June 8, 2020 | International, C4ISR, Security

GAO Chides DoD For Absence Of Cybersecurity Requirements

Overall, costs of major DoD acquisition programs have grown by 54 percent over their lifetimes and schedule delays average two years, GAO's annual report finds.

WASHINGTON: Five years after the Pentagon demanded every weapon system include the requirement that it be able to fight through Russian and Chinese cyber attacks expected on future battlefields, DoD “does not often include cybersecurity” in key performance parameters (KPP) for major programs, says GAO in its annual defense acquisition review.

Of the three services, the Air Force is the worst at fulfilling two of the three best cybersecurity practices, the report says. The congressional watchdog found “inconsistent implementation of leading software practices and cybersecurity measures” among high-dollar “major defense acquisition programs” (MDAPs) — 85 programs worth $1.80 trillion at the end of 2019.

“This included longer-than-expected delivery times for software and delays completing cybersecurity assessments — outcomes disruptive to DOD's efforts to keep pace with warfighters' needs for enhanced, software-dependent capabilities and protect weapon systems from increasingly sophisticated cybersecurity threats,” GAO said in the June 3 report.

Cybersecurity KPPs Left Out

The GAO report explains that KPPs “are considered the most critical requirements by the sponsor military organization, while key system attributes (KSA) and other performance attributes are considered essential for an effective military capability.” In 2015, DOD modified its main requirements policy, the Joint Capabilities Integration and Development System Manual (JCIDS), so that its rules on “survivability” requirements include the ability to operate in a “degraded cyber environment.”

Yet, GAO found that, at the end of 2019, 25 of the 42 major acquisition programs reviewed regarding cybersecurity practices failed to include cybersecurity as a parameter in their KPPs; “even more programs reported that their KSAs did not address cybersecurity.”

GAO has targeted cybersecurity, software development and DoD-wide information technology (IT) improvement programs in its recent annual reviews because DoD weapon systems “are more networked than ever before” — a change that, while providing benefits for the warfighter, also “has come at a cost” because “more weapon components can now be attacked using cybersecurity capabilities,” GAO explains. “Further, networks can be used as a pathway to attack other systems.”

The watchdog has found consistently that failing to bake in cybersecurity requirements to system design and development ends up costing more money and time when program offices struggle to re-engineer systems once they hit production. This is a problem that affects most types of software development; and similarly trying to upgrade or replace software to improve cybersecurity often proves impossible.

The 2019 report thus “looked at DOD's progress with developing:

  • (1) strategies that help ensure that programs are planning for and documenting cybersecurity risk management efforts (cybersecurity strategies),
  • (2) evaluations that allow testers to identify systems' weaknesses that are susceptible to cybersecurity attacks and that could potentially jeopardize mission execution (cybersecurity vulnerability evaluations), and
  • (3) assessments that evaluate the ability of a unit equipped with a system to support assigned missions (cybersecurity assessments).”

Most of the 38 MDAPs reviewed reported creation of cybersecurity strategies. However, of the 19 major programs that require cybersecurity vulnerability evaluations — under regulations set by the Office of the Undersecretary of Defense for Acquisition and Sustainment Ellen Lord — 11 have not completed them or failed to do so on time. Another three said they didn't have a schedule yet for doing so; and one — an unnamed Air Force program — told GAO it actually didn't know if it had undertaken the required evaluation. Indeed, the Air Force had the worst record on the evaluations, with none of its six programs having completed the evaluation processes.

Of the 42 programs, 14 told GAO they had not finished their cybersecurity assessments. GAO also “found variation among the military departments in the rates they had completed these assessments. Specifically, among the three military departments, the Army reported the best rate for programs conducting cybersecurity assessments, while the Air Force had the lowest rate.”

IT and Software Problems Plague Programs

“Over the years, weapon acquisition program officials, through their responses to our questionnaires, have consistently acknowledged software development as a risk item in their efforts to develop and field capabilities to the warfighter, and this year is no different,” GAO reported somewhat wryly.

GAO found that more than a quarter of the 42 MDAPs reviewed reported cost growth from software changes but admitted that “details are limited” in DoD reporting.

Part of that uncertainty might be due to the fact that GAO found a number of major programs are transitioning to commercial approaches to software development, such as “agile development” that involves introducing incremental improvements over time. However, GAO found, “deliveries often lag behind industry standards.”

Indeed, Air Force acquisition czar Will Roper told a webinar yesterday sponsored by Dcode, a tech innovation hub connecting commercial industry to government agencies, that while the Air Force can't go back and re-do old programs, “every new contract we do has to include DevSecOps.”

“We are all in,” he added, “it's going to change the world.”

DevSecOps stands for “development, security and operations,” and is a framework and tools for “designing in” software and cybersecurity. Roper long has been a key champion within DoD for moving to commercial practices and has repeatedly said he wants the Air Force to become a “software company.”

GAO said that officials from 26 of the MDAPs regarding software development reported that software concerns had created risks at some point during their program's history.

The biggest problem faced was — you guessed it — changes necessitated to ensure cybersecurity. The second biggest problem was that the software development simply was “more difficult than expected.” Hardware design changes also played a big role in creating software problems, requiring subsequent changes in software configurations.

Interestingly, while often bemoaned as a cause for program delays, requirements changes came in at the low end of the reported issues troubling software development.

Of the 15 major DoD IT programs reviewed, worth $15.1 million, 10 had delays in their original baseline schedules. But on the bright side, 11 showed decreased life cycle cost estimates.

Further, all 15 have cybersecurity strategies as required by DoD regulations, and most reported having undertaken in 2019 at least one operational cybersecurity test.

That said, “less than half reported conducting developmental cybersecurity testing,” GAO found. And according to DoD's own “Cybersecurity Testing and Evaluation Guidebook,” GAO scolds, “not conducting developmental cybersecurity testing puts programs at an increased risk of cost and schedule growth and poor program performance.”

Cost and Schedule Growth Stabilizes

As it does every year, GAO also reviewed all 85 MDAPs for cost and schedule growth, and on that front the news is good: GAO found that the programs “have generally stabilized non-quantity related — (i.e., not related to buying more stuff) — cost growth and schedule growth.”

“Between 2018 and 2019, total acquisition cost estimates for DoD's 85 current MDAPs grew by a combined $64 billion (a 4 percent increase), growth that was driven by decisions to increase planned quantities of some weapon systems,” GAO found. “For example, DoD more than doubled in the past year the total number of missiles it plans to acquire through the Air Force's Joint Air-to-Surface Standoff Missile program.”

And some programs actually lowered their year-average costs. GAO found that 55 MDAPs (more than half) “had lower average procurement unit costs since last year. Examples of programs with lower unit costs include the Navy's Joint Precision Approach and Landing System (16 percent decrease) and the Air Force's F-22 Increment 3.2B Modernization (15 percent decrease).”

“Also between 2018 and 2019, capability delivery schedules for MDAPs increased, on average, by just over 1 month (a 1 percent increase),” GAO said.

However, the report cautioned that cost/schedule performance looks “less encouraging as measured against their original approved program baselines.”

The report found that the major acquisition programs “have accumulated over $628 billion (or 54%) in total cost growth since program start, most of which is unrelated to the increase in quantities purchased. Additionally, over the same time period, time required to deliver initial capabilities has increased by 30%, resulting in an average delay of more than two years.”

https://breakingdefense.com/2020/06/major-dod-acquisition-programs-flounder-on-cybersecurity-gao
