Defense agencies are bullish on commercial tech, but shortcomings persist
The Pentagon has placed increasing emphasis on adopting commercial tech to accelerate the pace at which the U.S. military can put the latest and greatest tools in the hands of warfighters.
But that doesn’t mean it’s a perfect fit for every use case, a panel of Defense Department leaders said Thursday at the MongoDB Public Sector Summit, produced by FedScoop.
Rather than a full-blown adoption of commercial tech, many DOD leaders find themselves integrating the solutions for a large part of their tech stack and building custom configurations on top of them when they can’t meet the department’s stringent compliance requirements.
For instance, Space Systems Command’s Commercial Space Office is naturally a commercial-first organization. But the outfit still finds itself going the route of bespoke tech about 20% of the time.
“So being in the Commercial Space Office, we’re really bullish on commercial, obviously,” said Col. Aaron Stevenson, the group’s deputy director. “But I think commercial really solves about 80% of the problem.”
For the rest, “you can just take a commercial tool and tweak it and make it useful for the government,” Stevenson said, because it doesn’t meet the department’s unique controls and security requirements, particularly as more sensitive information is introduced to those systems.
Still, that 80% is significant, particularly in terms of cost and time savings, he explained. “You’re going to have those exquisite tools that you can spend more money on later if you save money on the commercial tools upfront.”
The Defense Counterintelligence and Security Agency — the Pentagon agency responsible for running background checks and issuing security clearances — is taking a different approach.
“We’re adjusting the way that we do business,” said Mark Nehmer, DCSA’s chief of analytics and innovation, research and innovation for the security enterprise. “We’re adjusting the way that we operate our missions based on the latest innovations that are coming from the private sector.”
Inevitably, the agency faces the need to custom-configure commercial systems, but Nehmer said that’s an option he’d prefer to avoid.
“We’re all-in on commercial and as few configurations as possible,” he said. “We figured that the folks in [commercial industry] have spent a ton of money on R&D to figure out the best way to approach something — the best way, the most efficient way to operate.”
Indeed, commercial companies often have more resources and a larger market to guide them to deliver the best possible tech. But they aren’t immune to risks that could pose downstream threats to national security.
“The challenge with adopting a lot of commercial tech is we just don’t really have our hands on the way that’s designed, how your algorithms are trained, how your workforce is embedded, and that becomes a concern,” said Andrew Evans, director of strategy and transformation in the Army’s Office of the Deputy Chief of Staff.
Insider threats can loom larger in multinational commercial firms, putting their tech at risk of theft or cyberattacks, Evans explained.
As an example, the Pentagon last year terminated a partnership with Microsoft after discovering that the company was working with engineers from China to support work on the department’s sensitive cloud systems.
“You guys can go very quickly, but you, in many cases, don’t have the same vetting criteria that we have,” he said. “And I’ll tell you what’s very useless for us is technology that we buy that has already been stolen by China or some other adversary because of a loose supply chain, or maybe some vulnerabilities that haven’t been closed.”
Because of that, the commercial-first partnership between government and industry requires compromise on both sides.
“Commercial first is vitally important. It helps us go fast. It also has some challenges, too,” Evans said. “So we got to think about that and ask you guys to all kind of double-down and look at how your products are being built, not just technologically, but who is building them and what vulnerabilities they have that may be exposing them to some incidents.”