The Defense Department isn’t built to handle cybersecurity defense well.
Its acquisition system is designed to develop and purchase large, expensive weapons systems while holding to the tenets of competition, transparency and integrity. That means it can’t keep up with cybersecurity defense.
“The defense acquisition process is slow by design,” Lt. Col. Dan Schoeni, judge advocate at the Air Force, said on Cybersecurity Month. “And that’s completely understandable — when you’re spending billions of dollars of other peoples’ money, the number-one thing on taxpayers’ minds is fraud, waste and abuse. They’re concerned about, ‘Where are our tax dollars going?’ So the system has been built, has been skewed in favor of overarching principles.”
But taking seven-to-10 years to develop a new fighter jet or weapons system is one thing; taking that long to develop cybersecurity systems is another. It can’t keep up with the speed of attacks, much less the speed with which the threat environment itself evolves.
Schoeni said Congress has tried to help by expanding authorities for purchasing cybersecurity technology, including rapid acquisition and special emergency procurement, but neither one does enough.