CyberWire Daily - Mission possible? Navigating tech adoption in the DoD. [Special Edition]
Episode Date: October 27, 2024In this episode, N2K's Brandon Karpf interviews Pete Newell, CEO and Founder of BMNT, about the challenges facing technology adoption within the Department of Defense (DoD). They discuss the concept o...f “mission acceleration,” focusing on the DoD’s struggle to keep pace with rapid changes on the battlefield and the importance of a human-centered approach to technology adaptation. Newell emphasizes that true innovation in defense is more of a "people problem" than a technology issue, requiring shifts in organizational culture and internal education. Tune in to hear insights on accelerating change in defense through better problem articulation and training. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code n2k. And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, Thank you. that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context, Thank you. organization with Zscaler, Zero Trust, and AI. Learn more here today for this N2K CyberWire special edition.
On today's show, N2K's Brandon Karpf speaks with Pete Newell, founder and CEO of BMNT.
They're talking about challenges associated with technology adoption and change in the DOD.
I am here today with Pete Newell, the CEO and founder of BM&T. And Pete, today you and I are
going to be talking about defense innovation and innovation adoption, some of the core problems
that we have around technology adoption.
But I'm glad, really pleased to have you join us today.
Thanks for coming on the podcast.
No, thanks so much for the invitation.
I'm looking forward to this.
So if we can just start off with your net assessment at the high level,
where do we stand today in terms of defense innovation,
technology adoption for DoD problem sets?
I think, you know, largely, I hate the word innovation.
What defense needs to be able to do is accelerate its accomplishment of certain missions.
One of the things I learned on the battlefield, particularly in Iraq and Afghanistan, was
it was the speed of adaptation of technology that was really a challenge.
We were significantly challenged in how long it took us to recognize that something had
changed on the battlefield, new technology, new operating concept or something.
And then being able to articulate that change in plain English so that somebody could go
out and recruit people to help solve that
problem, to build a prototype of something, to get back to the battlefield so that people
could touch it and say, no, that's not really the problem, or yeah, you went in the right
direction.
That cycle time or that OODA loop is turning faster and faster and faster and faster to
the point where we take so long to articulate
the problem that by the time we go find people and build a solution, the problem has already
changed because the adaptation has taken place.
So I'm really big on talking to people about mission acceleration.
It's first understanding what the organization's mission is and what it is on the ground and
what they need to do to increase that cycle time.
Now, innovation is a process you can use to increase that cycle time.
But at the heart of it is how do we accelerate accomplishment of the mission.
So it's tying everything to a mission objective,
whether it's a high-level mission objective or in-the-weeds mission objective?
Correct. And being able to change that mission objective to keep up.
Okay.
Good things change.
So what you just described to me,
you know, we primarily hear talk about technology
and we also focus on cybersecurity,
how technology relates to human systems and business
and government and national security.
What you just described sounds like a very human-centric process.
You described a person observing a change, a person dictating what the mission objective is,
a person taking that lesson learned and bringing it back to someone who can interpret it and turn
it into a technology or a capability. Can you walk us through, I mean, is that human cycle
working today or is it not totally connected
in that loop that you just described? It varies dramatically
from organization to organization to organization. First and foremost,
innovation isn't a technology problem. We have
plenty of tech. We have old tech, we have new tech, we have tech we could buy.
We have plenty of technology. It's a people problem. And I incorrectly
I call it a sociology problem. It's really an anthropology problem as I was corrected
by one of my analysts. Leave it to the analyst
to be pedantic. I got such stinking smart people working at
BM&T that I'm almost afraid to walk into the room and open my mouth some days.
And we encourage them to challenge us.
Love that, yeah.
You know, I had this conversation.
One said, excuse me.
And for one to know she's got a degree in anthropology.
But she says, you're talking about culture and laws and rules and interactions.
That's anthropology, not sociology.
I'll stick to my wrong definition.
It's a sociology problem
because everything you just described
requires a person to take action
or not take action.
So it's really people
learning how to apply different rules
or learning how to recruit networks of people
to actually accelerate
how balanced they come together, that is the challenge of getting things done.
Now, in some organizations, they recognize that and they're starting to train their people
and they've written what we would call a document for how the innovation process works
within the organization.
Senior leadership shows up to encourage people.
They're engaged. And the organization is starting to actually coalesce around certain things faster and faster and faster.
That's different than organizations where there's an entity at the side doing something, still butted against the rest of the bureaucracy of the organization.
They're still trying to find a foothold, or they're still fighting for their presence in something else.
A really different application.
I can give a shout out to the Transportation Security Administration, which you would not imagine would be at the forefront of actually doing this.
But they are the first government organization to actually write a doctrine document for innovation that explains how the process works within the organization.
They train it.
They execute it.
