CyberWire Daily

Streamlining the US Navy's innovation process: A conversation with Acting CTO Justin Fanelli. [Special Edition]

N2K’s Brandon Karpf speaks with guest Justin Fanelli, Acting CTO of the US Navy, about the US Navy streamlining the innovation process. For some background, you can refer to this article.

Additional resources:

PEO Digital Innovation Adoption Kit

Atlantic Council’s Commission on Defense Innovation Adoption

For industry looking to engage with PEO Digital: Industry Engagement

Duration:
37m
Broadcast on:
28 Jul 2024
Audio Format:
mp3


You're listening to the Cyberwire Network, powered by N2K. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. We get it, this interruption isn't what you actually want to be listening to right now. But at Credit Karma, we've learned that a little disruption can be a good thing, especially when it comes to the slow, outdated, and totally complicated financial system. We started shaking things up by offering free access to your credit scores, then we expanded into more areas of personal finance. And now we've added new tools and personalized features to make it easier to optimize your money and grow it faster. Download Intuit Credit Karma today and get everything you need to outsmart the system. Welcome to a special edition of N2K Cyberwire. Today, we have an exciting conversation lined up as Brandon Karpf sits down with Justin Fanelli, the acting CTO of the US Navy. They'll dive into how the Navy is streamlining its innovation process to stay ahead in an ever-evolving technological landscape. For some additional context, check out the article linked in the show notes. Here's their conversation. I am joined today by Justin Fanelli, Acting Chief Technology Officer of the Department of the Navy. Justin, thank you so much for coming on the show. I believe it is your first time on Cyberwire. It is. Long-time listener, first-time caller, thanks for having me. 
And you and I and Rick Howard, who's well known on this network, have had numerous conversations around technology creation, technology adoption, public-private partnerships, both within the Department of Defense and the government. I would like to just get your view today on how are we doing with these partnerships? So the public-private partnership is growing in terms of the number of actual private-sector partners that we have and work with. It's up. New entrants are up, the performance of existing players is up. And so the CNO, the Chief of Naval Operations, sometimes says, "Hey, we want more players on the field." From a war-fighting perspective, we also want more industry partners on the field contributing to national security, contributing to economic security. And in this particular case, we are really excited about the number of new ideas and the impact of the solutions. If we can, I would love to dig in a little deeper on the nature of that partnership, because oftentimes folks who maybe are just uninformed or don't have the experience in DOD think of national security as purely military power. But you mentioned something in that response about it's not just military power, it's economic power, it's capability, it's national strength, it's even technology innovation adding to our national security, the strength of our market, the strength of our companies, the strength of our military, all working together in concert. Can you talk a little bit about kind of why today is as good as it's ever been and maybe some of the examples you see about how the Navy, but also DOD more broadly, is enabling that? I don't have to tell this audience how interesting some of the new cyber capabilities and innovations are. One of the things that is improving for us is our ability to harness and adopt innovation more intelligently and faster. 
And so we are no longer just looking at, hey, we have a gap and we need to fill that; we're evaluating based on the outcome-driven metrics. What does this bring to the table? Does it open the door to divesting something so that we can invest further? That keeps this flow healthier in terms of both the technical debt and the resilience that the cyber capabilities create. In terms of more than just security and defense, sometimes people refer to the defense ecosystem as a sector. I teach a course at Georgetown called Cybersecurity Strategy, Public and Private Perspectives. Dual use. This was never clearer to me than when I was at DARPA as a fellow. It was a short period, but it stuck with me. Dual use that is funded by Science and Technology funding within the Department of Defense is in all 11 sectors. This is showing up everywhere, so that is a launchpad as opposed to a sector. If someone is proving something out or increasing the technical maturity in a government lab or in a military lab, it's very likely that it's going to be picked up by EdTech or FinTech or something else. Maybe then, on the back end, often make use of that again after that initial investment, but that partnership, if we think about the Valley of Death, there is money on the left side of that and there's money on the right side of that. We're trying to bring those closer together and really make that a focal area for where we can connect dots and how we can close that gap in terms of the speed to impact. I'm glad you brought up the concept of dual use. It's a topic we hear across the board today in media, in technology, in the innovation ecosystem of this country, and startups talking about dual use. 
