Industry partnerships crucial to meeting future cyberthreats

The Army must develop deeper relationships with government contractors and academia in order to meet the cyberthreats of the future.

Editor's Note: This article originally appeared on FCW.com

To counter the digital threats of the future, Army officials said the service must redefine and deepen partnerships with industry and academia.

At the Mad Scientist Conference at West Point, Col. Carlos Vega said that when it comes to air power, the U.S. military dominates. "We have the bona fides to go [to the defense industry] and say, 'Make it bigger, make it faster,' and they will," said Vega, who is director of outreach at the Army Cyber Institute.

But that's not the case in the cyber domain. He said if the Army asks Apple for changes to a product, company officials will say the military is a small fraction of their business, and "we're going to stick with our product -- take it or leave it."

So the Army needs to change the way it thinks about cyber partnerships, Vega said.

"The partnership is a different type of relationship where you have a shared risk model between the two, you have a shared intent, you have a shared plan, and you have skin in the game with your other parties," he said.

Vega added that it is not about designing or acquiring products in the cybersecurity domain. It is about moving beyond the traditional contracting model and learning who has what capacities and solutions.

The Army Cyber Institute is "a platform where organizations bring problems and challenges and others bring solutions that may not have a problem to address," he said. "The intent is to build this system where problems and solutions can find each other."

Ideally, he said, the Army will have relationships with dozens of entities to understand what their capabilities are. Some of those relationships will evolve into working partnerships, and others won't. And some partnerships will meet a need for a period of time and then fade, Vega added.

In the future, the Army must be more agile when working with partners. "Academia and industry get a large vote in this, and we have to be flexible on how we meet each other's shared intent," he said.

To address the cyberthreats of the future, Joshua Toman, a U.S. attorney and former Army attorney, said the government must focus on understanding companies' needs.

"Business wants to keep the lights on," he said. "Businesses want to protect their trade secrets and things like that. So we have to [ask], how does business think about these endeavors?"

He argued that industry has capabilities that can help the government, and at the same time, companies have needs that are not being met by the government or current regulations.

"We have to, as the military, put forth to policymakers the arguments -- with academia's help, with industry's help, with our military experience and credibility -- to say we need changes in the law and the policy to have faster cyber response," Toman said.

He argued that the way to think about partnerships is to look at how the Wild West was tamed. He said the key was deputizing more and more people and delegating law enforcement authority to them.

"That's what cyber needs to look at -- how can we deputize, not just create these partnerships where it seems one-way from business and the public sector," Toman said.

Failure to empower industry and state partners could result in them getting mercenaries to respond to cyberattacks because the business sector has no offensive capability of its own, he added.

Vega said the Army Cyber Institute has already conducted one major exercise with a mix of public and private partners to respond to a "cyber bad day," adding that the exercise was about exchanging knowledge and capabilities rather than "dollars and cents."

"The greater good that came out of that is we're trying to identify some key takeaways that we can share with the masses," he said, because a key part of the institute's mission is expanding and sharing cyber knowledge.