Federal Cyber Security: Are We Winning or Losing?

At the recent Security Innovation Network (SINET) event held in Washington D.C recently a sober assessment of our nation’s capacity to maintain an adequate cyber defense emerged.

The state of our cyber defense was summarized by Michael Chertoff, former Secretary of the Department of Homeland Security when he concluded that it may take “a digital 9-11” to get business, consumers and governments to fortify their cyber security defenses. In effect we are fighting an asymmetrical war and, at present, we appear to be losing.

Echoing this theme, Mr. Vivek Wadhwa, a respected cyber security analyst, argues, “Government simply can’t innovate fast enough to keep pace with the threats and dynamics of the Internet or Silicon Valley’s rapidly changing technologies.”

Wadhwa goes on to point out that innovative entrepreneurial technology advancements are needed but the government, because of it overwhelming dependencies on large contractors, is not equipped to take advantage of new and powerful cyber defense technology.

Wadhwa concludes that true innovation developed through smaller entrepreneurial firms is being stifled by Federal Government procurement practices.

The Federal Government Acquisition Strategy is Inadequate:

Although Wadhwa’s argument is focused on technology development only it also applies equally to service providers who adapt new technology to new and improving defensive tactics such as vulnerability assessment, analysis of threats and remedial action.

Since effective defense against cyber attacks is an on going process of monitoring and taking coercive action, the role of services and the cyber warrior is also critical and outdated Federal buying patterns are equally harmful.

Much of the problem stems from the present buying and acquisition patterns of the government. For years now the government has preferred to bundle requirements in to large “omnibus” or IDIQ contracts (with negotiated task orders) that favor the largest contractors but stifle innovation and flexibility. Cyber security requirements are treated on a like basis with Information technology requirements and this is a mistake.

In addition, recent Congressional contracting “reforms” have encouraged protest actions on new contracts and task orders for both new and existing contracts, resulting in a significant delay of the procurement process. In the fast evolving world of cyber security, delayed deployment of often obsolete technology solutions increases the risk of a successful attack.

Because these contracts are extremely large, they require many levels of approval-usually by Congress or senior administration officials. It typically takes 3-4 years for government to award these and successful bidders frequently have to go through a grueling “certification” process to get approved to bid. Proposal efforts for large bundled contracts cost millions of dollars to prepare and to lobby government officials and political leaders in order to win.

Because of buying patterns that are slanted toward large, slower moving contractors new technology required to meet the multitude of cyber threats will be ignored in the coming years. This puts the nation at risk.

Small contractors are often overlooked in favor of large contractors who frequently use contract vehicles to provide services and solutions that are often out of date in the rapidly changing cyber world.

Startups can’t wait this long or afford the cost of bidding. But it is not enough to demonize large contractors when the root cause lies is how the government procures technology.

In order to remedy this problem an overhaul of the acquisition and procurement process is required to level the playing field for small cyber security companies: it must be made easier for startups and small service providers to bid for government contracts.

One effective way to do this is to unbundle the cyber requirements for IT acquisitions and use more small business set asides for contract awards. In addition protests at the General Accounting Office must be discouraged and reserved only for obvious abuses of the contracting process.

Procurement times should be reduced to months rather than years; some projects should be done in smaller steps so that the major contractors, whose goal is often revenue maximization and placing unqualified bench staff, aren’t the only ones qualified to complete them.

Cyber attacks on our sensitive infrastructure and government agencies have increased significantly. We need the latest technology and best tools in order to win the cyber war.