The Defense Department isn’t built to handle cybersecurity defense well. Its acquisition system is designed to develop and purchase large, expensive weapons systems while holding to the tenets of competition, transparency and integrity. That means it can’t keep up with cybersecurity defense.
“The defense acquisition process is slow by design,” Lt. Col. Dan Schoeni, judge advocate at the Air Force, said on Cybersecurity Month. “And that’s completely understandable — when you’re spending billions of dollars of other people’s money, the number-one thing on taxpayers’ minds is fraud, waste and abuse. They’re concerned about, ‘Where are our tax dollars going?’ So the system has been built, has been skewed in favor of overarching principles.”
But taking seven-to-10 years to develop a new fighter jet or weapons system is one thing; taking that long to develop cybersecurity systems is another. A process that slow can’t keep up with the speed of attacks, much less the speed with which the threat environment itself evolves.
Schoeni said Congress has tried to help by expanding authorities for purchasing cybersecurity technology, including rapid acquisition and special emergency procurement, but neither one does enough.
“At least with the math I did in my own research, 97 percent of the money the DoD is spending on cyber acquisitions is being spent under the old process, the seven-to-10-year acquisition cycle. Only 3 percent is really being affected by these changes,” Schoeni told the Federal Drive with Tom Temin. “The other problem is that these two measures are really oriented toward defense and recovery, and with cyber, if you’re really only authorizing the money to be spent at the 11th hour, it’s already too late at that point.”
Basically, by the time Congress approves more money, it’s already too late.
But the culture at DoD is working against the speedy acquisition of cybersecurity, mainly because the agency is used to doing software development in a certain way. Since that policy went into effect, DoD’s reliance on software for weapons system functionality has risen to 90 percent, according to a 2009 report from the Defense Science Board.
“Defense is really hard in the cyber world,” Schoeni said. “It’s really cheap, really easy to attack. I’ve heard experts say that in a couple of hours, they could teach you the basics on how to do cyber attacks. So it’s really cheap to attack. But it’s really hard to defend against. So, in that sense, the best defense is a good offense. The best defense to cyber attacks is building an arsenal, a deadly arsenal, so that no one would dare attack us. If we are focused on defending and recovering, it’s already too late.”
He said time and materials contracts can be used alongside agile to develop an iterative, build-and-tweak approach to software development. But Congress isn’t on board with that idea yet.
“There’s a lot of talk about agile, but when it comes down to it, Congress likes to have things planned out years in advance, and likes to know what the DoD is doing. And this doesn’t work well in cyber where things are changing so fast and it’s so hard to plan in advance,” Schoeni said.