Thought Leadership

Andrew Young, CMDR, U.S. Navy (Ret.)

June 2024

I joined the Marine Corps in the early 1990s. As part of my bootcamp training, I remember learning about how 1st Lieutenant Presley O’Bannon marched across 500 miles of North African desert toward Derna, Libya to 'the shores of Tripoli' to capture and oust the Pasha of Tripoli from his Governor’s Palace fortification, putting a stop to the Barbary pirates’ demands for tributes. These ‘tributes’ included significant payments of gold and even the enslavement of American Sailors. I remember being deeply impressed and inspired by America’s first raising of the American flag on foreign soil, knowing that this wasn’t just any old military officer. It was a United States Marine, a title which I aimed to earn.

While tales like this inspired Marine recruits to stoically stand tall and just “get ‘er done”, the way it was told left out an important leadership trait: humble teamwork. Leading seven hard charging Marines across hundreds of miles of treacherous desert to fight in hand-to-hand combat against a blood thirsty foe, like a slow-motion scene from the movie 300 (complete with intense electro-orchestral soundtrack), was inspiring to my arrogant and young individualism, but it was simply not the whole story.

Yes, 1st Lt O’Bannon led seven Marines, but how exactly did they accomplish it? The challenges before them were legion: desert conditions, navigation, supplies, camels, horses, dealing with local tribes, political challenges, not to mention combat operations aimed at conquering a fortress hundreds of miles away. The first key of humble team success was that O'Bannon and his Marines were not alone. They part of a joint coalition task force organized by William Eaton, who spent years during his time as the U.S. Consul of Tunis assembling a diverse force that included around 24 Greek and European mercenaries, 10 artillery men responsible for 2 cannons, and about 50 Arab and Berber cavalry. In addition, this force was supported by about 200 local fighters.

William Eaton was the general commander, not a military officer, in charge of the entire operation. William Eaton had been a Captain in the Continental Army during the Revolutionary War. He had served for 17 years and resigned in 1797. He was officially appointed as a “Navy Agent to the Barbary States.” In other words, 1st Lt O’Bannon was led by an experienced Government Civilian. In contrast, O’Bannon was a first tour Marine, having only joined in 1801 and barely 4 years under his belt. O’Bannon needed all the help he could get. Eaton utilized his diplomatic skills to maintain alliances with local leaders, securing necessary supplies and reinforcements for their desert march.

The epic story of the Battle of Derna provides a rich narrative to explore the leadership principles of a humble team. Here is an outline of eight key principles that young leaders should learn and apply early to ensure mission success. The principles are to get the right person for the job, build an inventory of team strengths, reliance on expertise, patient strategic planning, building and maintaining alliances, adapting to changing conditions, shared goals of a single mission, and humility in leadership.

Get the Right Person for the Job

As the coalition force approached Derna, Lt. O’Bannon and William Eaton took advantage of the unique capabilities of each group within the mixed alliance. The Greek mercenaries, who had battlefield experience in both Ottoman revolts and European wars, led the frontal assaults, drawing on their unconventional and asymmetric warfare, artillery, and siege warfare experience. This strategic personnel management practice of “fit-fill” (i.e., fit means matching personnel skills with roles; fill means ensuring those positions are occupied), means that humble teams must rely on the skills and experience of others, maximizing their effectiveness. Today's military operations and defense projects can mirror this approach by assigning roles based on skillset to optimize mission outcomes, enhancing operational efficiency and effectiveness. It sounds obvious, but organizations fail, and employees are unhappy in their jobs because people are in the wrong roles. Identify the skills needed to do the job and invest in finding and developing the best personnel for success.

Inventory of Team Strengths

Success at the Battle Derna also relied on cross training of their teams. The historical record of the events of the 1805 campaign are fairly scanty, focusing almost exclusively on Eaton, O’Bannon, the assault on the fort, and the raising of the flag. However, Arab and Berber cavalry would likely have been known for their battlefield agility, flanking maneuvers and the elements of rapid mobility. In addition, these warriors likely provided critical intelligence about local terrain and enemy movements. The U.S. team could not have been successful without integrating knowledge of terrain and tribal factions, logistical resupply points, intelligence regarding enemy, neutral and friendly force compositions, and the plethora of combat skills tailored for a desert environment. This strategic integration of all the skills from the entire team’s inventory was instrumental in the coalition's ability to surround and besiege Derna effectively. Modern organizations should have a detailed skills database and the points of contact on your team that have that background. Spend time developing this list of skills that your personnel have. This will save money trying to learn something by yourself, hiring unnecessarily, avoids reinventing the wheel, and allows for rapid and innovative problem-solving.

