By Sandra I. Erwin
As part of their routine combat training, Army brigades will be more rigorously challenged to fight enemies in cyberspace.
This new twist in combat training is part of a broader strategy to bolster Army skills at defending networks and to elevate the importance of cyber operations in war fighting, said Ronald W. Pontius, deputy to the commanding general of U.S. Army Cyber Command.
“We are working on truly integrating cyber operations into unified land operations,” Pontius told National Defense in a recent interview. The plan is to experiment with several brigades, study the results of the training and figure out how cyber warfare fits in the big picture of combat operations.
The 3rd Brigade Combat Team, 25th Infantry Division, was the first to try the experiment during its recent training rotation in Fort Polk, Louisiana. During drills at the Joint Readiness Training Center, the brigade deployed with its standard network defense capability, which Cyber Command supplemented with additional expertise. “We were trying to figure out how to bring defensive and offensive cyber operations, and how the brigade can think through how to integrate that into maneuver operations,” said Pontius. “This was the first of a series of experiments.”
There is growing pressure on the Army to beef up its cyber skills and prepare for the possibility that its weapon systems — many of which are digital devices connected to networks — could be hacked.
The trials will continue in the fall when another brigade goes through the JTRC, and next year as part of other Army fighting experiments, Pontius said. The mandate from the Army’s senior leadership is that “cyberspace operations are another warfare domain that needs to be fully integrated into land operations,” he said. “That’s part of what we’re working on. Experiments are important. We need to learn and grow from this.”
The Army will take the next year or two to study the results of the training and decide what, if anything, should change in the organization of combat units. “We’ll figure out what our future formations should be. What capabilities should be at brigade, division, corps levels, or what should be augmented,” said Pontius. The goal is to train field commanders to plan for operations in cyberspace like they plan physical security tactics. “We have a long way to go to work through what that means, train and educate our leaders, but that’s where we are heading.” The Army generally understands the importance of information systems and data. The question now is “Do we need to do better to protect it and how do we integrate that into operations? That’s part of the experiments.”
There will be two brigades in the Army entirely focused on cyber warfare: the 780th Military Intelligence Brigade based at Fort Meade, Maryland, and the Cyber Protection Brigade at Fort Gordon, Georgia.
Army Cyber Command, headquartered at Fort Belvoir, Virginia, has about 500 people, and is scheduled to relocate to Fort Gordon. The bulk of the Army’s cyber workforce of 19,000 — a mix of military, government civilians and staff contractors — resides at the Army Network Enterprise Technology Command at Fort Gordon.
“We are growing,” Pontius said. “We are in the third of a four-year growth plan that will be completed by the end of fiscal year 2016.” Both cyber brigades will have about 1,900 active-duty soldiers, and will be augmented by platoon-size teams from the National Guard and Army Reserve.
Army Cyber Command also will be overseeing a massive network consolidation effort that would bring the Army, National Guard, Reserves, Corps of Engineers and research labs into the same network environment. “We’re on a journey on that, it will evolve over the next couple of years,” said Pontius.
At the same time, the Army will transition to a defense-wide network that the Pentagon will create in order to better protect military systems from intrusions. “That’s the path DoD is on,” said Pontius. The overarching concept is called “joint integrated environment.”
The Defense Information Systems Agency is leading a program to deploy “joint regional security stacks.” These are suites of equipment that perform firewall functions, intrusion detection and other network security functions. Under this approach, cybersecurity is centralized into regional architectures instead of locally distributed architectures at each military base, post, camp, or station. The Army and Air Force have funded DISA to transition their networks to the new structure.
“The Army is in tremendous need of modernizing our network,” Pontius said. “Our modernization will be part of the modernization of the joint network,” he added. “When we move to the joint regional security stacks and a new joint architecture we will reduce the ‘attack surface’” on which intruders can operate. “That puts us on a more defensible basis.”
The shift to the joint regional security stacks will take about two to three years, Pontius said. “The model we have now, with all the different networks, is unaffordable. And we can’t defend it.”
Photo Credit: Army
By Sandra I. Erwin
U.S. manufacturers have hailed the Obama administration’s six-year effort to ease the red tape for exporters. Defense companies that make products with commercial applications especially have benefitted from reforms that have sought to draw a clear distinction between technologies that are uniquely military and those that are dual use.
One of the key goals of the reforms was to specify what items are regulated as “defense articles” by the State Department — as opposed to commercial products regulated by Commerce — and end the ambivalence that has vexed exporters.
So it might come as a surprise to Pentagon contractors that a new rule that affects electronic equipment would by default classify as a “defense article” any electronics developed with Defense Department funding, regardless of whether the technology is a sensitive military system or intended also for civilian applications.
