Navy: Faster acquisition key to cyber defense

Faced with a rapidly evolving cyber threat, the Navy is developing new strategies for acquiring cyber defense capabilities.

The problem is that the Defense Department’s existing acquisition model — DOD 5000 — is ill-equipped to meet the fast-moving needs of cyber defense.

“DOD 5000 doesn’t work for cyber defense,” said Kevin McNally, the Navy's program manager for information assurance and cybersecurity. “It’s built for the acquisition of ships, aircraft and weapons systems. Full operational capability can take seven years. Cyberattack tools progress far more rapidly than that.”

McNally, speaking June 28 at the IDGA Cyber Warfare and Security Summit in Washington, D.C., said the new acquisition approach would allow the Navy to work in six-month increments of spiral development, with multiple efforts working in parallel. A group composed of key naval departments will meet periodically to assess progress, identify new threats and re-evaluate needs, McNally said.

“Every six months, we’re looking at requirements, defenses and tools," he added. "We ask, ‘Do we need to field new capabilities? What capabilities do we need, and how should we deploy?’”

The Navy is also implementing DOD’s broader acquisition reform efforts but is taking a proactive approach with the new measures.

“There’s a big push to do acquisition reform, and we’re hoping that’s successful,” McNally said. “But I haven’t seen anything come out yet that simplifies acquisition for IT or cyber.”

For now, the Navy is looking forward to some of the advantages of its new approach, such as being better able to keep up with technology, introducing new commercial products more quickly and closing in on evolving threats. The department is also focusing on issues such as identifying network anomalies and behaviors, moving from reactive to predictive measures, and addressing advanced persistent and insider threats, McNally said.

“I don’t think we’ll ever close the gap [with rapidly evolving threats completely], but we can get closer,” he said.

Still, there are challenges, including securing resources and planning ahead for a future that is constantly changing. The broader DOD acquisition process is also cumbersome and can slow cyber development, he said.