Reliance on Expertise

The beginning of the end of the siege of Derna was displayed in naval and artillery coordination. The USS Nautilus, USS Hornet, and USS Argus, strategically pre-positioned off the Libyan coast, unleashed a barrage of naval gunfire. Their cannons, booming with unyielding fury, methodically broke down the ancient Ottoman walls that had long defended Derna, shaking the morale of the defenders with each strike. On land, Greek artillerymen operated the field cannons. These experts focused their firepower on weakened sections of the fortress walls, exploiting the chaos sown by the naval bombardment. The precise and coordinated firepower opened breaches that would have been impregnable under normal circumstances. Only after the fortress’s defenses began to crumble were 1st Lt. O’Bannon, his Marines, and hundreds of mercenary infantry able to advance through the smoking ruins. They capitalized on the openings created by their bombardiers, plunging into the heart of the city for close-quarters hand-to-hand combat. The shock and awe of combined naval and land artillery was critical, creating the necessary breaches for an assault that would otherwise likely have failed. This expert orchestration of firepower was indispensable, ensuring that what could have been a protracted siege instead culminated in a decisive and swift victory. Just as artillery proved decisive at Derna, modern organizations must harness the full potential of their specialists to achieve victory. Strategically position your experts where their skills will have the greatest impact in order to break through barriers. Leaders should actively cultivate collaborative environments among specialists, so projects benefit from targeted expertise.

Strategic Patience and Planning

The trip across the desert took 50 days, likely traveling about 10 miles per day. The forces gained the most ground during the cool of the mornings and evenings, avoiding the oppressive heat of the day as well as the risks of traveling in the dark. Each halt was more than a water break from a relentless march; it was an opportunity for tactical refinement and reconnaissance. During their stops, Eaton deployed scouts, gathering intelligence on the fortifications and defensive strategies of Derna. This patient planning turned their movement into a carefully choreographed advance toward the objective. During each stop, the coalition was able to physically refresh, and leadership could fine-tune their approach based on the latest intelligence and terrain analysis. This strategic patience and planning ensured that when they finally saw the walls of Derna, Eaton’s forces were ready for the assault. Strategic patience and meticulous planning are essential for today’s leaders. Success requires taking a tactical pause, get a bearing of how the situation has changed, adapting by carefully planning the next steps, and proceed accordingly. This will turn potential chaos into a calculated advantage, minimize resource depletion and maximize efficient execution.

Forging and Sustaining Strategic Alliances

In the harsh terrain of North Africa, William Eaton's diplomatic skills were legendary. He navigated a complex web of European mercenaries, U.S. political and militaries policies, and local tribal politics. Utilizing his years of consular experience, Eaton made key alliances with local tribes, securing safe passage and logistical support for the expedition. These alliances provided the coalition with vital supplies, reinforcements, and intelligence on the ground. As Eaton’s forces neared Derna, it was the trust and rapport he and his protégé O’Bannon had built with these tribal leaders that grew their force size and lifted spirits, turning potential adversaries into staunch allies. This coalition building blended military objectives with diplomatic engagement. Today’s leaders, whether in military theaters or corporate boardrooms, must similarly prioritize building and maintaining robust alliances and building coalitions. Strategic partnerships can dramatically extend an organization’s capabilities and reach, turning challenges into opportunities and fostering resilience against unforeseen adversities. The myth of lone heroes only works in movies. In real life, it just doesn’t work.

Mastering the Art of Tactical Flexibility

As the siege of Derna unfolded on April 27, 1805, Eaton’s and O’Bannon’s coalition faced fierce resistance from the city’s well-prepared defenders. The initial frontal assaults met with staunch opposition from snipers, small arms fires, and coordinated counter attacks from the Ottoman forces. This threatened to derail the coalition’s momentum. However, the coalition team demonstrated remarkable tactical flexibility, quickly reevaluated their strategy in real-time. They introduced agile siege tactics that included scaling the walls with grappling hooks and ropes, while deploying Arab and Berber cavalry as highly mobile assault teams. This tactical flexibility allowed the U.S. led team to breach the walls, sowing confusion among the defenders and exploiting gaps in their fortifications. This swift pivot from a conventional approach to a more guerrilla-style tactic kept the defenders off balance. Such adaptation under pressure turned the tide of the battle, enabling the coalition to capitalize on the chaos within the enemy ranks and push forward to victory. This level of adaptability is invaluable. Leaders must foster a culture where flexibility is ingrained, and teams are empowered to make quick, decisive changes in dynamic conditions. It's not just about altering strategies; it’s about anticipating challenges and proactively formulating dynamic responses.