The quintessential one that comes to mind is GPS, which has a great commercial application but also military, where the investment made by the Department of Defense enabled a fantastic private sector technology that's really the foundation of our modern economy, being a fantastic example of that dual use. I do want to dig in on that idea of the chasm, the Valley of Death, that place where companies can't necessarily get beyond without a lot of support financially and operationally to bring their technology fully into DOD or fully into the commercial application. What programs and initiatives are new or coming or currently existing that are helping these companies, especially cyber security companies, bridge the Valley of Death, get across that Valley of Death, bring their dual use capability to bear within the market? The idea of these launch funds, so there's National Science Foundation and NIH that really do the basic and early applied research that is off the ground; that's most often money that the commercial sector wouldn't want to put in anyway, and so those are seen as a common good. A little bit later stage in terms of the technology readiness level, there are pure S&T plays like DARPA, the Defense Advanced Research Projects Agency, ONR, Office of Naval Research, that are still lower technology readiness level, but matriculating up. Those are generally working with companies who are cutting edge companies, working on cutting edge things that may not be ready for commercial at scale. 
Those organizations have a number of funding mechanisms and then it gets really interesting because within acquisition, so one of my hats is within the acquisition community, we've been asking for what do we do between the S&T launches, so sometimes I picture a quarterback throwing a pass, and then the acquisition community being able to catch something that is a tight enough spiral or catchable ball, and so that's something that we've put along as time and always will have left entrepreneurs to navigate. We've wanted to make that simpler both because it's more important than ever, but also because when we communicate clearly we can make a big difference into what gets caught and how long it takes to get caught and then how much of an impact that makes, and so there are some new funds. There is APFIT that is seen as a Valley of Death Closure Fund, it's only three years old, it's on its third year right now, and it has doubled every year, so we're really excited about that one. The SBIR program was one that was near getting canceled and got renewed, and so we've been doubling down on the opportunities coming out of that, and that's one where it's focused on small businesses, and so we've been just kind of ringing that bell to say, hey, if there is a topic where there are a lot of cyber topics where we can make use and pull something through, hey, this is a gap in the market, this is a performer that is excelling, can we ride that pony into the scale of acquisition that solves a provable problem? Hey, this is a tool that allows us to do something more effectively and more resiliently at a lower cost than we've ever done before. We need that and we can tie that almost definitely to a top level requirement that already exists. 
So those are a couple; in the show notes, I'm happy to give a full list of capabilities because I think when I was doing this 25 years ago, we were complaining that there weren't enough avenues, we could always get better, but it's a whole different ballgame in terms of the avenues and what is available to entrepreneurs and to the acquisition community to make things happen quicker. I mean, as you talk about this need to align both the thrower and the catcher in terms of what they need, the timing, the resources, the funding, the technology maturity, that type of alignment sounds extraordinarily complex to me. You also talked about determining and assessing and evaluating what you need from a mission perspective, mission outcomes and kind of aligning those things together, both the investments that you're making, but also the acquisition programs that you're creating to align technology with mission outcomes. I mean, that sounds extraordinarily complex. Just as in my layman observation, how are you doing that functionally on the ground? How are you actually accomplishing that mission? There are a lot of players, there are a lot of needs, and so matching is an oversimplification and probably throwing the passes is an oversimplification. But we do, like we said at the beginning, want this partnership to be a smoother, lower friction partnership. There will always be competition that's very healthy, but we want to simplify that story. And so one of the things we've done to try to simplify that story is to say, hey, there are times where someone is selling a product or someone is using a product, but in a very limited way, and it's hard to tell. Sometimes it takes an hour, sometimes it takes two or three meetings to figure out even where that is. So we've used a couple constructs to start on second or third base to expedite the conversation. One of the most powerful ones, even though it's simple, is the investment horizons. 
And so this looks at technology where it is in the process to say, three, two, one, zero. One is production. Is it at scale production, whether it's a designated enterprise service or otherwise? This is, at large, we have tens or hundreds of thousands or maybe even millions of users within this ecosystem. Horizon two is piloting. We've looked at it, someone's using it. We want to use a structured pilot to learn by doing. We won't put this to scale, so there's psychological safety in there to learn before we scale, but we can't just do this at arm's length. And then there's Horizon three, which is scouting, but scouting more deliberately. And so this could be other people's money, those S&T organizations that we talked about or internal research and development or the full dual use case ecosystem to include. Here's what venture capital firms are backing. Here's what new, exciting things are happening. By laying those out three to two to one, we can see from a matriculation perspective how close we are, where they line up, where one product might do the job more effectively of three products. We don't want one for ones because that just keeps more cars piling out in the garage, but what that funnel actually shows us is really important. And then zero is divestment, which is it's not sexy, we're trying to make it sexy. But this is the idea of there are already a lot of things that we're sustaining. If we can turn off legacy capability in favor of something that is more effective or providing bigger outcomes, we want to do that. So those are the technology horizons, three, two, one, zero. Yeah, that last point, I do feel like that Horizon zero is the most important piece. And they're all important, but being able to turn off technologies that are end of life or programs that are just past their due so that you can free resources to start acquiring and bringing things from three, two to one. 
