Forging the Army’s cyber defense

Courtesy Photo | Lt. Gen. Stephen G. Fogarty, commanding general of U.S. Army Cyber Command, and...... read more read more

Courtesy Photo | Lt. Gen. Stephen G. Fogarty, commanding general of U.S. Army Cyber Command, and Chérie Smith, PEO EIS, mark the official opening of the Forge May 16 at Fort Belvoir. (Photo by Cecilia Tueros)  see less | View Image Page

VA, UNITED STATES

10.11.2019

Courtesy Story

U.S. Army Acquisition Support Center

✔ ✗ Subscribe

9

The Forge is an open door for industry to collaborate with the Army on cybersecurity operations, fostering innovation and speeding solution delivery.

by Ellen Summey

It’s a lesson most of us learned as children, playing the game of “telephone”: The more people involved in passing along a message, the greater the likelihood that things will go awry. That concept also applies to acquisition. Requests are submitted, formatted and passed through so many sets of hands that in some cases, a final result may no longer meet the original intent.

“A lot of information in acquisition and procurements is lost in translation,” explained Joe Kobsar, director of Applied Cyber Technologies at the Program Executive Office for Enterprise Information Systems (PEO EIS). “A Soldier will express a need for something. By the time it reaches paper format, it’s been transformed into this entirely new creature. People just keep adding things to them, which were never part of the initial requirements. That doesn’t work for rapid acquisition.”

To tackle this problem, PEO EIS is bringing everyone to the table. Through its Defensive Cyber Operations (DCO) project, it has created an innovation hub called “The Forge” at Fort Belvoir, Virginia. Tucked away between the bowling center and the Specker Field House, the Forge is inconspicuously located inside the former garden center building. Though unassuming from the outside, its interior is bright and modern. It provides office space for roughly a dozen full-time staff, representing the U.S. Army Cyber Command’s Data Warfare Division, Army Contracting Command – Rock Island (ACC-RI), the DCO program office, the U.S. Army Test and Evaluation Command and the U.S. Army Communications-Electronics Command, with ample meeting rooms and event spaces for collaboration with industry.

“The Forge is a location we created to foster collaboration between industry and government,” explained Lt. Col. Scott Helmore, then-product manager for Cyber Platforms and Systems at PEO EIS and a driving force behind the initiative. “It is a location where people can come and talk about common problems, work on those problems, and then start to integrate and develop products into actual solutions that we can take off the shelf and insert into the warfighter’s hands,” he said.

“It’s great to see the Forge connecting those dots and linking everyone together, bringing speed to the acquisition process like we’ve wanted to for a long time,” added Brendan Burke, deputy program executive officer for EIS. No more games of telephone.

IT’S ALL ABOUT SPEED

The Forge worked with ACC-RI to establish its very own other-transaction authority agreement, which they named COBRA. It has its own unique parameters, specific to the Forge, and functions as a sort of blanket purchasing authority. Agreements under other-transaction authority allow DOD to bypass many procurement regulations for certain prototype projects. Bonnie Evangelista, a procurement analyst with ACC-RI, works at the Forge full time, and explained the advantages of other-transaction agreements for defensive cyber. With other-transaction authority, “you have a lot of flexibility and opportunity to enable the things the Forge is designed to do,” she said. “Not just prototyping, but innovation, collaboration, the speed of operational relevance.”

Helmore explained that flexibility as a mandate from Army leaders. The only limitation, he said, is the requirement to stay within the boundaries of the “IT Box,” a mechanism introduced in 2014 to allow greater flexibility for certain technological capabilities. “Most folks in traditional acquisition are told, ‘Go buy or get me this,’ ” Helmore said. “We’re not told that. We’re told, ‘Go get me something that you think can solve these types of problems.’ We have a ton of flexibility.”

Beyond the obvious benefits of speed and flexibility for cyber defense, Evangelista said other-transaction authority is great for cyber and for nontraditional government contractors because the barriers to entry are lower. “You can bring in companies that normally don’t do business with the government,” she said (though other-transaction agreements can also be used to contract with traditional defense contractors, as long as they agree to cost-sharing). Because the Forge’s other-transaction agreement uses layman’s terms and allows simplified submissions (white papers, technical charts or fact sheets, rather than formal proposals). “You don’t have to be a great proposal writer. You just submit your idea or your commercial solution or technology.”

“Everybody talks about bringing innovation,” said Col. Chad Harris, project manager for Defensive Cyber Operations, which houses Applied Cyber Technologies and the Forge, “but then it has to be transitioned to programs of record, and then it has to be sustained long term. The Forge sits at a unique point, bringing innovators together with our programs of record.” The Forge is using other-transaction authority to spark those new relationships and solutions, and is setting the stage for those innovations to eventually comply with the Federal Acquisition Regulation (FAR).

NO LONGER AT ARM’S LENGTH

Under traditional, FAR-based contracting, the government is limited in how it can communicate with industry. The idea is to ensure fairness, but this approach can be problematic for technology and cybersecurity projects. “Everything is firewalled,” Helmore said. “You can’t tell one contractor about another contractor.” This is sometimes referred to as the “arm’s length” principle, which would discourage any sort of collaborative relationship between buyer and seller in the name of bargaining.

“We don’t have that,” said Helmore. “The purpose of the [other-transaction authority] was to collaborate—to find a way to make industry feel like they can come to you and foster an idea with you, refine that idea, turn it into a prototype capability.” In fact, the Forge team hopes to encourage collaboration between contractors through the System of Systems Consortium, which serves as the administrative organization for its other-transaction authority. In simple terms, the consortium is the prime contractor for the Forge, and it handles day-to-day administration and management of all subcontracts. This arrangement simplifies communication between the Forge and consortium members.