The regulation, which affects electronic systems whose development is funded by any Defense Department contract dated July 1 or later, has the potential to become a compliance nightmare for companies that rely on government contracts to design products that they hope to commercialize later.
The rule has industry attorneys scratching their heads because it seems to run counter to the spirit of the administration’s export control reform effort. Many industry CEOs have said the reforms have helped simplify the licensing process and removed onerous red tape from the exports of commercial technologies that once were categorized as defense articles under the U.S. Munitions List.
The electronics provision could have significant ramifications, said Jason M. Silverman, a partner at McKenna Long & Aldridge who specializes in government contracting. “Basically anything with a digital component that was developed with Defense Department funds would be controlled under ITAR.”
The International Traffic in Arms Regulation controls exports of defense-related products and services. The U.S. Munitions List has 21 broad categories of products that are subject to the ITAR. The reforms have focused on each separate category. Electronic equipment and systems fall under category 11. The newly introduced federal regulation applies to “developmental electronic equipment or systems funded by the Department of Defense via contract or other funding authorization.”
The definition of what is being regulated under ITAR is very broad, Silverman told National Defense. The government arguably is departing from the original purpose of export control reforms, which was to stop using catchall designations for product categories. “There’s no clarity on what is developmental,” he said. “This definitely has the potential to expose companies” that may not be aware that the technology they are developing under a defense contract falls under ITAR control. “I can see people being caught off guard.”
The specific impact of the rule on exporters might not be known for years, but attorneys like Silverman and others are warning of a possible regulatory quagmire particularly for small businesses that might not have the legal expertise. Big defense contractors have a compliance apparatus in-house to deal new regulations, but startups and commercial firms may be ill equipped to handle complex regulatory requirements, said Silverman.
A sticky situation would be, for instance, a company developing technology that, even though it was funded by the Pentagon, would have applicability in civilian markets such as medical devices or surveillance sensors. In such cases, the only way to avoid ITAR control would be to have the contract specifically state that the technology is both for “military and civilian applications.” Another option would be to file a “commodity jurisdiction” request to the State Department that would exempt that product from the ITAR.
The rule could come into play for any U.S. company that does any offshore research, development or manufacturing.
“Government contracting officers and contractors are going to have to be sensitive to this,” said Silverman. For contractors, especially, there is a lot at stake if all of a sudden they find themselves having to comply with regulations of which they were not aware. This is precisely the type of confusion that export control reforms were intended to avert, he said. “There’s supposed to be added clarity to these categories. You’re supposed to be able to classify items as either military or commercial and the reform was supposed to facilitate that process.”
Under the new rules, contractors might have to factor the cost of ITAR compliance into their negotiations with the government, or they could work out an agreement so the contracting officer states the product has commercial applications and therefore would not be ITAR controlled.
The notion that a product is ITAR controlled by nature of its funding is not new in export regulations, Silverman pointed out. “But this takes it a step further.”
A similar provision was put in category 15 for space systems. Hosted payloads and other subsystem development funded by the Defense Department would automatically be ITAR controlled unless it is exempted by language in the contract or by a State Department commodity jurisdiction ruling. Under category 8 (aircraft) the same rule covers developmental aircraft funded by the Defense Department.
The issue with category 11 is that, unlike aircraft, the lines between military and civilian application in electronic equipment and systems are much fuzzier so the rule could impact a wider universe of companies that make products in this category.
It is conceivable that, as a result of this rule, commercial companies might think twice before taking Pentagon money for any development work out of fear of falling under the ITAR regime, although that should not be a deterrent, said export attorney TJ Ogden. Companies should not use the ITAR as a crutch or fear the regulations, but should make sure they have proper knowledge of export control rules and set up a compliance program to deal with both the State and Commerce departments, said Ogden, who is director of defense exports at Defense Export & Logistics, a division of Pacific Propeller International.
Most of the export control reforms in general have been “very positive,” he said, although the electronics rule is likely to cause some confusion. “It would be important for the government to make sure they make regulation more specific as opposed to broad brushing all electronic systems.”
Photo Credit: Defense Dept.
By Yasmin Tadjdeh
Army leaders face a future of unknown threats that will require them to be agile and adaptable, the head of U.S. Army Training and Doctrine Command said June 30.
“The level of unpredictability and the rate of change and how quickly things can go bad … is probably the biggest challenge for the Army,” said Gen. David Perkins during a breakfast meeting with defense reporters in Washington, D.C.
When he entered the Army decades ago the nation was still in the midst of the Cold War, Perkins said. As a young officer, he was expected to study and understand his adversaries and learn how to best win battles. Future Army leaders will not have the luxury of knowing who their enemy is, he said. That will be a fundamental challenge.
