John Pellegrino manages the Cyber Security Alliance, which focuses on cybersecurity best practices.
At the U.S. Army Research Laboratory, John Pellegrino sees no reason to go it alone. In the sprawling, shifting world of cybersecurity, he’ll take all of the friends he can get.
“We are all looking at cyberprotection together to come up with some fundamentals that will hopefully help us to make our networks more robust,” said Pellegrino, who manages the lab’s Cyber Security Research Alliance, which brings together military, academia and industry in an effort to share best practices.
The Army knows the need, universities know the science, and private-sector information technology brings it together.
“We are not a production house, that is something industry is capable of doing at scale,” he said. “So industry is really our partner in taking it home, in putting it into practice.”
The Defense Department told Congress its Cyber Command needs $5.1 billion for fiscal 2015. With cyber threats evolving at a rapid clip, it serves the military well to tap into private-sector best practices as early and as often as possible. A range of collaborative efforts have been put into place so Defense can keep its finger on the pulse, and industry can show off its most promising new ideas.
By invitation only
In a Silicon Valley venture capital shop, Dwayne Melancon recently got together with a dozen cybersecurity leaders to brief the military brass on emerging security threats and solutions.
“We talked a lot about other projects, how we have implemented on what kinds of systems,” said Melancon, chief technology officer at IT security software firm Tripwire. “They are not looking for a specific product. They are looking for other industries that are facing similar problems. They want to look at what is happening outside their own world.”
Military leaders are frequently inviting private-sector chiefs for informal talks. At Melancon’s most recent meeting, he said he got about 45 minutes to present.
“When they do that, you get higher-level participation from the agency, where if you set up a meeting on your own, it can be hard to get to a decision-maker or someone who is in charge of strategy,” he said.
Military IT in turn gets a chance to take a deep dive into issues and best practices as they are emerging in the commercial marketplace.
Tight budgets encourage sharing
Observers say there has been a marked uptick in the pace of such discussions in recent months, partly due to the effect of the Edward Snowden affair and partly due to financial factors.
“In the last 12 months, we have seen a real willingness to get together and share as much information as can be shared,” said Jeffrey Wells, executive director of cyber development in the Maryland Department of Business and Economic Development.
“Sequestration has had an impact on overall mission capabilities, it has caused a tightening of the belt, so that the military’s ability to solely manage the threat is being diminished,” Wells said. “As a result, people are seeing the need to reach out more to the commercial space.”
Wells’ office is one of many such state agencies looking to bolster local industry, in part by forging ties between the military and the private sector. “Our job is really to act as shepherd,” he said. His office recently hosted a three-hour session to connect innovative IT start-ups, like local defense contractors, and military representatives from the Army’s Fort Meade and elsewhere.
In addition to such state-sponsored gatherings, think tanks provide another forum for an exchange of cybersecurity ideas.
Through private roundtable events and formal discussion sessions, “we can bring in, in a nonpartisan way, a bunch of different people around the table to have a pretty frank discussion, without attribution,” said Ian Wallace, a visiting fellow at The Brookings Institution.
Such conversations play a crucial role in bolstering the nation’s cyber defenses.
“It is incumbent on those people who operate on the defense side to have an appreciation for the real-world implications of these things,” Wallace said.
At the same time, private industry has much to gain from the free flow of ideas.
“There is a slight presumption that the private sector has all the answers in this area,” Wallace said. “That is not necessarily true. There is a community in the military that probably has some of the best thinking on cybersecurity — expertise that exists because it has been government-funded. So the challenge there is to get that knowledge and expertise into the private sector.”
Best practices can become a two-way street, which may help to explain why military and industry alike have sought out so many and varied venues to make that conversation happen.