsible for storing considerable amounts of sensitive and personal information,” he said, adding: “We must ensure this data is stored securely and used in a way that does not violate civil rights and liberties.”
Peters introduced the bill along with Sen. Jacky Rosen (D-Nev.) and Sen. John Cornyn (R-Tex.).
The bill seeks to build on recent efforts to close and consolidate federal data centers: over 6,000 facilities have been consolidated since 2010, a trend that has resulted in an estimated $5.8 billion in cost savings and cost avoidance, according to a copy of the bill obtained by FCW.
Agency leaders will be tasked with regularly assessing their data center usage to help determine whether to continue operating a data center, and to ensure legacy systems are updated, modern technologies are employed and the facility is overall optimized and secure against potential vulnerabilities.
“The sensitive information stored on federal systems cannot be left open to vulnerabilities like cyberattacks or natural disasters,” Cornyn said in a statement. “This legislation would help secure federal data and encourage optimization, which will save taxpayer dollars and protect Americans who entrust their information to the federal government.”
Rosen also noted the “increasing threat of cyberattacks and natural disasters” in a statement and said the bill “will enact a new set of security and resiliency standards” to protect data.
Article link: https://fcw.com/security/2022/08/senators-introduce-bill-ensure-resiliency-federal-data-centers/375219/
Companies already have the systems in place that are needed to evaluate their deeper impacts on the social fabric.
By Nathaniel Lubin and Thomas Krendl Gilbert, August 9, 2022

We all want to be able to speak our minds online—to be heard by our friends and talk (back) to our opponents. At the same time, we don’t want to be exposed to speech that is inappropriate or crosses a line. Technology companies address this conundrum by setting standards for free speech, a practice protected under federal law. They hire in-house moderators to examine individual pieces of content and remove them if posts violate predefined rules set by the platforms.
The approach clearly has problems: harassment, misinformation about topics like public health, and false descriptions of legitimate elections run rampant. But even if content moderation were implemented perfectly, it would still miss a whole host of issues that are often portrayed as moderation problems but really are not. To address those non-speech issues, we need a new strategy: treat social media companies as potential polluters of the social fabric, and directly measure and mitigate the effects their choices have on human populations. That means establishing a policy framework—perhaps through something akin to an Environmental Protection Agency or Food and Drug Administration for social media—that can be used to identify and evaluate the societal harms generated by these platforms. If those harms persist, that group could be endowed with the ability to enforce those policies. But to transcend the limitations of content moderation, such regulation would have to be motivated by clear evidence and be able to have a demonstrable impact on the problems it purports to solve.
Moderation (whether automated or human) can potentially work for what we call “acute” harms: those caused directly by individual pieces of content. But we need this new approach because there are also a host of “structural” problems—issues such as discrimination, reductions in mental health, and declining civic trust—that manifest in broad ways across the product rather than through any individual piece of content. A famous example of this kind of structural issue is Facebook’s 2012 “emotional contagion” experiment, which showed that users’ affect (their mood as measured by their behavior on the platform) shifted measurably depending on which version of the product they were exposed to.
In the blowback that ensued after the results became public, Facebook (now Meta) ended this type of deliberate experimentation. But just because they stopped measuring such effects does not mean product decisions don’t continue to have them.
Structural problems are direct outcomes of product choices. Product managers at technology companies like Facebook, YouTube, and TikTok are incentivized to focus overwhelmingly on maximizing time and engagement on the platforms. And experimentation is still very much alive there: almost every product change is deployed to small test audiences via randomized controlled trials. To assess progress, companies implement rigorous management processes to foster their central missions (known as Objectives and Key Results, or OKRs), even using these outcomes to determine bonuses and promotions. The responsibility for addressing the consequences of product decisions is often placed on other teams that are usually downstream and have less authority to address root causes. Those teams are generally capable of responding to acute harms—but often cannot address problems caused by the products themselves.
With attention and focus, this same product development structure could be turned to the question of societal harms. Consider Frances Haugen’s congressional testimony last year, along with media revelations about Facebook’s alleged impact on the mental health of teens. Facebook responded to criticism by explaining that it had studied whether teens felt that the product had a negative effect on their mental health and whether that perception caused them to use the product less, and not whether the product actually had a detrimental effect. While the response may have addressed that particular controversy, it illustrated that a study aiming directly at the question of mental health—rather than its impact on user engagement—would not be a big stretch.
Article link: https://www.technologyreview.com/2022/08/09/1057171/social-media-polluting-society-moderation-alone-wont-fix-the-problem/

August 2, 2022, by John R. Fischer, Senior Reporter
Following its $28 billion acquisition of Cerner, Oracle has renamed the EHR business Oracle Health and has redesigned its organizational structure with several leadership changes.
David Feinberg, who served as Cerner president and CEO, will now be chair of Oracle Health, according to an internal email shared by an Oracle executive on Reddit. “David has played a pivotal role in stewarding Cerner through the acquisition, and I am excited to leverage his knowledge and connections with the healthcare community,” wrote Mike Sicilia, executive vice president of Oracle’s global business units.
Travis Dalton, who was Cerner’s chief client and services officer, will take over as general manager for Oracle Health GIU. Dalton joined Cerner in 2001 and has held several senior leadership positions in finance, sales and consulting. In his new role, he will oversee Oracle Health’s worldwide go-to-market teams, including marketing, sales, service, global operations and the health office.
Oracle executive vice president Don Johnson will now manage Oracle Health engineering, with former Cerner chief technology officer Jerome Labat and other tech executives reporting to him. “This structure will give the Oracle Health engineering team many more technical resources and capabilities to accelerate our industry transformation,” wrote Sicilia.
The company is also combining its IT, finance, legal, HR and other corporate divisions into centralized, global teams.
Oracle acquired Cerner in June 2022 in an all-cash deal. It is its largest acquisition to date and provides access to Cerner’s EHR systems, as well as a stake in the provider- and patient-facing clinical systems market.
The company will modernize Cerner’s solutions by integrating its Autonomous Database, APEX low-code development tools and voice-enabled user interface. It also is moving them into its Gen2 Cloud platform to aid treatment decision-making and reduce IT infrastructure costs.
Additionally, Oracle plans to create a nationalized database that pulls information from thousands of EHRs in hospitals across the U.S. This will solve interoperability problems, create faster access to records and enable development of diagnostic AI models, according to Oracle chairman Larry Ellison.
“Better information will allow doctors to deliver better patient outcomes. Better information will allow public health officials to develop much better public health policy and it will fundamentally lower healthcare costs overall,” said Ellison in a virtual briefing.