“Relatively speaking, life was pretty predictable” during the Cold War, he said. “The problem we have now is we have no idea who our adversary would be [and] we have no idea where we will face them.”
Previously, leaders would be trained by repetition, he said. They would continue to learn more about a particular adversary and build upon that knowledge. They would develop checklists for battles. That method is no longer applicable to current forces, he said.
“We can’t train leaders like that anymore because we don’t know where they are going to go. You may go to West Africa to do Ebola. There is no Ebola checklist,” he said. “That means we have to train leaders to be adaptive, to be innovative.”
Additionally, officers may not have traditional allies to lean on, he said. As a young leader, Perkins said the military had NATO. But “we have no idea who the coalition [of the future] is,” he said. Further, “somebody today in your coalition may not be there a year from now and they may come with caveats.”
TRADOC is working on ways to better equip and train soldiers and officers for unfamiliar threats, he said. The right balance hasn’t been found yet, but Perkins said he was hopeful.
“The young officers and soldiers we are bringing into the Army … they’re very used to constant change,” he said. “Their anxiety is not as high, I think, [as] my generation when we went into an unknown situation.”
The command is looking into updating its educational methods to help better train them, he said. “Are we doing the right things at Command and General Staff College? Are we doing the right things at basic training?” he asked. “Are we building these critical thinkers? Can we innovate our course instruction quicker?”
Additionally, having soldiers participate in more war games would make them more adaptable and innovative, he said.
Photo: Gen. David Perkins, Army Training and Doctrine Command commander (Army)
By Sandra I. Erwin
Just less than two years ago, the Pentagon warned in a report to Congress that “continued uncertainty will hit smaller, innovative, and niche product companies particularly hard due to a lack of capital resources.”
But Pentagon officials offered a much cheerier outlook last week as they unveiled the results of the fiscal year 2014 small business federal scorecard.
The federal government overall awarded 24.9 percent of all prime contracts to small businesses in 2014, or about $91.7 billion. And defense contracts accounted for more than half, at $54.3 billion, a figure that earned the Pentagon high praise from the Obama administration.
“This is the highest percentage of contracting dollars ever awarded to small businesses since the 23 percent goal was established in 1997,” said Small Business Administrator Maria Contreras-Sweet, who appeared at a Pentagon news conference June 26 with Undersecretary of Defense Frank Kendall.
“Small businesses now are filing more patents than ever,” she said. “So they're also driving innovation.”
The Pentagon has made a deliberate effort over the past five years to boost small business contracting, said Kendall. The Defense Department’s “better buying power” procurement guidelines specifically promote the use of small businesses, “both for innovation and for efficiency and to control costs,” he said. “Small businesses, particularly in the services industry, tend to be leaner and more anxious to get work, and thus tend to be more economic in many cases for the department.”
Defense officials’ upbeat talk about small business contracting is a far cry from pessimistic forecasts that followed the military spending downturn between 2009 and 2013. CEOs of large prime contractors repeatedly warned that they feared losing small business suppliers, especially those that make specialized defense-unique products.
Under Kendall, the Pentagon’s industrial policy office launched a sweeping “tier by tier” study of the defense supply chain out of concern for the financial health of small suppliers.
Today, there are no reasons to worry, said André J. Gudger, acting deputy assistant secretary of defense for manufacturing and industrial base policy.
“We don't have a weak supply chain. We have a very healthy one,” he said. “There's areas of concern that we have that we focus on, but yes, we have overall a healthy industrial base set up from our first tier to our sub tier suppliers.”
Kenyata L. Wesley, acting director of the office of small business programs, credits Kendall’s better buying power for the improved climate. “Better buying power strategically focuses on small business as well as technology and innovation,” he said. “If you look at better buying power 3.0, which is now the third iteration, there's a lot more initiatives based on small businesses, because we're not stopping, we're not taking the foot off the gas. … It's not a political statement that they're the economic engines. They're technology engines.”
Gudger said he continues to monitor the state of the industry. “I'm responsible for the industrial base and ensuring that it's a modern, healthy, robust industrial base. And we look at the fragility and criticality of all businesses, not just small. That includes the medium and the large, to see where we have critical capability where we might have an industrial base that's thin or weak.”
Today, he said, “there is no systemic crisis” concerning defense suppliers. “Our industrial base looks very healthy. We have improved it.”
The SBA has programs to help cash-strapped federal contractors, said Contreras-Sweet. One is called “emerging leaders,” she said. “We take experienced companies, as we help them grow to scale, put them through what we call a mini-MBA.” Another is called “quick pay,” aimed at suppliers with cash flow problems.
