Streamlining the US Navy's innovation process: A conversation with Acting CTO Justin Fanelli.

Liz Stokes: Welcome to a special edition of N2K "Cyber Wire". Today we have an exciting conversation lined up as Brandon Karpf sits down with Justin Fanelli, the acting CTO of the US Navy. They'll dive into how the Navy is streamlining its innovation process to stay ahead in an ever-evolving technological landscape. For some additional context, check out the article linked in the show notes. Here's their conversation. [ Music ]

Brandon Karpf: I am joined today by Justin Fanelli, Acting Chief Technology Officer of the Department of the Navy. Justin, thank you so much for coming on the show. I believe it is your first time on "CyberWire".

Justin Fanelli: It is, long-time listener, first-time caller. Thanks for having me.

Brandon Karpf: And you and I and Rick Howard, who's well known on this network, have had numerous conversations around technology creation, technology adoption, public-private partnerships, both within the Department of Defense and the government. I would like to just get your view today on how are we doing with these partnerships?

Justin Fanelli: So, the public-private partnership is growing in terms of the number of actual private-sector partners that we have and work with. It's up. New entrants are up. The performance of existing players are up. And so the CNO, the Chief of Naval Operations, sometimes says, Hey, we want more players on the field, from a warfighting perspective. We also want more industry partners on the field contributing to national security, contributing to economic security. And in this particular case, we are really excited about the number of new ideas and the impact of the solutions.

Brandon Karpf: If we can, I would love to dig in a little deeper on the nature of that partnership, because oftentimes folks who maybe are just uninformed or don't have the experience in DoD think of national security as purely military power. But you mentioned something in that response about it's not just military power. It's economic power, it's capability, it's national strength, it's even technology innovation adding to our national security. The strength of our market, the strength of our companies, the strength of our military all working together in concert. Can you talk a little bit about kind of why today is as good as it's ever been, and maybe some of the examples you see about how the Navy but also DoD more broadly is enabling that.

Justin Fanelli: I don't have to tell this audience how interesting some of the new cyber capabilities and innovations are. One of the things that is improving for us is our ability to harness and adopt innovation more intelligently and faster. And so we are no longer just looking at, Hey, we have a gap and we need to fill that. We're evaluating based on the outcome-driven metrics. What does this bring to the table? Does it open the door to divesting something so that we can invest further? That keeps this flow healthier in terms of both the technical debt and the resilience that the cyber capabilities create. In terms of more than just security and defense, sometimes people refer to the defense ecosystem as a sector. I teach a course at Georgetown called Cybersecurity Strategy: Public and Private Perspectives. Dual use. This was never clearer to me than when I was at DARPA as a fellow. It was a short period, but it stuck with me. Dual use that is funded by science and technology funding within the Department of Defense is in all 11 sectors, right? Like, this is showing up everywhere, so that is a launch pad as opposed to a sector. If someone is proving something out or increasing the technical maturity in a government lab or in a military lab, it's very likely that's going to be picked up by EdTech or FinTech or something else. We then on the back end often make use of that again after that initial investment, but that partnership, if we think about the Valley of Death, there is money on the left side of that and there's money on the right side of that. And we're trying to bring those closer together and really make that a focal area for where we can connect dots and how we can close that gap in terms of the speed to impact.

Brandon Karpf: Yeah, I'm glad you brought up the concept of dual use, right? It's a topic we hear across the board today in media, in technology, in the innovation ecosystem of this country and startups, talking about dual use that, you know, the quintessential one that comes to mind is, like, GPS that has a great commercial application. But also military where the investment made by the Department of Defense enabled a fantastic private sector technology that is really the foundation of our modern economy, you know, being a fantastic you know example of that dual use. I do want to, you know, dig in on that idea of the chasm, right? The Valley of Death, that place where companies can't necessarily get beyond without a lot of support financially and operationally to bring their technology fully into DoD or fully into the commercial application. You know, what programs and initiatives are new or coming or currently existing that are helping these companies, especially cybersecurity companies, bridge the Valley of Death, get across that valley of death, bring their dual-use capability, to bear within the market.