FORT BRAGG, N.C. — Soldiers from the XVIII Airborne Corps and 82nd Airborne Division are leading the U.S. Army’s transition to data-centric operations as they use new technologies to counter evolving threats.
Leveraging Army Vantage, the Army’s enterprise data decision platform that connects to and draws data from new and legacy systems in any form at any scale, deployed units are configuring end-to-end operational applications to streamline the outload of forces, automate logistics status reporting, capture new unstructured data and make real-time, intelligent decisions.
Commanders and staff are often dependent upon a myriad of disconnected joint, service level and combatant command data sources that, on their own, are unable to provide a single operational picture to commanders. In addition, these systems do not inform echelons below corps, and they lack the flexibility and adaptability to accommodate rapidly changing priorities and requirements on the ground.
With Army Vantage, Soldiers are now able to bring modern technology to bear against legacy systems to close critical knowledge gaps for commanders in stride.
“Our efforts on [Army] Vantage connected dozens of standalone systems and removed swivel chair operations to streamline our deployment process, ensuring we hit the ground running,” said XVIII Chief Technology Officer Jared Summers.
Traditionally, deployments have been tracked with small pieces of information that inform outload operations, siloed across tens of disconnected — and sometimes outdated — systems. These different systems didn’t provide the full picture of the outload process making it cumbersome to stitch together segments of the common operating picture to produce up-to-date data.
As a result of this process, Soldiers in January and February resorted to phone calls and emails to track the movement of critical units. This meant deploying units manually entered data into Excel spreadsheets and PowerPoint slide decks to track the most up-to-date Unit Movement Plans. This manual process consumed hundreds of staff hours entering, formatting, and validating that data, and because the data changed constantly, even the most recently updated spreadsheet or slide deck turned stale before the information was distributed across formations.

On recent deployments, the 82nd Airborne Division faced new challenges with seeing ground truth. Units were tasked to capture data from new sources at the edge — including data from partner nations — to inform operational decisions. No system existed for this type of mission, but the Soldiers of America’s Contingency Corps were able to solve this problem in days using Army Vantage as a starting point.
“[Army] Vantage became a game changer for us during our last deployment,” said XVIII Chief Data Officer Jock Padgett. “With the centralized and well-connected data operations platform, we enabled warfighters from the edge to Joint Staff with new, rapidly built end-to-end data pipelines, decision making modules and meaningful dashboards.”
The advantage of Army Vantage’s no-code application builder allowed Paratroopers from the 82nd Airborne Division to configure a transportation management tool to integrate real-time updates from tactical edge devices and enabled Soldiers to track and execute logistical tasks from a single, connected mission command environment.
Within a week, the 82nd Airborne Division transitioned from antiquated Excel spreadsheets reporting to a fully functioning application built in Army Vantage.
“The speed at which engineers and citizen data scientists can build products for operational users is exponentially faster on [Army] Vantage,” said Padgett. “Previously, we would spend the majority of time trying to get systems accredited or trying to gain access and integrate data. Now, we can actually fight with that data.”
At the XVIII Airborne Corps headquarters, Soldiers with Project Ridgway, the corps’ AI-driven initiative, and the newly established Data Warfare Company help configure applications within Army Vantage to track real-time equipment supply levels in theater.

“Leveraging the [Army] Vantage platform, we were able to rapidly create workflows ensuring we had up-to-date status of all classes of supply,” said Summers. “We were also able to leverage the analytic and monitoring tools on Vantage to compare expected to actual usage rates and set parameters or alerts when a certain class of supply was running low.”
“Our goal is to transform our logistics operations from a pull to a push-based system,” he added. “Just as with just-in-time logistics, we will know what is needed, when it’s needed and where to ensure a secure supply chain.”
Army data platforms should enable units to build for the unexpected, adapt to changing conditions and aggregate new battlespace information for which collection was not anticipated prior to — and during — the onset of a contingency.
Army Vantage’s flexible no-code, app-building tools and user-configured data capture forms are empowering America’s Contingency Corps to do just that. By having the tools to rapidly and seamlessly combine curated data from multiple source systems with enhanced insights captured from those on the front lines, units can create a digital twin that replicates the world in its truest state.
With an established application interface layer, Army Vantage provides this novel data asset to warfighting and logistics systems, powering a cohesive decision environment and enabling the XVIII Airborne Corps’ effort to see the battlespace in a single pane of glass.
“We’re continuing to grow the data integrations across [Army] Vantage, asking new, novel questions related to operations, logistics, personnel, and intelligence data. [Army] Vantage has tremendously advanced the Army’s Single Pane of Glass initiative,” said Padgett. “We’re making progress.”