Defense Department service contracts appear to be the sweet spot for small businesses. About half of all defense contracts are for services. “The Department of Defense made a decision to focus on areas that were very healthy for small businesses,” said Gudger. “We focused on areas such as knowledge base services, electronic and communications, and facilities management.”
In the federal scorecard, the SBA gave the Defense Department an “A” grade. Eighty percent of the grade is based on the actual prime contracting dollars, said John Shoraka, associate administrator for government contracting and business development at SBA. Ten percent of the grade comes from the amount of subcontracting dollars, and the remaining 10 percent is based on subjective factors such as specific leadership efforts.
Shoraka noted that the federal government also broke a new record for contracts awarded to businesses owned by our military disabled veterans. The goal is 3 percent, but in 2014 that percentage rose to 3.7.
Photo: Undersecretary of Defense Frank Kendall (Defense Dept.)
The Office of Personnel Management and the FBI have wildly divergent estimates of the total number of individuals affected by recent OPM data breaches, and the discrepancy of approximately 14 million has caused concern amongst lawmakers.
FBI officials have found that an estimated 18.2 million people are at risk of having their personal information stolen, but OPM Director Katherine Archuleta said that she does “not believe that this is an accurate number.” At a Senate Committee on Homeland Security and Governmental Affairs hearing June 25, she estimated that only 4.2 million have been affected.
Archuleta said that she does not “have an understanding" of how the FBI came up with its estimate. She acknowledged that she has yet to personally meet with FBI Director James B. Comey to discuss the discrepancy.
Sen. John McCain, R-Ariz., took issue with Archuleta’s lack of discussion with Comey, saying that it seemed that the matter did not “rise to her level of attention.”
“When there is a clear situation here of an allegation by the most respected law enforcement agency in America of 18.2 million, [and what] you’re alleging is 4 million, wouldn’t you sit down with the director of the FBI and say ‘Hey, the American people need to know, especially those 14 million between four and 18 million that may have been breached?” he asked. “Why wouldn’t you sit down with the FBI to find out where they got their information so you can corroborate it or deny it?”
The argument about numbers is not the only source of contoversy. While multiple reports have surfaced blaming China for the two recent hacks on OPM’s system, Archuleta deferred the line of questioning from the Senate committee, saying “OPM is not responsible for attribution.”
Quoting Comey, Sen. Tom Carper, D-Del. said: “There are two kinds of big companies in the U.S.: those that have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
Two separate breaches of OPM's networks were discovered earlier this year. The first, in which federal employee personal and financial information was hacked, was discovered in April. A second breach involving background investigation information was detected in May.
Notifications have been sent to 4.2 million federal employees potentially affected by the first data breach. OPM is currently unsure of the total number of individuals affected by the second.
“This massive theft of data may be the largest breach the federal government has seen to date,” said Committee Chairman Ron Johnson, R- Wisc. “Cybersecurity on federal agency networks has proved to be grossly inadequate. Foreign actors, cyber criminals and hacktivists are accessing our networks with ease and impunity.”
OPM has been hacked five times in the past three years, Johnson said, three of which happened on Archuleta's watch, which began 18 months ago.
OPM Inspector General Patrick McFarland, who has warned OPM multiple times of its vulnerability to cyber threat, stated the agency has continued to “neglect” and “ignore” his warnings and suggestions of shutting down OPM’s IT system infrastructure.
“I don’t know why they were ignored but they were ignored, in my estimation,” he said.
Archuleta said she did not follow McFarland’s guidance because she “had to make a very conscious and deliberate decision as to the impact of shutting down" the vulnerable systems. “I made a conscious decision that we move forward with this ... [and] make improvements as rapidly as possible. And we have done that,” she said.
Following the detection of the breaches, the Office of Management and Budget launched a 30-day "Cybersecurity Sprint" in an effort to further improve federal cyber infrastructure and protect systems against evolving threats, said Tony Scott, U.S. chief information officer for OMB. The strategy stemming from the initiative will detail short, medium and long-term steps that the government should take to address current operational deficiencies and vulnerabilitie, he said.
Photo Credit: Thinkstock
U.S space agencies must complete the purchase of Russian-made RD-180 rocket engines until a domestically produced equivalent is ready for use, the head of U.S. Space Command said June 26.
"Without access to the RD-180 ... we severely limit our assured access [to space], undermine the competition we have worked so diligently to enable and will have traded one monopoly for another in the medium and intermediate vehicle classes," Gen. John Hyten said at a House Armed Services Committee hearing.
