DoD’s Fatal Cybersecurity Flaw


The DoD currently attempts to mitigate cyber threats through onerous certification processes and drawn-out acquisition decision and implementation timelines. In today’s world, plagued with cyber criminals and dedicated state-sponsored cyber warriors, this approach couldn’t be more ill conceived!

[Figure: Nominal DoD Life Cycle Budget Curves]

Like all of DoD’s acquisition and budgeting processes, programs of record are funded using some version of the spending curves shown on the right. These traditional spending curves align well with weapon systems that are researched, developed, purchased, sustained, and disposed of in the life-cycle phases shown. Each curve looks like a hill, with funding going from small to large and then back to small, tracking the phased effort, purchased materiel, and expenditures involved. This onerous practice may appropriately cover DoD platforms or weapons, but given the reality of modern, commercially driven information technology (IT) and cyber vulnerabilities, it is radically misaligned with the DoD’s critical need for cybersecurity and IT capability.

[Figure: Federal IT Budget Requests, FY14–FY16]

The chart on the left shows Federal IT budget requests from FY14 to FY16. Looking across the columns, it is easy to see that dollar amounts remain relatively constant year by year. Yet inside each of these department requests, the IT programs of record are funded following the approved budget hills. To get those budget hills approved and funded, each department spends enormous time and energy working lengthy approval processes involving requirements stakeholders, department comptrollers, and eventually Congressional budget approval committees.

These budget hills are further compromised because approved funds are allocated into types of money, such as research & development, equipment purchase, and maintenance/sustainment. Each funding type can then only be used as designated, leaving little to no flexibility for changing how funds are used during the execution year.

The often-proclaimed purpose of this complicated budget activity is good stewardship of public tax dollars. Most DoD contracting officers further work to drive down IT contract personnel costs and IT contract profit margins. The unintended consequences of these long-standing practices are IT systems that are old and full of cyber vulnerabilities because of:

  • unproductive human process churn;
  • ineffective use of IT funding;
  • lowered IT contractor skill sets; and
  • very long IT implementation and upgrade times.

For a deeper understanding of DoD contracting challenges, I recommend Daniel Goure’s report, Incentivizing a New Defense Industrial Base, shown to the right.


It is well understood within the commercial IT technology community that state-of-the-art IT products reduce cyber vulnerabilities, as explained in Cole Humphreys’ article, “The Risks And Hidden Dangers Of Outdated Technology.” The Federal/DoD catch-22 is that it is impossible to field state-of-the-art IT systems. So while the Office of Personnel Management struggles to dig out from under the massive SF86 personnel clearance data loss, and DoD continues to lose valuable military weapon system design data to cyber theft, nothing is being done to address the slow IT acquisition and upgrade cycles that are the root cause of the problem.


The unrecognized reality is that DoD could remain at the leading edge of IT and cyber security within current IT budget levels. To understand how, we need only review commercial companies’ IT budgeting and implementation practices. Within these companies, just as in the DoD, IT budgets are relatively level year to year. However, commercial Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) execute yearly plans without artificial budget constraints on adding or reducing IT personnel, upgrading needed capability, mitigating cyber vulnerabilities, or retiring older systems. Because these CIOs/CISOs know budgets will remain relatively constant, they plan for upgrades and execute new opportunities within months and years, rather than the years and decades required within the DoD. Unlike the Federal government, commercial budgets are planned around level funding that varies only when new opportunities justify seed funding for significant upgrades. As is often the case in IT, upgrades can reduce the cost of operations & sustainment, thereby creating a self-funding effect for the remainder of an upgrade. By continuing these efficient IT upgrade cycles, commercial companies are able to increase IT capability while reducing cyber vulnerabilities, all within nominal yearly funding levels.

If commercial IT spending and upgrade practices were adopted at the DoD’s current levels of IT funding, DoD IT capabilities would remain closer to state of the art, thereby reducing cybersecurity vulnerabilities. Further, as IT capabilities are modernized, IT support to the mission improves in a continuous cycle of upgrades and improvements.

To create this continuous improvement cycle DoD should:

  1. Plan for, and help Congress understand, that DoD IT budgets will always remain within a few percent of the previous year’s budget;
  2. Include within the IT budget, IT support and maintenance, cybersecurity operations support and maintenance, IT/cyber upgrades, and all IT personnel costs, to include contract support personnel;
  3. Allow IT/cyber budgets to be used flexibly to cover item 2, year-by-year;
  4. Eliminate the budget hills and colors of IT money, and concentrate yearly budget decisions around seed funding to improve IT and cybersecurity capabilities; and,
  5. Contract for best IT capability in the shortest amount of time without contracting to reduce contract margins and IT personnel costs.

Today, commercial companies are conducting proof-of-concept testing on state-of-the-art software defined data center (SDDC) technologies. These virtualization products are providing order-of-magnitude reductions in rack space & power, while reducing cyber vulnerabilities, increasing IT mission capabilities, and reducing personnel requirements through automation of system setup and administration. If DoD were capable of quickly adopting SDDC technologies into existing IT systems, the same advantages would accrue across mission and business systems. Flexible IT upgrade cycles would then continue to reduce cyber vulnerabilities while improving DoD’s warfare capabilities year by year!

Tax-dollar stewardship like that is what our government could be proclaiming!
