Pentagon revamps cyber weapons acquisition strategy
The Pentagon has found that its traditional methods of designing and buying cyber weapons are ill suited for this fast-changing battlefield.
When Britain’s National Health Service was hit by a vicious malware attack this month, the Pentagon’s cyber warriors went on high alert. Much to the relief of Defense Department leaders, the U.S. military’s health and medical computer systems dodged that bullet.
“I was pleased at how well we weathered the recent cyber nastiness,” said James MacStravic, the Pentagon official now performing the duties of undersecretary of defense for acquisition, technology and logistics.
The wave of ransomware onslaughts that crippled medical institutions around the world in May stirred fears at the Defense Department. Officials for some time have moved to protect medical records from cyberattacks as data moves from legacy networks to commercial health management systems. “And we did OK” in averting the malware attack, MacStravic said. “I’m encouraged by what we’ve been able to do on defensive cyber systems.”
The bad news on this front is that winning the battle doesn’t mean you’re winning the war. Cyber warfare is a never-ending game of catchup. In fact, this is an area where more spending doesn’t guarantee better outcomes, as MacStravic pointed out.
“Things in cyber tend to be small in terms of what we’re procuring,” he told reporters during a recent interview. “The acquisition challenge is relatively narrow. Cyber is done on an external, commercial infrastructure. I don’t procure that.”
The Pentagon has a troubled history buying information systems that cost too much and perform poorly, and it is hoping to avoid similar missteps in acquiring technologies to boost cyber security.
MacStravic cited the Air Force OCX program as a cautionary tale. OCX is the ground command-and-control portion of the next-generation GPS navigation satellites. The program has been beset by delays and cost overruns. The root cause of that problem: “We had asked for the wrong thing, and we asked for it the wrong way,” he said. “We wanted secure commercial software components. We had no idea how to ask for that, or how to verify it was what we asked for, or determine if the information was secure.”
As it becomes more difficult to anticipate or prepare for the next big cyberattack, the Pentagon increasingly favors the use of fast-track contracting and prototyping.
Companies are being enlisted for pilot projects by the so-called “C5 Consortium” (short for command, control, and communications in cyberspace), an industry organization that reports to the Army Contracting Command. It has about 380 dues-paying member companies that bid for contracts as new requirements are submitted by the military services or defense agencies.
The C5 consortium expects to award $2 billion worth of contracts over the next decade. It is allowed to work with contractors under a simplified approach that comes with minimum red tape known as “other transaction authority,” something that Congress has been pushing the Pentagon to do more.
Some of the more time-sensitive cyber projects also move faster because authorities are delegated down to the program manager. The Army’s project manager for defensive cyber operations, for example, is allowed to sign off on “rapid prototyping” contracts up to $50 million. The top acquisition executive of each military service is authorized to green-light projects worth up to $250 million. One industry official said the C5 consortium has become “a key tool to prototype technologies for defensive operations.”