Congress has prohibited the use of the Russian-made engines for heavy lift rockets after 2019. Industry is working to produce a domestic version, but there are concerns that a replacement will not be ready in time. That may leave SpaceX, founded by billionaire Elon Musk, alone in offering heavy lift services if its Falcon Heavy is developed by then.
“If the current law is not modified, America will not have assured access to space and competition will have been unintentionally eliminated, giving the new entrant a monopoly,” Tory Bruno, President and CEO United Launch Alliance, said referring to launch provider SpaceX.
The nine RD-180 rocket engines available will not ensure access to space for the United States national security needs, said Hyten. He supported the Defense Department request to fulfill the 2012 purchase of additional RD-180 rocket engines in order to allow ULA to participate competitively until a new launch system is available to deliver necessary space capabilities.
Federal law requires two independent providers of launch systems for access to space. ULA manufactured Atlas V and Delta IV launch systems, which use the Russian made RD-180 engine, currently carry two-thirds of U.S. national security payloads.
ULA needs the originally allocated 29 RD-180s in order to maintain business viability until a replacement launch engine can be certified in 2019, said Bruno.
“As senior Russian leaders have noted numerous times, they can cut off the supply of the RD-180 engine the United States at will,” said Jeffrey Thornburg SpaceX senior director of propulsion engineering. The Falcon 9 launch system, produced domestically by SpaceX, is certified to handle the “highest-value national security payloads,” said Thornburg.
Bruno took the opportunity to criticize rival SpaceX. Congress should examine the company's prior failures to fulfill promises made about its technology, said Bruno.
“The space and business press is awash in stories that chronicle the history of SpaceX over-promising and under-delivering on both cost and schedule,” said Bruno.
Thornburg noted that SpaceX's Falcon 9 was recently certified to carry national security payloads and said that its Falcon Heavy rocket, which is still under development, will as well. Both are domestically manufactured, he noted.
Hyten said Market competition and government support should be able to deliver an U.S. engine by fiscal year 2019, and two certified launch systems by fiscal year 2022.
The U.S government is responsible for almost all of the demand for rockets which used to maintain the U.S national security space capabilities, said former NASA administrator Michael Griffin. “The vagaries of the market cannot be allowed to determine whether or not critical payloads make it to space in a timely fashion,” he said.
An American funded and owned engine equivalent to the RD-180 should be produced, “as quickly as we can possibly do so,” said Griffin.
NASA provided SpaceX with $3.5 billion in funding for seven launches, said Griffin. That points to either incredible costs associated with launch, or large sums of that money have gone toward “capitalizing” the company, he said.
“I very strongly believe that government money, which has been provided to SpaceX has in fact gone for the development of Falcon 9,” said Griffin.
The NASA program funding was focused on the Dragon space capsule, while the Falcon 9 program was funded by SpaceX, countered Thornburg.
Photo: NASA engineers successfully test a Russian-built RD-180 rocket engine (NASA)
By Sandra I. Erwin
House and Senate conferees will meet next month to iron out differences over the 2016 National Defense Authorization Act. Of particular interest to Pentagon weapon buyers and the defense industry is whether lawmakers will adopt Senate proposals to shake up the procurement power structure.
Senate language that would shift significant authorities over weapon programs from the defense secretary to the individual military services has surprised Washington insiders, even those who have advocated this move for years and thought it would never happen. And it has galvanized supporters of the status quo who are warning that the proposed changes would reverse recent progress in defense program performance.
Defense experts predict the outcome will be a halfway compromise rather than a seismic shift. They also hope the coming legislation will mark the beginning of what could be a years-long process of repairing a deeply broken procurement system.
“We are not going to invent anything new to fix acquisition,” said retired Lt. Gen. Charles R. "CR" Davis, who recently served as the top military adviser on Air Force acquisition programs.
Davis commended the defense committees for recognizing the current path is unsustainable and for attempting to put Pentagon weapons procurement on track. Legislation, though, will not magically undo decades of bad management. “There is absolutely no new thoughts coming out of any of these discussions that haven’t at one time or another been thought of, used or implemented,” he said in an interview. What is being proposed are “nuanced changes of what’s been done before.”
The troubles in Pentagon procurement, said Davis, in part have been caused by a “lot of people thinking they can fix it by policy or legislation or regulation.”
But he agrees wholeheartedly with Sen. John McCain that there has to be a way to hold officials accountable for missteps. McCain, chairman of the Senate Armed Services Committee, has been the main proponent of the provision to decentralize decision-making power and transfer authorities to the military services.
Davis sees both pluses and minuses in such a move.
