Could DoD cheapskatery create cyber-peril?
In the old days, everything was so much simpler.
An Air Force pilot would plop into his airplane, put the keys in the ignition, and notice the odometer: Uh oh! This jet’s sure got a lot of miles on it — better buy a new one!
So the Air Force would announce a competition. America’s airplane builders would jostle and elbow to undercut each other, and officials looking out for you, the taxpayer, would buy the best jet they could at the lowest price possible. Soon our friend the pilot would have a brand-new, factory-fresh airplane to fly. Or maybe it was a little more complicated than that …
… Anyway, the miracle of competition isn’t always effective, argues defense industry advocate Daniel Goure of the Lexington Institute. These days, DoD isn’t just buying widgets. In the world of cyberwarfare, it has to buy talent, directly or indirectly, and you can’t do that in the same way you buy tanks or airplanes, he says. The Pentagon’s myopia about this, he warns, could lead to real peril if it leads to a less-prepared cybersecurity infrastructure.
You would think that if any organization would be interested in buying the services of professionals with the best skills and greatest experience it would be the Pentagon. Unfortunately, over the past few years, in its zeal to reform the acquisition process and reduce costs, the Department of Defense has instituted contracting policies that virtually guarantee that national security will suffer. More and more contracts, particularly for IT and cyber services but in other areas as well, are being written so that the winner is the lowest cost bidder who meets minimum technical qualifications. In addition, under the banner of acquisition reform, DoD is pushing for increased competitions based on shorter contract periods. As a result, winning contractors have little or no time in which to recoup their costs and generate a profit, take advantage of the learning curve or grow a cadre of more experienced personnel.
The consequences of this approach to acquisition reform are simple and stark. Defense contractors can no longer compete by offering the best product and most capable people if it means bidding a higher price. They cannot afford to grow and retain the best personnel if they become expensive. So defense companies are forced to recruit younger, less skilled but cheaper people with the minimum qualifications. The result is a “brain drain.” This phenomenon is most severe in the IT and cyber sectors where there is growing commercial demand, particularly for highly skilled and experienced workers.
DoD can’t stop talking about the importance of cyberwarfare, Goure writes, and yet its policies are creating a “race to the bottom” that leaves the U.S. vulnerable to a “cyber Pearl Harbor.”
Uniformed cyber-bosses have long talked about the challenge of recruiting the kind of workforce they’ll need for the cyber realm, but it’s one of those perpetual cyber-issues that never actually goes anywhere. The Navy and Air Force in particular used to get chuckles when leaders mused about how difficult it might be to get stereotypically un-athletic, basement-dwelling, introverted cyber-nerds into the hale-fellow-well-met, buzz-cut, PT at oh-dark-thirty hoo-yah military services. But like the Coast Guard’s icebreaker dilemma or naval near-shore fire support, it’s a problem that never seems to get solved, only rehashed.
Still, Goure’s warning seems pretty overblown. The “cyber Pearl Harbor” that Secretary Panetta has nightmares about is so dangerous because it would afflict computers that are outside of DoD’s purview. The Pentagon and many other federal agencies have spent years playing not-me when asked about “Die Hard 4″-style mass power outages, or the potential demise of the financial system, or a huge attack on U.S. telecommunications. There’s also an argument that the “Pearl Harbor” has already happened, and continues to happen, as “advanced adversaires” and “peer competitors” vacuum up defense firms’ trade secrets under their noses and blunt away America’s onetime technical edge.
If the U.S. is in cyber-peril, it may be because it has opened Pandora’s box with its own highly sophisticated cyber-attacks around the world. Steve Coll warns in The New Yorker that at very least, Washington risks some kind of blowback. At worst, he warns, cyberwar could involve strategic consequences, referring to the Bush and Obama administrations’ “Olympic Games” cyber-weapons:
During the nineteen-fifties, a shocking number of American generals believed that a nuclear war could be won. “Olympic Games” suggests a comparably self-aggrandizing strain among our new class of digital fighters. Here the comparison to the early nuclear era does seem apt. As a citizen, will it once again seem tempting to buy land, guns, gold, and bottled water?
One certainly hopes not, but the problems at issue here are a lot bigger than Pentagon contracting policies.