Is It Time for the Iron Square?
David M. Riel
The one-star program director’s steel-blue eyes pierced into this then young captain who was in his first program management assignment. Then, in a raspy voice, the brigadier general said, “Dave, do you know the secret of successfully managing a program? It’s the Iron Triangle: cost, schedule, and performance. If you balance those three, you’ll do well in this business.”
That was a lifetime ago. However, I fondly remember that moment like it was yesterday. And for the last nearly 30 years, that is exactly the approach that I have followed and preached. Until now. No longer will we, or can we, guarantee war-winning capability by simply balancing the Iron Triangle. There’s a fourth dimension that deserves equal billing: security. If we fail to focus on it from Day One of a program’s life cycle, it could render our efforts fruitless. Is it time for the Iron Square? Yes! Cost, schedule, performance, and security.
Speed is important. Speed is critical. Congress passed and the President signed the Fiscal Year (FY) 2016 National Defense Authorization Act (NDAA) with its expanded use of urgent capacity authority (Sec. 803), expanded use of Other Transaction Authority (Sec. 815), and, most important, the “Middle Tier of Acquisition” (MTA) authority (Sec. 804) for reducing bureaucracy and accelerating prototyping and fielding. Since then, the defense acquisition community has increasingly become aware of and is pursuing new, innovative technologies at the “speed of relevance.” MTA programs take advantage of these precepts to prototype and field war-winning technologies faster for our Warfighters. But what happens if all that great technology is usurped by our near-peer competitors? It’s like buying state-of-the-art entertainment electronics for your home but not buying a lock for the front door. In time, someone else will have that great equipment.
The importance of security is prominently noted in the Department of Defense Instructions (DoDI) for our traditional acquisition pathway, now known as Major Capability Acquisition. DoDI 5000.85’s policy section notes that the “DoD will prioritize speed of delivery, security, continuous adaptation, and frequent modular upgrades to ensure a highly effective and lethal force.” “Yes,” to speed of delivery and adding the latest innovative technologies, but also a huge “YES” to baking in security! The Iron Square will be a tough balance as a keen eye on security may add cost and schedule for development and testing. However, finding that balance is critical.
While security can mean different things to different people, let’s focus on two known threats from our near-peer competitors, using China as our example: intellectual property (IP) theft and cybersecurity. IP theft has been a known issue with the People’s Republic of China (PRC) for many years from a commercial perspective. It was a major factor in the imposition of additional tariffs by the Trump administration, and it remains a concern for the Biden administration. While the efficacy of certain counter tactics, such as tariffs, can be debated, there is a national acknowledgment that the IP theft problem exists.
As early as 2012, the then director of the U.S. National Security Agency, Gen. Keith Alexander, described the Chinese IP theft issue as the “greatest transfer of wealth in history.” More recently, former Secretary of Defense Mark Esper called China’s practices “the greatest intellectual property theft in human history.” A number of sources estimate that the private sector loses between $225 billion and $600 billion per year due to IP theft. William Evanina, former Director of the National Counterintelligence and Security Center, has said, “That’s like taking $4,000 to $6,000 annually from every family of four in America.”
Chinese courts have recently instituted injunctions globally blocking U.S. companies from suing for patent violations, even providing for fines of roughly $1 million per week to be imposed on U.S. companies that don’t withdraw their IP theft lawsuits. How does that affect the DoD and the defense industry? Two major concerns are commercial-military transfer and counterfeit parts.
The expanded authority for Other Transaction Authorities (OTAs) (Sec. 815) and the MTA authorization (Sec. 804) in the FY 2016 NDAA has rapidly increased the use of OTAs to encourage innovative, non-traditional companies (i.e., private, commercial firms) to provide war-winning technology for our Warfighters. While we continue seeing benefits from these innovative acquisition strategies and increased non-traditional company participation, barriers remain that continue to discourage commercial companies’ engagement with the DoD, including concerns about profit margins and even anti-military sentiments on the part of their employees. For example, Google refused to continue artificial intelligence work on Project Maven after 4,000 Google employees signed a petition to oppose working with the DoD. This is America and private companies can make that decision. Not so in China.
The Chinese Communist Party instituted an aggressive, national strategy in 2015 known as Military Civil Fusion (MCF) to enable the PRC to develop the most technologically advanced military by eliminating barriers between China’s civilian research and commercial sectors and its military and defense industry. China’s President Xi Jinping in 2017 said, “We should ensure that efforts to make our country prosperous and efforts to make our military strong go hand in hand. We will strengthen unified leadership, top-level design, reform, and innovation. We will speed up implementation of major projects, deepen reform of defense-related science, technology, and industry … and build integrated national strategies and strategic capabilities.”
While those goals remain aspirational, China’s authoritarian government dictates the implementation of top-down policies, compliance, and state resources for long-term industrial planning and investments, which gives China a strategic path for its MCF initiatives.