The TSA administrator shows up at different events around the country to actually talk and listen and do,
and then he goes back and tells the staff what they need to change.
The Defense Logistics Agency is the other one that's really starting to spiral up because they've figured this out.
And they're starting to pull people together.
They're teaching them and defining
what that document will be. I suspect that DLA will actually write their first document this
year as well. That's an amazing change from 10 years ago. Well, what it sounds like to me that
those two organizations have done, they've made that a cultural identity. They've turned it into
a core competency of the
organization so as opposed to what you described as a lot of organizations having the unit that's
off to the side that is doing innovation kind of innovation theater actually incorporating it into
the core process and the core functions of an organization that's actually it's a great
observation about tsa that's not one that I would have made,
but now thinking about it, I've seen them just in the last few years adopt new technologies and new
capabilities and the speed at which I even get through the security line at almost every airport
has increased. So it does seem like they are actively making changes that we're not even aware
of. Yeah, they are such an amazing test tube. For the innovation problem.
Because their footprint in the airports.
Is severely constrained.
That space that you see them in.
That's what they get.
And everything they do.
To extend their mission.
Has to happen within that space.
So it's an amazing.
Example.
I think.
What you see coming from. What I would say the view of both organizations is the play of the long game. They realize that they now have to breed people internally who play by a different set of rules but understand what the rules of the rest of the organization are.
the rules for the rest of the organization are.
So they're training a core, and they're growing them, giving them experience, and moving them into positions where they can actually do the work.
And at the same time, they're training on the periphery.
They're training finance people and contracting people and other people who aren't core innovators
but actually touch the system so that when the innovation cells or whatever have to start building something
that's fragile to get something new, they have people across the organization you can reach out
to who understand the mission, understand the rules, and will help them do that. That is different
from, say, the Defense Innovation Unit, Naval X, AFWERX, Spaceworks, and all those others.
They don't have a large body of people to draw on,
and their services are not raising people
who will eventually take those jobs.
So when somebody leaves DIU,
they go shopping for somebody new.
And then they spend a year,
two years,
getting out on the ground
and trying to learn the job. And then they spend a year on two years, getting out on the ground and trying to learn the job.
And then they spend a year on the job and then they leave.
So, you know, I come back to the sociology problem.
If you don't build a new school to teach new rules and then give people the opportunity to get experience applying those rules in different circumstances, you're not
going to build a bunch of people to replace these. And you're constantly going to be fishing for
people to take the job. You can't scale that way. I'm interested then to pull the thread into the
specifics here. And you're starting to hit on why really I and this podcast have been reaching out to folks
in the defense innovation world and you and your teammates and to understand these lessons learned,
right? We work in the cybersecurity world where we've seen, you know, if you listen to the first
episode of this podcast in 2016, you'd be hard pressed to realize that that wasn't today.
So what that shows is 8 years
8 years of technology development and new tools
and new capabilities and the shift from on-prem to cloud
and now cloud to hybrid cloud and multi-cloud
and yet we're still facing the same issues
all of that new tech hasn't really fundamentally
changed anything because it's just been bubble gum and duct tape
on top of the same old problems.
And so I'm really curious how to implement what you're talking about,
the sociological solutions to the human problems of security,
whether it's national security, defense technology, what have you, cybersecurity.
And you started talking about education.
And so how can organizations,
whether it's DIU or Palo Alto Networks
or the DOD itself or the Department of the Navy,
how should they think about education
and implement education?
What should they be looking to accomplish there?
I think at the end of the day,
you're looking for people to gain experience.
That's the hard one.
And we can talk about hacking for defense, the course,
and what that does for student teams in terms of giving them experience.
And I'll quote a Stanford student from the course cohort that we taught.
And there's a student who got to the end of it and said,
and this is a Stanford student who'd been at Stanford for six years.
He went to his bachelor's degree.
And he said, in my time at Stanford, this is the hardest class I've ever taken.
They also said this is the only class that allowed me to use everything I ever learned at Stanford, every network I ever built, to work on a real problem with real people that gave me real experience that will lead to the job that I want to have.
And they harped on real,
real problem, real people, real experience.
Those students leave the course with such a sense of confidence
that they understand how to do discovery around a
problem and then do discovery around tons of solutions
and then discover pathways by which they can deliver things
that they have a pattern that will stick with them for the rest of their lives.
They're amazing.
What they do after the course,
in terms of either building companies or going to work on the government
or someplace else.
Now, when we first started hacking for defense,
we had a lot of support from the joint improvised ID threat organization.
And one of the things that John Young, who was the J8,
who looked at me and said, yes, I'll give you problems with this stamp, of course.
He goes, but solving one problem a year for me is really underwhelming.
I have thousands coming
into the building. He goes, my problem
is my people are supposed
to solve problems, aren't solving problems
anymore. They're just moving paperwork.