Singular Vision

Eaton and O’Bannon excelled not just as tacticians but as unifiers. The joint coalition crystallized around a singular, compelling vision: to liberate Derna and restore Hamet Karamanli to power. Hamet Karamanli was the older brother of Yusuf Karamanli, who claimed the title of the Pasha of Tripoli in a coup around 1794. Hamet had been working with Eaton toward this objective for some time. This strategic objective was compelling to many of the coalition forces because it was viewed as a moral imperative. This political reality and singular vision was critical to the alliances and tribal cooperation essential for success. With this mission at the heart of the campaign, the joint coalition bonded behind a common purpose. The clarity and consistency of this message put aside linguage barriers and cultural differences, aiming everyone toward the same goal. This strategy of unification through shared goals is as critical in modern settings as it was on the sands outside Derna. In today's complex operational environments, whether in military engagements or multifaceted corporate projects, aligning teams under a single mission is indispensable. Leaders must articulate clear goals and foster a sense of shared destiny. This establishes a sense of participation in a larger story, driving teams toward success.

Cultivating Success Through Humble Leadership

William Eaton and First Lieutenant Presley O’Bannon exemplified humility in their leadership throughout the campaign, including the aftermath of their victory at Derna. They understood that the triumph was not merely a result of their brilliant strategy or personal bravery, but was rooted in the contributions of each segment of their assembled force. Recognizing this, Eaton and O'Bannon publicly acknowledged the vital roles played by the Greek mercenaries, Arab and Berber cavalry, and local fighters, celebrating everyone’s contributions. This act of sharing credit was a gesture of goodwill. It was also a strategic leadership approach that reinforced unity and loyalty among the troops. By highlighting the collective nature of their victory, they fostered a sense of shared purpose and mutual respect across cultural and tactical divides, setting a precedent for future collaboration. Today, this kind of humble leadership is essential. Leaders who acknowledge and value each team member's contribution can enhance group effectiveness and motivate individuals to perform at their best. Such leaders cultivate a team, driving respect, community successes, and creating an environment where many talents achieve common goals. This not only leads to more effective and innovative outcomes but also builds a resilient organization where people feel valued and part of something larger than themselves.

In conclusion, the story of Eaton, O'Bannon, and their coalition at Derna stands as a testament to the power of the humble team. Their triumph, achieved through shared resolve and mutual respect, highlights that true strength emerges when individuals unite under a common cause. This historical episode serves as a reminder that in both military and civilian endeavors, the most significant victories are those won together. As leaders and team members today, let us draw inspiration from their unity, remembering that the humble team, bound by purpose and respect, is the cornerstone of enduring success.

Steve Salinas, Captain (Former), USMC

May 2024

Artificial Intelligence (AI) kill switches are hardware or software mechanisms designed to remotely disable or restrict the operation of artificial intelligence systems if they exhibit undesirable or dangerous behaviors. Proposed by experts from academia and industry, including OpenAI and the University of Cambridge's Centre for the Study of Existential Risk, these kill switches are seen as a way to mitigate the risks associated with increasingly complex AI models.

One of the proposed uses for AI kill switches is to maintain control over the hardware running AI, making malicious or rogue behavior detectable, excludable, and quantifiable. Some implementations of kill switches embed co-processors that check digital certificates and allow for hardware deactivation or performance reduction if the certificate is invalid. Such mechanisms could prevent misuse of AI in applications like military technology or critical infrastructure. This protection prevents malicious actors from circumventing some of the safeguards in place that keep foundation models compliant to an AI service-provider's ethical guidelines.

However, implementing AI kill switches comes with pros and cons. Kill switches offer a tangible method to control potentially rogue AI behaviors, ensuring safety and regulatory compliance. An important consideration is that these additional checks performed by kill switch software and hardware add computational burden to end systems, which further prohibits robust kill switch implementations on computationally restricted end systems. Furthermore, these very safeguards could become targets for hackers or be misused by authoritarian regimes to stifle innovation, free speech, and human rights. Balancing these aspects is crucial as AI continues to evolve and integrate safety features.

Killswitch technology is still new, and implementation of this safeguard is nuanced and may not be the correct solution for every deployment of AI technology. As AI becomes increasingly important to organizations and businesses, so too is it important to weigh in expert perspectives when considering these complexities. At Datalytica, our deep understanding and innovative approaches are essential for any organization interacting with AI systems, ensuring both the effective deployment of AI and the necessary safeguards to protect against its risks.

