Damaging attacks on Defense Department and private-sector networks have filled news headlines. They also prompted the Obama administration to appoint a national cybercoordinator and the Pentagon to create a Cyber Command.
But these initiatives still don’t address foundational issues that will certainly impede any progress. The biggest problem by far is that the U.S. government lags far behind industry in ensuring quality of service for its network infrastructure. In other words, the current acquisition culture makes it difficult to harness resources in support of cybersecurity.
This largely is the result of institutional practices, particularly in the way the Defense Department acquires information technology.
The government already is spending billions of dollars on IT products and services but does not hold its vendors accountable for cyberintrusions. The current contracting practices also fail to provide financial incentives to contractors to protect government networks from attacks.
Contracting typically is measured in terms of a service or a weapon system that the government is purchasing. Most contract types used today were designed to lower the risk to the government depending on the requirements, but they are not structured to reward or punish contractors for poor performance. This is a problem when it comes to cybersecurity.
The contract acquisition types that have stood out over time are known as “time and materials” and “labor hours.” Time-and-material contracts are primarily concerned with acquiring services for the government without knowledge of the required duration to finish the work. Similarly, labor hours are an acquisition of services, the only difference being that the government supplies all the necessary materials.
These contract mediums were used in eras when systems were closed networks and grew at a linear pace. An example was the CSC Infonet in the 1970s. Infonet was a large network with hundreds of users. The focus was more on supporting infrastructure development needs instead of ensuring quality of service.
In the decades since, there has been a continued push to make it easier for the government to access commercial technology. To support this effort, legislation such as the Federal Acquisition Streamlining Act of 1994 and the Clinger-Cohen Act provided measures so acquisition services could be obtained faster.
In this context, the Defense Department’s cyber-efforts have been directed towards obtaining “technical solutions” rather than high quality support.
The traditional acquisition economy is not giving the government the best value for taxpayer dollars. The biggest challenge for the government is that it now must protect vast, openly accessible networks. How can the Defense Department cope with these challenges given the lack of technical expertise within the government?
The Pentagon has turned to vendors and contractors for support in the areas of infrastructure design, maintenance and operations. But most contracts don’t require vendors to protect the networks as an integral piece of the service they provide to the client.
In the private sector, the situation is quite different. In the acquisition of cyberspace technologies, the most highly regarded contracts are “service level agreements” and their variants. SLAs are contracts that establish measurable performance indicators for services provided by vendors. For instance, a vendor may establish a service level agreement contract with a company that includes 99.9 percent guaranteed uptime and remediation of all cyberintrusions within 48 hours. It is up to the vendor to ensure that the agreement is not violated or it runs the risk of losing the contract. In some cases, the vendor must pay financial penalties if the service level agreement is violated.
By their nature, service level agreements also add a layer of acquisition oversight, since they put in place a criterion of success or failure in the contract. Following industry’s example, the U.S. government also tried to use SLAs and other similar performance-based measures.
Performance-based contracting was envisioned as a way to bring the benefits of service level agreements and at the same time give vendors more freedom to develop technology. In theory, the government would release a requirement and ask vendors to come up with a solution. Once a vendor was selected, the government would then actively monitor how well the vendor was performing. While the concept made sense in theory, there have been a number of hurdles.
One is the institutionalized culture at the Defense Department that resists using anything other than the standard contract mediums. The reason is that performance-based contracting added new responsibilities for both the government and vendor that appear difficult to implement. For the government, the challenge has been fostering a culture that emphasizes monitoring the quality of work. At the same time, the vendor has found it difficult to meet the demands of the contract, which are alleged to be vaguely written or lack specific details.
Time and resource constraints also have made it difficult for the vendor’s system to be adequately tested as a proof of concept. Without any trial run, the final product has at times been a disappointment.
Little has been done to change existing habits. The outcome has been to largely circumvent performance-based contracting or SLAs by reshaping requirements. By all accounts, none of these actions addresses the fundamental inability to ensure a measurable quality of service or to improve the government’s ability to defend networks from cyberattacks.
Some of the problems were seen early on in NMCI (Navy Marine Corps Intranet) and more recently in Department of Veterans Affairs contracts. NMCI, which was completely run by a contractor, was a tough learning experience. On multiple occasions NMCI failed to meet the requirements set in the SLA. Instead of ending the contract, the Navy chose to continue using the vendor’s services without charging a financial penalty.
The Department of Veterans Affairs has also been challenged by the quality of its computing environment. After awarding a series of contracts for improving information security, it found that the resulting acquisitions had poor oversight.
Secretary of Defense Robert Gates plans to bring on some 30,000 acquisition officials to the Defense Department. At first glance this seems to present an excellent opportunity to increase the use of service level agreements and performance-based contracts. But as has been the case with NMCI and Veterans Affairs, the entrenched culture has not broken free of the habits associated with old contract mediums.
Bottom line: It is increasingly imperative to somehow change the existing culture to include greater accountability, and offer further incentives in creating service level agreements and performance-based contracts.
Unless further attention is given to this problem, the United States runs the risk of falling behind in its technical leadership and in its cybersecurity capabilities.
As the Obama administration elevates the cybersecurity mission to the White House level, it is also important to recall that a similar role existed during the Clinton era. Richard Clarke sought to coordinate across government and provide an enhanced role for cybersecurity. Unfortunately, because of the difficulty in achieving coordination, the effort fizzled out. Let us hope for a better outcome this time around.

Anand Datla is a former Defense Department civilian who worked on strategic planning, policy and operations. He also served as a professional staff member of the House Armed Services Committee. He is currently a consultant based in the Washington, D.C. area.