The Startup Defense

Artificial Intelligence, Open-Source Security, and Defense Unicorns with Rob Slaughter

July 19, 2023 Callye Keen Season 1 Episode 13

Episode Summary:
Callye Keen discusses the complexities and challenges facing defense technology innovation with guest Rob Slaughter. They explore the landscape of government defense contracts, the role of open-source software in innovation, and the potential of leveraging AI in the defense sector.

Topic Highlights:
00:00 - The Government and Open Source
Rob Slaughter discusses the pros and cons of using open-source software in the defense sector. He highlights the barriers to adoption, including policy restrictions and security concerns. This conversation provides an in-depth look at the potential for change in governmental processes.

15:47 - The Security of Open-Source
Slaughter delves into the security implications of using open-source software. He expresses a nuanced understanding of the benefits and drawbacks, such as the potential for a broader community to identify vulnerabilities versus the risks of exposure.

30:02 - Balancing Innovation and Practicality
There is a struggle between pushing for innovation and adhering to practical limitations. Rob and Callye explore this balance, discussing the importance of clear communication, understanding end-user needs, and the careful management of resources.

38:49 - AI's Role in Defense
Delving into the opportunities AI presents, Rob paints a vivid picture of how machine learning models could process and extract information from government documents. However, he acknowledges the complexity of marrying classified information with AI, emphasizing the need for continued research and development.

40:39 - Auditing vs Implementation
Callye Keen introduces a significant problem in the defense industry - the focus on audit standards over implementation standards. This shift in approach could significantly alter the way businesses interact with government defense contracts and improve operational efficiency.

42:40 - The Incentive Dilemma
Both Callye and Rob underline the tension that exists between innovation and profitability in the defense sector. This part of their discussion explores the reasons behind the defense sector's reluctance to embrace open source and the potential loss of expertise that could ensue.

44:12 - Shaping Defense Innovation
Rob draws attention to the innovation ecosystem within the defense industry, the budget allocations, and the impact of leadership changes. He also expresses his concern about the rapid turnover of personnel in government innovation programs, likening it to the challenges startups face.

Callye Keen - Kform
https://kform.com/
https://www.linkedin.com/in/callyekeen/
https://youtube.com/@kforminc 
https://twitter.com/CallyeKeen 

Robert Slaughter - 
https://www.defenseunicorns.com/
https://www.linkedin.com/in/robertcslaughter/ 
https://www.youtube.com/@defense-unicorns
https://twitter.com/DefenseUnicorns

Speaker 1:

The thought of engaging with an adversary that has advanced AI capabilities at scale, when we are struggling to deliver anything, absolutely terrifies me. It terrifies me to think of sending people to war ill-equipped from a software perspective.

Speaker 2:

Welcome to The Startup Defense. Today I have Rob Slaughter. This is a little bit of a celebrity interview for me. This is the only other entertaining podcast host that I know of that's covering the defense industry. So we have Rob. He's the CEO of Defense Unicorns and, I guess, chief podcaster as well, and I want to get into this: what led you to launching a show in the defense space and defense industry? Obviously, your background. But before we dive into that, can you tell our audience the story of Rob? What are you up to? What are you passionate about right now?

Speaker 1:

Yeah, absolutely. I appreciate that. I've been called a lot of things; entertaining, I'm going to add that to the list, which, you know, if you're going to be something, might as well be entertaining to folks. So I appreciate all the kind words, and for folks that have listened to the podcast, appreciate you tuning into this one; huge fan of The Startup Defense and really, really honored to be on the show. For myself, I kind of was a military brat in some ways, even though my dad didn't directly serve, but my grandfather did, and so I grew up very close to an Air Force base, was always very passionate about the capital, defense and some of the activities, and started my career in ROTC and eventually got into the military for a number of years. So it's been most of my adult life as an active duty service member, doing a lot of technical things and a lot of software things for a number of years.

Speaker 1:

Really, over time I became truly committed to the mission, and you know, the mission to me is really just about not just national security but free societies in general. So it's, you know, much more than just a United States thing; it's more a philosophical, values thing, and this understanding that, in order for certain values that I live by as a person to be present in this world, certain people have to make sacrifices. They make sacrifices with their lives, and they also make sacrifices with their careers, and so, for me personally, what I'm ultimately passionate about is dedicating my life to ensuring that the values that I stand by and believe in continue to be valued across societies and protected against, in some cases, nations who don't uphold those same values.