Justin Fanelli: The idea of these launch funds, so there's National Science Foundation and NIH that really, like, the basic and early applied research that is off the ground, that's most often money that commercial sector wouldn't want to put in anyway. And so those are seen as a common good. A little bit later stage in terms of the technology readiness level, there are pure S&T plays like DARPA, the Defense Advanced Research Project Agency, ONR, Office of Naval Research, that are still lower technology-readiness level, but matriculating up. Those are generally working with companies who are cutting-edge companies working on cutting-edge things that may not be ready for commercial at scale. Those organizations have a number of funding mechanisms. And then it gets really interesting because within acquisition, so one of my hats is within the acquisition community. We've been asking for, Hey, what do we do between the S&T launches? So sometimes I picture a quarterback throwing a pass, and then the acquisition community being able to catch something that is a tight enough spiral, a catchable ball. And so that's something that we've for the longest time and always will have kind of left entrepreneurs to navigate. We've wanted to make that simpler both because it's more important than ever, but also because when we communicate clearly, we can make a big difference into what gets caught and how long it takes to get caught, and then how much of an impact that makes. And so there are some new funds. There is APFIT, A-P-F-I-T, that is seen as a Valley of Death closure fund. It's only three years old. It's on its third year right now, and it is doubled every year. So we're really excited about that one. SBIR program was one that was near getting canceled and got renewed. And so we've been doubling down on the opportunities coming out of that. And that's one where it's focused on small businesses. And so we've been just kind of ringing that bell to say, Hey, if there is a topic where -- and there are a lot of cyber topics where we can make use and pull something through, hey, this is a gap in the market, this is a performer that is excelling, can we ride that pony into the scale of acquisition that solves a provable problem? Hey, this is a tool that allows us to do something more effectively and more resiliently at a lower cost than we've ever done before. We need that, and we can tie that almost definitely to a top-level requirement that already exists. So, those are a couple of -- in the show notes, I'm happy to give a full list of capabilities because I think when I was doing this 25 years ago, we were complaining that there weren't enough avenues. We could always get better, but it's a whole different ballgame in terms of the avenues and what is available to entrepreneurs and to the acquisition community to make things happen quicker.

Brandon Karpf: I mean, as you talk about this need to align both the thrower and the catcher in terms of what they need, the timing, the resources, the funding, the technology maturity, you know, that type of alignment sounds extraordinarily complex to me. You know, you also talked about determining and assessing and evaluating what you need from a mission perspective, mission outcomes, and kind of aligning those things together, both the investments that you're making but also the acquisition programs that you're creating to align technology with mission outcomes. I mean, that sounds extraordinarily complex, just as -- in my layman, you know, observation. How are you doing that functionally on the ground? Like, how are you actually accomplishing that mission?

Justin Fanelli: There are a lot of players, there are a lot of needs, and so matching is an oversimplification, and probably throwing the pass is an oversimplification. But we do, like we said at the beginning, want this partnership to be a smoother, lower-friction partnership. There will always be competition, that's very healthy, but we want to simplify that story. And so one of the things we've done to try to simplify that story is to say, Hey, there are times where someone is selling a product or someone is using a product, but in a very limited way. And it's hard to tell. Sometimes it takes an hour. Sometimes it takes two or three meetings to figure out even where that is. And so we've used a couple constructs to start on second or third base to expedite the conversation. One of the most powerful ones, even though it's simple, is the investment Horizons. And so this looks at technology, where it is in the process to say 3, 2, 1, 0. One is production. Is it at scale production, whether it's a designated enterprise service or otherwise. This is -- at large, we have tens or hundreds of thousands or maybe even millions of users within this ecosystem. Horizon 2 is piloting. We've looked at it. Someone's using it. We want to use a structured pilot to learn by doing. We won't put this to scale, so there's psychological safety in there to learn before we scale, but we can't just do this at arm's length. And then there's Horizon 3, which is scouting, but scouting more deliberately. And so this could be other people's money, those S&T organizations that we talked about, or internal research and development, or the full dual-use case ecosystem to include, Here's what venture capital firms are backing, here's what new exciting things are happening. By laying those out three to two to one, we can see from a matriculation perspective how close we are, where they line up, where one product might do the job more effectively of three products. We don't want one for ones because that just keeps more cars piling out in the garage. But what that funnel actually shows us is really important. And then zero is divestment, which is -- it's not sexy, we're trying to make it sexy, but this is the idea of there are already a lot of things that we're sustaining. If we can turn off a legacy capability in favor of something that is more effective or providing bigger outcomes, we want to do that. So those are the technology Horizons, 3, 2, 1, 0.

Brandon Karpf: Yeah, that last point, I do feel like that Horizon 0 is the most important piece. I mean, they're all important, but being able to turn off technologies that are end-of-life or programs that are just past their due so that you can free resources to start acquiring and bringing things from 3, 2, to 1, that sounds like a critical feedback loop that, to my knowledge, just really hasn't been a part of the conversation much.

