Year-End Updates – Volume 3
Third and last in a series of year-end updates to previously reported stories, this time covering two previous topics—
Leaky UAV Video Feeds
We first wrote about unencrypted video feeds allowing Iraqi insurgents to steal the video signals by use of commercially available software (that costs less than $30.00) just a few weeks ago. Prior to that article, we noted ever-increasing reliance on intelligence, surveillance, and reconnaissance (ISR) assets in the Southwest Asia theater of operations. We also posted on the impact of cyber-warfare on 21st century military operations. We included a Pentagon statement that alluded to the difficulties inherent in adding encryption to a network that is more than a decade old.
Just a few days after our article was posted (on 12/18/2009), DefenseNews.com reported that “the U.S. Air Force has known for more than a decade that the live video feeds from its unmanned aerial vehicles can be intercepted by the enemy but opted not to do anything about it until this year.” Sources cite “various reasons” for the delay in encrypting the signals. The article quotes one military source as saying – “It's not just monetary, but technology readiness. We've taken certain risks and mitigated those risks with our tactics, techniques and procedures.” The article reports that the Air Force has now established 2014 as the date by which video feeds will be encrypted.
According to the DefenseNews.com article—
The Air Force isn't relying solely on encryption to protect the video [signal]. An immediate solution is to narrow the area from which the video feeds can be received, making it more likely that an insurgent would be spotted trying to intercept them, a defense official said. Typically, militants would need to be within 100 yards of the airman or soldier receiving the signal.
However, the Iraqi insurgents aren’t relying solely on COTS software to track the UAVs. The DefenseNews.com article reports that—
‘We noticed a trend when going after these guys; that sometimes they seemed to have better early warning’ of U.S. actions, said [an] officer briefed on the raid. ‘We went and did a raid on one of their safe houses and found all of this equipment that was highly technical, highly sophisticated. It was more sophisticated than any other equipment we'd seen Iraqi insurgents use.’ … The [militia] group had a ‘very long and well-documented history’ of getting their training and equipment from Iran, the officer said. ‘It was the technological know-how to make the antennas, computers and software go together and pick up the appropriate bands that was impressive. It is something that would take some very smart electrical engineers to put together. Iran had to choose the most loyal and capable surrogates that they could trust with equipment like that. They knew that we were flying Predators over their heads 24/7, so it's easy to say 'yeah, I know that I'm going to do a signals analysis search for [the drone]' and take advantage of it,’ the officer said.
Finally, the DefenseNews.com article confirms our suspicion that the lack of encryption was at least partially caused by the “spiral development” of the Predator UAV. The article quotes former Air Force Secretary Michael Wynne, who stated, “I would say that the enemy can find a flaw in a 70 percent solution and they are going to exploit it. On the other hand, before they did exploit it, you did get utility from it … in the case of the Predator, we've extracted tremendous utility out of them.”
EADS Insider Trading Charges
In November we wrote about several EADS/Airbus executives facing insider trading charges with respect to the reporting of A380 program problems and delays. The executives’ defense was, essentially, that they were unaware of the program’s problems when they exercised stock options in March 2006, opting to purchase shares (for resale) at the current stock price—despite the company’s March 8 announcement of record 2005 profits. Such an announcement should logically lead to delays in the exercise of the options (i.e., the options logically should be worth more in the future, based on an expectation of continued earnings growth).
We questioned the executives’ defense. If true, why was it true? Why were the executives unaware of the program’s problems—problems that only three months later led to a 26% drop in the stock price? As we opined in our article—
In a risk-aware management culture, EADS and Airbus executives wouldn’t need an email to tell them that turbulent times were ahead for the program; they would already know it because they would be aware of current program status. They would be actively monitoring program risks and would clearly see inflection points in risk probabilities. Their management ‘radar screens’ would clearly show trouble ahead.
On December 21, 2009, AviationWeek.com reported that “French stock market regulators cleared 17 individuals and two main shareholders” and dismissed the insider trading charges implicating the executives. AviationWeek.com reported that—
EADS applauded the decision, noting it was ‘satisfied that the Sanctions Commission has recognized that EADS has complied with all applicable market information duties, in particular in respect of risks affecting the A380 program and its development, and that there has been no breach of insider trading rules. EADS is confident that this point of view will also prevail in all other pending proceedings based on the same facts.’
The Wall Street Journal reported that “The AMF ruling doesn't mark the end of the protracted EADS case, because a parallel judicial investigation into alleged insider trading at the aerospace company is still under way. But EADS said it was confident that similar facts would lead to similar rulings.”
We see no reason to doubt the veracity of the EADS/Airbus executives, and we believe they were unaware of the A380’s problems prior to exercising their stock options. But we also continue to ask: why were these executives so oblivious to the program’s problems? This was the largest aircraft development effort in the company’s history. It was a bet-the-company program. How could the executives be so blissfully unaware of the significant development and production problems, especially since one program delay had already been reported? Did the program manager(s) successfully hide the new problems from management scrutiny, or were the executives merely incompetent?