“Quite a few times,” Helmore said, “we have recognized the potential for collaboration with another consortium member, and we have directly recommended that they consider working together to strengthen their offering or solution. On one of our most recent projects, we took a piece of hardware that was being built by one company but was missing a good software component, and we put those two companies together, and that end result was recently awarded a production contract for us.”

“We’ve got to turn to our industry might,” Helmore added. “Use the brains of all the commercial entities that are out there, that have been working on these problems and are analyzing it, and put them together. That’s what the Forge is about.”

REDUCING RISKS THROUGH EXPERIMENTATION

When you’re dealing with new technologies and planning to introduce them to the Army’s network, there is inherent risk. How do cyber experts know the products are trustworthy and effective? The Forge provides a “sandbox,” or cyber test environment, to allow for safe, controlled access to government systems. This way, industry can demonstrate how well their solutions would actually monitor and detect attacks on the Army’s networks.

“We meet with hundreds of companies and they always say, ‘We have the best product, just use our product,’ ” Helmore said. “Show me. Take it back here, put it on a platform, and show it to me. We need to have industry build their capability and show us how it fits into our network.”

Test-driving the software is one thing, but the Forge takes it a step further. The Army’s networks face a constant barrage of cyberattacks, and its cyber protection teams rely on lessons learned from prior attacks to improve their defenses. “We are able to do a side-by-side comparison,” Helmore said. “I can rerun that entire attack here (in a controlled or simulated environment) and take a look to see how new technologies could have prevented it, or take a look at the things we’ve already done, and see how we could fine-tune what we’ve already bought to stop a future attack.”

A tweak here, a change there; Helmore sees it all as a science experiment. Take away the acquisition-speak and the fancy technology and it’s really simple. “Go back to basic science,” Helmore said. “What did you do? You changed one or two variables and you saw what happened. That’s all we’re doing here.” The Forge is not looking for one end-all, be-all solution, but is building cyber defense through incremental improvements.

CONCLUSION

The Forge and PEO EIS are keenly aware that they are in a literal race for cyber dominance. “As fast as we build a capability to defend the network, three other [threats] have been found to penetrate it,” Helmore said. “On a daily basis, we have hundreds of thousands of attacks on our networks.”

Training and retaining Soldiers with advanced technical skills sets is another challenge, as many are tempted to leave the Army for high-paying jobs in the private sector. Kobsar, director of Applied Cyber Technologies, is centralizing some of those technical duties to allow Soldiers with basic cyber skills to operate their deployable kits and defend the network.

“Previously, the Soldiers would have to maintain all the kits themselves,” Kobsar said. “DCO has taken that over for them. We have something called an Armory. It’s a small building that has enough space to hold all the kits. The Armory has a network connection, so when I have an update, I push it to all the kits that are connected in that facility down there. It’s automatically updated. It’s not taking the Soldiers away from their mission. It’s done automatically for them.”

This race for cyber dominance is a balancing act. It’s about supporting tomorrow’s cyber protection Soldiers, collaborating with industry partners and staying a step ahead of adversaries. Kobsar sees the cyber front as the Army’s new battlefield. “We’re just not flying airplanes anymore,” he explained. “I’m taking a virus, or I’m taking control of your nuclear power plant, or I’m taking control of that dam, or I’m going to turn your entire power grid off. That’s the battlespace today.”

Much as the United States relied on industry partners to out-manufacture and out-compete its opponents in World War II, Kobsar believes industry will be the key to victory in tomorrow’s battles. “We have to enable them to help us,” he said.

“That’s the whole vision for the building,” Evangelista explained. “We’re trying to foster that relationship and that trust with industry, so they start to take the reins and feel at home in this building. Like Lt. Col. Helmore and Mr. Kobsar often say, ‘Government is not going to solve these problems alone. Industry has the answers. You’ve just got to let them in.’ ” Open the door.

USING WHAT WE PAY FOR?

If you buy a new computer at a big-box retailer, chances are good that it will come preloaded with lots of software. Some you will use frequently (the web browser, for instance), but other pieces of software, you may never open. It is a package deal, so there’s no use declining the spreadsheet software you didn’t want. The price won’t change.

When it comes to the Army’s cyber protection teams, however, their deployable cyber kits aren’t purchased that way. Each processing unit (core), each tool and each piece of software is specifically chosen and purchased for the identified threat. Joe Kobsar, director of Applied Cyber Technologies at PEO EIS, wants to understand how effectively those tools are being used to make sure government dollars are spent wisely.

After the kits are deployed and used, they are returned to Defensive Cyber Operations. “When the kits are done, they come back to us and we extrapolate the data,” Kobsar said; the team physically connects the kits to computers at the Forge to extract the data, because the Army’s networks aren’t generally equipped to handle the amount of data the kits contain and some regulations prevent this kind of cyber data from being sent electronically. “We want to find out which tools are being used, so we can better pinpoint and refine our numbers. How many software licenses do we need? Are we actually using all these software licenses we’re procuring? Right now, the answer is, ‘We don’t know.’ In acquisition, for us to justify spending those dollars, we need that data.”

That data can also help with size, weight and power, the trio of competing forces for computers. Increased processing power might mean a larger, heavier product, so it’s about determining the right balance of all three. If DCO can eliminate unused software and tools on those cyber kits, it frees up memory for other uses.

For more information, email usarmy.peoeis@mail.mil or go to https://www.eis.army.mil/programs/dco.

ELLEN SUMMEY provides contract support to PEO EIS at Fort Belvoir, Virginia, for Bixal Solutions Inc. She holds an M.A. in human relations from the University of Oklahoma and a B.A. in mass communication from Louisiana State University. She has more than a decade of communication experience in both the government and commercial sectors.

This article is posted in the Fall 2019 issue of Army AL&T magazine.