That sounds like a critical feedback loop that, to my knowledge, just really hasn't been a part of the conversation much. Divest to reinvest is the life of a lot of any company that's been around for more than a little bit of time. And so like we sometimes say in a Hacking for Defense course that I teach, we sometimes say like it's actually easier to be a startup than a longstanding company in this way. You don't have to contend with technical debt. You don't have to contend with some cost decisions, right? You're able to clean slate and that could mean you're standing on the shoulders of giants. There's a Friedman book, Thank You for Being Late, right? The idea of being able to leap ahead can be an advantage at times. And so we are looking for more leap aheads, addition through subtraction. So when people or organizations are good at divesting to reinvest, it really does open up the door in a pretty exciting way. Obviously, the horizon one piece is, hey, here's how well we're performing. Here are the outcomes at that level. So it's all in service of that. But the deputy principal deputy CIO for DOD sometimes says, hey, we've been in this house for a long time. And so it's very important that we do rehab on this house. Right, you have to do preventative maintenance at some point with all these systems. So I mean, taking this horizons model in the context of partnerships, who in the private sector or even public sector is enabling this or has taken this model to heart, is doing this really well, that's making your job easier? The interesting part was most of our partners were already playing into this. They just didn't have the taxonomy. And so we have a lot of partners who are just excited to play in connecting dots. My program executive office, Digital, we had a handful of program offices. And so this is a familiar construct, whether you're in government or not, a program office. And we switched to portfolio management offices. 
And portfolio theory has been around for a long time. It's not used a ton in government. But as a concept, I think people are generally familiar that this allows us to make more data-driven objective decisions as opposed to here is my monolithic baby. And I want to protect it at all costs. And so by shifting to portfolio, it's allowed us to show our vendor community and partner community at large. And so who's doing this well? When we were at RSA, people said, oh, you're the folks who are using horizons and portfolio. We know where we fit. We know what portfolio we fit in. And we don't have to defeat some program of record. We can just make our value proposition. And so we've talked to 500 companies in the last probably 14 months. The venture-backed community is giving us, hey, here's the list of port codes that have the biggest impact on what we're doing. And we can prove that through outcome-driven metrics. And then who else has been supportive? Private equity, specifically with the Office of Strategic Capital that is relatively new, has said, hey, here is one opportunity that is much higher impact than another. And so here are cyber tools that are very important to us, but we want to make sure that we know what company and what country is backing these tools. Let's make sure we're doing diligence. So I'd say across the services and across several agencies, we're getting good support and people get it. And that's helping with direction. We'll be right back. And now a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. 
That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show. The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. I see a friction point though, which, you know, you talked about companies or even investors coming and saying, "I know where I fit into a portfolio, okay, I'm not trying to beat out these incumbents. I can pitch my value proposition to slot in at this stage of the horizon model within this portfolio." But just gaining the knowledge of what portfolio you fit into sounds a bit like inside baseball. I mean, how would a company, whether it's a new company or even an existing incumbent, how would they know what portfolio they fit best into? Yes, well, I'll tell you about just one program executive office, so Digital. We took a moonshot in terms of the number of meetings we'd take. 
