The Defense Department’s top IT leader urged technology industry leaders to help the U.S. “flip the economics” of cybersecurity — and do more to develop IT products that work together for the nation’s defense.
Speaking at a military technology forum Wednesday, DOD Chief Information Officer Terry Halvorsen, along with other top military officials, outlined where the Pentagon, the military services and the Defense Information Systems Agency are headed following a protracted period of budget cutbacks, department reorganizations and IT consolidation moves.
Halvorsen summed up why the U.S. is currently losing ground against hackers in cyberspace, saying the nation’s leadership in developing cyberspace has also made it a big target.
“The truth is, you can spend a little bit of money and a little time, and cause us to spend a lot of money and a lot of time to fix [cyber attacks]. The issue is, how do we flip that, so we’re on the winning side of economics,” he said, pacing between defense industry executives at the Northern Virginia chapter of the Armed Forces Communications and Electronics Association’s Warfighter IT Day.
Halvorsen outlined several ways he hoped industry might respond, beginning with the development of smarter automation tools — “everything from automated analysis … to tools that in some cases can provide automated response,” he said. “There’s no way in cyber that we can keep doing this with manpower alone. If you’re in that business, get busy.”
He also urged IT firms to think beyond perimeter defense. “We need to change the approach. Endpoint detection isn’t going away,” he said, but “I need the cyber equivalent of a layered defense,” referring to ways of keeping aggressive cyberattacks from reaching the inner layers of DOD’s networks. But, he added, “all of those tools you want to sell me — they all have to work together.”
Moreover, they also need to be priced right, capable of scaling to a network that supports as many as 4 million users, and work in the field for users who have other duties besides IT.
Halvorsen acknowledged the Defense Department, which still spends $44 billion annually on IT and cybersecurity, no longer leads technology development in the U.S., as it once did. That’s one reason Defense Secretary Ash Carter has taken recent steps to work more closely with innovative technology firms, including setting up an office in Silicon Valley. Halvorsen said the Pentagon also plans to have two dozen DOD civilian executives working with leading technology firms, and a group of industry tech innovators working in Halvorsen’s office and elsewhere in the Pentagon starting in the new fiscal year, Oct. 1.
Halvorsen addressed a palpable undercurrent of frustration among industry executives, concerned about the continued push by the Pentagon for so-called lowest price technically acceptable contracts, which has made it increasingly difficult for experienced defense vendors to compete against less experienced — “lower bidding” — firms for the Pentagon’s business. Many industry executives maintain that while the Pentagon’s “Better Buying Power 3.0” policy, and the LPTA approach, was aimed at commodity products, it’s being increasingly applied to IT services.
“We absolutely agree there are times when best value ought to be the contract driver,” Halvorsen said. “And there are times when best cost ought to be the driver. We don’t always get that right, and we can do it better,” he said, adding that the need to integrate software and develop secure, software-enabled networks requires a best-value approach.
Some vendors who’ve worked with the Pentagon for years remain skeptical, however. “That message isn’t getting down to the contracting officers,” said one industry executive, who asked not to be identified. Another executive noted that the pressure to lower prices is resulting in a loss of experienced talent among many defense IT players. That may come back to undermine DOD’s IT initiatives just as Pentagon leaders are in the midst of fundamental repositioning.
Clearly some of that pressure is coming from DISA, which reorganized last January and is focusing more sharply on controlling costs and on rejiggering its portfolio of IT services to concentrate on where it provides unique IT value to its customers.
Recently appointed Vice Director Maj. Gen. Sarah Zabel explained that DISA is still working out the details of a new pricing model for its customers.
DISA is trying to be more transparent about its costs, she said, by working to “create a more direct connection between consumption and the cost of service.” The goal is to help “our customer make smarter decisions,” she added.
DISA is also in the process of consolidating its contracts, and looking at its contracting more holistically, she said, to reduce the overhead of managing contracts and to deliver services in a more agile fashion. She also said DISA is expanding its use of joint software license agreements as part of a broader effort to “reduce subscription rates and our costs of service, beginning in fiscal year 2016.”
Defense officials at the AFCEA event repeatedly warned of the growing importance of rethinking how the military deals with adversaries in cyberspace.
Vice Chief of Naval Operations Adm. Michelle Howard argued that the U.S., in many ways, is at a point in history similar to the one the military faced in the transition from World War II to the Cold War.
“But don’t be fooled. This is a powerful domain,” she said, referring to the vast reach of cyberspace. She recalled how operatives believed to be from Iran disabled 30,000 workstations at the oil firm Saudi Aramco in a single day in October 2012. “That would be like taking down a carrier strike group,” she said. “How would we command and control at sea if that happened?”
Part of the answer, she said, lies in recognizing that everyone is a warfighter in the cyber domain, from ship to shore, right up to the Pentagon, and that much more must be done to train every member of the military on the essentials of effective cybersecurity practices.