Speaker 2:

What I find interesting about what you just said is it's very serious and mission focused, and your content and your posts on LinkedIn are also like this. But for everybody that's listening, you can go to his website, Defense Unicorns, you can look up Zarf, right, and your branding is very fun and approachable, but what it does and who it serves is very serious. So from a business perspective, I found that very interesting, because we're kind of in an industry that, rightly so, takes itself very seriously, and your mascot is a unicorn. So can you just level set with me a little bit about this? Because the branding is very good, and before we started recording, I was saying, hey, you know, I have this experience talking to a lot of people in e-commerce and startups, and that's really a flavor of branding that you might see come out of the startup world, or you might see more on that consumer, heavily branded, really dialed in, you know, e-com brand look. And yet you're doing what you're doing: air gap deployment for military software, right?

Speaker 1:

What we want, and really our view from a branding perspective, is we wanted people, and what we refer to as mission heroes, which are our customers, to instantly know that we're different, and we didn't really think of anything better than to effectively make a parody of the entire industry. The entire industry is all about sharp corners. It's all about serious names. It's like insert god name here for all of these programs of record, and everything's going to be serious and, like I said, it's all about having those triangles with typically silver or blacks, very dark reds, very serious colors. Hey, this is the coolest thing to do, and we wanted people instantly, when they work with us, to open up their minds and instantly think differently than what they were experiencing working with other potential defense contractors. And an effective way to do that was everything about the company, to include the logo.

Speaker 1:

Nobody looks at that logo and thinks a defense company, but it does stick with you and it's memorable. My daughter loves unicorns, and the amount of unicorn stuff that people get me is absolutely insane, so obviously she's excited. It puts smiles on their faces. It builds both company culture and, externally, with the mission heroes that we work with, it's something to remember, and it was really about setting the tone from the very instant that a new mission hero comes in contact.

Speaker 2:

Yeah, I love this.

Speaker 2:

A recurrent theme that we'll have on the show is developing this talent pipeline and getting the best and brightest, whether that's commercial startups looking at new opportunities in the defense space, or getting people graduating out of college and then looking at a military service career, or just looking and saying, hey, I really enjoy what's happening in AI and I'm going to approach this startup space in defense because of the problem set or the mission set or the opportunities that are available.

Speaker 2:

But, to your point, a lot of the branding that's out there from my day-to-day customers, so I won't, you know, name any names with the big boys, is very, not just conservative but distancing. If I was 22 years old and I'm going to weigh, do I want to work for some cool startup company, where it seems like I'm going to be a part of a great culture and a growing team and I'm going to get to know everybody and we're going to work quickly and use agile principles and develop and find and grow together? Or am I going to go work for XYZ prime? It's really, really hard to convince me to go work for XYZ prime when I'm stacking that up, and somewhere in the middle is like Google or Meta, which is a blend of those two things. Yeah, I think that as an industry, we really do ourselves a disservice by trying to be too cool for school.

Speaker 1:

Absolutely, and obviously I hope the defense industrial base competes very well for colleges and universities. And even though I joined the military through ROTC, I do remember going to the career fairs and talking with a number of different companies, and I think they do a pretty good job. But I agree, I think the younger generation is looking for something different. They're looking for anything that stands out. There has to obviously be substance behind it, and I think that's key: it has to obviously be much more than just a logo. There has to actually be the entire company culture buffing.

Speaker 1:

But the logo puts it in the right mindset. It has a lot of people just ask questions: hey, what do you do here? You know, I get a lot of eyes when I go to the bank and tell them I work at Defense Unicorns, and so you can imagine it's definitely a conversation starter. Once the conversation is started, you know, I think as a company we do a really, really good job of just explaining how mission focused everybody is.

Speaker 2:

Can you tell us a little bit about what you're doing at Defense Unicorns? What does the company actually do? I think that's going to lead us down a couple of interesting roads and possible intersections with what we're both working on.

Speaker 1:

There's a number of issues across mission focused organizations, which for us is, you know, everything from energy to finance, to federal government, to the Department of Defense. As a company, we really focus on the catering events, but we do share no commercial and at sieve like Medicaid, Medicare, and so we are in those other areas. But the real problems, when you actually drill down, what you actually see is that people are struggling to do their jobs because of something. Sometimes that's bureaucracy, but disproportionately it's software and IT. And so you have all of these very, very bright, motivated people, which is hard to get; talent, it's hard to get those people in those positions. They've likely taken a sacrifice to take that position, and they were hired to work on program blank. And program blank is super important. You know, it's the national security program, or it's ensuring the healthcare for hundreds of millions of people. It's super important. But instead of spending their day making the world better, they're spending most of their days staring at a computer just trying to log on, and they're struggling with things like Excel, because they can't get any software other than Excel approved, and they're spending most of their time just struggling with the system rather than actually making a difference, and so Defense Unicorns focuses specifically on that problem.

