Category Archives: Security

Logistics Support is on the Rise – Air Force Awards Nearly $1B to Upgrade Landing Gear on Older Aircraft


910th Airlift Wing maintainers install a new C-130 main landing gear tire in 2014. (U.S. Air Force photo/Tech. Sgt. Jim Brock).

“DOD BUZZ”

“The Air Force plans to drop some serious cash to upgrade the landing gear on some of its oldest aircraft.

The service has awarded a contract to AAR to overhaul the landing gear on its C-130 Hercules; KC-135 Stratotanker; and E-3 Sentry airborne warning and control system, or AWACS, fleets, according to an announcement.

AAR, an Illinois-based aviation services company, recently landed a $909.4 million fixed-price contract from the service for landing gear performance-based logistics, the company said in a release.

AAR will provide “total supply chain management,” including “purchasing, remanufacturing, distribution and inventory control to support all Air Force depot and field-level, foreign military sales, other services, and contractor requisitions received for all C-130, KC-135 and E-3 landing gear parts,” the release states.

“We are excited to get started on this important contract for the Air Force,” said Nicholas Gross, senior vice president of AAR’s government supply chain solutions, in a statement. “Serving as the prime contractor, AAR will support these three fleets utilizing our Landing Gear Repair and Overhaul center in Miami [Florida], as well as our supply chain network across the country.”

AAR also has offices and warehouses in Wood Dale, Illinois, and Ogden, Utah.

The work comes at a time when landing gear malfunctions have become more common, especially in older aircraft such as the Hercules.

A maintenance team with the 386th Air Expeditionary Wing, based in Southwest Asia, recently worked to fix a C-130’s landing gear after a tire blew out on landing at a forward operating base — days before this reporter took a flight in a sister C-130 over Iraq.

The team’s combat metals airmen ended up creating and installing the damaged Hercules’ landing gear door to salvage the wheels’ cover.

The repair cost the Air Force “229 man-hours, $400 in material, and 264 rivets for an engineer-approved air battle damage repair procedure,” the service said.

In total, it saved $107,000 in replacement cost for the Air Force, according to a release.”

https://www.dodbuzz.com/2017/08/16/air-force-awards-nearly-1b-update-landing-gear-older-aircraft/


Estonia Lesson Learned: “Every Country Should Have a Cyber War”


“DEFENSE ONE”

“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon; it’s about being empowered by technology, not controlled by it.”


“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise for them to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 wifi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of D-DoS (designated denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, the internet shut down as websites were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how D-DoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and asking them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-road, which helps exchange decentralized data between big government databases. X-road has built-in security measures that encrypt traffic and time-stamps so that the data cannot be manipulated. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into E-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an afterthought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an after-thought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”

http://www.defenseone.com/technology/2017/08/every-country-should-have-cyber-war-what-estonia-learned-russian-hacking/140217/?oref=d-mostread


A New Tool for Looking at Federal Cybersecurity Spending


Image:  “Taxpayers for Common Sense”

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”


“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”

http://www.pogo.org/blog/2017/08/a-new-tool-for-looking-at-federal-cybersecurity-spending.html


New Policy: Military Bases Can Shoot Down Trespassing Drones


A small drone crash-landed at the White House in Washington, D.C. An increase in similar private drones above U.S. military complexes led to the Pentagon issuing guidance on how bases can now defend themselves against the private aircraft. (U.S. Secret Service via AFP)

“MILITARY TIMES”

“The Pentagon has signed off on a new policy that will allow military bases to shoot down private or commercial drones that are deemed a threat, Pentagon spokesman Navy Capt. Jeff Davis said Monday.

The policy itself is classified and was transmitted to the services in July, Davis said. Broadly, it outlines the rules of engagement for a base when a private or commercial drone is encroaching upon its airspace.

On Friday, unclassified guidance was sent to each of the services on how to communicate the new policy to local communities.

The installations “retain the right of self-defense when it comes to UAVs or drones operating over [them],” Davis said. “The new guidance does afford the ability to take action to stop these threats and that includes disabling, destroying and tracking.”

Davis said the private or commercial drones could also be seized.