China also already has the distinct advantage that its top Chinese defense companies are heavily involved in commercial enterprises (only between 20 percent and 38 percent of their revenue is generated by defense) whereas U.S. defense industry leaders, such as Lockheed Martin, gain most of their revenues from defense work (between 56 percent and 96 percent). This disparity provides China a comparatively easier transition of advanced commercial technology into defense products than is the case for the United States.
So, what is the security concern about the combined threat of the Military-Civilian Fusion and the current heavily leveraged commercial duality within the PRC’s top defense firms? Add IP theft to the equation and you have a triple-headed monster. Without a solution to IP theft, any leading-edge, war-winning technologies usurped by China will directly and necessarily increase the lethal power of the People’s Liberation Army (PLA). The solution to IP theft must also cover our commercial firms that, until recently, were not required to report such thefts but volunteered any information they chose to report.
Vital Signs 2022, the National Defense Industrial Association’s annual report on the health and readiness of the defense industry, states: “The Defense Industrial Base (DIB) faces sustained and increasing threats of intellectual property theft, economic espionage, and ransomware hacks among other security breaches.” The DIB relies on its intellectual property for its profitability. Lack of IP protection can negatively influence industry’s willingness to invest in research and development (R&D) and to venture into commercial activities.
The good news reported in Vital Signs is that the number of new FBI investigations into IP theft has steadily declined since 2011. These investigations include counterfeiting, a prominent concern due to America’s global supply chain. The U.S. Intellectual Property Commission, citing U.S. Customs and Border Protection data, reported in 2017 that 87 percent of the counterfeit goods seized by Customs officials originated in China. The DoD has been aggressively contesting counterfeit parts for nearly a decade. In 2012, the Assistant Secretary of Defense for Sustainment published a memorandum titled, “Overarching DoD Counterfeit Prevention Guidance,” acknowledging that “counterfeit items are a serious threat to the safety and operational effectiveness of DoD systems.” While threats to IP remain a concern for the defense industry, the greater contributor to industry’s failing security score of 50 (as reported in Vital Signs) is the threat posed to information security (i.e., cybersecurity), which scored a dismally low score of 20.
The cybersecurity threat cannot be overstated. DoDI 5000.90, “Cybersecurity for Acquisition Decision Authorities and Program Managers,” notes that “the Department must inculcate cyber security into all aspects of the DAS [Defense Acquisition System] and operations.” The bold visual of cybersecurity’s expansion across the Adaptive Acquisition Framework in DoD instructions underscores our need to focus on this area of critical vulnerability. Almost daily, news accounts illuminate the depth and breadth of attacks on commercial institutions. We have seen how aggressively Russia used cyber attacks prior to its invasion of Ukraine. Our defense industry and government agencies are not immune. Vital Signs 2022 reports, “Known cybersecurity vulnerabilities continue to rise at a very high rate. New cybersecurity vulnerabilities have seen a 263 percent increase since 2016.”
According to the National Security Agency, “One of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and DoD information networks is Chinese state-sponsored malicious cyber activity.” Chinese state-sponsored cyber attackers aggressively target a wide range of industries, academia, and medical institutions to advance China’s long-term economic and military development objectives. In addition to theft of intellectual property, another critical advantage our near-peer competitors derive from cyber attacks is the ability to collect intelligence on our defense systems and capabilities.
In the nearly 3,000-year-old words of Sun Tzu, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Vulnerabilities in our cybersecurity can lead to just such a situation, and the easiest way for our near-peer competitors, like China and Russia, or even a rogue nation such as Iran or North Korea, to gain insight into our future innovations is by attacking our most vulnerable partners, the small and medium businesses.
As former Under Secretary of Defense for Acquisition and Sustainment Ellen Lord stated, “We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.” One recent DoD initiative, the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, aims to reduce that risk. The CMMC framework institutes three levels of certification that indicate the maturity and reliability of each defense company’s cybersecurity infrastructure to protect our critical war-winning information.
CMMC is intended to be a starting place and should provide the foundation for our defense industry partners to provide continual monitoring and agile responses to evolving threats. As DoDI 5000.90 explains, “Designs and architectures must address technology and cyber threat evolution to maintain mission effectiveness beyond the near term.” Although the goal of CMMC is to be cost-effective and affordable for small business, you can be sure that achieving security will be a balancing act.
Security must move above its current standing as an annex of the Program Protection Plan; it is foundational to maintaining our Warfighters’ technological edge. It must become part of an Iron Square of cost, schedule, performance, and security—an equal concern to be balanced in pursuit of a successful acquisition program.
Is it time for program managers to value security as much as cost, schedule, and performance? Is it time for America’s near-peer competitors to be thwarted in their efforts to usurp our innovative, war-winning technologies? The answer is a resounding YES! It is time for the Iron Square!
RIEL is a DAU Professor of Acquisition Management who instructs future program managers. He previously worked with the U.S. Air Force and industry over a 25-year period.
The views expressed in this article are those of the author alone and not the Department of Defense. Reproduction or reposting of articles from Defense Acquisition magazine should credit the author and the magazine.