Speaker 1:

We make software and IT easy. We're heavily focused on things like Kubernetes, because that's where the largest point of adoption is. That's where a lot of people are not only heading but already at, and so we focus on secure software baselines that make delivering software and IT solutions just easy for any mission customer. A lot of our mission customers work in Osbite environments. You know, they work in these disconnected environments, so we produce tools, such as Zarf, that make that air gap software delivery easy. We also leverage a variety of other different solutions. We're an open source company.

Speaker 1:

One of the things that's always been frustrating in my experience with providing solutions for the government is the government kind of does one of two things. They either build something themselves that's generally terrible or not as good, or they go with the COTS solution, which is generally fantastic for the short term. But as they work with that solution over one year, five years, 10 years, it becomes less and less successful, many times because that small startup and that small solution that was awesome ends up getting an IPO, or they end up getting bought out by a larger corporation. And then the agreements and understanding and customer intimacy that you fell in love with transition away.

Speaker 1:

The mission heroes and the customers that we love working with are those really, really long, super important programs, those programs that, for the next 50 years, are going to be vital for national security, because those programs don't want to hear that there's a chance that a CEO at some company is going to be able to dork them over 10 years from now and their software baseline is going to be behind a license. And so we really, really fundamentally focus on: you, the mission hero, own your own baseline, own your own destiny. You pay us for support, but we don't ever lock your data out. You always own your data, and if you choose not to work with us, you can hire some other company and you don't lose access to your data. You don't lose access to your capability, which we fundamentally believe is in their best interest, and by having that sort of mission and customer first perspective, we think that ends up being the most successful business model as well.

Speaker 2:

You talk about open source, and you're a big advocate for open source software, which I can really get behind. A common argument I see with open source is everybody knows the code, so it's going to be insecure. I hear this in defense very often. But then of course we're implementing Linux, like, over and over again. In my opinion, that means that more people have looked at it, and also you have the ability to more rigorously test it for vulnerabilities. But how has that conversation gone, bringing it into the defense world?

Speaker 1:

It's personality dependent. The reality is that the statistics show 95% of software consumed by aerospace and defense leverages open source products. So even your COTS solutions are really going to be open source projects under the hood, and they're building on top of those open source solutions, because they'd be crazy to rebuild something that already exists. So there really is no alternative to "am I going to use open source software, yes or no?" The reality is you are going to use open source software. You kind of don't have a choice.

Speaker 1:

Maybe in certain areas in the stack you can go with some COTS solution. You certainly can buy support for your open source software, and for important systems I think that's vital. You don't want an open source solution that isn't maintained by anybody, because I would agree, I would say that in general that's probably not super secure for systems. But just because you're paying a company to support the open source solution doesn't mean that it can't, one, still be open source, and it definitely doesn't mean that it's insecure just because it's open source. And so I think people just lack the perspective and they lack the understanding. One of the things I really hope with the executive memo that went out on software bills of materials, SBOMs, is that people are going to start looking at their COTS solutions and recognizing, because they're going to actually have this bill of materials, just how many open source solutions are actually in the COTS products that they bought.

Speaker 2:

Yeah, I'm really watching this to see how quickly that evolves, because I can't draw too many direct parallels in hardware, or it's nature. There aren't that many, right down to the board level, open source pieces of hardware that people leverage, but essentially most of the components that you have, it's open reference, the information is available, and then it's built on standards. So what is an interesting parallel between software and hardware in the defense space is that I'll commonly see pieces of hardware that are made bespoke as if that has never existed ever before, like no one's ever made a radio ever, or no one's ever made a computer ever, and so you get these solutions which are instantaneously old, when in reality it should have taken 15 minutes to design the thing. And it always makes me think about open source software and how those same kind of tenets or those same values could be translated over into hardware. Because I'll use an example that's frustrating me right now particularly: there's a new connector that everyone came out with that's for man-wearable stuff, and I understand a lot of people worked on this. People built a lot of products around it, and there's a number of similar things, but in reality all of the hubs that people built are just USB hubs, and all they did was spend a lot of time making a worse USB. And so for a lot of this specialty backplane, this speed, this connector, I'm like, you know that that's existed forever, and there's an open committee that you can just join, and USB4 or Thunderbolt, that's already a thing, but you just created an incredibly worse version of this.

Speaker 2:

I could pull a number of examples where the reality is there's a disconnect between the development and the community that's developing that, and then the defense industrial base who's potentially executing on that, that's ingesting it. So instead of participating in that space, they're building their own adjacent additional requirement sets or standards and then saying we have this new awesome thing, when we already have XYZ. It's hardly exist. I don't know a nice way of putting it, but I do follow what you say in open source, and I think, like, is there going to be an open source hardware company coming up that's a little bit more than just saying PC104? We made a square that's all the same size, like, that's awesome. But what happens when the bill of materials is going to be completely audited, the supply chain being audited? When people get wind of the software bill of materials, they'll think, why can't I do that for my computer that's inside of here, or in my radio that I'm buying from XYZ? I think it's going to get really scary for hardware manufacturers.