However, in some instances where the military leases land for operations, the use of a drone may not always be a threat — and who owns the airspace may not always be clear.

The Air Force, for example, maintains its arsenal of Minuteman III nuclear intercontinental ballistic missiles in 150 underground silos in vast fields around Minot Air Force Base, North Dakota. But the land is only leased from commercial and private farmers who use the rest of the area for crops or livestock. Those farmers sometimes find it easier to launch a drone to check on their cows or agriculture than to cover the miles by foot or truck.

As of last fall, the sky above the silos at Minot AFB was also not previously restricted airspace.

It was not immediately clear whether the new policy has changed access to the airspace above the silos or at other bases.

The policy would affect 133 military installations, DOD said.

Davis said the policy was worked through the Federal Aviation Administration and other federal agencies, and the specific actions a base takes when a drone encroaches upon it “will depend upon the specific circumstances,” Davis said.”

https://www.militarytimes.com/breaking-news/2017/08/07/dod-can-now-shoot-down-trespassing-uavs/


Northrop Grumman Expanding Grand Forks, North Dakota Unmanned Aerial Systems Facility


Photo: Northrop Grumman

“NATIONAL DEFENSE MAGAZINE”

“Less than a year after Northrop Grumman opened the doors to its new unmanned aerial systems facility in North Dakota, the company will soon break ground on a new hangar to conduct testing and maintenance on its family of autonomous systems.

The company expects to employ 100 people by the end of 2017, with a mix of current Northrop employees coming from San Diego and other locations, and new hires from the North Dakota area.

The Grand Sky Park, for which Northrop Grumman is the anchor tenant, hosts several commercial tenants with ties to unmanned aerial systems, including General Atomics, Hambleton said. Northrop committed over $10 million to the initial Grand Sky project, and its initial 36,000 square-foot facility was completed in late 2016.

The company in April announced the opening of its new facility at the Grand Sky Unmanned Aerial Systems Business and Aviation Park near Grand Forks. The facility serves as a “nucleus” for research and development, pilot, operator and maintainer training, as well as operations and mission analysis and aircraft maintenance, according to Northrop.

Before the end of the summer, Northrop will start work on a new hangar that will allow it to take advantage of the proximity of Grand Forks Air Force Base’s remotely piloted aircraft squadron, David Hambleton, Grand Sky program manager and site lead, said in an interview with National Defense.

Northrop leased 10 acres of land from the Air Force to build the recently opened facility and the 35,000 square-foot hangar, which is expected to be complete by the end of 2018, he said. Flight testing and aircraft maintenance for the company’s family of autonomous systems will begin by the following year, he added.

The company’s facility in North Dakota will be an “offshoot” of its autonomous systems division in San Diego, California, he said. “In one place, we have access to both civil and restricted airspace [and] opportunities to collaborate with the universities nearby” such as the University of North Dakota and North Dakota State University, he said.

The Grand Sky team will have the ability to link different capabilities “through a modeling and simulation backbone,” he added. “We’ll be able to tie together system testing in a lab with monitoring mission data as it comes in, connecting to training simulators and linking them together in a technical way to enable new ways of doing what, in the past, we’ve done independently or separately.”

The FAA-designated Northern Plains unmanned aerial systems test site is also located in Grand Forks, and the Air Force’s fleet of RQ-4 Global Hawk unmanned surveillance aircraft, produced by Northrop, is based next door, he noted.

“Having all of these capabilities and infrastructure concentrated here makes Grand Sky a desirable place for us to pursue flight testing and system demonstration,” he added.

Northrop expects to perform flight testing and maintenance for the Global Hawk fleet at Grand Sky, but also intends to support other unmanned systems such as the Navy’s forthcoming MQ-4C Triton surveillance aircraft or the MQ-8 Fire Scout reconnaissance helicopter, he added.

Northrop committed over $10 million to the initial Grand Sky project, and its initial 36,000 square-foot facility was completed in late 2016, he added.

The local community and the state of North Dakota were interested in developing the unmanned aerial systems industry in the Red River Valley region, he said. A group of local actors that included the University of North Dakota and Grand Forks County developed the Red River strategic alliance agreement.

