The National Security Agency's Utah Data Center in Bluffdale, Utah.

The National Security Agency's Utah Data Center in Bluffdale, Utah. AP Photo/Rick Bowmer

Ideas

Top-Down IT Approach Too Slow To Meet Threats

The Defense Department arms itself for cyber at the same plodding pace with which it buys major weapons.

Daniel E. Schoeni

|

Cyber warfare has arrived: the Defense Department is under attack, and national security is at stake. Yet in a field defined by rapid growth, DOD arms itself at the same pace with which it buys major weapons, an acquisition cycle of seven to 10 years. The “arsenal of democracy” has already provided the tools for hastening this process in the form of agile methods. The Pentagon has been reluctant to adopt different methods for software than it uses for other acquisitions. But unless it does so, it will lose its edge.

One need only consult the headlines to recognize that cyberattacks are a daily occurrence; attacks on prominent public and private institutions are so common that they barely register. But even if these headlines have lost their shock value, our networks remain vulnerable.

What is worse, far from being immune to cyberattacks, DOD faces greater threats because it is such an attractive target. Not only is it the world’s dominant military force, but it is probably more dependent on information technology than any other military. Fully 90 percent of its weapons systems’ functionality depends on software. This makes DOD a low cost/high reward target that is irresistible to adversaries.

In the 1990s, then-Defense secretary William Perry advocated use of commercial-off- the-shelf goods and services. His initiative extended to software. But COTS software is not the problem. The problem lies with the sort of software that isn’t available from commercial providers. Microsoft does not sell a commercial version of software designed for steering submarines, piloting drones or dropping bombs. For such unique software, the Pentagon must either write its own in house or contract out for such services. And in both cases the process takes far too long.

The reason that bespoke software acquisitions takes so long is that DOD relies on the waterfall method, long been discredited in the private sector. In a nutshell, this is a top-down approach that relies on establishing beforehand what the requirements are. But requirements are notoriously hard to pin down. Customers rarely know what they want up front and requirements change during development. Waterfall imposes the order that the Pentagon brass craves but does so at the expense of price, quality, and (most importantly to cyber defense) speed.

The solution is agile development. Agile doesn’t presume that it is possible to know what customers want beforehand. Instead, it utilizes an iterative process: Customers are given prototypes to tinker with, they provide feedback, programmers adjust the next version accordingly, and then the process starts anew. In this manner, agile eliminates waterfall’s documentation requirements. As waterfall critic Barry Boehm has written, “a prototype is worth 100,000 words.” Problems are identified and fixed early in the process, saving time and money. For 20 years, observers have recommended that Defense officials use iterative methods. The 2010 National Defense Authorization Act specifically mandated agile. Yet apart from using the word “agile” more often (to appease Congress?), little has changed. Waterfall prevails.

That is not because the Defense Department is too big to be nimble. In fact, the U.S. government was a pioneer in iterative methods starting in the 1950s. This included the Army’s artillery command-and-control command system, the Navy’s Trident submarine, the LAMPS helicopter-ship system, and the Air Force’s air defense system. Nor was DOD alone. NASA also used iterative methods to acquire software for Project Mercury, which was the first manned spaceflight.

The problem lies not with laws, but with DOD culture. Although mandated only five years ago, agile has been permissible for two decades. The department is not agile because it has chosen not to be. That is in part because senior procurement officials are more comfortable with waterfall, in part because the department is hierarchical and senior leaders prefer the sense of control waterfall confers, and in part because of ignorance. Mary Ann Lapham of the Software Engineering Institute observes there is still widespread confusion among acquisition professionals about whether agile is legally permissible.

Congress is not blameless. While agile eliminates documentation in favor of prototypes, onerous reporting requirements mean DOD will never be as agile as the private sector. But the Pentagon cultural inertia is still more to blame than is Congress. Because the problem is mainly cultural, tweaking regulations is not the solution. Agile reforms will not work until the culture changes. The front line must know what their options are, understand what agile is, and be committed to applying it. Better laws or regulations, no matter how well-worded, cannot do that.

One final caveat. There is a need for timelier solutions because an acquisition cycle that keeps pace with technology is essential to cyber defense. But danger lurks in the opposite direction. Speed is not everything. Tension may arise between agility and cybersecurity. Sometimes secure systems come at the expense of speed, cost, or quality; a system that is late, costly, or ineffective may be preferable to one that is unsecure. Harnessing agile’s advantages while also recognizing and compensating for its disadvantages will not be easy.

Three things are certain: Speedier acquisitions may not be not sufficient, but such speed is necessary for cybersecurity; agile is faster and cheaper and delivers better quality than waterfall; and doing and being agile will require substantial cultural changes within the Defense Department.

NEXT STORY: What Iran Deal Critics Don't Understand About Iran

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.