When a service faces a major “milestone” decision, such as whether to start production of a weapon system, the advice of the Pentagon’s procurement leadership is helpful, he said. The problem that has festered for years — and ultimately led to the Senate language — is that Defense Department acquisition staffs have grown uncontrolled over the past two decades and created a massive web of red tape that stifles program managers and slows projects to a crawl.
“There is a problem with the role of the AT&L staff,” said Davis, speaking about the large bureaucracy that reports to the undersecretary of defense for acquisition, technology and logistics.
“Many of them have never run a major program. There are hundreds, if not thousands of those folks. They all feel they have vested power.” The Defense Department’s “better buying power” guidance in 2010, especially, has emboldened AT&L staff to “review and provide direction to a program,” Davis said. With so many overseers and no clear chain of command, program managers are distracted from their primary duties to manage cost and schedule.
The Senate bill would transfer milestone decision authority from Undersecretary of Defense for AT&L Frank Kendall to the senior acquisition executives of each service. That would not necessarily fix the larger problem, Davis cautioned. “In some cases, a discussion with Kendall and a small group brings value added. It’s not whether AT&L is the MDA [milestone decision authority] or not. It’s about what you have to do to get there, and how bastardized the system has become by giving the staff what appears to be huge power to redirect things, but no accountability for what they do.”
Program managers are constantly second-guessed by service staffs, AT&L and congressional staffs, said Davis. “You put so many people in charge of a program who have the ability to rewrite your document and redirect your decision” that even simple steps can take months or years. “Power is so diffuse and we no longer have clear definitions of the roles of key players. That’s why we are having issues. … I am with Sen. McCain. Program managers ought to be held accountable, be fired if they screw up, but they need to have the authorities to make decisions.”
The case could be made that the F-35 joint strike fighter might have benefitted from a service-centric chain of command rather than centralized DoD management, said Davis, who oversaw the Air Force F-35A. In the early days of the program, then Chief of Staff Gen. T. Michael Moseley pushed to have Air Force prototype aircraft fielded sooner and to have new features added incrementally. But the Pentagon rebuffed that idea. “If McCain’s service-focused plan had been in place you may have had a different program now. The F-35 authority was so diffuse. There was no one in charge the way it was set up,” said Davis. “There is something to be said about the intent of Sen. McCain’s proposal.” How to actually implement it is up for debate, he added.
On the F-35, there is much blame to go around. Fundamentally, Davis said, the program got on the wrong track the day the acquisition strategy was signed by then Undersecretary for AT&L Jacques Gansler. Besides the much criticized overlap between development and production, the aircraft hinged on dozens of unproven technologies that were way below the maturity level that should have been accepted. “All on a cost-plus contract with all that unproven technology and unproven acquisition processes. There is no doubt that we have lived with the consequences of what was signed that day.”
The NDAA, while well intended, should not be trying to put patches on flawed policies, said Davis. Congress should not be stepping in to perform the functions of a program manager.
“We need to stop and reset,” he said. Congress should write a clean-sheet description of the duties of the major players: the program managers, the contracting officers, the program executive officers, the senior acquisition executives and AT&L. “I think we would end up with a much cleaner system, and more accountable. Until we do that, we’re going to continue to chip around the edges,” he added. “Very few PMs have had a sense of accountability because they have no sense of having the authority to implement the decisions they’re supposed to be accountable for. The system is an aberration of anything that would make sense.”
Other experts doubt McCain’s plan will fix the accountability problem. The services each have “particular motivations” and need supervision, said former acting Deputy Defense Secretary Christine Fox. “I do believe it is important for the secretary of defense to have responsibility and oversight over major acquisition programs,” she said at a Lexington Institute forum on Capitol Hill. Citing the F-35, she said it was an example of the services wanting something badly enough that “they were able to convince themselves that they could indeed have it for less than anyone would have ever predicted, and sooner than anyone would have ever predicted.”
Fox warned that diminishing AT&L authority could undermine Congress’ 2009 acquisition reform legislation that established a Pentagon office — that Fox ran for several years — to produce independent cost estimates of major programs. “Taking the secretary and undersecretary out of the acquisition loop runs the risk of rolling back some of the recent progress that we have seen,” she said. To ensure accountability, “what you need is independent cost estimates with teeth.”
Fox faulted unstable budgets for the negative trends witnessed in program costs and schedules. When budgets are hard to predict, as they have been in recent years, “we don’t cancel, we slip and slide. That’s what we always do under budget pressures and uncertainty.”
Other former Pentagon officials support McCain’s initiative. Tina Jonas, former Defense Department comptroller, said the services should have a bigger role in military acquisitions. “In conversations I have had with military officers, I hear a desire to be brought into the process,” she said. “That would increase accountability.”