Speaker 1:

Yeah, and I think the defense community and federal government, I think, is getting better, but there's, I think, still significant gaps. I think there are very, very small segments that are doing a good job, but disproportionately, I think, everybody's still messing up the issue, and it actually comes to: the devil's always in the details. To take your, you know, USB analogy, it's so frustrating when you buy a new device and you can't commonly plug it into anything, either to charge or to plug it into your computer. And we've all had those experiences where either the computer changed or your phone changed or whatever device you had slightly changed. Anytime you change that interface, it becomes super expensive to maintain that product, super more frustrating because it can't actually connect to anything. And in the software world the equivalent is APIs. I'll give you a common issue that you see across the community in things like Kubernetes, in that Kubernetes is Kubernetes, but everybody's Kubernetes is slightly different, and the distros themselves many times add features, and the features themselves have custom and unique APIs. And when you build capabilities on top of those custom, unique, non-standard APIs, what you're doing is coming out with a new non-standard charger that then makes it incompatible with the other devices across the community, and people don't understand why that's so bad. They don't understand why that's so toxic, because if you look at a system like, you know, JADC2, you know, Joint All-Domain Command and Control.

Speaker 1:

The entire point of the program is to connect all these things together. To be having discussions off of non-standard APIs is actually just madness, because you're creating something that's its own custom snowflake, when the only people who actually benefit are the defense contractors that are billing you per hour. They actually have no incentive to tell you that, no, you're wrong. There's actually a way to standardize this, and by standardizing this we could actually drive costs down. And so to me, like, the devil's always in the details, and people aren't fully incentivized to do the right thing.

Speaker 1:

I think most people, when they hear the words, they understand that it's common sense, like, hey, I don't want my weapon system to be a snowflake that can't plug into anything, because then it's going to be infinitely expensive for me, it's going to be expensive for anybody else and the JADC2 ecosystem, and they understand those words. But the majority of people that they're surrounding themselves with aren't saying those words. They just think, you know, Kubernetes is Kubernetes. They just think that this COTS product is this COTS product, and there's nothing wrong with COTS or commercial solutions. Those have provided incredible value. But you need to make sure that those solutions provide standard interfaces that allow them to be extensible to all the demands that the solutions need to go to, which is drastically different in the defense community than in the peripheral, just because of the sheer number and size of the systems and the differences across systems.

Speaker 2:

I like the idea of drawing a parallel to the API.

Speaker 2:

So what we're really, what we can really look at here, is in the past, a lot of these systems were siloed.

Speaker 2:

So if I was an X provider, I would be in charge of X weapon systems or X comm systems, and my data path would be fairly clean and siloed as well.

Speaker 2:

But now, because of silly ideas like AI, which I really want to get into with you, AI at the edge, we're not looking at siloed information where just my group or just my company is responsible for X and the maintenance of X. We're talking about mass sensor data acquisition systems. We're talking about systems that go out and understand the operational environment that they're working in from an RF or signal perspective, and then building a complete situational awareness map or whatever other output is important at that time. And so when we think of hardware, software and its API, its general case for extensibility is because it's no longer "I want to be able to see this on the screen" or "integrate with this mobile device." It's "I don't know in six months what else is going to be used, and I don't know what teams are going to collaborate, what they have." And so AI has taken this very frustrating problem and turned it into an unbelievably big, massive, massive problem.

Speaker 1:

One of the things that I think is always interesting about the community is how successful motivated grassroots initiatives really are. And I bring that up because there's a project going on in the Navy called Open Ship, and if they're giving a briefing outside of the Navy, you'll hear Open Sensor, which is a project maintained by Lieutenant Colin Dublan, and this is an active duty, you know, Navy O-3, who is writing this code that's trying to abstract the sensor layer from the different ships that he gets deployed on. And so, you know, as I'm sure you know, you're a hardware person, you can understand, when you're looking at that infrastructure layer and you're trying to jump from sensor to sensor to sensor, like, a radar system isn't just any radar system. Two radar systems are different, and a camera isn't just a camera. The radar systems are different. But how do you actually come up with a sensor agnostic API that allows you to develop capabilities that abstract the sensor layer from what the Department of Defense is trying to do, and then tie it into AI and some of the stuff that we're working on?

