Biblio

The highly dynamic nature of the cyber domain demands that cyber operators are capable of rapidly evolving and adapting with exquisite timing. These forces, in turn, pressure acquisition specialists to accoutre cyber warfighters to keep pace with both cyber domain advancement and adversary progression. However, in the Department of Defense (DoD), a vigorous tug of war exists between time and risk pressures. Risk reduction is a crucial element of managing any complex enterprise and this is particularly true for the DoD and its acquisition program [1]. This risk aversion comes at significant cost, as obsolescence by risk minimization is a real phenomenon in DoD acquisition programs and significantly limits the adaptability of its operational cyber forces. Our previous research generated three recommendations for reforming policy to deliver performance at the “speed of relevance” [3]. In this paper we focus on one of the recommendations: “Manage rather than avoid risk—especially time-based risks”. While this advice can apply to many areas of human endeavor, it has elevated urgency in cyberspace. Incomplete risk metrics lead to overly conservative acquisition efforts that imperil timely procurement of advanced cyber capabilities and repel innovators. Effective cyber defense operations require acquisition risk models to be extended beyond fiscal and technical risk metrics of performance, to include risks associated with the cost of failing to meet immediate mission requirements. This paper proposes a time-shifting approach to simultaneously (a) accelerate capability delivery while maintaining traditional rigor, and (b) achieve optimal balance between fiscal, performance, and time risks.

The United States of America faces great risk in the cyber domain because our adversaries are growing bolder, increasing in number, improving their capabilities, and doing so rapidly. Meanwhile, the associated technologies are evolving so quickly that progress toward hardening and securing this domain is ephemeral, as systems reach obsolescence in just a few years and revolutionary paradigm shifts, such as cloud computing and ubiquitous mobile devices, can pull the rug out from the best-laid defensive planning by introducing entirely new regimes of operations. Contemplating these facts in the context of Department of Defense (DoD) acquisitions is particularly sobering because many cyber capabilities bought within the traditional acquisition framework may be of limited usefulness by the time that they are delivered to the warfighter. Thus, it is a strategic imperative to improve DoD acquisitions pertaining to cyber capabilities. This paper proposes novel ideas and a framework for addressing these challenges.