
Why the DOD’s Replicator should be a model for cybersecurity

Voices like Bruce Schneier argue that persistent updating and vigilance demand the unachievable from technology that is inherently insecure and burdened by human failures. We are forced to live with it due to the reality that existing infrastructure and approaches must be maintained. The problem gets worse each year as vulnerabilities become embedded ever deeper in our approaches and our code.

The mosaic mentality shifts attention away from defender systems – both the technology and the human element – and toward those of the attacker. The concept is not a replacement paradigm but certainly one that interacts with existing approaches in a new and potentially game-changing fashion. Under the mosaic concept, asymmetry is where adversary strengths are made into weaknesses to be exploited. Operationally, this brings several implications for cybersecurity practice.

First, the primary vision of AI-enabled malware or AI-augmented operational planning sees an autonomous threat actor able to analyze an attack surface rapidly, change techniques and tactics quickly, and prioritize target types depending on independent assessments of tactical risk. This sounds powerful, but it is still a tool being leveraged against a static defensive setup. It is suboptimal because the defensive landscape is destined to change. AI systems might, for instance, rapidly dilute the data footprint of compromised infrastructure by generating terabytes of false generative content, turning a perceived offensive advantage in automated speed and scale into a debilitating weakness.

Second, the Replicator idea of swarming solutions to pressing challenges underscores a core principle that may seem counterintuitive to cybersecurity professionals, namely that overwhelming a problem often means not being a first mover. To take advantage of adversary strengths, it is necessary to understand their system of approach. Then, the second mover can more effectively swarm into gaps in the adversary setup.

What’s necessary is only that the defender can swarm toward solutions under crisis conditions, something that is difficult with “exquisite” products and packages. Instead, cheap AI solutions that can be patched together in a creative mosaic in the short term can provide the second mover rapid response capability and offer cybersecurity defenders an advantage that traditional patching paradigms – focused on maintainable, complex capacities – cannot.

Avoiding cybersecurity innovation pitfalls

Finally, Replicator is meaningful for cybersecurity industry practice, particularly as it pertains to AI development and onboarding, because it provides a clear model for overcoming traditional pathologies and challenges related to technology innovation. Researchers agree that optimal harnessing of AI will occur where open network structures exist to promote the flow of information about new developments, and where prevailing thinking about organizational missions resonates with incoming ideas about new technological possibilities.

These conditions speak to a unique feature of emergent technology adoption, namely that sufficiently disruptive technologies (like AI, web technologies, or the telegraph) organically expand the possible pathways via which an organization might accomplish its mission (including better cyber defense). New pathways for achieving organizational goals are not always recognized by the people and institutions involved. Insular organizations led by inflexible thinkers often produce tribal visions of what a new technology could bring. The operational ideas that follow are often fragile and colored by inter-group conflict.

Fixing one of these issues – insular organizational structure or the lack of visionary leadership – isn’t sufficient. Open company structures under rigid leadership often produce a “see what sticks” approach to new technology, often leading to little real mission-specific development. Insular organizations with visionary leaders often champion ideas that are inflexible and ultimately not resilient to the tests of time or marketplace. One need only ask the leaders of Research in Motion what they think about physical keyboards on smartphones today to see the pitfalls of such a setup.

Replicator’s conceptual gambit is a solution to avoid these pathologies and pitfalls of new technology innovation. Building an interconnected organizational structure headed by leadership possessed of the right technology visions is a complicated task. Embracing attritable capacities for cyber defense – and other challenges – lets bad ideas die in the gauntlet of testing while resisting commitments to expensive, “exquisite” solutions that are hard to retreat from. This not only builds novel mosaic capacities for cybersecurity practice, but also acts to mitigate the risks of premature over-investment.

Working towards mosaic cyber defense practices

The Replicator initiative is one of the most thought-provoking developments to come from the defense establishment in years. The lessons to be learned for cybersecurity development and practice should not be overlooked. Mosaic warfare is a model for cybersecurity operation that complements traditional static defensive paradigms by creating asymmetries in the use of cheap, attritable solutions. The same approach presents an excellent model for overcoming many of the pitfalls of attempting to innovate around new technologies – such as AI – for existing organizational missions.

What’s needed to bring the promise of something like Replicator to private cybersecurity practice is recognition that the DOD is leading thinking – for now – on AI and related technology adoption. With such recognition, space might open wherein pipelines for attritable solutions for cybersecurity practice become competitive with traditional market offerings and where norms of limited use become standard. With movement in this direction, the possibility of cybersecurity stakeholders changing common doomsayer narratives on AI and cyber futures is real.