Undersecretary for AT&L Kendall has been vocal that he opposes the Senate reforms. His former deputy Andrew P. Hunter, who is now at the Center for Strategic and International Studies, was careful not to take sides in remarks at the Lexington forum. His current boss, CSIS President and CEO John Hamre, has been a persistent advocate of strengthening the authority of the services — a return to how it was before the passage of the 1986 Goldwater-Nichols Act.
“The chain of command issue is central to the more controversial provisions in the Senate bill,” Hunter said. Changing the current structure, however, does not guarantee success, he said. “We should focus on making the process successful.”
Left to right: Undersecretary of Defense Frank Kendall, Sen. John McCain Photo Credit: Defense Dept., Thinkstock
By Yasmin Tadjdeh
The Chairman of the House Committee on Homeland Security slammed colleagues in the Senate for what he said is an unacceptable delay in passing desperately needed cyber security legislation.
The National Cybersecurity Protection Advancement Act, sponsored in part by Rep. Michael T. McCaul, R-Texas, received 355 votes when it came before the House in April. Since then, it has been languishing in the Senate as countries launch cyber attacks on the United States, he said June 24. And in the wake of the Office of Personnel Management cyber intrusion, where millions of federal employee’s personal data was stolen, it is imperative work begin in earnest, he said.
“It’s sitting over there in the Senate. You would think after this breach of enormous proportions that the Senate would start to act on this bill,” he said during a National Journal-sponsored discussion in Washington, D.C. “I don’t think we have time to wait and yet they continue to wait over there.”
The United States is facing an unprecedented amount of attacks from around the world, he said. Whether it is Russia, North Korea, China or Iran, a robust cyber security information-sharing framework would help mitigate intrusions, he said.
McCaul said he was confident that if his cyber security bill were presented to President Barack Obama tomorrow he would sign it into law.
“It would greatly enhance our ability to protect Americans from nation states sponsors like China and North Korea and Iran from attacking Americans in the private sector and also the federal government,” he said. “I can’t express enough how important it is to get these bills passed and how irresponsible it is not to.”
McCaul said the bill balances privacy with security. Getting that balance right has been tricky in the past, he said. “What has been the problem? Why hasn’t it worked before? Well, we haven’t had liability protection and without liability protection you cannot incentive true information sharing,” he said.
“This bill has the strongest liability protection that we could possibly write to incentive the private sector to participate,” he said.
Under the bill’s provisions, companies would share information about breaches with the government and with other firms, if they chose. That is critical because 80 percent of threats and malicious codes exist in the private sector, McCaul said.
The Department of Homeland Security would lead the effort, he said. “DHS can’t spy on you. DHS can’t prosecute you. The way it’s set up … [is] truly an information sharing process. The information can only be used under the bill for cyber security purposes only.”
There must be action as attacks become more frequent and nefarious, he said.
“We’re going beyond just credit card theft. We’re entering the age of espionage and cyber warfare,” he said. “I’ve seen our offensive capability, it’s very impressive. That capability turned against us could be devastating.”
The recent OPM breach was for espionage purposes and is the most significant intrusion against the federal government ever, he said.
“I would say it’s espionage because of they way it was done. [It] was big data theft. We didn’t see a deluge of credit card theft after this. It was just a huge data theft to mine that data and use and compromise Americans,” he said.
McCaul said if his bill had been turned into law it could have prevented the OPM attack.
He pinned the attack on China, although Adm. Michael Rogers, head of the National Security Agency and commander of U.S. Cyber Command recently said the nation may not have been responsible for it.
Photo: Rep. Michael T. McCaul, R-Texas, left, speaks with Tim Grieve, editor in chief of National Journal (Yasmin Tadjdeh)
By Taylor Feuss
Information sharing and cooperation between military and intelligence communities has significantly improved but more can still be done, said retired Army Gen. Stanley McChrystal, former commander of U.S. and International Security Assistance Forces in Afghanistan.
Intelligence and operations communities need to think alike and understand each other, McChrystal said June 23 at the 2015 GeoInt Symposium in Washington, D.C.
“I tell commanders you better become intelligence [experts] because this is just a fight for information,” he said. “We can kill anybody we can locate. It’s no longer a case of being able to defeat the Soviet tank division. It’s a case of you can defeat whatever you can find but you have to know where you’re looking. You have to understand it enough. It’s a different mindset.”
McChrystal, who served as commander of the Joint Special Operations Command from 2003 to 2008, said the 2006 mission that killed terrorist leader Abu Musab al-Zarqawi in Iraq is good example. Following the mission’s completion, McChrystal gave out one medal to an intelligence sergeant, who he said “pulled it all together,” and was able to think as both an intelligence and operations perspective.
