It is virtually unheard of in government contracting for the Defense Department to be brief and straightforward in stating requirements.
So it was a surprise when a Pentagon solicitation this month for cybersecurity software was summed up in a single sentence: “The Department of Defense is interested in systems to automatically find previously unreported vulnerabilities in software without source code and automatically generate patches to remediate vulnerabilities with minimal false positives.”
The time window to bid on this opportunity also is unusually short. Responses will be accepted only from June 12 to June 20.
This is how business is done at the Defense Innovation Unit Experimental, known as DIUx. The Pentagon’s two-year-old enclave in Silicon Valley has moved rather quickly to shake up the contracting culture — and to prove that it is more interested in getting results than in forcing vendors to deal with red tape.
Necessity has forced the Pentagon to make innovation a top priority, especially in the cybersecurity field as the U.S. government and military information networks face unprecedented threats from hackers and malware. DIUx is being challenged to find solutions, and fast.
In technology-rich Silicon Valley, it falls on DIUx to spot relevant products, test them and select the ones that best solve problems for the Defense Department. DIUx has 40 people based in Mountain View, Calif., and smaller offices in Boston and Austin, Texas.
“We are becoming part of the technology ecosystem in Silicon Valley and our other cities,” said Enrique Oti, information technology portfolio manager at DIUx. “We can see what’s available in the commercial sector. Our goal is to bring commercial technology back into DoD.”
It was about a year ago that then-Defense Secretary Ash Carter fired the entire DIUx leadership following a stream of negative reviews. Old-school Pentagon bureaucrats were replaced with more entrepreneurial-minded officers, many with military experience. The new team then moved to implement a simpler contracting method, known as “other transactions authority” (OTA), to ease the way for vendors that typically would have shunned government work.
“After the OTA authority went through in June 2016, we’ve been able to do interesting things with companies,” Oti said in an interview with RealClearDefense. “The barriers to entry are much lower.”
DIUx reported $36 million worth of contract awards in fiscal year 2016. That amount likely will increase over time. Out of 35 contracts it has awarded so far, 15 relate to information technology and cybersecurity, said Oti. “A lot more are in the works.”
The Pentagon has a large army of cyberwarriors to combat foreign hackers. It is now also turning more attention to “insider threats” posed by people who work in government or for federal contractors. In a report this month, the Government Accountability Office called on the Defense Department to “take further action to strengthen its insider threat awareness program to address the increased risk of the unauthorized disclosure of classified information from defense information systems.”
Fears of insider leaks have fueled a demand for “multifactor authentication” technology that helps prevent unauthorized access to networks. DIUx recently worked with three companies in Silicon Valley on this problem and each offered different solutions.
Multifactor authentication requires network users to present several pieces of evidence to prove their identity. That technology has been widely implemented and perfected in many industries, and the Pentagon is trying to catch up.
One of contractors selected by DIUx was Plurilock, a company that sells software that uses artificial intelligence to detect insider threats. On its board of directors is retired Vice Adm. Mike McConnell, former director of the National Security Agency.
The other two contenders are Lastwall — a provider of cloud-based cybersecurity software that prevents unauthorized access with real-time risk and fraud analysis methods — and Yubico Networks, a firm that specializes in authentication software used by large corporations where employees bring their personal mobile devices to do their jobs.
All three firms are developing prototypes, Oti said.
An industry source who spoke on condition of anonymity said many companies in the tech sector are warming up to DIUx and regard it as their best chance to get their foot in the door of the defense market. “Everything DIUx does is open and transparent,” the source said. Business deals move within 30 to 60 days, compared to years in traditional contracting.
DIUx also is developing a reputation as a kingmaker of sorts. Once a company is selected to develop and prototype a product, the agency has Pentagon customers lined up to buy it.
The more accelerated OTA contracting still comes with significant oversight. “It’s not like we’re out here in the Wild West throwing money around,” Oti said.
“There’s oversight and accountability from legal, from the inspector general, from contracting officers, from Congress,” he said. “It’s a different approach to contracting but it doesn’t mean we’re operating outside of the rules.”
The military occasionally will ask for a product that is not commercially available, and DIUx has found that Silicon Valley can help with that, too. It signed a deal with the branding and design company Method to learn how to bring ideas to fruition. “We had a Navy customer that was looking for a product and we went to Method to help us design a solution because it didn’t exist,” Oti said.
DIUx has a broad portfolio that includes autonomous systems, space, artificial intelligence and human systems, in addition to information technology. Cybersecurity is now commanding more attention as politicians in Washington continue to press the Pentagon for assurances that networks are being protected.
The leaders of the House and Senate Armed Services Committees have criticized the Defense Department for not keeping up with technological advances. “That’s one reason why we were created,” Oti said. The military’s intricate acquisition system fits the bill for complex weapons systems but not for cyber. “It can never keep pace with the changing world,” he noted. “When we put up solicitations on our website, they’re only a couple of sentences. We’re not going to the commercial sector with a list of requirements and specs. We’re going to them with a very generic problem. We don’t dictate what the solution should be.”
Government labs, notably the Defense Advanced Research Projects Agency, are pushing their own innovation in cybersecurity, Oti said. But only the private sector is equipped to grab DARPA’s cool ideas and turn them into successful products. The agency sponsored a Cyber Grand Challenge last year where competing software systems had to defend a network and counterattack a hostile network using artificial intelligence with no human intervention. Pittsburgh-based ForAllSecure took first place, beating out six other teams. “This is fascinating research that will have huge commercial implications,” said Oti.
International Data Corp. projects that in 2020, businesses will spend more than $100 billion on cybersecurity software and hardware, a 38 percent increase since 2016.
The Pentagon’s Cyber Command has reached out to DIUx for help assembling a “cyber tool kit” for its network defenders. “They want data analytics, data forensics, network management tools that, when put together as a whole, can make a good cyber tool kit,” Oti said. “We’ve been working on this for a few months. Solutions are coming down the road.”
Cyber Command has assembled a force of 133 teams, currently made up of about 5,000 network defenders. It is expected to grow to 6,200 by next year. About 70 percent of the teams are now “fully operational capable,” the Pentagon said. The budget for the NSA and Cyber Command is on the rise as well. The Trump administration is seeking $647 million for fiscal year 2018, a nearly 16 percent increase from 2017.
Lawmakers on Capitol Hill last week grilled Defense Secretary Jim Mattis regarding Pentagon cybersecurity. “I'm really worried,” said Senate Armed Services Committee member Claire McCaskill. “We spend a lot of time worrying about the Russians hacking politicians. I'm worried about the Russian hacking our military. … Russia hacked the Twitter account of Central Command. We know that Russia has co-opted a very well-known veterans site that originally began in America.”
Mattis reassured McCaskill that the situation is under control. “We’ve got all sorts of things going on with NSA that puts protections, firewalls into place,” he said. “We've blocked malicious malware a number of times. That was not because we were lucky. That was because we were throwing obstacles in the path and building firewalls as fast as we could. … Training and constant attention to protective measures, I can guarantee you, is ongoing.”
The House Armed Services Committee last week introduced legislation that would strengthen congressional oversight of sensitive military cyber operations and cyber weapons.
“Cyberspace is a critical front on the 21st century battlefield,” said Rep. Elise Stefanik, who sponsored the bill. “Our adversaries — including North Korea, China, Iran and Russia — are actively investing and developing their cyber capabilities, and we must continue to modernize and develop ours as well.”