Justin Fanelli: The divest to reinvest is the lifeblood of any company that's been around for more than a little bit of time. And so like we sometimes say, in the Hacking for Defense course that I teach, we sometimes say, like, it's actually easier to be a startup than a longstanding company in this way. You don't have to contend with technical debt. You don't have to contend with some cost decisions, right? You're able to clean slate, and that could mean you're standing on the shoulders of giants. There's a Friedman book, "Thank You for Being Late", the idea of being able to leap ahead can be an advantage at times. And so we are looking for more leap aheads, addition through subtraction. So when people or organizations are good at divesting to reinvest, it really does open up the door in a pretty exciting way. Obviously, the Horizon 1 piece is, Hey, here's how well we're performing, here are the outcomes at that level. So it's all in service of that. But the deputy -- principal deputy CIO for DoD sometimes says, Hey, we've been in this house for a long time. And so it's very important that we do rehab on this house.

Brandon Karpf: Right, yeah, that you have to do preventative maintenance or, you know, at some point with all these systems. So, I mean, taking this Horizons model in the context of partnerships, who in the private sector or even public sector is enabling this, or has taken this model to heart, is doing this really well, that's making your job easier.

Justin Fanelli: The interesting part was most of our partners were already playing into this, they just didn't have the taxonomy. And so we have a lot of partners who are just excited to play and connecting dots. My program executive office, Digital, we had a handful of program offices. And so this is a familiar construct, whether you're in government or not, a program office. And we switched to portfolio management offices. And portfolio theory has been around for a long time. It's not used a ton in government, but as a concept, I think people are generally familiar that this allows us to make more data-driven objective decisions as opposed to, Here is my monolithic baby and I want to protect it at all costs. And so by shifting to portfolio, it's allowed us to show our vendor community and partner community at large. And so who's doing this well? When we were at RSA, people said, Oh, you're the folks who are using Horizons and portfolio. We know where we fit, we know what portfolio we fit in, and we don't have to defeat some program of record. We can just make our value proposition. And so that's -- we've talked to 500 companies in the last probably 14 months. The venture-backed community is giving us, Hey, here's the list of portcos that have the biggest impact on what we're doing. And we can prove that through outcome-driven metrics. And then who else has been supportive. Private equity, specifically with the Office of Strategic Capital that is relatively new has said, Hey, here is one opportunity that is much higher impact than another. And so, like, here are cyber tools that are very important to us, but we want to make sure that we know what company and what country is backing these tools. Let's make sure we're doing diligence. So, I'd say across the services and across several agencies, we're getting good support and people get it. And that's helping with direction.

Liz Stokes: We'll be right back. [ Music ]

Brandon Karpf: I see a friction point though, which you talked about companies or even investors coming and saying, I know where I fit in into a portfolio, okay, I'm not trying to beat out these incumbents. I can pitch my value proposition to slot in at this stage of the Horizon model within this portfolio. But just gaining the knowledge of what portfolio you fit into sounds a bit like inside baseball. I mean, how would a company, whether it's a new company or even an existing incumbent, how would they know what portfolio they fit best into?

Justin Fanelli: Yes, well, I'll tell you about just one program executive. So, Digital, we took a moonshot in terms of the number of meetings we take, and so we started scheduling every -- we started accepting basically and scheduling every possible cyber company that could make an impact to say, Hey, how bad can this be? It can be very good, but there are a lot of them. And so we really scoped out the space and we did kind of a forward pitch from that. How do we make that scalable? We put together an industry engagement book. Folks have said, and so you can check that on our website, they've said, Hey, this is a front door, we can make use of that. So I think the short answer is where groups can communicate clearly and effectively, then they can make a bigger difference than they probably think. So when they say it's hard to make something simple, but after it's simple, then folks are clear. The next step of automation, just to give you an idea of how we think, is we said, Okay, we can meet with you, but what really matters is from an intake perspective, how much impact do you have? So, a lot of people still want to meet, but we won't be able to fund something unless we can show that it makes this level of impact. So why don't you do a lean business case? It's two pages, it won't hurt anybody, and it gives us data, because even if you convince one or two or three people, data carries better than the word-of-mouth or playing telephone.

