Before I dive into the topic of this post I should just say I can't believe it has been since March that I've posted anything here. Epic lame. I've had lots of ideas for posts but just haven't seemed to get around to posting them. One minor excuse is that I've been posting as a contributor at radar.oreilly.com (you can find my posts here) and many of the little things I might have posted here before now just end up on my feed at Twitter. They both function as sort of Limn This post relief valves. I'm going to try to get back into the swing of things here though. Now, back to the topic...
Last week I participated in a lively panel discussion moderated by Col Leslie Blackham of Electronics Systems Command at the second USAF Cyber Symposium. Panelists included Noah Shachtman from Wired's Danger Room, Grant Wagner from the NSA and SELinux fame, Richard Bejtlich from GE and TaoSecurity, Cisco's CSO John Stewart, and Marianne Hedin from IDC. The theme of the panel was "Sharing vs. Protecting" and exploring that tension gave lots of opportunity for a broad range of conversation that included open technology, organizational issues, social computing in the defense space, and even the role of government in a Democratic Republic (well, maybe just a little bit of that).
A theme similar to Sharing vs. Protecting is discussed in Jonathan Zittrain's excellent book The Future of the Internet and How to Stop It. In the book Zittrain explores the tension between "generativity" and lockdown that is playing out on the public Internet and in corporate networks. In those venues security concerns are creating pressure to replace the open PC (you can run any program you like on it) with tethered appliances that remain under the control of their makers such as the BlackBerry, iPhone, Xbox, TiVo, etc. We see the same trend in the defense space as devices like Sun's SunRay find a market. As a result we are squeezing out venues for the kinds of experimentation that led us to the Internet we have today (e.g. this article is an example of the impact of this change on the gaming industry).
In the defense space, where the ability to rapidly innovate and deploy new code can be equivalent to maneuver on the traditional battlefield, this generativity vs. lockdown argument has real consequences. Networks like the Navy Marine Corps Intranet (NMCI) are like ships that have permanently set Condition Zebra. Such a ship would have great watertight integrity, but can you imagine having to get commanding officer permission every time you need to open a watertight door to go to chow? Networks like NMCI are so constrained that they are difficult to use for their intended missions and absolutely worthless for generative activities that lead to innovation. The DoD's next FalconView-like grassroots endeavor is not going to come out of one of these networks.
The question Zittrain attempts to answer in his book distills down to "how do we maintain a highly generative environment while eliminating the security concerns that plague the current Internet?" The DoD has the same challenge even if it would use different words. One of the more interesting questions put to the panel, and that speaks directly to this question, was "How do we manage local innovation and capability development in a web 2.0 environment?" I posited that at least part of the answer might be found in something like Facebook's platform or SalesForce.com's platform as a service offering but tailored for things that the military focuses on, like command and control and situational awareness tools. I believe that a highly secure application platform, acting as an aggregation point for a variety of data and content, and exposing application capability and data via simple APIs would unleash all manner of rapid innovation from warfighter and contractor alike.
On the Internet Zittrain worries that platforms such as these, though highly generative, are problematic because they are contingent; they can be shut down or modified to be less open at any time by their owners. On the Internet, the contingency of generative platforms can have a chilling effect for those smart enough to realize the inherent risk in committing to them, or can have a post facto impact on innovations later thought by the platform owners to be competitive or otherwise disruptive. I think this is less of an issue in the defense space as long as the government and not one of its contractors owns the platform (this is a really big "if", just look at Boeing's stranglehold on SOSCOE).
This idea of C2 Platform as a Service probably deserves its own post later (particularly that part about ownership) so for now I'll just introduce it as a possible mechanism to provide secure generativity on the DoD Internet. However, before I close out this post I just want to touch on one other item that was discussed on the panel, the value of the social web.
We were asked whether the benefits of the social web outweigh the security risks. In my response I suggested that the word "social" tends to skew the conversation toward trivialities and away from meaningful participation in communities of practice. Richard Bejtlich made the point that there are about 12 other people in the world that do what he does and they form the nucleus of an incredibly important community to him. Despite the fact that he is an ex-Air Force officer, none of his peers in that community are in the Air Force. His natural peers in the Air Force aren't collaborating across organizational lines with him; are they even peering effectively with each other inside the organization? Analogously, today's Air Force pilots don't participate in communities of practice with airline pilots or stunt pilots, but it wasn't always this way. Earlier in the development of military aviation, flying clubs were important feeders into military cockpits and places where best practices were developed and communicated. In the cyber domain it is still more like 1914 than like 2008.
I believe we are also missing the opportunity to leverage these kinds of technologies to turn the currently binary "deployed" / "not deployed" bit into something much more seamless. Why is it that ALL of a departing soldier or airman's expertise and participation goes with him or her when they rotate out of theater? It seems to me that there is a massive opportunity to "virtualize" the organization such that hard-won knowledge and expertise could still be made available in theater in some combination of ad hoc and formalized ways.
This post is already too long so I'll save other topics that we discussed (e.g. open technology, the opportunity to harness volunteerism, etc.) for future posts. Let me know if you have also been thinking about how to preserve generativity while simultaneously protecting our important network assets.