WASHINGTON: A Pentagon procurement process that takes a decade to deliver can’t keep up with fast-advancing frontline of cyberwar. US Cyber Command needs more agile ways to get technology, top officials said today. For now, its nascent Cyber National Mission Force is actually building some key tools in-house.
“For us at the cutting edge,” said the Mission Force commander, Maj. Gen. Paul Nakasone, “we have developers on our teams.” Those developers are working in close partnership with well-informed partners — in the intelligence community, in industry, and elsewhere — and “helping us develop our effects,” he said. (Presumably this is military-speak for “software that does stuff.”)
“We need to be more nimble” in acquisitions in general, said Aaron Hughes, speaking alongside Nakasone and others at the Center for Strategic and International Studies. Hughes is deputy assistant secretary of defense for cyber policy and former vice-president of In-Q-Tel, an intelligence community-backed venture that’s often touted as a model for accelerating private sector innovation into government hands. CYBERCOM can’t just bypass the entire acquisition system, he said, but it might find shortcuts.
“I don’t think we can go from zero to 100 immediately, but I think some sort of pilot or trial that provides Cyber Command with those exquisite acquisition authorities might be relevant,” Hughes said. “We could potentially see that in the coming years.”
One model might be the acquisition authorities of Special Operations Command, which blends the legal status of a service — empowered to “train, organize, and equip” — with that of an operational headquarters. SOCOM’s budget is small, but it is famous for quickly getting a lot of innovative bang for its buck. There are provisions in the defense policy bill for 2016 to give such authorities to CYBERCOM.
SOCOM is a model in other ways, Nakasone said. “There were some really interesting things [when] we looked at Special Operations Command, particularly as we looked at training,” he said. “They really do that well.”
What do computer geeks have in common with special operators? For one thing, both specialties draw on every service: Of the 133 planned cyber mission teams, half of which are now in some form of operation, roughly one-third each come from the Army, Air Force, and Navy Departments (the latter encompassing the Marines). CYBERCOM decided early on that “there was only going to be one joint standard and it was going to make sure that all the services met that joint standard,” said Nakasone. “We learned that lesson from Special Operations.”
Just training the teams requires creating an entire high-tech infrastructure of virtual “ranges,” said CYBERCOM’s deputy commander, Lt. Gen. Kevin McLaughlin. “We’re spending a lot of resources on… are generating the ability to then train and exercise and ensure the readiness of these teams,” he said.
Just as tank brigades go to the National Training Center at Fort Irwin, Calif. and fighter pilots go to Red Flag wargames at Nellis Air Force Base, Nev., cyber teams need a realistic, challenging environment in which they can face off against an opposing force (OPFOR) run by real, live humans, McLaughlin said. “We already have parts of it in place,” McLaughlin said, but they can’t train enough teams simultaneously to wargame a major crisis, nor can teams access the virtual ranges 24-7-365.
CYBERCOM’s “Persistent Training Environment” initiative is under discussion as the Pentagon builds its budget request for 2017, McLaughlin said, but “it’s still too early to determine how much funding we’ll get.”