“Northrop Grumman signed on to this agreement to promote the UAS industry,” he said. “That set the stage for the goal of creating… the Grand Sky aviation business park for UAS.”

http://www.nationaldefensemagazine.org/articles/2017/8/3/northrop-prepares-for-new-hangar-construction-in-north-dakota


General Mattis and Special Inspector General Sopko Agree on “Spoils of War”


“THE PROJECT ON GOVERNMENT OVERSIGHT”

“When the head of an agency actually listens to the findings of an Inspector General (IG), great things can happen.

A June 2017 report by the Special Inspector General for Afghanistan Reconstruction (SIGAR) prompted Secretary of Defense Jim Mattis to acknowledge and denounce the Department of Defense’s (DoD) dismissive attitude towards reining in its overspending of taxpayer dollars, and to highlight the good work done by SIGAR.

The official memo to DoD leadership, dated July 21, discusses SIGAR’s report on camouflage uniform misspending in Afghanistan, while also pointing out and decrying DoD’s “complacent mode of thinking” when it comes to spending in general. Mattis found that SIGAR’s report highlighted two truths about DoD work:

1) Every action contributes to the larger missions of defending the country

2) Procurement decisions have a lasting impact on the larger defense budget

Mattis uses these truths to reinforce the importance of effective spending at DoD, and wants to use SIGAR’s report and the instances of misspending it found as a “catalyst to bring to light wasteful practices – and take aggressive steps to end waste in [DoD].”

While this is potentially great news and a marked shift in DoD rhetoric, it is important to note that stating a problem exists is not the same as taking concrete action to fix it. Just last year, DoD was working to discredit SIGAR over a report on a $43 million gas station in Afghanistan, rather than working to fix the problem. Moreover, the $28 million in misspending that this most recent SIGAR report focused on and that drew Mattis’s attention is nothing compared to the waste, fraud, and abuse occurring in the larger defense budget (over $300 billion of which was spent on goods and services in 2016). It is important to remember that DoD is not known for its willingness to proactively address its spending issues, but is rather known for actively resisting efforts to increase transparency and accountability. (See, for instance, POGO’s work on DoD’s reluctance to examine its contracts for improper payments & DoD still not being able to pass an audit.)

It will take more than this memo for DoD to change the way it spends taxpayer money, but publicly acknowledging the truth of SIGAR’s findings and trying to leverage that work for change—rather than fighting against and resisting the IG at every turn—is an important first step.

It is even more important, however, that DoD truly works towards achieving effective spending on an agency-wide scale.”

http://www.pogo.org/blog/2017/07/secdef-mattis-commends-ig-efforts-highlights-dod-shortcomings.html

Pentagon To Unveil New Acquisition Structure


“DEFENSE NEWS”

“The Pentagon is scheduled to deliver its new acquisition structure to Congress, a major step toward redesigning how the building researches and procures equipment.

The 2017 National Defense Authorization Act instructed the Pentagon to devolve the undersecretary of acquisition, technology and logistics, or AT&L, into two separate jobs: undersecretary for acquisition and sustainment, or A&S; and a new undersecretary for research and engineering, or R&E, essentially a chief technology officer.

Those changes are expected to be in place by Feb. 1, 2018.

Congress purposefully allowed time for the Department of Defense to come up with its own road map on how the split should occur, which the department is supposed to deliver to Capitol Hill on Aug. 1 [2017].

Sources say there were discussions about delaying that delivery, in order to allow newly installed Deputy Secretary of Defense Patrick Shanahan a chance to weigh in. However, all indications are that the department intends to hit its Tuesday deadline.

It is important to note that this report will not be the final say in the issue. Its purpose is to inform Congress of how the department will split the duties of AT&L and the broad organizational strategy, but does not need to detail the nuts and bolts of currently shared services. That also means that Shanahan and Ellen Lord, the longtime Textron executive-turned-AT&L nominee who may be confirmed this week, will have a chance to continue to give input going forward.

An interim, two-page memo to Congress was delivered March 1, which contained few details about how the building is approaching the question of devolving AT&L into the new offices.