Speaker 1:

You know, specifically, actually, with Open Ship, there's another project we're working on. That's LeapfrogAI, which is trying to take the OpenAI API and, you know, have parity matching with that API standard, but bring those solutions into the air gap. And why that's so, I think, game changing, especially when, you know, mixed with Open Ship, is you'd have the ability to take telephroll, you know, LLMs, commercial generative AI capabilities, and then bring them in-house in a sensor-agnostic way and connect them to similar systems, radar, you know, camera, insert common ISR capability here, and actually connect it to real software running in real production environments. From what I've seen, everything from an AI perspective especially is super stovepiped. The very few success stories are out in the corner. There's no ability to kind of leverage that solution somewhere else in a different environment. You see the success, you see how valuable it is, but it's always done in silos, and it's never done in a way that's truly scalable across the entire force, not even just the force in any one service, but across the entire DOD in federal debt.

Speaker 2:

When I think of traditional AI implementations, I think of a black box, and it's beyond siloed. But projects that I've seen in the past, yeah, even with really great outputs, you think, like, well, what's the applicability for even a very similar mission set? Zero. So this is what I like tracking with current AI, the perspective that people are bringing, where there's a much stronger emphasis on the actual training, learning and pulling up an operational picture. So whenever I think of these physical product networks, so whether it's a ship or it's a tent or whatever it is, you always see these, like, clever pictures that people draw where there's, like, a satellite and a dashed line, some guy in a vehicle.

Speaker 2:

I love everybody's diagrams, but when you look at that, and then you look at a traditional network diagram where it's very organized and it's like, layer two, we do this, and layer three, we do this, or like an old software diagram where it's like, here's the business layer, here's the database layer, here's the GUI, you're like, oh, that's really great. Now let me go over to what my customer does. It's like, oh God, it's one of everything layered on top of each other, going across these different layers, and so there's a really great case for AI to be able to untangle the Gordian knot with some kind of training module. So I'm really excited for that, and we're working on a number of hardware solutions to try to bring that as far out to the edge as possible, as small as possible and, let's say, as heavy as possible.

Speaker 2:

It's incredible what you can do now with some of the AMD EPYCs or the Intel Scalable or the Ampere products, and what you can do to bring that right to the edge. It's like, what we would do in 10 racks, now I can almost fit in a suitcase. So it's really, really exciting. But I don't think that the system of systems designers have caught up to what you can do with the software and what you can do with the hardware. Like, there's a big gap missing in the middle. So I was kind of excited to have you on to chop it up about that, because I know you see a completely different side of this issue, and it's a massive opportunity.

Speaker 1:

The needs within the defense community are slightly different, because we've already mentioned air gap solutions, also edge solutions. As you know, there's, you know, a GPU shortage, but in the defense community you actually have a CPU shortage. You have tiny devices, they're outdated, you don't have the processing power that you have elsewhere, so how you would work an AI solution in the defense ecosystem is slightly different. One of the things that concerns me the most with AI in defense is, to go back to kind of the original things that we were talking about, which is the gap for software delivery: people have truly weaponized the ATO, the authority to operate, which has truly pure intent. This risk management framework process, where we're going to ensure that the systems that we operate have a risk mindset and that we have a way to evaluate the risks of any system, like, it makes sense, and on paper it makes sense, but in execution what's actually happening is counterproductive, because what you have is these outdated systems that nobody wants to touch, because you'd have to rework the ATO package. The biggest concern I always have, and the type of thing that I'm likely to go off on LinkedIn and Twitter about, is that everybody's talking about all these CVEs in current systems and nobody's looking at the software that hasn't been updated in five to 10 years. And so, you know, I don't care how insecure a new product is, you know, it's not going to be less secure than something that's 10 years old; it's just not. And so what's happened through this weaponization of the ATO process is that the ability to deliver software is getting delayed, which is making systems less secure. But then, on top of it, the capabilities that people are deploying with at crack, and they're deploying with systems that they shouldn't be, and we're putting people in harm's way, we're putting lives at risk. So when we are at war, which luckily at this current stage we're not; there's obviously international engagements, but US troops in combat isn't a regular thing right now. At those times in our history when we are at war, people are dying because of our lack of ability to deliver software.

Speaker 1:

AI is that next wave of capabilities, and if we don't have good solutions in place, you have to admit that the weaponization of the ATO process is not going away. Like, it is a barrier, and I've tried before. I spent most of my, like, career just going around the process and finding innovative people that will, you know, write me a blank permission slip to just deliver stuff because it's in the best interest of the mission. That's not the scalable solution. The reality is that the process is here to stay.

Speaker 1:

And how do you actually develop solutions that can map to the process without compromising speed, so that way, on ships and planes and tanks and C2 centers and business units, people doing their job and day-to-day operations can actually have AI and all of the capabilities that we're seeing, you know, in our lives, but actually incorporated into their jobs, like their actual, no-kidding operational mission jobs. And it terrifies me, like absolutely terrifies me, the thought of engaging with an adversary that has advanced AI capabilities at scale, when we are struggling to deliver anything. It absolutely terrifies me. It terrifies me to think of sending people to war ill-equipped from a software perspective.