Steve Salinas, Captain (Former), USMC

May 2024

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) published three advisories on vulnerabilities targeting Industrial Control Systems (ICS). While these specific vulnerabilities are new, ICS systems have long been the target of malicious actors due to how the systems are employed. Unlike conventional Information Technology (IT) systems that may be integrated with industrial systems, Operation Technology (OT) prioritizes availability over confidentiality or integration which balances security considerations differently that in conventional systems.

Maintaining ICS systems is difficult. ICS provides control, monitoring, and vision of OT that in many cases must operate continuously outside of strict maintenance windows. This constrains the update cycle of industrial systems to pre-planned instances, in the best of cases. Often these systems are deployed in remote locations that further delay the ability of operators and maintainers to identify vulnerabilities. Historically, one of the ways maintainers circumvented issues with remote systems, is by using hardcoded passwords. The use of a standard password across devices ensured that when a maintainer arrived at a remote location they would have some means of accessing the system of interest. ICSA-24-123-01 and ICSA-24-067-01, identifies this as one of the issues with PowerPanel 4.9.0 and prior, that ultimately allow an attacker to gain administrative access to the affected system.

ICS systems often only have a fraction of the computational power that consumer-grade hardware offers. This benefits industrial systems because it ensures that the systems used to monitor and control the OT due not increase the power requirement and cost beyond what is necessary. Unfortunately, as ICSA-24-123-02 shows, this can result in the abandonment of some security measures like input sanitization in favor of performance. The resultant effect is that these systems can then be used to access IT systems with confidential or proprietary data that an attacker can use in more advanced attacks.

Securing ICS systems requires a systematic approach that impacts how future systems are developed and integrated into new critical infrastructure, as well as techniques to mitigate the impact of existing vulnerable technologies. Most vulnerabilities in ICS systems can be significantly mitigated by minimizing the connectivity of ICS infrastructure, segmenting networks, and improving the robustness of password policies. Protecting these systems from cyber threats is not just about safeguarding data but is crucial for the continuity of essential services that sustain society.

Steve Salinas, Captain (Former), USMC

April 2024

At the end of February, a significant announcement emerged from the White House, advocating for the widespread use of "memory safe" programming languages. This endorsement, detailed in a press release available here, highlights the crucial role of memory safety in mitigating software vulnerabilities. By pinpointing memory unsafe languages as a primary source of these vulnerabilities, the statement underscores the necessity for increased public and private sector collaboration to elevate the prominence and implementation of memory safe practices. This initiative marks a significant stride towards bolstering memory safety, but it raises questions: What exactly is memory safety, and why is it so crucial for the future of software development?

What is memory safety?

Memory safety can be thought of as a set of guarantees and assurances made by a programming language that prevent a class of vulnerabilities. In other words, by choosing to develop an application in a memory safe language, software can be immunized against an entire type of vulnerability. Unfortunately, that does not guarantee that your software is entirely bug-free or prevent other classes of vulnerabilities, but research indicates that memory vulnerabilities are the root cause of up to 70% of CVEs (Common Vulnerabilities and Exposures).

How does memory safety work?

There’s two primary ways that memory safety is implemented. Some languages, like Rust, heavily scrutinize code at build-time to ensure that checks are in place to prevent unsafe behavior. Other languages, like Python, provide “garbage collectors” at run time to prevent erroneous memory conditions. Both of these approaches are hugely beneficial to developers because the final product is robust by default.

Why do we use unsafe languages?

To fully grasp the new prioritization of memory safe languages, it’s important to understand why developers use unsafe languages. Historically, unsafe languages have been the best way to maximize software performance on bare metal systems. In particular, some hardware cannot run the requisite garbage collecting services that some memory safe languages require. This can be either due to resource limitations or compatibility issues. These issues, combined with the maturity if unsafe languages in other development respects, make unsafe languages viable for software developers and end users in some contexts.

Industrial control systems that operate critical infrastructure are often among the resource constrained hardware that has leveraged unsafe code to allow developers to squeeze system resources for performance. Paradoxically, this means that some of our most important systems are the most vulnerable to exploitation as a result of this. However, memory safe languages offer varying degrees of compatibility with unsafe, allowing new code to be built on top of unsafe code bases. This can potentially ensure that as developers continue to build repositories, new code can provide assurances that were not integrated in earlier versions.

Why should companies care?

The software development landscape is rapidly evolving, with a marked increase in the demand for memory safety, driven by government advocacy and customer expectations. Consequently, software development companies must adapt their strategies, moving away from unsafe codebases and development environments towards embracing memory safe programming languages wherever feasible.