Year-End Updates – Volume 1
First in a series of updates to previously reported stories-
The FMTV Protest
Earlier in December 2009, we reported that GAO had sustained not one, but two, separate protests of the Army's decision to award the next Family of Medium Tactical Vehicles (FMTV) to Oshkosh, Inc., replacing the BAE Systems subsidiary, Stewart & Stevenson, who had been producing FMTV trucks for almost 20 years.
Just before Christmas, InsideDefense.com carried a story that quoted a BAE Systems executive as saying that the bid evaluations should be "reexamined in the context of the Weapon Systems Acquisition Reform Act." Readers of this site will recall that we reported on the Act here. We subsequently discussed the Act in the context of the KC-X aerial tanker competition, reporting whispers that the draft KC-X RFP might violate the Act, and thus be illegal, because it allegedly converted the "best value" competition into a "low-price, technically acceptable" competition, and failed to address several mandatory requirements of the Act.
The InsideDefense.com article also reported-
BAE officials were also highly critical of Oshkosh's price estimate. Though GAO denied BAE and Navistar's claims that the Army failed to reasonably evaluate the realism of Oshkosh's price, [BAE executives] stressed that auditors did not validate the price.
'While the GAO supported that the Army's process was adequate under the circumstances, we still believe that the pricing offered is still significantly low, and it's unbelievable in a number of cases,' [BAE] told reporters, adding that in some instances the total price proposed by Oshkosh [was] below BAE's cost.
Additionally, [BAE] contended that an unrealistic offering on a firm-fixed-price contract could have serious repercussions for the service.
'Any statement that the contractor is the one who ultimately bears the risk needs to be taken with a grain of salt because if you have a situation where Oshkosh is required to build these vehicles, and they're building these vehicles at a loss and they incur significant financial difficulties -- who is going to step in and take over this contract and build these trucks? … And if the answer is that there is not someone available, then the government is going to have to bail out Oshkosh in order to have these trucks [continue] to be produced.'
A separate InsideDefense.com article provided more details into the FMTV bid evaluation "flaws". According to the article, Oshkosh's bid listed more than "100 items of key tooling and equipment" that it would have to obtain should it be awarded the contract. According to the article-
In its evaluation of Oshkosh's proposal, the Army called it 'an excellent approach,' but the selection decision stated Oshkosh already had the necessary equipment. The source-selection authority told GAO officials that the quote from the decision was inaccurate and that she 'understood the RFP as merely requiring offerors to demonstrate a 'credible plan' for obtaining the required key tooling and equipment.'
'We think that the solicitation's ground rules for evaluating the key tooling element clearly intended to differentiate between existing and non-existing production capabilities,' GAO state[d], adding that the [evaluators] 'failed to reasonably consider the comparative risk in Oshkosh's ability to procure, install, and 'prove out' the required key tooling and equipment.'
With respect to the past performance rating given to Navistar, InsideDefense.com reported that GAO decided that "Navistar received only an adequate rating for its MRAP work based on some adverse comments from the Marine Corps program manager. However, the Army … could not produce the … negative comments and ratings because the response was not saved electronically and the paper copy was shredded." Because GAO could not review the supporting documentation, they could not conclude that the adverse past performance rating was reasonable, and hence sustained Navistar's protest.
A couple of points before we move on:
- The idea that the Weapon Systems Acquisition Reform Act should be applied to the KC-X competition has some appeal, because that evaluation scheme has not yet been finalized. Applying the same requirements retroactively to the FMTV competition lacks the same appeal, because it would be subjecting a completed evaluation to requirements ex post facto. We would opine that doing so would impermissibly taint the competition.
- BAE's complaints about Oshkosh's pricing may have a grain of truth to them, in that if Oshkosh is locked into prices that result in a loss per vehicle produced, that could negatively impact the company's financial capability. That said, the FAR is clear (at § 3.501) that the practice of "buying-in" is not prohibited. The only prohibition is on buying-in with the intention of "getting well" through unnecessary or overpriced change orders, or through inflating prices of follow-on contract work. It may, in fact, be the case that Oshkosh is able to offer prices significantly below BAE Systems' cost, given the various overhead structures, allocation of corporate home office expenses, and other cost accounting practices. Each cost proposal was thoroughly reviewed by DCAA auditors, and we assume that any deviations from established or disclosed cost accounting practices would have been flagged.
