Why the DOD’s Replicator should be a model for cybersecurity

The United States Department of Defense (DOD) recently revealed a new initiative centered on securing the fundamentals of technology innovation viewed as necessary to win a strategic competition with the People’s Republic of China. The new program, called Replicator, aims to take development – particularly those pertaining to areas of artificial intelligence (AI) like robotics, sensing, smart manufacturing, and machine learning – of American technological breakthroughs and quickly scale them toward strategic use.

Such a goal will surprise few given the tendency of defense organizations to want innovative capabilities that are deployable in the near-term. With Replicator, this desire is tempered by stipulations that might surprise some, namely that capabilities should not emphasize reliability or sustainability. This has implications for the cybersecurity industry.

The Replicator concept: an opportunity for cybersecurity

The current focus on attritable science and technology products that are low cost and designed to fail after only a few years reflects a major problem shared by both the DOD and industry. Innovation around new technology – AI in particular – is critical to remaining competitive in years to come. Yet, new technologies like generative AI are causing problems today. This puts traditional incubator programs, investment initiatives, and other activities that envision exquisite technological solutions to big societal problems in a bad place, burning through resources today but unlikely to deliver promised security in the future.

Replicator, by contrast, is a different kind of answer to such challenges. Instead of complex one-size-fits-most solutions, DOD intends to swarm into the future with many simple inventions that cost little, address today’s issues, and can be discarded or scaled up as needed. Replicator itself is all about streamlining the pipeline for such investments, making sure that the inertia of bureaucracy and traditional defense industry gatekeepers don’t block promising ideas.

Replicator is a clear opportunity for industry, particularly cybersecurity. Diverse technology partners of the federal government will now be encouraged to build and sell solutions without expectations of exquisite, maintainable deliverables. Industry stakeholders should also realize that Replicator and the ideas underlying it represent a robust model for development around AI that helps overcome traditional hurdles for those attempting to innovate in new technology spaces. Specifically, a mosaic mentality is a sound hedge against overcommitment to both cheap solutions that may have little staying power and “exquisite” ones that might overstay their welcome.

Replicator: Mosaic warfare on display

The Replicator initiative arrives at a time when new geopolitical realities and sufficient novel developments in science and technology allow for a simple gamble: Mosaic warfare, an alternative theory of success for military practice, can be scaled up to work at geo-strategic levels.

The idea of mosaic warfare comes from a staple of far-seeing innovation in the US defense community, the Defense Advanced Research Projects Agency (DARPA). The concept is similar to other conventional thinking on American national security operations and strategy, such as the Multi-Domain Battle theory of combined arms warfare. Mosaic warfare and the alternatives emphasize the need to overmatch adversaries by using precision strike capabilities in complex operational environments. The mosaic warfare concept differs that it does not assume the global operational environment is static in its complexity or defined by immutable rules of human interaction. Rather, the complexity the DOD and other security-focused organizations face is emergent and ever-changing.

The solution to complexity that is difficult to model for the long term is to be cheap, adaptable, and capable of solving problems by swarming them. If the good guys are forced to deal with evolving systems and dynamics of engagement, then so are their adversaries. As such, the focus of strategic competition is less about overmatching an opponent’s traditional security capabilities and more about disrupting an enemy’s system – their plan of approach and the assumptions that plan relies on – and causing it to collapse.

From a capabilities standpoint, mosaic warfare eschews traditional systems because they are inherently rigid and inadaptable. Instead, many systems that are flexible, cheap, and multi-faceted allow for creative, evolving character combinations that can be either emphasized or jettisoned without harming the overarching mission. Capability stands very little chance, in other words, of looking the same over relatively short timeframes.

Replicator embraces this paradigm and aims for results at scale by investing in a pipeline – many pipelines, actually – that can deliver these pocket innovations to a complex defense establishment. In doing so, the initiative answers three emergent conditions that underscore the necessity of moving beyond traditional defensive mindsets.

First, and most significant for cybersecurity professionals, is a recognition from both within and out-with the defense establishment that AI systems and related developments (e.g., robotics or sensing innovations) are hitting an early form of maturity. Accessibility of these products supports AI as a reliable element of security architecture. So many AI products are flooding the consumer space that it is relatively easy to find cost-effective solutions directly off-the-shelf. The result is more forgivability for organizations that want experiment.

Second, the last few years have provided extensive validation for organizations interested in leveraging emergent technologies to build new defense strategies. Conflict in Nagorno-Karabakh and Ukraine have demonstrated the value in scrappy creativity around the use of attritable systems, most particularly around novel information technologies. Both conflicts have become known as the first true examples of a “drone war,” “cyber war,” and a “proving ground” for AI, largely due to experimental use of off-the-shelf products to create asymmetries aimed at overcoming adversary power. Replicator is all about building capacity for engagement before necessity forces it upon us.

Finally, despite the recent focus on Russia and the Middle East, the emergence of the People’s Republic of China (PRC) as a strategic competitor of the West provides motivation to quickly transform budgetary, supply, and operational approaches to conflict. The strength of American overmatch has always been in the innovation economy, but the ability to overmatch an opponent with credible, immense capacity like the PRC is weighed down by inertia. Replicator is an attempt to optimize American industry and defense postures to limit the time needed to respond to strategic crisis.

