Long on Rhetoric, Short on Results: Agile Methods and Cyber Acquisitions in the Department of Defense
2014; Routledge; Volume: 31; Issue: 3; Language: English
ISSN: 0882-3383
Authors: Schoeni Usaf, Elizabeth Daniel,
Topic(s): Information and Cyber Security
Abstract:

What is of the greatest importance in war is speed. (1) --Sun Tzu

Amateurs talk about tactics, but professionals study logistics. (2) --General Robert H. Barrow, USMC

TABLE OF CONTENTS
INTRODUCTION
I. BACKGROUND
   A. Hackers, Cyberattacks, and the Need for Cybersecurity
   B. Cyberattacks on the DoD and National Security
   C. The DoD and Cyber Acquisitions
   D. Three Qualifications
II. THE AGILE SOFTWARE DEVELOPMENT METHOD
   A. Pre-Agile Software Development Methods
   B. The Agile Method of Software Development
   C. Agile's Proven Success
III. THE HISTORY OF FEDERAL SOFTWARE PROCUREMENT AND DEVELOPMENT
   A. An Overview of IT Procurement Policy Since the 1960s
   B. The Federal Government's Experience with Iterative, Waterfall, and Agile Software Development Methods
IV. PROBLEMS WITH ADOPTING AGILE IN THE DoD AND HOW TO FIX THEM
   A. DoD Software Development Still Resembles the Waterfall Method
   B. Federal Law or Regulations Do Not Preclude Agile; Instead, Culture and Bureaucratic Inertia Impede Change
   C. To the Extent That Federal Procurement Law and Regulations Are To Blame, There Are Several Reforms That May Help
CONCLUSION

Introduction

Cyber warfare has arrived. The Department of Defense (DoD) is under attack, and our security is at stake. Yet in a field defined by its rapid growth, the DoD arms itself at the same pace that it buys major weapons systems, an acquisition cycle of 7-10 years. It thus buys obsolete cyber-defense tools. The arsenal of democracy (3) has already provided us the tools for overcoming this impediment in the form of agile software-development methods. Yet the DoD has been reluctant to set aside decades of experience and utilize different methods for software than it does for other acquisitions. But unless it does so, it may well lose its edge, and not only in the cyber domain.

The next four sections will proceed as follows. The first describes the growing threat of cyberattacks generally, discusses how they affect the DoD and our security specifically, and then explains the relationship between DoD cybersecurity and rapid-cyber procurement. (4) The second summarizes agile software development--its history, methods, and track record. The third recounts the history of federal and DoD IT acquisitions and the DoD's attempt at agile reforms. Though underway for a decade or more, there is little to show for it. The last section focuses on the analysis of why agile has not taken root, how to foster such reforms in the DoD, and benefits that may accrue.

I. BACKGROUND

This section first considers cyberspace dangers generally, then the unique threat to the DoD, and finally problems with its acquisitions practices. After discussing these dangers and the DoD's unpreparedness in this domain, the next section turns to the agile method as an alternative to the current software-development model.

To avoid any confusion, it bears mentioning that this paper uses the terms cyber, software, and information technology (IT) almost interchangeably--the first as an adjective, and the latter two as nouns for the same concept. Although both the introduction and background that follows concentrate on cybersecurity, concerns about software development and acquisition practices apply more broadly. Because the DoD relies on software for more than cyberattack and defense, (5) its acquisition practices are of wider concern. Thus, while there are admittedly differences between cyber, software, and IT, (6) they are related terms and this paper will not dwell on their distinctions.

The fight for security, in both private and public sectors, is part of what Michael Gross calls 'World War 3.0' in his eponymous Vanity Fair article. (7) He explains that the Web's openness makes users vulnerable to various kinds of hacking, including corporate and government espionage, personal surveillance, the hijacking of Web traffic, and remote manipulation of computer-controlled military and industrial processes. …