Congress, meanwhile, is trying to balance out how to give senior leaders a chance to weigh in and making sure the DoD meets the Feb. 1 deadline. And while the report will be happily received in Congress, there is skepticism about what the DoD will actually deliver and how closely it will hew to Congress’ vision of how the new structure should look.

Bill Greenwalt, a longtime defense acquisition expert who spent two years as a staffer on the Senate Armed Services Committee where he had a central role crafting McCain’s acquisition changes, emphasized that the Pentagon’s thoughts are recommendations and that Congress will have final say.

“I think it will be a back and forth between the Congress and administration in terms of how to make this work,” he told Defense News. “The key thing for Congress is R&E should be driving innovation. A&S should be providing the oversight structure. The boxes shouldn’t be transferred around, it should be a cultural shift.”

SCO, DIUx likely folded under R&E

While the majority of the changes to the AT&L structure will entail a reshuffling of offices already under central control, there are two notable offices that may be brought in house, whether they desire it or not.

The Strategic Capabilities Office, or SCO, and the Defense Innovation Unit Experimental, or DIUx, were two pet projects of former Secretary of Defense Ash Carter. The SCO is focused on finding innovative solutions to near-term challenges, while DIUx is charged with creating ties between the DoD and the commercial technology sector.

Notably, both offices have existed as quasi-independent entities. DIUx actually started as a report inside the AT&L structure before being relaunched a year ago following a lack of progress in its mission; it then became a direct report to Carter. The SCO, meanwhile, was created by Carter during his time as deputy secretary of defense and was formally introduced to the world by Carter during the fiscal 2017 budget rollout.

With Carter gone and Congress seeking to improve innovation inside the building, there is pressure from the Hill to see those groups folded into the new R&E portfolio. In a May 18 interview, Mary Miller, acting assistant secretary of defense for research and engineering, said SCO and DIUx “would naturally fit in the USDR&E, that’s the intent.”

“If we set this undersecretary up as we believe we will, as we’re hoping this turns out to be and it will be a select-in to this whole new culture we’re establishing, we don’t need to have special groups that were set up just to be different, because that will be the undersecretary mission,” Miller said during the interview.

Greenwalt said that if the Pentagon crafts the R&E spot “right,” groups like DIUx, SCO, the various rapid capabilities offices and perhaps the Defense Advanced Research Projects Agency should all fall under its control.

When it was pointed out to him that regardless what the Pentagon says, Congress could step in and demand those groups fall under R&E’s control, Greenwalt smiled. “Right. That’s the back and forth,” he said. “We’ll have to see how it works.”

Greenwalt isn’t the only one who thinks those outside groups should come inside. Frank Kendall, whose tenure of four-plus years as AT&L ended with the Obama administration, believes that for the R&E spot to work, it must include all the research groups scattered around the department.

“It would have basic research, 6.1, 6.2 and 6.3, it would have DARPA, it would have SCO and DIUx, it would have the existing office that does experimentation,” Kendall said in April, adding that he had provided that recommendation to Deputy Secretary of Defense Bob Work.

Andrew Hunter, an analyst with the Center for Strategic and International Studies, noted that the Senate clearly has been leaning toward putting SCO, DIUx and DARPA into the R&E portfolio. But that may be an imperfect fit, he warned.

“DARPA, by mandate, deals with that leap-ahead tech, 6.1, 6.2, 6.3 work, research that is early stage. Once it gets to prototypes, that’s no longer DARPA territory. SCO is on the other end,” Hunter said. “Both have a fit in the R&E position. But it seems the department is heading towards having R&E have more of an early stage focus, so they might come to a different answer.”

Leadership questions

While the future of the R&E office is uncertain, the A&S job appears to be more stable — in part because its leadership seems intact.

Lord, the former Textron executive, has already gone through a confirmation hearing for the AT&L job, during which she reaffirmed she would be sliding over to A&S once the AT&L office goes away in February.

The Senate’s version of this year’s defense authorization bill would require Lord to be reconfirmed for the A&S job, but given how little headwind she faced in her confirmation hearing, the assumption is she would easily be reconfirmed for the new title.

