Design Thinking and Entrepreneurial Approaches to Cyber Defence Workshop
Watch the Design Thinking and Entrepreneurial Approaches Brief
The afternoon was devoted to a special “Design Thinking and Entrepreneurial Approaches to Cyber Defence” workshop reserved exclusively for youth engagement and lead by:
- Dr Amy Ertan, Cyber and Hybrid Policy Section (CHP), Emerging Security Challenges Division (ESC), NATO [Facilitator]
- Mr Graham Henshaw, Executive Director, Miller Entrepreneurship Center, William & Mary [Facilitator]
- Dr Anthony Stefanidis, Professor of Computer Science, William & Mary [Facilitator]
Participants were given a specific problem faced by NATO in the cyber defence realm. They were guided through how to apply design thinking to this task, then were given space to ideate as they worked through “How Might We” (HMW) questions on one of three problems.
Problem #1 addressed: a range of adversarial state/state-sponsored, criminal, and other malicious actors conduct cyber and hybrid attacks against targets to achieve strategic objectives. These attacks may range from traditional cybersecurity breaches to sophisticated disinformation campaigns. Traditional deterrence mechanisms don’t work in the same way as with kinetic weapons (i.e. nuclear). As an Alliance of 30 nations, it is essential that NATO work together effectively to achieve its tactical, operational, and strategic objectives.
Problem #2 addressed: there is a significant shortage of skilled cyber-versed security experts in the workforce. Especially ones who can operate effectively in the overlap space of cyber technology and policy making. Nations report challenges relating to the recruitment and retention of skilled cyber experts, and significant attention is being dedicated to training future talent (including through schools and university programmes).
Problem #3 addressed: NATO and its Allies face an incredibly fast-moving threat landscape. One aspect of this relates to technological developments – where adversaries are making the most of changing cyber techniques and emerging disruptive technologies. NATO and its Allies face the challenge of predicting future security threats AND preparing adequately for them.
At the end of the workshop, participants pitched their solutions to the challenge as part of a group.
Darius Kölsch, Desk Officer for Science & Innovation, Institute for a Greater Europe: Our group discussed the general problem of emerging and disruptive technologies, and the corresponding challenge of NATO having to predict future technological developments. Specifically, we discussed the question “How might we enhance Allies’ preparedness for future security threats?” Several different approaches were taken into consideration, including incentivizing academic immigration, expanding (/maintaining) high-tech export controls, and creating an overview of all emerging technologies. Ultimately, however, we settled on expanding red teaming. In particular, we suggest expanding the role of red teams outside of the military, and within critical infrastructure. Given that a substantial portion of critical infrastructure in NATO member states lies in the hands of private companies, it is crucial to expand the definition of red teaming to include the corporate realm. Red teaming, the concept that one simulates an attack on security systems in order to discover flaws, is not new; our proposal is to expand the scope of red teaming. Possible implementation could include NATO-certification or other support (e.g., funds, coordinating secretariats, dedicated public-private partnerships) for private red team companies, or the creation of a NATO Red Team beyond the cyber domain. PR campaigns supporting a culture of red teaming in society may be considered as well. It is acknowledged that the proposal likely is not the cheapest. We nonetheless chose it because the priorities we see for NATO, particularly in the light of crises such as the Ukraine war, are proven effectiveness and resilience, and that, ultimately, is best achieved through repeated application and testing.
Alexandros Goniadis, Cybersecurity Operations Officer, CERT-EU: Our team decided to ideate on the basis of Problem #2 and “how might we: pursue agile organizational solutions that optimize collaborative decision-making across technology and policy teams, in particular. The ideas focused on how to bridge the gap between technology and policy teams within an organisation in general and then within an organisation like the Red Cross in particular, taking into account the target/nature of the organisation, international focus and budget/resource limitations. The team used two criteria to categorise its ideas, which were the cost of implementation and organisational resistance, while we made the strategic choice of limiting the pool of shortlisted ideas on the basis of their low cost and low organisation resistance. We landed on two ideas that complement each other. A) Create a cell within the organisation where the technical and the policy level would meet regularly and collectively work on creating links between “the field” and policy, B) organically bring the Policy Team closer to the Technology team, rather than management/hierarchy in order to build trust, the feeling that both teams work for the same goal, so that the policy team would not be perceived as a remote entity/gatekeeper of information between the technical team and management.
Isabella Castro, Fulbright Scholar, Fulbright Commission in Belgium: Our group addressed the issue of enhancing cyber defence collaboration between states, academia and the private sector to promote interoperability with NATO members & partners in combating cyber and hybrid attacks. Our group sought out to find a solution that was both practical and strategic in facilitating collaboration while respecting sovereignty and private property. As a result, we arrived at a recommendation of creating an independent organization consisting of members from academic spheres, the private sector, and state actors. This organization would require members to discuss and create policy recommendations as well as new software/technological developments used to multilaterally deter cyber warfare. Members would act as individual representatives rather than representatives of their employers, thus allowing for diversity of thought but autonomy in decision making.
Participating students will receive an acknowledgement of participation from William & Mary.