They have too many to do. In fact, they even
have zombie problems in the building. Nobody will touch.
He goes, I can't
even kill problems off because I don't have the time
to focus on them. What he said was, I will't even kill problems off because I don't have the time to focus on them
what he said was, I will help you with this university class if you come to my
organization and teach my people to view the same thought
in order to start clearing problems, and that was the genesis for
the development for hacking for defense
and the development of BM&T as a government-facing organization.
Well, our job is to help the government organizations internally while the Common Mission Project
is focused on the education platform.
From a problem-solving standpoint, the government has yet to internalize a professional military
or civilian education system that does that,
except in a couple of small places where the organizations are involved,
except in the places where those organizations are involved in hacking for defense,
supporting problems as problem sponsors,
or by actually getting people in the classroom.
That's different than, I'll give you, I guess, the counter to that.
In the UK,
hacking for defense is taught at Sandhurst,
the military academy.
If you are a senior military officer,
you go to, I guess,
the Defense War College at King's College.
At King's College,
you can get a degree in national security innovation.
The capstone course for that degree program is hacking for defense.
Those officers are now being taken from that course and being placed in higher-level staffs
to help them sort out how they're going to do mission acceleration
and how they're going to do mission acceleration and how they're
going to build these innovation processes along the long run.
So in the UK, higher level all the way down to the lower level, they are starting to invest
in people and trying to figure out how to connect the dots between the two.
We've not figured out how to do that in the US yet.
We're still pushing things to the side
and doing a lot of one-offs, but there's no doctrine for it. Right. And tying that back to
your earlier statements, what the UK seems like they're doing is they're internalizing the skills,
the norms, the process as just part of their professional education. They're not saying,
this is the unit that does it. They're saying everyone in this organization at a certain level needs to have the knowledge, the skills, the experience,
having done it so it becomes part of our organizational norms.
Correct. And I think, you know, the UK, because they don't have the economy we do,
they don't have the budget we do, has to focus on people because that's the place where they
can make grounds. I think it's unfortunate in the United States because we have these massive budgets, it's easy to
throw money at tech and ignore the focus on the people.
I'll give you an example. I read
a great futures document that the Army built that talked about the future operating
environment. I think at the last page there were two paragraphs
and one talked about the need for invested people.
Got to recruit the best people, got to have the right people. And then the next paragraph
talked about the need to transition tech faster.
The missing link between the two is you're not going to get that last one unless
you teach people how to do this. I mean, literally, I've got a
work document that's called The Missing Link.
You're not connecting the dots between growing people who understand tech and the mission and the ability to transition tech.
You're not going to get there at scale.
And by scale, it's not just scale in terms of numbers.
Scale in how fast things, the cycle speed has to scale faster.
Sure. The clock speed. I don't know what you would call that. The clock speed goes faster.
Clock speed, yeah. And it's not just in one organization, it's across the entire world.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
So then where we are today, I mean, where do we go from here? What is BM&T's role?
And in the next five years, what do we need to get done to close that loop, to find the missing link, to actually connect those two components?
You know, the beauty of what BM&T has done and continues to do is we are expert observers of the entire system.
And because we have clients spread from one end to the other,
we actually see the cause and effect of both successes and failures,
and we're able to document those things that work,
and we'll say why they worked, and those things that didn't work,
and we know why they failed, which allows us to rebuild models that we actually take to clients.
It's okay.
We understand where you are versus where you want to be.
And if you adopt this model, simply because that's where you want to be,
you're going to fail because you haven't done these following things.
So let's work on these following things in order to get you there
so that you can actually absorb this model and do it over time.
And, you know, it's a lot of, I would say, boutique-tailored integration.
But we're able to deploy people into those organizations to help the people who have that mission actually see themselves and see their organization in order to make something happen correctly.
More broadly, because, you know, BM&T is part of a tight ecosystem of BM&T versus the Common
Mission Project versus the wider H4D system versus Steve Blank and Pete Newell, we continue
to take on new topics every year where we spend time researching
those topics and listening to people across the ecosystem.
And then we bring them together for an event we call the Red Queen.
We're running Red Queen 6 at the end of October, focused on the topics of transition and leadership
where we bring in senior leaders from across the defense and the intelligence ecosystem, and in fact, they have a large contingent from the UK come this year.
And sit them down with, here's our observation, but we're also bringing in people to talk who are experiencing both the failures and the others to create some synergy amongst them.
experiencing both the failures and the others to create some synergy amongst them.
And then we'll take what we learned from that and reflect it back and say,
if we want to continue to push these down, here are the things that are broken.
Here are the people that are doing good work on them.
Here are the people who need to be integrated into it.
And try to bring that organization.
Try and bring this organization together to actually make progress.