“Nobody thought that was the wrong thing to do. Everybody realized it matters,” he said. “I think a lot of people are well on their way to that, but many of our structures don’t necessarily reflect that.”
As the world evolves, both intelligence analysts and military operators must have the ability to think for themselves, communicate instantaneously and execute missions without waiting for instructions from higher ups, McChrystal said, noting that cooperation and operation efficiency have improved since the post-9/11 wars began.
“When I started in command in the special operations task force I essentially approved every operation,” he said. “Two years later I was approving none of them because that wasn’t my job. There were people that could do that.”
Theresa Marie Whelan, principal deputy assistant secretary of defense for Special Operations/Low-Intensity Conflict, said the intelligence and military communities have worked together as a team in recent years, calling integration a “main component of success.”
“It is the teaming. It is the integration. It is the information sharing. It’s the feedback loop,” she said. “The operations side owes the intelligence side the feedback information from what their doing on the ground so that it can further enhance the intelligence community’s ability to refine their products and abide to the best tactical intelligence possible.”
If the U.S. wants to continue as a dominant military force, there must be more cooperation and integration between the two bodies, Whelan said.
“It’s a matter of continuing to have intelligence professionals working with the operators so that they can understand what the operators’ needs are,” she said.
“It’s also important for operators to sort of get the same experience on the other side. Even as a policy maker it’s really critical to understand the dynamics of each other’s roles because then we understand the strength and we also understand the limitations," she said.
"That to me is the most important component of success in the future. It’s not necessarily toys and tools but its cooperation of the professionals in each realm and that’s how we’re going to get the most out of both our intelligence community and out of our SOF forces,” she added.
Photo Credit: Thinkstock
By Graham Kilmer
Adm. Michael Rogers
The National Security Agency is not yet saying whether China was to blame for the massive data breach at the Office of Personnel Management that resulted in the theft of millions of government worker records, according to its director.
Director of the NSA and head of U.S. Cyber Command Adm. Mike Rogers said — in response to a question during a speech at the GeoInt 2015 conference — that the process of attributing the OPM data breach is ongoing, and that he does not accept any “assumption” that the breach is attributable to China.
"I think first of all, I'm not getting into the specifics of attribution. That's a process that we're working through on the policy side. That's ongoing," he said.
Revelations that millions of government employee records had been pilfered by hackers were followed by speculation in the media that China was to blame. An audience member asked Rogers how NSA had reached that conclusion. He said NSA hadn't.
"You put an assumption in your question. so I'm not going to accept your assumption," he said.
Attribution for a specific cyber security event is different depending on the actors involved, said Rogers. Attribution has come a long way, and it is no longer the challenge it was 10 years ago, he said.
“Sony is a good example of that,” said Rogers, referring to the theft of the movie studios emails, which the NSA attributed to North Korea.
Intelligence and security agencies in the U.S. government were able quickly come to a consensus that the characterization of the attack on Sony came from there, said Rogers.
“We are in a world in which increasingly data has value as a commodity to a wide range of people,” said Rogers, “and there’s a wide range of people, groups, and nation states aggressively seeking access to that data.”
The U.S. government has identified 16 segments of the private sector that represent critical importance to the nation’s security, said Rogers, such as financial, transportation, and power. A breach of data at financial institutions could lead to a destruction of their business model and long-term viability, he said. This is a problem that requires increased investment, Rogers said.
Historically, intellectual property as well as research and development work were the primary targets of cyber attacks, said Rogers. Recently, large data sets have increasingly become the target of attacks, he said. This is due to the power of big data analytics, he said. This is causing groups to attempt harvesting massive amounts of data.
Continually responding to individual incidents involving data security is not a winning strategy, said Rogers. Both government and private sector organizations will be in a constant fight to safeguard networks and data, said Rogers.
The Defense Department is currently investing time in identifying where there are massive amounts of data susceptible to breaches in order to maintain security, said Rogers.
The ability to remain mobile and maintain a digital interface is part of the foundation of daily private and professional life, said Mike Rogers. These wireless and mobile technologies present vulnerabilities to the security of data, however, it is not an option to disregard them and their application for possible mission outcomes, he said. The risks must be acknowledged, and an attempt must be made to mitigate that risk, Rogers said.
Lines of communication are becoming blurred, Rogers said. He likened the digital communication space to a super highway of information that everyone is traveling on. The challenge becomes what are the right cars to monitor, he said. Monitoring all the cars in the highway is an un-workable strategy and goes against the principles of the United States.
Clarification: Story clarifies remarks made by Rogers on attribution of OPM hack.
Photo Credit: Defense Dept.