- The evaluation of the tooling is a bit tricky. GAO contends that the evaluation criteria "clearly intended to differentiate between existing and non-existing production capabilities" and, since Oshkosh didn't have tooling while BAE Systems did, BAE Systems should have been rated higher in this area. First, we're not sure that BAE Systems should necessarily have been rated higher; if Oshkosh could procure the tooling without impacting the delivery schedule, then the matter is one of risk. The Army evaluators may well have been willing to take the additional risk in return for Oshkosh's lower prices. After all, that's what a "best value" tradeoff analysis is all about.
- Navistar's negative past performance evaluation should be easy to deal with. All the evaluators would seem to need to do is obtain the same comments from the original sources and show that the initial evaluation was supported.
In short, unless the Army seriously misevaluated the offers, or seriously misled the GAO, we don't think the original award to Oshkosh will be changed. But we've been wrong before ….
Year-End Updates – Volume 2
Second in a series of year-end updates to previously reported stories-
The JSF Program
We first wrote about the F-35 "Lightning II" Joint Strike Fighter in August 2009, asking whether Lockheed Martin was ready to ramp up production to the record-setting pace of 20 aircraft per month. It turned out to be our single most popular article.
(For the record, we expressed some doubt, stating, "the JSF program team has set for itself an incredibly ambitious goal of producing a finished aircraft every single working day. It's set the goal despite early design and supply chain problems, and despite almost universal history among other aircraft programs that says it can't be done.")
Two months later, in November 2009, we asked how much the JSF was going to cost, reporting rumors that the Pentagon's Joint Estimate Team (JET) was telling Defense Department leaders that the program would need anywhere from $7 to $15 billion more funding than originally baselined, and would require anywhere from 6 months to 2 years of additional schedule. At least one source predicted a dire breach of the Nunn-McCurdy Act thresholds.
In that article, we also noted a very pessimistic report from the Center for Defense Information, in which the authors asserted that the JET report addressed only known problems, and predicted that new problems (as well as new cost and schedule impacts) were "sure to emerge."
On December 16, 2009, InsideDefense.com reported that "Key lawmakers today expressed strong reservations about the state of the Joint Strike Fighter program following a closed-door briefing on the findings of a recent independent assessment of the effort that suggested billions of additional dollars and more time is required to develop the aircraft."
According to the InsideDefense.com article, "A draft fiscal year 2011 budget directive issued last week by the Office of the Secretary of Defense directed the military services to fund the JSF program to the JET estimate, a move that Pentagon sources say will result in the fighter program's immediate breach of 'critical' Nunn-McCurdy cost thresholds."
InsideDefense.com reports that "the draft resource management decision … would extend JSF development by at least a year, reduce production by approximately 100 aircraft between FY-11 and FY-15 and require the addition of billions of dollars to the effort through 2015."
Meanwhile, the Fort Worth Star-Telegram published an article on the same date (12/19/2009) that wonders if the F-35 program is entering the same "death spiral" that beset the F-111 and F-22 programs, noting-
First, unrealistic technical requirements, cost estimates and schedules lead to delays and rising costs. Then, far fewer planes are bought than originally planned. That means the cost of each one rises, resulting in even fewer planes being bought, which produces even higher costs per copy, etc. … One internal study, by the Joint Estimate Team, has predicted it will take an additional 30 months, until 2016, and an additional $16.5 billion to complete development work, test and bring the Lockheed production line up to speed, goals that were to be met in 2013-14. If that were to occur, the F-35 would trigger congressionally imposed budget reviews that would lead to ever more scrutiny.
Lockheed Martin had this to say about the doomsayers' predictions-
The F-35 is meeting or exceeding every single one of its performance requirements. That performance is being reinforced in both flight testing and laboratory testing. There are no technical showstoppers on the F-35 program.
Costs across the program are declining at significant rates. All F-35 production aircraft under contract to date cost less than Defense Department forecasts. Production efficiency continues to improve dramatically.
The government's procurement-cost forecast for the life of the F-35 program has remained constant for the last two years.
While we acknowledge schedule and cost pressures in the development phase of the program and are working directly with the Office of the Secretary of Defense to resolve them, program trends are very positive overall, and have us on path to meet each of the services' F-35 Initial Operational Capability Requirements beginning in 2012.
We are on track to field the F-35's tremendous capabilities to our war fighters and recapitalize our nation's aging fighter fleet. The program enjoys solid funding support from the Office of Secretary of Defense and Congress. The president's budget recommendations reflect DoD's commitment to international partnerships and common defense solutions.
The aircraft designs are largely complete. All three F-35 variants have been built and two types flown. Early test results are very encouraging and we are preparing to ramp up flight test and production.
Just for the record, we note that the Lockheed Martin response focuses on technical issues while glossing over at-completion estimates. We wonder what the program internal EACs look like, and whether they have been rigorously evaluated by independent reviewers such as Lockheed Martin's Internal Audit staff?