And so we started scheduling every, we started accepting basically and scheduling every possible cyber company that could make an impact to say, "Hey, how bad can this be? It can be very good, but there are a lot of them." And so we really stoked out the space and we did kind of a forward pitch. From that, how do we make that scalable? We put together an industry engagement book. Folks have said, and so you can check that on our website, they've said, "Hey, this is a front door. We can make use of that." So I think the short answer is where groups can communicate clearly and effectively, then they can make a bigger difference than they probably think. So what do they say? It's hard to make something simple, but after it's simple, then folks are clear. The next step of automation, just to give you an idea of how we think, is we said, "Okay, we can meet with you, but what really matters is, from an intake perspective, how much impact do you have?" So a lot of people still want to meet, but we won't be able to fund something unless we can show that it makes this level of impact. So why don't you do a lean business case? It's two pages. It won't hurt anybody, and it gives us data because even if you convince one or two or three people, data carries better than word of mouth or playing telephone. So I was struck, and this does relate, I think, to what you were just talking about. I was struck by the headline quote in the Atlantic Council's Commission on Defense Innovation Adoption. Back in April 2023, I've seen you use this quote on some of your documents from your office. So the quote is, "We have found that the United States does not have an innovation problem, but rather an innovation adoption problem. The DoD struggles to identify, adopt, integrate, and field these technologies." And so the thing that really stuck out to me was this four-step process of identify, adopt, integrate, and field. 
And you've talked about a number of ways in which your office and others in DoD are trying to better identify, adopt, integrate, and field. What I just heard you say, though, is there's still a tremendous amount of responsibility to the company to help you identify them, to help you adopt them. They need to pitch themselves and present their value proposition in a way that they understand how it's going to be adopted, how it's going to be integrated within your existing programs, offices, portfolios, and really mission needs. Would you say that that is fairly accurate? I think it's fairly accurate. And ultimately, it becomes a dance, right? Where does the onus go? If we are looking for moneyball, if we're saying, "Hey, we have $1 and we're going to spend it on one or two things," which one is the biggest impact? Would you want that to be on the receiver of the pitch to figure it out, or would you want to give the attacker advantage to the vendor who understands, "Here's how my product or our service has helped eight companies." They'll innately understand that probably better than they understand our domain, but it's easier for those companies that want to make an impact to know, "Hey, here's how I pitched to this group. Here's how I pitched to this group. Here's what my product does," as opposed to a small group of folks trying to understand a lot of different products and then figure out what's the best need. So we're just giving the onus or the platform or the opportunity to them to provide that value proposition so that we are not locked in. The chances that we have confirmation bias as a buyer is higher and opening the aperture to a wider range, likely better than the low confirmation bias or a different confirmation bias, someone who is pushing an innovative idea. We just know that most of the innovative ideas are out there, and so we need a funnel to receive them. So what we've done is we said, "Okay, we're in the same line as you. 
Innovation adoption problem, what can we do about that?" We send warfighters into the theater, we send them with a kit, so if we send folks into the DOD or federal ecosystem, here's the Innovation Adoption Kit. So the IAK is a set of tools to break that valley of death, in this case, into a handful of glands that say, "What if we're so prescriptive that we're asking for a technology that doesn't make sense anymore? We should then use top-level requirements. What if we are measuring something that is no longer relevant or doesn't have the same impact that we'd like it to? Then outcome-driven metrics are a proven answer. How do we talk about things that aren't quite mature enough? Why not the horizons?" So we're just offering those up and signing out some memos and references so that people can single up on language, because ultimately the taxonomy isn't the interesting part. The learning by doing, the finding the win-wins takes plenty of time, and so we want to shorten that front-end stuff. So one example I can give, just from my familiarity with it, is seeing these requirements written that potentially create vendor lock-in or even technology lock-in and antiquated technology, like a VPN. The number of requirements I've seen coming out of the DOD that require VPN, that specific technology, as opposed to thinking about what are they actually trying to accomplish with a VPN or a virtual network? I see that as a great example of exactly what you're talking about, thinking beyond and thinking of that top-level requirement as opposed to getting into the nitty-gritty of how you apply or accomplish that mission. Then that's the partnership we want from a public-private perspective. We say, "Hey, here is the operational goal." That's different from a prescriptive requirement that mentions a specific capability that happened to be invented in a year, like a different century than we're in right now. 
The "how" is something that we want to harness American innovation. If we can adopt more intelligently and be more adaptive, we're seeing that 10x improvements are not out of the question without even a cost increase in some cases. These are things that we just want to be really academically honest on from a moneyball perspective, from a cyber moneyball, from a military moneyball, and just from buying wins, how value-oriented are our investments. The analogy I'll draw for some of our listeners might resonate, but back from my targeting days when I was active duty, it's effects-based targeting, not capabilities-based targeting. What that means is, what is the effect you're trying to accomplish and trying to achieve, and let's come up with the targeting and the capability that will meet that effect. As opposed to saying, "Here are all these capabilities and technologies I happen to have on my shelf today, let's just take those off and do something with it." It's really thinking about, from a strategic perspective, what are you trying to accomplish, and then let the rest of us figure out how we go about accomplishing it. To that point, think about the difference in scale. If you solve one problem, then you have solved one problem. If you can prove the effects or the value of what you've created, you can use that with anyone else who has a similar high-level problem. There are interoperable things, and so in a lot of cases we say, "Hey, is this something that needs to touch a lot of interfaces? Are we making trade-offs? Okay, let's use MOSA." Like modular open systems approach is really important for us, but how we make those trade-offs, if this is a defensible piece, then that opens all the doors to more intelligent conversations. You mentioned a critical word there, and I want to dive in on that. 
