To compete against near peer adversaries in the cyber sphere, industry officials say the Department of Defense has to be more agile in equipping its workforce and cyber warriors. But doing so will likely require major changes in the way DoD procures software and equipment, which is still geared toward a lengthy process that lends itself to producing large platforms, and to the culture of how the Pentagon does business.
Nate Fick, CEO at Endgame, an endpoint security company, said the military needs to get rid of onerous requirements that typically drive the acquisition process for software. He suggested a new approach that moves away from hardware and platforms and instead focuses on buying streams, or organic, evolving product.
Think about a customer who is focused on consuming a product and sees that they are buying a specific item this year and then will need to buy the newest thing two years later. Fick, a former Marine officer, said that approach doesn’t work because it doesn’t keep up with the dynamism of the adversary.
Similarly, Brad Medairy, senior vice president who leads all of Booz Allen Hamilton’s cyber business, believes while certain rapid contracting vehicles such as other transaction authorities provide agility, they still fall under the old way of thinking in terms of deliverables.
“In the cyber game, I think that they need to rely on industry more to innovate and deliver outcomes in unique ways,” he told Fifth Domain. “The government needs to shift that buying mentality … to buying more outcomes and solutions and holding the industrial base accountable for that.”
One example could be managed services, he said. He pointed to threat hunting-as-a-service as an example. Since most organizations are facing a shortage of talent, rather than concentrate on buying a number of individuals for a service or solution, the Pentagon could purchase an outcome – such as threat hunting – as a service for a certain rate per month.
For all the domains of warfare – land, sea, air, space and cyber – the Department of Defense organizes forces to maneuver in each corresponding domain. But this paradigm shift has caused industry partners to change how they offer certain cyber solutions to DoD.
In the past, cyber defense has been conducted by IT administrators who automated tools to alert them of malicious activity. But because the military is building forces to be used in war, not just an office environment, the products being built for the commercial sector are no longer suitable, John Harbaugh COO at root9B, a cybersecurity company, told Fifth Domain.
Instead, Harbaugh, who was a former U.S. intelligence official, believes the commercial space will have to evolve in the coming years to address the demand coming from the government and DoD. This includes creating platforms and capabilities that enable and empower network defenders to maneuver in cyberspace as a warfighting domain.
Fick said DoD leaders are beginning to recognize that prevention isn’t always going to work and detection response can take too long. With this shift, cyber warriors need platforms just like those in the physical domains.
From a warfighter perspective, Harbaugh said, the platform needs to be tailorable and easily controlled. That means if the operator is trained and certified for a certain type of mission they will only be allowed to operate those systems.
For vendors, this approach means not just taking what is already being sold to the commercial space, and trying making it fit to ta warfighter model. Rather, it’s about how to reimagine the definition of cyber warfare and not sell a solution that is going to be out dated in six months or a year.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.