SAN FRANCISCO — On stage at the RSA security conference here March 2, Defense Secretary Ash Carter was praised by the moderator for his “cool” ideas and his efforts to reach out to Silicon Valley.
Carter was applauded when he said he supported strong encryption of data, and overall, the room reacted positively to his message. One official on the trip received a handful of business cards from individuals hoping to find a way to work with the department.
But the scene also spoke to the cultural divide facing Carter as he attempts to bring the Valley and DC closer together. Carter’s address was not featured as a major event on RSA’s website, and where lines were out the door for small workshops, the room where Carter was speaking was only half full, with the audience ducking in and out.
Capturing Silicon Valley’s attention, it seems, is still up in the air. The good news for Carter, however, is the Pentagon seemed to gather notice with two initiatives announced during his trip to San Francisco.
The first was that Eric Schmidt, executive chairman of Google parent company Alphabet, will head up a new Pentagon advisory board focused on innovation. Schmidt is the quintessential Valley figure, and having him take an active role gives Carter’s outreach greater heft.
Schmidt told reporters March 2 that he has a number of names in mind to round out the 10-to-12 person board, but has yet to contact those individuals. He did say he is looking at “people who are highly technical and who can anticipate the changes in technology that will affect the mission of security.”
Ben FitzGerald, with the Center for a New American Security, said the board is a good idea and that Schmidt gives it needed credibility.
“The question will be the particular role of the board, where it will sit institutionally and how its recommendations might be acted on,” FitzGerald said. “Even the traditional defense boards have a mixed record in terms of efficacy and utility.”
The second, and perhaps most exciting initiative for the broader tech community, was the announcement of a “bug bounty” program in which the Pentagon selects a group of hackers, gives them department targets, and asks them to do as much damage as possible — and then to report back what they found to help the DoD patch those holes, in exchange for some kind of reward.
Participants will need to be registered and vetted, although a senior defense official said that the process for how they will be tested is still being worked out. All participants must be US citizens.
That type of program has become a best practice in the tech world, with the website BugCrowd.com maintaining a list of more than 470 companies that have such programs, including giants like Google, Microsoft, PayPal and Yahoo.
Jonathan Cran, vice president of operations at Bugcrowd, wrote in an email that the Pentagon announcement is a “great step in the right direction to addressing the critical need for cyber security skills in the US,” but raised concerns about the US citizenship requirement to participate.
“In general, researcher talent is more expensive in the US, so limiting the program to US-based, background-checked researchers may present challenges or simply require more incentives to participate,” Cran wrote. “33% of Bugcrowd's researcher base is here in the US, and less than 10% of those submit to background checks.”
Mark Ryland, chief solutions architect with Amazon Web Services in Seattle, said Carter’s outreach to the tech community has not gone unnoticed.
“Just this week seems like a real breath of fresh air,” Ryland said.
DJ Patil, US chief data scientist and a former top executive at Silicon Valley heavyweights like eBay and LinkedIn, said he believes Silicon Valley will “100 percent” respond to Carter’s overtures, particularly the bug bounty program.
“The number one thing I found as a Silicon Valley person is, everybody wants to figure out how to help. They struggle to figure out how you actually do that,” Patil said. “What they’re realizing now is ‘oh, through DIUX, through all these other mechanisms, this is no longer talk – this is real.’ And that is brokering a very different dialogue and conversation.”
He also notes that hackers may take part in the bounty program even if the financial reward is limited, whether out of a sense of duty or a sense of pride at being able to discover flaws others had yet to identify.
Adds Peter Singer of the New America Foundation, “It is a great example of Pentagon following the practices of the best firms, building incentives to make the hacker market work for you. [It’s a] great illustration of how the payoff of the outreach to Silicon Valley is not to be measured in new widgets but new ideas.”
The point about ideas versus physical technology is a key one, especially when discussing the core of Carter’s Silicon Valley outreach program, the Defense Innovation Unit-Experimental (DIUX).
An outpost of the Pentagon located in the heart of the Valley, DIUX has been criticized for not having produced any tangible results since standing up in August. But there is a sense, both with Carter’s staff and with the companies that are dealing with the unit, that it is making inroads with the community.
That was on display during Carter’s visit, when he held a “Shark Tank” style event where five small companies pitched him directly on their products for the Pentagon.
Sherban Naum, regional vice president for Bromium Federal, spent roughly 10 minutes explaining his product to the Pentagon officials. Afterwards, he was effusive with his praise for the fact DIUX was able to get him in front of Carter for even just a brief period of time.
Asked if he felt DIUX was working well, he responded effusively: “Oh my goodness yes. Yes. Yes, absolutely,” noting that officials from the group meet with his company on a weekly basis.
“It’s very cool. It’s very un-governmental,” Naum said. “You expect it to be big bureaucracy. This is nimble, it’s agile, and they actually do care.”
The challenge facing Carter’s innovation push now is twofold. First, it requires making sure the new ideas coming from the West Coast do not get bogged down by the internal Pentagon machinery of acquisition processes, security clearances and a long paper trail.
And second, it needs to be set up to outlast Carter himself.
For his part, Carter said he was “very confident” the process will outlive him, in part because of the people who have been hired, and in part because focusing on innovation simply makes sense for the department.
FitzGerald is less confident, given Carter’s role as the driver of the innovation discussion.
“The big question that remains for these announcements and the secretary’s innovation agenda writ large is how it will persist beyond his tenure and, relatedly, to what extent will he be able to drive change in core DoD organizations and processes,” FitzGerald said. “Those efforts require the personal support of the secretary. With less than a year remaining in his tenure, how will the secretary lock in his gains and truly move the building?”