U.S. Cyber Challenge Looking for 10,000 Good Hackers

From the White House—
Tan Dailin was a graduate student at Sichuan University when he was noticed (for attacking a Japanese site) by the People’s Liberation Army (PLA) in the summer of 2005. He was invited to participate in a PLA-sponsored hacking contest and won. He subsequently participated in a one-month, 16-hour-per-day training program where he and the other students simulated various cyber invasion methods, built dozens of hacking exploits, and developed various hacking tactics and strategies. He was chosen for the Sichuan regional team to compete against teams from Yunnan, Guizhou, Tibet, and Chongqing Military Districts. His team again ranked number one and he won a cash prize of 20,000 RMB.
Then, under the pseudonym Wicked Rose, he formed a group called Network Crack Program Hacker (NCPH) and recruited other talented hackers from his school. He found a funding source (an unknown benefactor) and started attacking US sites. After an initial round of successful attacks, his funding was tripled. All through 2006, NCPH built sophisticated rootkits and launched a barrage of attacks against multiple US government agencies. By the end of July, 2006, NCPH had created some 35 different attack variants for one MS Office vulnerability. During the testing phase, NCPH used Word document vulnerabilities. They switched to Excel and later to PowerPoint vulnerabilities. The result of all of this activity is that the NCPH group siphoned thousands, if not millions, of unclassified US government documents back to China.
Sponsored by the White House, the US Cyber Challenge is a national talent search and skills development program. Its official purpose is to find 10,000 young Americans with the interests and skills to fill the ranks of cyber security practitioners, researchers, and warriors. Some will become the top guns in cyber security.
The program promises to nurture and develop the participants’ skills, and enable them to get access to advanced education and exercises. Moreover, the program will enable them to be recognized by employers where their skills can be of the greatest value to the nation.
The Cyber Challenge includes several different programs, including:
- “CyberPatriot” (an introductory program designed for high school students), in which participants compete in computer system network defense by defending their networks from attacks by a hostile “Red Team”.
- The “DC3 Digital Forensics Challenge” (conducted by the DOD’s Cyber Crime Center), in which “contestants attempt to uncover evidence on digital media.”
- The Network Attack Competition (conducted by the SANS Institute), which is a “competition in network vulnerability discovery and exploitation”—also described as “NetWars” or a “capture the flag competition” in which players attempt to exploit the computer networks of the other players while defending their own.
The Network Attack Competition is the sexy, newsworthy competition. It is described as follows—
You can play the game as an analyst, a penetration tester, a defender, or any combination. You earn points by finding keys, moving to higher levels, capturing services such as a website, overcoming obstacles (attack techniques) and protecting resources (defensive techniques). You can see the other players' scores and your own points scored, live, or on an overall scoreboard.
The NetWars game is a collection of computer and network security challenges. It is designed to represent real-world security issues: their flaws and their resolutions. Each player can follow an independent path based on individual problem solving skills, technical skills, aptitude, and creativity. The game is played in a fun but safe environment using the technology that drives our lives every day.
The game starts when a player downloads and starts a CD-ROM image on a PC or in a virtual environment such as VMware Player. The image contains a brief tutorial and the game's full instructions.
The player must find a hidden key within the image that is downloaded and then uses that key to enter an online environment where knowledge of security vulnerabilities and their exploits can be turned into points.
This year’s NetWars winner was determined in December, 2009, when 21 year-old Chris Benedict of Nauvoo, Illinois was declared the “king of the hacker hill.” CNN reported on the competition here. Two of the other three winners were Michael Coppola (a 17 year-old high school senior) and Matt Bergin (age not reported), who beat out twelve other finalists.
What do the winners get? According to the White House—
Promising candidates will be immediately recognized and will be invited to attend regional “camps” at local colleges, run jointly by college faculty and cyber security experts from the community, where they will develop their skills more fully and participate in additional competitions. The students who rise to the top in these regional programs will be invited to live national challenges like those conducted by schools coordinated by the University of Texas at San Antonio and NYU Polytechnic. Greatly promising candidates from these programs will be given either Federal Service grants or SANS Institute scholarships to study advanced cyber security programs and may earn scholarships to colleges and graduate programs at participating schools. Finally, the best of the candidates will be brought into federal agencies like the National Security Agency, the FBI, DoD DC3, US-CERT, and US Department of Energy Laboratories, all of which are helping to make this program effective.
So we can expect Messrs. Benedict, Coppola, and Bergin to be offered pretty much whatever they want, if only they will agree to join the United States’ nascent cybersecurity infrastructure and help defend against the likes of Tan Dailin and his ilk.
We have previously written about the challenges of 21st century warfare, asserting that it was “not your father’s war” and noting that “our adversaries are making advances … in areas in which we are vulnerable to exploitation.” New challenges require innovative approaches, and we applaud our government for implementing this unique approach to identifying and developing individuals with the aptitude to excel in the cyberspace wars of the 21st century.