Public Contract Law Journal

Still too Slow for Cyber Warfare: Why Extension of the Rapid Approach from Its Ad Hoc Beginnings

by Daniel E. Schoeni

Daniel Schoeni (dschoeni@law.gwu.edu) has been with the U.S. Air Force JAG Corps since 2004. He is a graduate of Brigham Young University, the University of Iowa, and George Washington University, and is a Ph.D. candidate in public  procurement law at the University of Nottingham. An earlier  version of this Article was presented in Montreal at McGill  University’s Legal Challenges in Cyberspace conference in May  2016. The author is indebted to Sean Hannaway and Allan  Detert for their substantive contributions, to Scott Sheffler for his uncommonly thorough editing, and to his wife, Alicia, for  her patience and support. The views expressed are those of the  author and do not necessarily reflect the official policy or  position of the Air Force, the Department of Defense, or the U.S.  Government.  

We prepare for war — in order to deter war.

John F. Kennedy1

I. Introduction

Cyber warfare is no longer science fiction.2 Millions of times each day, adversaries scan the Department of Defense’s (DoD) networks seeking vulnerabilities.3 They find and exploit such weaknesses.4 As Paul Rosenzweig warns, the DoD is poised for “catastrophic failure” in part because it “us[es] the wrong tools” for the fight in the cyber domain.5 Among these wrong tools lie “stifling acquisition rules.”6 In short, the DoD is too slow for cyber.7

Recognizing that the DoD’s acquisition process has proven unable to keep pace with the emerging threat, Congress relieved some of the regulatory burden on cyber procurement in the 2016 and 2017 National Defense Authorization Acts (NDAAs).8 The 2016 NDAA extended to cyber the rapid acquisition authority previously reserved for contingency contracting.9 The 2017 NDAA extended coverage of the special emergency procurement previously limited to defense from or response to nuclear, biological, chemical, or radiological attacks.10

Although welcome, these changes are insufficient. They cover only a fraction of DoD’s cyber spending, are of limited use for offensive cyber weapons, and neglect industry development methods.11

A word about this Article’s limited scope is in order. Cyber threats are complicated, and this Article concentrates on the software-procurement dimension.12 While an important component of the military’s cyber defenses, the recommendations for software procurement discussed here must be coupled with hardware and non-procurement considerations.13 Further, although much of the software the DoD buys is commercial and is bought under FAR Part 12 simplified procedures,14 this Article concentrates on the DoD’s bespoke requirements that are unavailable commercially.15

Premium Content For:
  • Public Contract Law Section
Join - Now