It takes roughly seven years, on average, for an idea to lead to a Pentagon contract, but the life cycle for automated equipment is just over three years. The long acquisition process and short lifespan means a Pentagon program that can impulsively scan an enemy’s network has technology that’s already more than two generations old on the first day that it is used.
This paradox is highlighted in a new report, “Cyber Acquisition," which describes the Department of Defense’s cyber acquisition process as “too slow,” a “support nightmare” and one that “puts the warfighter at risk.”
Because of the delay in acquiring cybersecurity equipment, “the military will be forced to utilize increasingly inferior capabilities,” the paper reads. It will appear in the upcoming Cyber Defense Review, an academic journal.
Frustration over the Pentagon’s acquisition process are not new, but the paper argues that because of rapid innovations in cybersecurity the discontent has been compounded.
“Cyber is at the shortest extreme of the acquisition needs time scale,” the study reads. It was written by Thomas Klemas and Rebecca Lively, both of the U.S. Air Force, and Nazli Choucri, a professor at the Massachusetts Institute of Technology.
Staffers charged with deciding whether to purchase a system or develop a program of record at the Pentagon are rarely the sole arbiter of what is eventually acquired, the paper argues. Instead, layers of bureaucrats are also included in the process, which only exacerbates the delays, the experts said.
“The current system emphasizes rigid adherence to written process and systems over measurable outcomes and speed,” according to the article. “This is not surprising where the volume of regulations, restrictions, and documentation is so vast and acquisition personnel are not trained to operational needs.”
“The system today does not account for unique attributes of cyber capabilities, such as the need for variety and constant change in the environment,” said Katherine Charlet, a former Pentagon deputy assistant secretary and a director at the Carnegie Endowment for International Peace. Charlet warned that the Pentagon should also take into consideration cybersecurity of traditional weapons purchases. “Quality, cost and schedule won’t matter if your system can be immediately defeated by an adversary as soon as it’s fielded, or if it take hundreds of millions more dollars to add cybersecurity mitigations after-the-fact.”
Experts argue that recent policy changes have made the purchasing problem worse.
Pentagon officials can use a process known as “other transaction authorities” to help accelerate the acquisition process. But a recent decision by the Government Accountability Office to review the process sets a dangerous precedent, said Bill Greenwalt, a fellow at the Atlantic Council.
Greenwalt called the Pentagon’s cyber acquisition methodology a “crisis,” in part because the United States is already technologically behind other countries.
However, Greenwalt said that the Pentagon’s new cyber rapid acquisition authority, which Cyber Command used for the first time last year to amass information technology-related research and services, has driven down purchasing time.
Although the need for better purchasing was a recommendation of the Pentagon’s Defense Science Board, a group of outside experts, idea is not explicitly mentioned in the department’s new cyber strategy.
“Many of the problems that we saw which were handicapping IT acquisition were also handicapping cyber acquisition,” said Nick Tsiopanas, a staff member at the 809 panel, which makes purchasing recommendations to the Pentagon.
He highlighted the “separate determination and findings process” that the Pentagon uses in its acquisition method, which he called a “redundancy.”
Tsiopanas argued there has recently been momentum from Pentagon officials to change how equipment is purchased.
“The most intractable thing is the culture. It is the hardest nut to crack.”