Which brings up the question of who her counterpart would be. It is understandable that no names have been put forth for the job, as the White House and Pentagon have been focused on filling existing roles, plus the R&E job does not exist. But waiting too long to put forth a nominee could have “risk,” Hunter said.

“You might not be able to get the quality person you want because of how it is cast. The earlier you name a person, the more they have a chance to shape the structure of the office,” he added. “However you slice the piece, what used to be one really powerful job is now two jobs, each of which is slightly less powerful — so how appealing are they for someone who wants to put their stamp on the future?”

http://www.defensenews.com/pentagon/2017/07/31/pentagon-to-unveil-new-acquisition-structure-on-aug-1/


Senate Attempt to Reduce Contract Protests Ignores Root Cause


Sour Grapes Image:  Myislandcity.net

“WASHINGTON TECHNOLOGY” By Stan Soloway

“There are things that can be done to reduce the negative effects and frequency of protests. And they start with enhanced transparency—before, during and after award.

The current Senate proposal fails to consider protests in the context of the broader procurement regime and its innumerable government-unique requirements.”


“When it comes to federal procurement, the frequency and expectation of protests has had a palpable, costly, and sometimes deleterious effect on the process and those competing in it. Most companies now add an extra six to 12 months to their revenue projections in order to account for possible protests.

There is good reason to believe (including surveys) that “low price/technically acceptable” (LPTA) procurement strategies are, with some frequency, driven by a desire to avoid protests, since protesting such procurements is near impossible.

And, of course, there have been cases where incumbents, having lost a re-competition, submit a protest and, as a result, effectively get a contract extension while the protest is decided.

All of these represent unintended and undesirable impacts of the protest process. As a result, many have believed for some time that significant remedial action is needed. This includes the Senate Armed Services Committee, which, for the second year in a row, has included provisions in the defense authorization bill that would require losing protestors to reimburse the government for the costs of a protest when none of the plaintiff’s allegations are sustained.

The legislation would also require the withholding of all profits from incumbent contractors who lose a recompetition and file a protest. The funds would only then be released if some portion of the protest is sustained. If it is fully rejected, the money would be paid to the company that won the competition over which the protest was filed.

Some, including my friend and former federal procurement administrator Steve Kelman, would go even further. He has at times argued we should consider doing away with protests altogether since no such equivalent exists in the commercial sector. Unfortunately, sympathetic as I am to the issues driving these views, we are putting the cart before the horse.

First and foremost, we have to remember that protests exist principally to ensure that the outcome of a procurement is in the best interests of the taxpayer. Hence, when mistakes are made, it is in the government’s, and taxpayer’s, interest to take corrective action.

Second, the federal acquisition regulation makes clear that all bidders on a federal procurement must be treated fairly. To the extent the government fails to follow its own rules or stated procurement strategy, remediation is required. There is no such requirement in the commercial world.

Third, even if a protest is dismissed in its entirety, one cannot make the leap to assuming nefarious intent on the part of the protestor. That’s like saying everyone who loses a lawsuit was being frivolous in filing it. Obviously that’s not always the case.

For these reasons, and more, the Senate language is the wrong answer. But that does not mean a problem doesn’t exist and that some meaningful action is not possible. Quite the contrary.

Ironically, the proposed legislation includes a crucial part of the answer. In addition to the provisions cited above, it would also mandate quality, detailed debriefings for all significant procurements.

We learned in the 1990s that good debriefings result in far fewer protests. In fact, the data is clear that many companies use the protest process as a means of discovery; of trying to understand why they lost a given competition. In the years immediately following the added emphasis on debriefings, the number of protests dropped significantly.

As but one good example, the IRS had a policy of sharing in a debriefing all information that might otherwise be released during a formal protest (with appropriate redactions). And they executed numerous, significant procurements without a single protest. To its credit, the Senate committee would require that the IRS’s debriefing policy become the norm.

The bill would also require release of the government’s internal, written source selection criteria, which could and should be done anyway. Taken together, these two important steps toward greater transparency could have a very substantial effect. It should also be noted that the IRS was particularly good in its pre-award communications to bidders, which undoubtedly facilitated effective and credible competitions. Yet, such communications remain all too inconsistent.

