While many complain about how the slow pace of the current acquisition system cannot keep up with the speed of cyber, the Air Force has been instituting a model for cyber capability development that has engendered capabilities in a fraction of the current process.
What makes the Air Force approach different than all the other services? The funding pot they use for this rapid cyber capability development. A new paper published by Rebecca Lively, an attorney with 24th Air Force/Air Force Cyber, outlines how the Air Force uses operations and maintenance (O&M) funds for rapid cyber capability development.
Under what is commonly referred to as the color of money, the military has certain pots or buckets of funds to use for specifically defined things. Typically, the services have used research, development test and evaluation (RDT&E) funds in this space because software development has the word “development” in it, Lively told Fifth Domain prior to her presentation on her paper Nov. 7 at the CyCon U.S. conference in Washington. Many might be hesitant to get creative when it comes to fiscal law and think outside the box because using funds other than what they were intended for can be cause for imprisonment.
Under a construct termed Real Time Operations and Innovation (RTOI), the Air Force has established a three-pronged criteria for such rapid cyber capability development;
- Total anticipated investment is less than $2 million;
- The “project enhances or is linked to an existing operational system, platform or capability;” and
- “The project’s end product or capability can achieve Capability Release for Operational Use in less than 180 days.”
O&M funds, Lively writes in her paper, which was provided to Fifth Domain in advance, are one-year appropriations, which are generally used for supplies, equipment and other expenses necessary to operate and maintain the organization. They are also considered the most flexible because they can be more easily reallocated as operational needs change, unlike RDT&E funds. Moreover, O&M funds are available at the operational level to operational commanders unlike RDT&E funds.
This construct is not designed to be used for long term projects, Lively said, adding that if something will require sustainment, it doesn’t apply. Defensive cyber capability is the best use case under the RTOI model. Cyber defense is much easier to justify as plugging a hole or fixing a vulnerability is clearly maintenance, Lively said.
For defensive capabilities it’s a lot easier to get something off the shelf that industry is using against a similar problem, she said.
There’s a lot that can be done with $2 million in cyber, she adding, noting that there’s so much that can be done if they need a quick and easy fix.
Rapid offensive cyber capability development under the RTOI model is a bit trickier, however. Offensive tools in most cases have to be tailored to a specific vulnerability, of which time can be of the essence: if the vulnerability is patched by the target, the exploit becomes useless. The government won’t put out bids for specific off the shelf offensive capabilities getting at specific vulnerabilities. This makes using O&M funds for offensive tool development much more difficult.
That’s not to say the Air Force isn’t using this on the offensive side. It is limited to tweaking something either available off the shelf or tweaking something that was previously developed, Lively said while presenting her paper at the conference. “Maybe it was a capability that went after a certain type of router and we’re tweaking it to go after a similar but different router,” she said.
In terms of real-world examples, Lively pointed to congressional testimony of the previous commander of AFCYBER, Maj. Gen. Burke “Ed” Wilson in 2015, who said there were “capabilities that have thwarted the exploit of user authentication certificates, the unauthorized release of personally identifiable information, and the blocking of sophisticated intrusion attempts by advanced persistent threat actors.”
Additionally, the 90th Cyber Operations Squadron has developed 110 cyber capabilities in the last two years, comprising of RTOI efforts to include 42 highly tailored cyber capabilities “enabling AF freedom of action and mission assurance in cyber against agile and advanced threats; 2) supporting [major commands] … operations and planning; and 3) enabling urgent operational needs and ongoing Combatant Command contingency operations,” according to a fact sheet. The 90th COS has also delivered 16 capabilities to Cyber Command through national support teams that help defend the nation against cyber attacks as well as combat support teams, which are the offensive cyber teams provided through the cyber mission force that are aligned to combatant commands and provide cyber effects for combatant commanders. AFCYBER is responsible for European Command, Strategic Command and Transportation Command.
Lively said this squadron is building things in near real time, which no other service has been able to do.
Why haven’t other services adopted this model
One of the key reasons other services might not have adopted this model, Lively said, is due in part to fear of thinking outside the box when it comes to fiscal law given the potential consequences for misusing funds.
Additionally, some services might not want to do it because they’ve already committed to spending RDT&E dollars and don’t want to have to call and notify Congress that they’re going to switch, which is required. Getting through the bureaucracy of DoD and notifying Congress in an official manner is difficult.
While the Air Force has been using RTOI in this capacity for nearly a decade, what’s new is the formalization of a set process and the publicization of it. It was only recently published in a formal Air Force Space Command instruction. Prior to that it was in various guidance memorandums and not publicly discussed or publicly available.
Rather, the authority was published in a series of short term guidance memorandums that were all for six months or less, mainly due to the fact the service wasn’t sure they could use these funds in this manner. They were tweaking the dollar limits, they were tweaking the thresholds for what types of capabilities and requirements. Every six months they’d get a new set of rules and then they finally came up with something they were happy with and published it.
Lively said part of publishing the paper was to get this out there and help educate other services.
Many leaders often note that cyber is a team sport. At the joint level, Cyber Command trains all cyber warriors to the same joint standards so each has the same baseline of skills and knowledge. With the Air Force’s current RTOI model, the case may exist that EUCOM, for example, can develop capabilities rapidly while the other commandant commands supported by the other services – who provide their own funding for cyber forces and capabilities – cannot rapidly equip leading to incongruence.
What permanent changes can be instilled
Lively said during her presentation that this is not DoD guidance or policy and not documented in financial regulations, meaning RTOI is not set in stone and could go away if regulations or policy changes.
Additionally, while the Air Force is currently employing this model using O&M funds for rapid cyber capability development due to the fiscal gray area, the RTOI construct increases the risk of legal violations for funding projects that are on the border between O&M funding and either RDT&E funding or procurement funds, especially if urgent needs emerge, Lively wrote in her paper.
“The real limitation is you have to stick with the limits of O&M funds. You have to be tied to or linked to … an operation or platform, capability or system,” she said.
She offered in her paper that the law be amended to say, “The Secretary concerned may spend from appropriations available for operation and maintenance amounts necessary to carry out unspecified full-spectrum cyberspace capability development projects costing not more than $2,000,000. b) An unspecified full-spectrum cyberspace capability development project is a project to produce a cyberspace capability that has an approved cost equal to or less than $2,000,000.”
This would more clearly define the process and open up many more possibilities.
A lot of cyber development is starting with next to nothing and rapidly developing a capability to get at certain problems, she said. “Right now that would still probably be considered RTD&E and you have to use those specific funds, which aren’t available to the operational commander and as a result you can’t do in that short time frame.”