The Army is changing the way it buys software and has started entering into new agreements with industry to acquire the intellectual property rights of software.
Generally, contractors that develop systems for the Army own the actual code they write. This means if an update needs to be made quickly, the Army has to go back to the contractor and often pay for updates because they don’t own the rights to the programming.
“It used to be the way we looked at intellectual property rights is we kind of saw it as a binary decision. The government either bought it or we didn’t. Most times we didn’t because it was very expensive,” Maj. Gen. Randy Taylor, commander of Communications and Electronics Command (CECOM), told C4ISRNET in a May 20 interview. “The reason it was so expensive is because what company would want to compromise that?”
CECOM is responsible for sustaining and refurbishing Army systems such as radars and radios. As software has become a critical enabler, and a crutch in some cases, CECOM has had to grapple with sustaining and maintaining software for the service as the organization’s mission now includes ensuring refurbishment and readiness of command, control, communications, computers, cyber, intelligence, surveillance and reconnaissance (C5ISR) systems.
Now, Taylor said, under a new effort underway when the Army buys and develops a system, the Army follows an agreement that predetermined events can trigger a clause in which the government will have rights to the intellectual property developed by the contractor at a pre-negotiated price. For example, due to the nature of threats, new signatures for a radio or radar could be detected and necessitate a quick software update.
To ensure each side is properly protected, a neutral third party will hold onto the intellectual property of the software code and the government will pay for what it needs when it needs it.
“That reduces my expense risk and reduces their competition risk," Taylor said. “We’ve already started that. That is a brand new way of doing business.”
Reducing software costs
In the past few years, sustaining software has been a crushing expense for the Army.
“If you saw the trend of how software sustainment was going up before we did a big course correction, we were approaching the point, theoretically, someday where all of our sustainment dollars would go to software and have nothing left for the hardware,” Taylor explained.
The first step toward gaining control of this problem, Taylor said, was reducing software baselines. During the last 18 years of war, there were so many different versions of software on different platforms. CECOM worked with the various program offices to consolidate these down to minimum number.
Taylor said when systems are purchased now, Army leaders want more commonality with the program offices so that one software solution can be applied to similar functions.
He also noted that the Army has negotiated better enterprise licenses which has led to greater efficiencies. He said the Army’s sustainment community went from 43 software contracts to 34. While that’s still a large number, the difference makes an impact.
Automated software patching
One of the most critical defensive mechanisms in the cybersecurity world is simplifying patching systems. These updates are issued to ensure systems are up to date against reported threats.
This can be a challenge for the globally deployed Army in which some units are operating in disparate environments with limited connectivity. In the past, updates were loaded to compact discs and mailed to units in the field, significantly increasing the time for patching.
Now the Army is working on ways to automate that process for deployed units, which improves tactical cyber defense.
“What we’ve done recently is made it a lot easier to work with automated or what we call electronic patching. Meaning we have 33 systems, mission command systems, that require updates from us right now as an example that are good candidates to be electronically patched,” Taylor said. “Of those, in 2017 we went from about eight that could be electronically patched to now we’re on our way to 24 of the 33 with this capability.”
The system is not automated, however, in the sense that systems update themselves. A patch is posted online and as long as soldiers have a connection to the Department of Defense Information Network they can pull the updates down and apply them. However, depending on the type of update and echelon of unit, some soldiers might need to be connected to larger pipes for more bandwidth.
“When you look at the cyber vulnerability in the Army, the widest growing attack surface is that tactical [side] because there [are] so many soldiers with so much equipment and so many different units and a lot of that is administered and operated at a relatively low level,” Taylor said.
The automated updates also have the added benefit of allowing greater oversight of what units are patching. First, because it is more convenient than waiting for a disc, Taylor said the new system ensures the updates are more likely to be done. Second, Army officials can see who is applying the updates and tell certain units they have to do them if they haven’t.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.