Currently, customers are not likely to find vendors who supply software exclusively developed in memory safe languages that meets all their needs. The sheer volume and inherent value of existing unsafe code make it daunting for many projects to transition. Yet, as memory safe languages evolve and their interoperability with traditional code improves, the barriers to adopting these languages are decreasing. Enhanced interoperability means that integrating new, memory-safe features into legacy systems becomes more straightforward, mitigating the costs and complexities of upgrading large-scale projects.

However, it's crucial to recognize that not all projects can seamlessly switch to memory safe languages due to compatibility issues or the specific resource demands of certain platforms. Despite these challenges, the steady push from governmental bodies, the rising demand from consumers, and the overarching necessity for enhanced security protocols make the shift toward memory safety an imperative for businesses. In the foreseeable future, companies may have to attest to degree of adoption of memory safe languages as part of security, compliance, or insurance requirements.

Conclusion

Memory safety represents not just a technological shift but a cultural one in the world of software development. As the White House's push for memory safe programming languages underscores, there's a growing recognition of the role that software infrastructure plays in national and global security. The pivot towards memory safety is more than just an attempt to curb the frequency and severity of cyber-attacks; it's a proactive measure to build a more resilient digital future. As developers and companies navigate this shift, they're not only responding to immediate security concerns but also contributing to a foundation that will support safer, more reliable software systems for years to come. This move towards memory safe languages, therefore, isn't just about preventing the next big data breach; it's about ensuring that our digital infrastructure can support the increasingly complex, interconnected world we live in. By prioritizing memory safety, we're investing in a future where technology can continue to advance without being undermined by fundamental security flaws.

Steve Salinas, Captain (Former), USMC

March 2024

What is Generative AI?

Generative Artificial Intelligence, sometimes called “Gen AI”, is a newly popular technology that is revolutionizing content creation and has implications that extend into various disciplines. The technology has become so popular a new executive order, Executive Order 14110, recently provided guidance on AI security considerations. Generative AI is trained on openly available samples, and can provide a user with text, image, or even video based on prompts entered through a chat-like interface. Even though artificial intelligence has been a growing field of research for decades, only for the past couple of years have accessible interfaces made these generative products viable for commercial use.

How can I use Generative AI?

A plethora of use cases exist for generative AI, and best leveraging the technology depends not only on desired outcomes, but on the availability of quality data used to train the model. Commercially deployed models can typically provide immediate value by augmenting existing human capital and improving efficiency in development workflows, information digests, or even marketing imagery. But it’s important to understand that the data gathered by these platforms can sometimes be used to train future models. Most vendors provide commercial offerings that prohibit use of a user’s inputs for training, but like any other security context, it remains important to understand what information the vendor may be retaining so that an organization can properly assess the risk of integrating generative solutions into sensitive workspaces.

Open-source models offer a different solution and enable tech-savvy organizations to train and deploy their own models to meet specific needs. This may give an organization increased control over the data used to train the model, the usage data gathered while the model is deployed, and the protocols used to interact with the model. Open-source models can also be run locally and can therefore enable AI integration in systems with limited connectivity to the internet. The potential of an open-source implementation is the technical difficulty of implementing, deploying, and maintaining the solution which may be prohibitive requirements for some organizations.

What are the security concerns?

Like any other technology, Artificial Intelligence brings with it security considerations that are worth thinking about. Research indicates that some types of adversarial attacks can result in models leaking data they were trained on, or behaving in unexpected ways that can potentially damage a company’s reputation.

If you plan on using a third-party model through a programming interface, it can be important to understand where and how your usage data is being stored, for how long, and what mitigations and safeguards are in place to ensure the model behaves as expected. If you’re training your own model for a tailored use case, it’s important to understand that malicious users or unexpected input can result in anomalous behavior that you should account for during the design of your implementation.

One of the benefits of the public internet is that data for training generative algorithms is plentiful. AI companies are therefore able to scrape the internet for human-generated content that’s ultimately used to train large proprietary generative systems. This development approach has raised copyright and privacy concerns from several groups, and the exact consequences and legal nuances are still being worked out. However, companies can be sure that the environment will continue to evolve in the coming years as these issues are resolved.

Research is increasingly demonstrating that content output by Generative AI, when used to train successive generative models, produces worse results. As generative algorithms integrate into existing platforms, the synthetically generated content of earlier generative algorithms can potentially result in the degenerative performance of new models. Research into this topic is ongoing, but this facet of Generative AI indicates that datasets of human-generated content will be valuable to future development efforts.

Conclusion

There’s a lot to think about as a company looks to leverage generative solutions in the marketplace. The topics discussed here are actively being discussed in policy as demand for risk mitigations for AI technologies continues to increase. How can you tell if your AI solution is secure? Contact us and find out!