Brandon Karpf: So I was struck, and this does relate I think to what you were just talking about. I was struck by the headline quote in the Atlantic Council's Commission on Defense Innovation Adoption. They published this back in April 2023. I've seen you use this quote on some of your documents from your office. So, the quote is, "We have found that the United States does not have an innovation problem, but rather an innovation adoption problem. The DoD struggles to identify, adopt, integrate, and field these technologies." And so the thing that really stuck out to me was this four-step process of identify, adopt, integrate, and field. And you've talked about a number of ways in which your office and others in DoD are trying to better identify, adopt, integrate, and field. You know, what I just heard you say, though, is there's still a tremendous amount of responsibility to the company to help you identify them, to help you adopt them. They need to pitch themselves and present their value proposition in a way that they understand how it's going to be adopted, how it's going to be integrated within your existing programs, offices, portfolios, and, really, mission needs. Would you say that that is fairly accurate?

Justin Fanelli: I think it's fairly accurate. And ultimately it becomes a dance, right? Where does the onus go? If we are looking for money, well, if we're saying, Hey, we have $1 and we're going to spend it on one or two things, which one is the biggest impact? Would you want that to be on the receiver of the pitch to figure it out? Or would you want to give the attacker advantage to the vendor who understands, Here's how my product or our service has helped eight companies. They all innately understand that probably better than they understand our domain, but it's easier for those companies that want to make an impact to know, Hey, here's how I pitched to this group, here's how I pitched to this group, here's what my product does. As opposed to, like, a small group of folks trying to understand a lot of different products and then figure out what's the best need. So we're just giving the onus or the platform or the opportunity to them to provide that value proposition so that we are not locked in. The chances that we have confirmation bias as a buyer is higher and opening the aperture to a wider range, likely better than the low confirmation bias or a different confirmation bias of someone who is pushing an innovative idea. We just know that most of the innovative ideas are out there, and so we need a funnel to receive them. And so what we've done is we said, Okay, read the same line as you, innovation adoption problem, what can we do about that? We send war fighters into theater, we send them with a kit, so if we send folks into the DoD or federal ecosystem, here's the innovation adoption kit. And so the IAK is a set of tools to break that Valley of Death, in this case, into a handful of glens that say, What if we're so prescriptive that we're asking for a technology that doesn't make sense anymore? Well, we should then use top-level requirements. Well, what if we are measuring something that is no longer relevant, or doesn't have the same impact that we'd like it to? Then outcome-driven metrics are a proven answer. How do we talk about things that aren't quite mature enough? Why not the Horizons? And so we're just offering those up and signing out some memos and references so that people can single up on language, because ultimately the taxonomy isn't the interesting part. The learning by doing, the finding the win-wins, takes plenty of time and so we want to shorten that front end stuff.

Brandon Karpf: The one example I can give just my familiarity with it, seeing these requirements written in that potentially create vendor lock-in or even technology lock-in and antiquated technology would be like a VPN. You know, the number of requirements I've seen coming out of the DoD that require VPN, you know, that specific technology as opposed to thinking about what are they actually trying to accomplish with a VPN, or a virtual network. You know, I see that as, you know, a great example of exactly what you're talking about, thinking beyond and thinking of that top-level requirement as opposed to getting into, you know, the nitty-gritty of how you apply or accomplish that mission.

Justin Fanelli: And that's the partnership we want from a public-private perspective. If we say, Hey, here is the operational goal, that's different from a prescriptive retirement -- requirement that mentions a specific capability that happened to be invented in a year, like, a different century than we're in right now. But the how is something that we want to harness, American innovation. And if we can adopt more intelligently and be more adaptive, then we're seeing that 10x improvements are not out of the question without even a cost increase in some cases. So these are things that we just want to be really academically honest on from a money ball perspective, from a cyber money ball, from a military money ball, and just from buying wins, how value-oriented are our investments.

Brandon Karpf: The analogy I'll draw for -- some of our listeners might resonate, but back from my targeting days when I was active duty, it's effects-based targeting, not capabilities-based targeting. So what that means is, What is the effect you're trying to accomplish and trying to achieve? And let's come up with the targeting and the capability that will meet that effect. As opposed to saying, Here are all these capabilities and technologies I happen to have on my shelf today, let's just take those off and do something with it, right? It's really thinking about from a strategic perspective, What are you trying to accomplish, and then let the rest of us figure out how we go about accomplishing it.

Justin Fanelli: And to that point, think about the difference in scale. If you solve one problem, then you have solved one problem. If you can prove the effects or the value of what you've created, you can use that with anyone else who has a similar high-level problem. There are interoperable things, and so in a lot of cases we say, Hey, is this something that needs to touch a lot of interfaces? Are we making trade-offs? Okay, let's use MOSA. Like, modular open systems approach is really important for us, right? But how we make those trade-offs, if this is a defensible piece, then that opens all the doors to more intelligent conversations.