Case for a Replicator approach within cybersecurity

As organizations scrutinize AI’s utility for cyber defense and operations, the Replicator model of development, deployment, and attrition offers an opportunity for the cybersecurity community. Cybersecurity vendors can develop new solutions around proven concepts rather than existing, extensive architectures and stand a reasonable chance of finding DOD or other federal government contracts. The expectation that effective solutions are powerful but ultimately unmaintainable provides a counterintuitive motivation for vendors to develop cheap and disaggregated solutions. Interoperability of AI systems is generally found in shared information architectures and the minds of the user, making disjointed development less concerning.

Defense community sponsorship of new systems, techniques, and practices built around Replicator concepts presents an opportunity for enterprise customers of cybersecurity technologies. As the mosaic supply chain devalues complex traditional product suites that are expensive and static, public sector cybersecurity leaders will likely be able to demand lower cost for immediate return from vendors.

Beyond the potential value of a DOD move away from conventional procurement pipelines, Replicator suggests a mentality shift away from static operational paradigms and toward asymmetrical ideas of success. For cybersecurity, recent years have seen an avalanche of advocacy for new alternatives to traditional defensive, patching-oriented paradigms.

Voices like Bruce Schneier argue that persistent updating and vigilance demand the unachievable from technology that is inherently insecure and burdened by human failures. We are forced to live with it due to the reality that existing infrastructure and approaches must be maintained. The problem gets worse each year as vulnerabilities become embedded ever deeper in our approaches and our code.

The mosaic mentality shifts attention away from defender systems – both the technology and the human element – and toward those of the attacker. The concept is not a replacement paradigm but certainly one that interacts with existing approaches in new and potentially game-changing fashion. Under the mosaic concept, asymmetry is where adversary strengths are made into weaknesses to be exploited. Operationally, this brings several implications for cybersecurity practice.

First, the primary vision of AI-enabled malware or AI-augmented operational planning sees an autonomous threat actor able to analyze an attack surface rapidly, rapidly change techniques and tactics, and prioritize target types depending on independent assessments of tactical risk. This sounds powerful but it is still a tool being leveraged against a static defensive setup. It is suboptimal because the defensive landscape is destined to change. AI systems might, for instance, rapidly dilute the data footprint of compromised infrastructure by generating terabytes of false generative content, turning a perceived offensive advantage in automated speed and scale into a debilitating weakness.

Second, the Replicator idea of swarming solutions to pressing challenges underscores a core principle that may seem counterintuitive to cybersecurity professionals, namely that overwhelming a problem often means not being a first mover. To take advantage of adversary strengths it is necessary to understand their system of approach. Then, the second mover can more effectively swarm into gaps in the adversary setup.

What’s necessary is only that the defender can swarm toward solutions under crisis conditions, something that is difficult with “exquisite” products and packages. Instead, cheap AI solutions that can be patched together in a creative mosaic in the short term can provide the second mover rapid response capability and offer cybersecurity defenders an advantage that traditional patching paradigms – focused on maintainable, complex capacities – cannot.

Avoiding cybersecurity innovation pitfalls

Finally, Replicator is meaningful for cybersecurity industry practice, particularly as it pertains to AI development and onboarding, because it provides a clear model for overcoming traditional pathologies and challenges related to technology innovation. Researchers agree that optimal harnessing of AI will occur where open network structures exist to promote the flow of information about new developments, and where prevailing thinking about organizational missions resonate with incoming ideas about new technological possibilities.

These conditions speak to a unique feature of emergent technology adoption, namely that sufficiently disruptive technologies (like AI, web technologies, or the telegraph) organically expand the possible pathways via which an organization might accomplish its mission (including better cyber defense). New pathways for achieving organizational goals are not always recognized by the people and institutions involved. Insular organizations led by inflexible thinkers often produce tribal visions of what a new technology could bring. The operational ideas that follow are often fragile and colored by inter-group conflict.

Fixing one of these issues – insular organizational structure or the lack of visionary leadership – isn’t sufficient. Open company structures under rigid leadership often produce a “see what sticks” approach to new technology, often leading to little real mission-specific development. Insular organizations with visionary leaders often champion ideas that are inflexible and ultimately not resilient to the tests of time or marketplace. One need only ask the leaders of Research in Motion what they think about physical keyboards on smartphones today to see the pitfalls of such a setup.

Replicator’s conceptual gambit is a solution to avoid these pathologies and pitfalls of new technology innovation. Building an interconnected organizational structure headed by leadership possessed of the right technology visions is a complicated task. Embracing attritable capacities for cyber defense – and other challenges – lets bad ideas die in the gauntlet of testing while resisting commitments to expensive, “exquisite” solutions that are hard to retreat from. This not only builds novel mosaic capacities for cybersecurity practice, but also acts to mitigate the risks of premature over-investment.

Working towards mosaic cyber defense practices

The Replicator initiative is one of the most thought-provoking developments to come from the defense establishment in years. The lessons to be learned for cybersecurity development and practice should not be overlooked. Mosaic warfare is a model for cybersecurity operation that complements traditional static defensive paradigms by creating asymmetries in the use of cheap, attritable solutions. The same approach presents an excellent model for overcoming many of the pitfalls of attempting to innovate around new technologies – such as AI – for existing organizational missions.

What’s needed to bring the promise of something like Replicator to private cybersecurity practice is recognition that the DOD is leading thinking – for now – on AI and related technology adoption. With such recognition, space might open wherein pipelines for attritable solutions for cybersecurity practice become competitive with traditional market offerings and where norms of limited use become standard. With movement in this direction, the possibility of cybersecurity stakeholders changing common doomsayer narratives on AI and cyber futures is real.

CSO and CISO, Security

Go to Source