Speaker 2:

Yeah, who hasn't seen Windows NT still installed on a computer? Right, and it's like a running joke, I don't know. You could probably go to any installation and you could find that there's a critical system that's still running on a completely unsupported version of Windows because it has one piece of software that is the approved-only version of that software and it'll never be updated, ever again, and that kind of goes decades back. It is an interesting space because we live in a world where we have the most advanced, very interesting, compelling technology and we have Windows NT running on computers at the same time, probably in the same facility. What came to my mind in your story there as well is people always find a way, and one of the things that I do is design shielded enclosures. So we make small ones, we make big ones, and I think that software is kind of like when somebody wants to run a phone line or an additional piece of power to their shielded enclosure and they drill a hole in it.

Speaker 2:

You know you're not supposed to install that app on your phone, right? It hasn't gone through NIAP approval, it's not supposed to be on there, but you need it, and the fact that you need it opens up the floodgates for other potential. Like, well, I also need TikTok, or I also need something else as well. Like, hey, we kind of flexed the rules a little bit to get that one tool that I actually needed and now it's kind of a free-for-all. There's a lot of fun stories, as like researchers put out a beer app and they were able to track these people because they social engineered them to all download this app that they're not supposed to, that shares too much information, and I think, like, I'm glad that we did that on purpose.

Speaker 2:

But I know the reason that that phone's not completely locked down is because there's apps that they need that aren't approved, that they have to get. So they have to go to a Puma or the app store, right, and go get them. And that's what you get when there isn't a fast approval or an approval process that is close to commercial speed, and that happens in software. And then, because of the software, it sticks in hardware, and that's where I see it is like, hey, I want this new capability. Why do you have a literal 30-year-old computer? Why do you have a 20-year-old piece of networking gear in this situation? And it's because approvals happened. Maybe that company was acquired three times between there, but we need the thing, but a very simple problem. So you saying about open source or APIs or just this little kernel here, it kind of cascades all the way down into having that, I don't know, that beer app to track troop movements.

Speaker 1:

Right, the problem and solution for today's environment is shadow IT, which is sad but true to say. Some of the most successful organizations that I've been at from an operations perspective had significant capabilities in their life.

Speaker 1:

Off in the quarter box you have this system that you've spent hundreds of millions, if not billions, of dollars on, and then next to it you have the thing that was made by Anif, by who knew some Python and some ashtrip thing, and they got a solution ready, and the majority of people are spending just as much time on shadow IT systems as they are on the real systems because, quite honestly, the shadow IT system is actually listening to their needs better than the program offices and the programs of record, which is the sad truth.

Speaker 1:

It does talk to things like the JCIDS process and how people staff requirements, but I think, regardless of any of that, the problem still is that software is too hard, and if software was easy, that Python application could get approved and that Python application could be authoritatively approved and used within operations. And that's the true solution. It's not to shut it down and stop that. It's bad, it's actually all goodness. The problem is that there's not actually a clear path to make it legitimate, to make it most likely more secure, because I'm sure there's certain things that they're doing that could be improved. But it'd be a lot better to, eyes wide open, evaluate and look at those systems and make them better over time than to just ignore that they're there, while still acknowledging that they're operationally required.

Speaker 2:

Some mix between pretending they don't exist and full-blown FedRAMP approval. There's got to be somewhere in between, yeah.

Speaker 1:

I would actually say that you need to automate the ATO and open source it, and Defense Unicorns as a company, that's our vision, that's our goal. We're going to open source the ATO this year. Open source the NIST 800-53 controls, same thing from a FedRAMP perspective, as many of the controls as could be satisfied.

Speaker 1:

Actually open source the control responses, which hasn't been really done.

Speaker 1:

And the reason it hasn't been done is because a lot of times your control responses are treated as CUI information because they're tied to a system.

Speaker 1:

But if you just generically develop a system in the open source and then actually answer all of the controls, not necessarily tied to a system, then you can actually open source another control thing, leverage it and use it.

Speaker 1:

But if you go to a program and you say, hey, let's see your NIST 800-53 control mapping for Oval, it's at least CUI and most of the time it's secret for certain systems. So there's really not a lot of information sharing, which makes it harder because 1,000 people asking the same 1,000 questions in 1,000 different ways could become this gobbled-up mess. And so it's not that the processes themselves, like they're here to stay, and everybody fighting them, it makes sense for short wins, and I've been a part of that community for a long period of time, but that's only going to give you short wins. It's not going to give you the true scalable solution that is going to be required in case we go to a nation-on-nation engagement with a near-peer or peer adversary. You need to actually have a true solution in place, and the process is here to stay. You need to actually map the process and impedance-match it with what commercial industry is doing from an innovation perspective.