And it's amazing what you can learn. For instance, we'll have Doug Beck, the current DIU director, sitting in a chair
next to Raj Shah, the old one. And we can do a reflection on
the experiences of both.
And I hope to hear Raj Shah talk about, here are the things I needed my leadership to
do for me that they didn't, and to see how that's reflected with Doug Beck.
But there are tons of people in this room who need to hear that conversation so they recognize their role as senior leaders in raising innovators and entrepreneurs in service and keeping them, but also protecting them from the system.
Does this process scale?
How do we take this and grow it beyond the ecosystem that you live in
and have it impact positively other core ecosystems
that face the same issue where it's a people problem,
a sociological or anthropological problem?
I would say it is scaling.
For instance, we could take hacking for defense.
We started the first class at Stanford in 2015.
It's a 10-year anniversary of the spring.
But hacking for defense then became hacking for
diplomacy. The State Department still runs,
actually, the University of Connecticut is teaching this fall,
hacking for climate. In the UK, there's
hacking for the Ministry of Defense or National Security. There's
hacking for sustainability. There's hacking for the Ministry of Defense or National Security. There's hacking for sustainability. There's hacking for transportation.
They're actually also launching hacking
for programming at the high school level in the
UK this year, which is amazing. So in terms of scale,
the education piece is starting to scale in different
places.
In the U.S., as I said, there's a complete absence of,
you know, we've taught hacking for defense at the Air Force Academy,
the Military Academy, Naval Postgraduate School.
Not in the Naval Academy yet.
I'll stop my feet one more time. Just five years of my trying.
I'm doing my best.
It's certainly not in the senior level, not the war colleges.
The war colleges, yeah, the staff.
So because there's no doctrine, there's no professional military education.
And because there's no professional military education,
there's no way to standardize what we've learned and
promulgate what's different about
this cycle speed and the rules that it works with versus
what we've done for the last 30, 40 years.
I think we've got to get to the point. I love what King's College
and the Ministry of Defense have done with their master's degree program.
Now, I, for instance, as a War College graduate, went to the Joint Advanced Warfighter School, which was intended to train me as a strategist for four-star headquarters.
did the job because I became a brigade commander, but at least there is a model that says we're going to take 14 or 20
students a year and put them through a one-year course and insert them
on a higher headquarters as a strategy officer.
Why can we not create the same thing
for all the chief innovation officers that we keep appointing
who are literally, they're appointed and thrown into OJT.
Right. Totally.
And by the time they finally figure out what they're doing
and start to have an effect,
their senior leader champion moves to a new job,
and then they get hammered by the whole system again.
Right, yeah. And the world spins madly on.
Yeah. So I think if we really want to move forward,
and I think it's not just Department of Defense,
it's the government as a whole or public service as a whole,
we have got to find a way to educate public service
in a different system.
So then, you know, with that call to action,
I'd like you to leave us with painting a picture.
And the picture that I'd love you to paint for the audience is, what do we risk by not doing this?
And then alternatively, what are the opportunities that when we do this that we will see come to fruition?
We risk relevance.
And, you know, I talk about risk as an entrepreneur.
Somebody says, oh, there's a risk of something failing,
there's a risk of something going bad.
I say, you're missing the point.
An entrepreneur's risk isn't failure,
it's in not recognizing and seizing an opportunity.
That's a completely different risk mindset.
Can you imagine if we'd ever fired somebody for not seizing an opportunity and run with it?
If you're an entrepreneur, if you miss opportunities and you've taken investment from people, you will get fired by your investors in a heartbeat.
That's the fundamental change. So by not doing this, we're continuing to punish people for accepting the risk
of going after things rather than encouraging
them to butt up against the boundaries of what's appropriate or allowed
and starting to change those things. And as they get
experienced, you give them more latitude.
And at the same time, also protecting them
from all of the bureaucratic people
who want to investigate them to death.
So, to go back to your picture thing,
you know, the picture becomes one of relevance.
If we do not do this, our protagonist will.
And we will find that we are
running way too slow
to even
stay in place,
which is kind of where the Red Queen thing came from.
Remember the scene
from Alice in Wonderland
where the Red Queen
grabs her and they're running and running and running, and finally
Alice falls on the ground and says,
I'm exhausted from all this running, but I'm running faster and faster and I'm staying in one place.
And of course, the Red Queen says, if you ever want to get ahead, you're going to have to run faster and faster and faster and faster.
That's us.
Pete, a perfect place to end this first interview.
Thank you so much for coming on the podcast.
It's been great to have you.
I enjoyed it.
We're looking forward to having you back to talk more
and to speak more with BM&T and the Common Mission Project.
Awesome. Thank you, Brian.
Thanks, Pete.
Our thanks to Pete Newell, founder and CEO of BMNT, for speaking with us. That was N2K's Brandon Karp on the mic.
Thanks for joining us. We'll see you again next time. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.