Brandon Karpf: So -- and you mentioned a critical word there, and I want to dive in on that, and this being part one of a multi-part series, we won't go too much further, but you mentioned scale. And everything that you've talked about around this idea of partnerships, public-private partnerships, how you're evaluating technologies, integrating, adopting, identifying technologies, sounds like a tremendous human resources challenge, right? You're talking about things that, in my mind, don't scale well, to use a tech innovation term, right? These are things that require human resources that are skilled and talented. So how do you think about identifying and developing talent within your organization to make sure that they have the skills that they need to identify, help adopt, manage, integrate new technologies? Sounds like a tremendous talent challenge.

Justin Fanelli: The friction isn't new.

Brandon Karpf: Okay.

Justin Fanelli: In general, there are lots of areas for improvement. There always have been, and that's true for the cyber sector and everywhere else. This is like the best part of being alive right now. In -- when Leonardo da Vinci was a youth, he said, Hey, the hardest part about being alive right now is there's nothing to invent. Everything's already been invented. And then he went on to have more inventions than anybody else, right? And that's not even true anymore. The opportunities for value creation and removing friction abound. One of the main ways that we're doing this, and then I'll talk about talent, is if we see something that we're doing 15 times in a row, we want to abstract that, we want to automate that so that we can spend more time focusing. Sometimes we get dragged down rabbit holes that are lower value, and so we want to slick and simplify where we can some of these trade-offs that are just repeat trade-offs. Simplicity and speed for scale are really important. The idea of we will never have so much talent that I'm worried about wasting it because of AI. There will always be more problems than we have people. How do we take these people and give them meaningful work? We will do that by focusing them on hard problems. And that means stripping away the less important or the more repeated stuff and saying, Okay, you are an expert on this technical domain, let's say quantum, and then this security domain, okay, cryptography. Let's connect some dots there. We have data, we have processes to connect those dots, and we can push these pieces together to put that domain knowledge and your general process knowledge together to create much bigger inputs than someone who's doing this as a generalist. And so the short answer to your question is, we're developing versatilists who are loving life because they're spending more time to get to results. They're getting through the Horizons in the - in several landmark cases much, much faster than they were. And so I've mentioned VC a couple times, the VC feedback cycle, seven years before you know if you did something well or not, oftentimes. Sooner if you messed up. We prefer the chef or the cook feedback cycle. I know if I made a grilled cheese sandwich that sucks in seven minutes, right? I can learn from that. It wasn't particularly detrimental. I ate it anyway. It was a little bit burned, but then we know how to do that differently. So, the learning by doing at speed in a framed way that is not particularly -- that is not exposing to, like, important or significant risk, and then applying that to higher and higher stakes problems.

Brandon Karpf: Mean time to feedback, if you will, right? Mean time to feedback. O

Justin Fanelli: Oh, very good. Yes, yes.

Brandon Karpf: To use a cyber term.

Justin Fanelli: That's it.

Brandon Karpf: I love it. Well, okay, so last question of this particular session, and what I have here is a 20-sided dice, a D20, and I have a list. I've got a list of 20 random questions, so you're going to get whatever pops up, cool?

Justin Fanelli: Yes, it sounds like this has existed for a minute, and I have not read this guy, so hit me cold.

Brandon Karpf: Oh, this is a fun one for you. So this one's called Tech Pet Peeves. What's one thing in the tech industry that frustrates you to no end?

Justin Fanelli: Can I give 20 answers to this one side of a die?

Brandon Karpf: Yeah, go for it.

Justin Fanelli: We'll go back to selling a technology based on the technology. I love tech. I'm an electrical engineer. I love this stuff. If you can't talk about it in terms of what impact it's going to have on the people that it's serving, then it's going to get lost. It's going to wash out. There are not enough technical people. We want more STEM people in the ecosystem, but we need translators, and that translation is to outcomes. So if you love your tech, we do too. Please make sure you're talking about what common good it brings, what impact it has, not just the wiring diagram.

Brandon Karpf: Perfect. Justin, this was a great first part of our conversation. We look forward to having you back for the next one.

Liz Stokes: A special thanks to Justin for sharing his insights on the US Navy's innovative strides and the future of naval technology. If you're looking for more details on today's discussion, be sure to check out the article linked in the show notes for additional context. We appreciate your listening and hope you join us again for more in-depth conversations on the latest technology and cybersecurity. [ Music ]