Speaker 2:

While you're open sourcing 800-53, can you open source 800-171 while you're over there? Because, yes, absolutely so. Yeah, CMMC, I've gone through a bunch of MSPs and, because of what I do, I'm fairly familiar with how cybersecurity works and what to do. But if I was a smaller company or I didn't start as a software developer or I wasn't into tech, this would be really, really hard for a manufacturer to meet, because it sounds crazy, but in reality you look at it and there's just mysterious guidance when 90% of it's going to be the same for every single company. I'm like, I'm pretty sure I'm just going to give away how to do this, and Microsoft actually, to their credit, is pretty close to showing you exactly how to do it. But why not? Why is the perfect implementation to meet cybersecurity basic hygiene, why is that not open source so you can just have it as a recipe, give it to somebody and say they know how to implement this exact solution? We're going to lose a lot of manufacturing capability, a lot of innovation capability, because people can't do that. They do not understand the problem with ITAR. They don't understand the problem.

Speaker 2:

So for everybody that's listening, NIST 800-53 is more in industry. So we're talking about approving an app or a program, whereas 800-171 or CMMC Level 2 compliance is for the cybersecurity of your company if you touch confidential but unclassified information, and it's mandated now that you have compliance. But if you're a startup and you want to get into defense and then you're unaware of how to meet these requirements, they're fairly obtuse. It takes quite an effort and then, on top of any FAR regulation or other types of acquisition regulation, you're looking at a steep, steep learning curve, when in reality, Rob, I would even say that the FAR should be open source and there's no reason why I can't just put that on an LLM and be able to query it and know exactly what to do for any contract.

Speaker 1:

I think definitely there's folks out there trying to do stuff like that, taking a series of government documents, sticking them in some LLM as some embeddings to where they can go answer a question. That's seen a lot of progress. Ask Sage is one thing that makes a lot of talk about it. I know he's done a lot of that stuff. Locally with LeapfrogAI, again, we've done some things. Some of the biggest differences is LeapfrogAI's really intended for private and disconnected environments and stuff like that.

Speaker 1:

So, looking at how do you marry up your CUI or classified documents with something like an LLM, I think solutions are getting there, but I think you nailed it in that it is too hard for a small company. This is all we do, and I'm confused as heck. After years along this journey, I'm probably more confused now than I ever was. Luckily, I work with other people that are less confused than me, but it's like these are very confusing things. So it's not that it's complex, but it's overwhelming and it's subjective.

Speaker 1:

That's the other curveball here. Why isn't it open source? Well, it's not necessarily open source because two different AOs may not approve the same response, and so, well, what are people approving? And one of my biggest comments to that has always been, well, of course the AOs have some subjectiveness, because there's really not a library or a standard that they can reference to, and so they've learned to be self-taught in what they're looking for, and so they've developed a subjectiveness because they've had to, because there's no real good instructions giving them guidance on certain technologies of how these things should be answered. And if they had better documentation, better training, more of a better library of responses, then I think we'd see better standardization across departments and federal agencies.

Speaker 2:

Yeah, a lot of these standards.

Speaker 2:

They've been born from ISO standards, AS9100 or ISO 9001, where I've been a lead auditor for 15 years in those standards, and I'll tell you that every time we get a new third-party auditor, they have their own flavor of things, and those were built 100 years ago, to be fair, 80 years ago. They've been Xeroxed and cut and pasted and Xeroxed again, but the flavor of it is it's an audit standard, it's not an implementation standard. So, to change the approach, hey, this is, it's open source, how to do it right? Why isn't there a guidance manual? Why isn't there something that you can sign up for and say, like, hey, here's the 10 ways that are really great about implementing XYZ? These are the top three ways that we like for people to do this, to solve this particular challenge. Why it is all a mystery is because it's approached as an auditing standard, not an implementation standard, and that, to me, is a cultural change. It is the other side of the coin, and if we could get over there, we could be much more operational or ready.

Speaker 1:

Yeah, and you know, to go back to the incentive thing, it doesn't help that the experts on those solutions are the ones that are the people who are making money through the process, because there, once again, there's no incentive to making it open source, there's no incentive to making it easier, because actually the business model itself assumes it's too difficult. And by being too difficult, then you have to pay. And that's the dirty reality of a lot of these things, is that because it's so difficult you have to pay for it. And because of all of those reasons, because the experts are effectively leveraging their knowledge on the solution, of course it's not open source, because there's no incentive to make it open.

