To fight cybercrime, you need, of course, to stay ahead of the hackers—which is particularly urgent when you’re working on behalf of the military. That’s the job of IEEE Member Jeff Collins, a U.S. Air Force colonel and director of CyberWorx, a government-industry partnership in Colorado Springs launched in 2016 to combat cyberthreats facing the Air Force.
CyberWorx brings together a diverse group, including Air Force Academy cadets and professional technologists, to experiment within an innovative problem-solving framework to develop ways to stay ahead of adversaries. Those ways could include technological innovations and changes made to operational processes and government policies.
Collins, who has served in the Air Force for 26 years, earned a Ph.D. from Carnegie Mellon focused on cyber operations. Before CyberWorx, he was the Air Force’s deputy director of cyberspace strategy and policy at the Pentagon.
“Even though I couldn’t have known CyberWorx would exist, it feels as if my entire career was spent preparing to be its director,” he says.
In this interview with The Institute, he tells us about his organization’s efforts.
Tell us about the Air Force’s partnerships with tech companies.
The tech industry moves fast, and the U.S. Air Force can’t innovate fast enough on our own. Integrating the cutting edge, as well as changing our policies for the digital age, is tough for an organization as large as ours—it’s the “innovator’s dilemma.”
That’s why CyberWorx was formed—to create partnerships with great minds throughout the country to help us think differently and integrate capabilities agilely. We have hosted over a dozen design “sprints” in our lab, and the Air Force has completed two hackathons in which technologists have helped us find vulnerabilities in our systems and processes that need to be fixed quickly. We also work with a nonprofit that recruits people from industry to help us with our cyber projects and sprints.
They have helped us to update our systems to better thwart cyberattacks and give commanders better insights on cyber risks, and write new cyber policies.
CyberWorx incorporates what’s called a design-thinking framework. Can you explain what that is?
Design thinking puts people at the center of the question, whereas other methods focus on a technical system or product. We put together a diverse group of people to think about and design ways we might tackle a problem. In our design cases, having an Air Force operator process information from potentially tens or hundreds of systems puts her in a tough decision-making environment. Decisions have to be made fast and well, often under tremendous pressure.
Our goal is to make it easier for the human operators to prevent or respond to a cyberattack. In other words, how well can we convey information, or support the operator with AI, so they can make the right call as fast as possible? Our decision-making has to be faster than an enemy’s. Therefore, we have to integrate technology better to speed up our operator’s decision to act, or find ways to slow down the enemy’s decision-making processes.
We also have incorporated an Agile work process and principles many tech companies have adopted. Instead of taking nine months to complete a project, for example, we do ours in what’s called sprints. These can last a week or several weeks and allow us to formulate ideas and evaluate if we’re going in the right direction. Sprints provide immediate updates to a program based on current cybersecurity conditions and the mission needs of war-fighters.
Part of design thinking involves getting more diverse views—and not just about the best technology to use. It also includes better ways to train cyber specialists or write a cybersecurity policy, involving, say, a new tactic or procedure that won’t box us in and prevent us from out-innovating agile adversaries.
What is the incentive for industry to work with your program?
Beyond patriotism and the opportunity to help solve interesting, challenging problems, it’s twofold. First, the companies get to take part in what amounts to a design-thinking boot camp, which gives their employees experience with this framework for problem-solving that incorporates creative strategies for developing new products and services. This design-centered methodology has proven to be more successful in business than a top-down approach for innovation—it better enables what I call “innovation at the edge.” Letting front-line employees help innovate and deliver better value is a business advantage. Participants can incorporate design thinking at their companies.
The other incentive is business opportunities. While working on a project with us, participants get a better understanding of military challenges, which can help them propose a new service or product.
Do you have examples of some projects?
Our first project was to describe cyber risks to military people who don’t work in cybersecurity. Our cybersecurity professionals tend to focus on vulnerabilities instead of on mission risk, and so we came up with protocols on how to help operational commanders and units understand what they can do to mitigate risk. Faster ways, for example, for front-line users to report outages or anomalies that might indicate an attack—to provide a better, crowd-sourced picture to the cyber pros of what’s happening from a user perspective.
After that project was completed, three of the companies that participated realized they could combine intellectual property they had developed into a minimum viable product, or MVP, with sufficient features that could be ready to go. They sent a proposal to the government to prototype a demonstration of how their IP might help the military integrate these changes in an efficient and streamlined way. That’s at the heart of the design-thinking process—you want to get to a place where your users can see changes as quickly as possible. You can then iterate and scale or decide that it wasn’t as good an idea as you originally thought. If that’s the case you can move on to other ideas for solving the problem without having spent much time or resources.
In another sprint intended to speed up cyber operator training, one of the participants, RIM Technologies, of Colorado Springs, decided there might be commercial benefit to the ideas that were developed. Afterward, the company developed Cyber Mission Force One, which incorporated some of the lessons learned from that project to enable compilations and up-voting/down-voting of training material. Having innovative companies see commercial viability for their ideas and develop the MVP on their own saves the government from having to develop such a program itself. It could allow us, for example, to buy the training as a service.
It seems your program involves a good amount of experimentation. Must you have a level of certainty before pursuing a project?
We don’t have any certainty. We work in a big makerspace—our lab is designed for collaboration and experimentation. We tell our sponsor organizations what we’re going to try, but that there’s no guarantee. We work to understand the problem well. We then provide a range of ways an organization with an idea can move the Air Force forward quickly to overcome the problem. There’s value in an outside perspective and the collaborations between government, industry, and academia have all paid off so far. But no, there are no guarantees.
We do talk about how much failure we should expect when we’re trying to be innovative. What we have found is the problems are so broad and amorphous that there’s room to improve on every one of them. But that doesn’t mean what we come up with will be perfect. The days of searching for years for perfect solutions are behind us. Agility—the ability to continuously change course throughout a project—has a lot more value for us because the fight for cybersecurity is constantly shifting.
How is the Air Force preparing for an escalation in cyberthreats?
We have a greater need for cybersecurity talent—which is why we’re focused on educating and recruiting cyber operators, including our Air Force cadets here in Colorado Springs. In between our CyberWorx sprints, we teach a management course to Air Force students. It involves applying design thinking to cyber-related problems. When they graduate and go on to become officers, they will have a better understanding of the threats and the impact of cybersecurity on all our core missions. They will also contribute to the culture and ecosystem of innovation within the Air Force. They will be more ready to lead in the digital age.
IEEE membership offers a wide range of benefits and opportunities for those who share a common interest in technology. If you are not already a member, consider joining IEEE and becoming part of a worldwide network of more than 400,000 students and professionals.