Assigning motive is always a slippery slope. And much of what we think we know remains based on presumption rather than good data. Thus, it would also be helpful if there were better data on the frequency and nature of incumbent protests. How often are they actually sustained, in whole or in part? Is it possible to measure the frequency with which incumbents file protests focused on issues that, while valid, are so minor they would not result in a changed outcome?

Yes, it could reduce the number of protests. But it might well do so for the wrong reasons and based on the wrong assumptions.”

https://washingtontechnology.com/articles/2017/07/25/insights-soloway-bid-protests.aspx

About the Author:

Stan Soloway

Stan Soloway is a former deputy undersecretary of Defense and former president and chief executive officer of the Professional Services Council. He is now the CEO of Celero Strategies.

$9.29 Billion In F-35 Fighter Contract Awards to Lockheed in July 2017


F-35As at Luke Air Force Base

“BREAKING DEFENSE”

“[Friday, July 27 2017] – A $3.69 billion contract was awarded Lockheed Martin for 50 foreign F-35s and work on the Lot 11 LRIP.

Separately, Lockheed won an interim payment of $5.6 billion in early July to help pay for the 91 American F-35 jets in LRIP 11.”


“After the markets closed on a sleepy and rainy summer Friday afternoon, White House Chief of Staff Reince Priebus was ousted and DHS Secretary John Kelly named to take his place, and, oh, by the way, a $3.69 billion contract was awarded Lockheed Martin for 50 foreign F-35s and work on the Lot 11 LRIP.

What’s in play here?

Most of the money, $2.2 billion, goes to buy one British F-35B, one Italian F-35A, eight Australian F-35As, eight Dutch F-35As, four Turkish F-35As, six Norwegian F-35As, and 22 F-35As for Foreign Military Sales customers.

The F-35 Joint Program Office said the Pentagon would continue to negotiate the 11th low rate initial production contract with Lockheed Martin and expected an agreement by the end of 2017. The full contract should be finished by the end of the year, the JPO said in a statement. At the same time, they said they are negotiating a separate deal with Pratt & Whitney for the F135 engines, which should be done about the same time.”

http://breakingdefense.com/2017/07/one-big-f-35-contract-2-8b-of-3-7b-for-foreign-planes/

Flush Times for Hackers in Booming Cyber Security Job Market


A recruiter advertises a QR code to attract hackers to apply for jobs at the Black Hat security conference in Las Vegas, Nevada, U.S., July 27, 2017. (Joseph Menn)

“REUTERS”

“One of the outside firms that handle such programs, HackerOne, said it has paid out $18.8 million since 2014 to fix 50,140 bugs, with about half of that work done in the past year.

Mark Litchfield made it into the firm’s “Hacker Hall of Fame” last year by being the first to pull in more than $500,000 in bounties through the platform, well more than he earned at his last full-time security job, at consulting firm NCC Group.”


“The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security.

The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting.

“Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people,” said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week’s most popular parties.

Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies.

But as tech has taken over the world, the opportunities in the security field have exploded.

Whole industries that used to have little to do with technology now need protection, including automobiles, medical devices and the ever-expanding Internet of Things, from thermostats and fish tanks to home security devices.

More insurance companies now cover breaches, with premiums reduced for strong security practices. And lawyers are making sure that cloud providers are held responsible if a customer’s data is stolen from them and otherwise pushing to hold tech companies liable for problems, meaning they need security experts too.

The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15 percent.

For hackers who prefer to pick things apart rather than stand guard over them, an enormous number of companies now offer “bug bounties,” or formal rewards, for warnings about vulnerabilities that leave them exposed to criminals or spies.

In the old days, “The only payout was publicity, free press,” Litchfield said. “That was the payoff then. The payoff now is literally to be paid in dollars.”

There are other emerging ways to make money too. Justine Bone’s medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.

It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.

“Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair,” Bone said.

“If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment.”

Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.

“Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don’t know how insecure the products they purchase are,” Wysopal said in an interview.

“I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy.”

Reporting by Joseph Menn and Jim Finkle; additional reporting by Dustin Volz; Editing by Jonathan Weber and Grant McCool

https://www.reuters.com/article/us-cyber-conference-business-idUSKBN1AD001