Speaker 2:

You know, it does this well. It is a different problem. But PEOs, on grants, program officers, people look at this like, I'm going to send in my pitch deck or I'm going to write this white paper, I'm going to send it in, these people are going to slap me down and I'm so afraid to tell them what I'm working on, because they're going to tell me how dumb I am. And then, because I work in startups, we do this. And then we have this phone call, we have a Zoom call and they're like, hey, I loved your, this is great, your draft is great. Let me help you fix this up. Oh, okay, yeah, great, let's do that. Hey, you know, there's somebody I know that has this. Let's shore this up, you know, and they're there not as a goalkeeper, but as a facilitator, and it's the opposite thing. It's unreal.

Speaker 2:

You know, later, after they give you the thumbs up, there is going to be somebody who's got to look over and make sure that you haven't lost your mind or not. But the cultural difference on the, let's say, SOFWERX, AFWERX, you know, DIU, on that side of, hey, let's go work with people, and they're not going to get it right, we're going to show them these opportunities, we're going to massage or best-fit what they can do for the challenge sets that are out there, that's gotten better and better and better. But for these things like we're talking about, it is, if not a black box, it's like the Wizard of Oz thing. You, like, pull back the curtain and it's not, like, real. Yeah, I just wish it was a little bit more like that. I could go on about this conversation forever. I'm really happy.

Speaker 1:

Good times, huge shout out to all the innovation ecosystem. You know, it's tough because AFWERX, DIU, you know, CyberWorx, like all, you know, all of the WERXes, and, you know, Project Blue Castle, rug and Platform One, you combine all of them together and you still get a fraction of a percentage of the defense budget, which, I'm just going to throw out numbers. Based upon my observation, I would say that most of that community probably gets one to 2% of the budget and they probably produce 5 to 10% of the impact, and so you're getting a 5 to 10x multiplier on what you're getting, which is a fantastic return, but you're not seeing the, like, massive change that you want to see because the percent that you're actually investing, that percent that's actually generating that ROI, is so low, and so it's like, of course, you're only seeing that 5 to 10% impact because you're not actually truly investing in what those solutions could be. You're seeing a great ROI, you're just not doubling down on it, and, you know, I've seen that time and time again. You know, PCS cycles and the number of times that you get traction on something, something's working, maybe it's getting to ops or already in ops, and then two or three people PCS away and then 18 months later the activity dies because it loses that champion. You know, to go back to the similarities and differences between, you know, our four world and the defense world, like, you know, I was involved with the organization that became AFWERX and those people before it became that organization. I was never a part of AFWERX, but, like, I remember those things starting, and, you know, I helped start Space CAMP and I helped start Cloud4.1.

Speaker 1:

And the reality is all of these people in the government that are in those positions, you all, everybody moves. Like, you know, since I've gotten out, like I started Defense Unicorns. It's been two and a half years. You know, it's a massively growing startup. We're 100 people, which blows my mind. If I was in the military they would be PCSing me.

Speaker 1:

Right now we're catching our stride, things are getting better, and then you would force me to move in the best interest of the nation, which is terrible. Why would you move somebody at a pivotal time like that from, like, I quote, startups on a life cycle? And you see that time and time again across the innovation cycle, a combination of lack of funding and a lack of stability in leadership. And, you know, you combine those two things and it's a recipe for, you know, it's a recipe for failure, which is why innovation, the innovation ecosystem, although it does have success stories, has a tremendous amount of failures. I still think it's a good ROI compared to the rest of the defense budget, but there are way more failures than there could be or should be if they actually figured out how to bridge projects and they actually figured out a way to stabilize the leadership and the champions of some of those projects.

Speaker 2:

For more on that, everyone should listen to Rob's interview with Steve Blank, which is scathing, really good. Steve says exactly what is on his mind, which is always really valuable for me. But I think we've both had Pete Newell on our shows as well, two really fantastic people that are huge advocates for innovation across academia, commercial, and bringing that into DoD or IC. That was a really great episode. So I'm going to end this episode at that point: you should go listen to Defense Unicorns and, if you're wondering what episode to start with, start right at the top. Steve Blank, right. He's the lean startup guy, right. So listen to that episode and you'll get a little bit of flavor of what we have going on in the defense industry. Rob, thank you so much for being on the show. This has been a blast.

Speaker 1:

Yeah, thank you so much. Truly an honor. To everybody listening, also a fan of The Startup Defense and hope you continue to watch the show.

Speaker 2:

This has been The Startup Defense, thank you.

Defense Industry Branding and Passion
Embracing Open Source in Defense Industry
Disconnect in Defense Community, Open Source
AI in Defense Systems
Software Approval and Cybersecurity Compliance Challenges
Challenges and Limitations of Defense Innovation