This being part one of a multi-part series, we won't go too much further, but you mentioned scale, and everything that you've talked about around this idea of partnerships, public-private partnerships, how you're evaluating technologies, integrating, adopting, identifying technologies sounds like a tremendous human resources challenge. You're talking about things that, in my mind, don't scale well, to use a tech innovation term. These are things that require human resources that are skilled and talented. How do you think about identifying and developing talent within your organization to make sure that they have the skills that they need to identify, help adopt, manage, integrate new technologies? Sounds like a tremendous talent challenge. The friction isn't new. In general, there are lots of areas for improvement. There always have been, and that's true for the cyber sector and everywhere else. This is the best part of being alive right now. When Leonardo da Vinci was a youth, he said, "Hey, the hardest part about being alive right now is there's nothing to invent. Everything's already been invented." Then he went on to have more inventions than anybody else, and that's not even true anymore. The opportunities for value creation and removing friction abound. One of the main ways that we're doing this, and then I'll talk about talent, is if we see something that we're doing 15 times in a row, we want to abstract that. We want to automate that so that we can spend more time focusing. Sometimes we get dragged down rabbit holes that are lower value. We want to slick and simplify where we can. Some of these trade-offs are just repeat trade-offs. Simplicity and speed for scale are really important. The idea, we will never have so much talent that I'm worried about wasting it because of AI. There will always be more problems than we have people. How do we take these people and give them meaningful work? We will do that by focusing them on hard problems. 
That means stripping away the less important or the more repeated stuff and saying, "Okay, you are an expert on this technical domain, let's say quantum, and then this security domain, cryptography. Let's connect some dots there. We have data, we have processes to connect those dots, and we can push these pieces together to put that domain knowledge and your general process knowledge together to create much bigger inputs than someone who's doing this as a generalist." The short answer to your question is we're developing versatilists who are loving life because they're spending more time to get to results. They're getting through the horizons in several landmark cases much, much faster than they were. I've mentioned VC a couple of times, the VC feedback cycle, seven years before you know if you did something well or not, oftentimes, sooner if you messed up. We prefer the chef or the cook feedback cycle. I know if I made a grilled cheese sandwich that sucks in seven minutes, right? I can learn from that. It wasn't particularly detrimental. I ate it anyway. It was a little bit burned, but then we know how to do that differently. The learning by doing at speed in a framed way that is not particularly -- that is not exposing to important or significant risk, and then applying that to higher and higher stakes problems. Mean time to feedback, if you will, right? Mean time to feedback. To use a cyber term. I love it. Well, okay, so last question of this particular session, and what I have here is a 20-sided die, a D20, and I've got a list of 20 random questions, so you're going to get whatever pops up. Cool? Yes, it sounds like this has existed for a minute and I have not read this die, so hit me cold. Ooh, this is a fun one for you. So this one's called Tech Pet Peeves. What's one thing in the tech industry that frustrates you to no end? Can I give 20 answers to this one side of a die? Yeah, go for it. We'll go back to selling a technology based on the technology. 
I love tech. As an electrical engineer, I love this stuff. If you can't talk about it in terms of what impact it's going to have on the people that it's serving, then it's going to get lost. It's going to wash out. There are not enough technical people. We want more STEM people in the ecosystem, but we need translators, and that translation is to outcomes. So if you love your tech, we do too, please make sure you're talking about what common good it brings, what impact it has, not just the wiring diagram. Perfect. Justin, this is a great first part of our conversation. We look forward to having you back for the next one. A special thanks to Justin for sharing his insights on the US Navy's innovative strides and the future of naval technology. If you're looking for more details on today's discussion, be sure to check out the article linked in the show notes for additional context. We appreciate your listening and hope you join us again for more in-depth conversations on the latest technology and cybersecurity. This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. What's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.