[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

[H.A.S.C. No. 111-176]

HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

HEARING BEFORE THE SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES OF THE COMMITTEE ON ARMED SERVICES, HOUSE OF REPRESENTATIVES, ONE HUNDRED ELEVENTH CONGRESS, SECOND SESSION

HEARING HELD JULY 28, 2010

U.S. GOVERNMENT PRINTING OFFICE, 58-232, WASHINGTON : 2010

For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

LORETTA SANCHEZ, California, Chairwoman
ADAM SMITH, Washington
JEFF MILLER, Florida
MIKE McINTYRE, North Carolina
FRANK A. LoBIONDO, New Jersey
ROBERT ANDREWS, New Jersey
JOHN KLINE, Minnesota
JAMES R. LANGEVIN, Rhode Island
K. MICHAEL CONAWAY, Texas
JIM COOPER, Tennessee
THOMAS J. ROONEY, Florida
JIM MARSHALL, Georgia
MAC THORNBERRY, Texas
BRAD ELLSWORTH, Indiana
CHARLES K. DJOU, Hawaii
BOBBY BRIGHT, Alabama
SCOTT MURPHY, New York

Kevin Gates, Professional Staff Member
Alex Kugajevsky, Professional Staff Member
Jeff Cullen, Staff Assistant

C O N T E N T S

CHRONOLOGICAL LIST OF HEARINGS, 2010

Hearing:
Wednesday, July 28, 2010, Harnessing Small Business Innovation for National Security Cyber Needs ... 1

Appendix:
Wednesday, July 28, 2010 ... 19

WEDNESDAY, JULY 28, 2010

HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Miller, Hon. Jeff, a Representative from Florida, Ranking Member, Subcommittee on Terrorism, Unconventional Threats and Capabilities ... 2
Sanchez, Hon. Loretta, a Representative from California, Chairwoman, Subcommittee on Terrorism, Unconventional Threats and Capabilities ... 1

WITNESSES

Lee, Richard P., Consultant ... 6
Ricketson, John H., Chief Executive Officer, Dejavu Technologies, Inc. ... 3
Thornton, Roger, Founder and Chief Technology Officer, Fortify Software ... 4

APPENDIX

Prepared Statements:
Lee, Richard P. ... 46
Miller, Hon. Jeff ... 25
Ricketson, John H. ... 27
Sanchez, Hon. Loretta ... 23
Thornton, Roger ... 34

Documents Submitted for the Record:
[There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:
[There were no Questions submitted post hearing.]

HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

House of Representatives, Committee on Armed Services, Subcommittee on Terrorism, Unconventional Threats and Capabilities, Washington, DC, Wednesday, July 28, 2010.

The subcommittee met, pursuant to call, at 2:03 p.m., in room 2118, Rayburn House Office Building, Hon. Loretta Sanchez (chairwoman of the subcommittee) presiding.

OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

Ms. Sanchez.
The Subcommittee on Terrorism, Unconventional Threats and Capabilities will come to order. Good afternoon. I would like to thank everybody for coming today, welcome you all for being before us on a very important topic today.

As Congress looks to develop its comprehensive approach to cybersecurity, we will need the perspective of many people, including our private sector and especially, I believe, our small businesses. Because, when you think about it, I think over 90 percent of the businesses in our Nation are considered small- and medium-sized businesses; and everybody, we hope, is using a computer for efficiency and effectiveness these days. And so it is important because you have a large majority of the people who work in our United States under you all.

I am particularly excited about today's hearing because we do have small business representatives in front of us, and that is sometimes unusual for the Armed Services Committee. So we are really thrilled about that.

One of the things we do know about our small businesses is that you are very capable of innovating much quicker than large businesses or even government. And if you have innovation, if a lot of the innovation and technology agenda is driven by small business, then that is actually one of those areas that we really do want to protect from people stealing our information or your information, as the case may be.

So, today, the subcommittee is looking to discuss three main objectives for this hearing: One, the small business's view of the cyber challenge facing all of us today; secondly, the technologies that your business, along with others, are pursuing to address those needs; and the third thing is to identify systemic barriers to small businesses as they are entering the marketplace.
The purpose is for the members of this subcommittee to further develop greater cyberspace expertise and awareness but also for us to have an open discussion of how Congress can address certain barriers to small businesses while those small businesses are trying to help us here in the government sector.

And as our country works hard to improve our economy, the first place to take off will be small business. So in order to expand our economy, to grow it as so many of us I think pray every night right now, you really are key to getting that done.

So, today, we hope that the witnesses will provide the subcommittee with a technical look at cybersecurity and what technology and resources are currently available to further protect the systems that small businesses actually plug into at the Department of Defense [DOD]. That would be another area where we are looking for tools and the hindrances or the things that you might suggest.

So, today, we have three witnesses before us. The first, we have Mr. John Ricketson; and he is the Chief Executive Officer of Dejavu Technologies, Incorporated. So, welcome, and I do believe you are from California, right?

Mr. Ricketson. Massachusetts.

Ms. Sanchez. Massachusetts. What did my people do?

And Mr. Roger Thornton, the Founder and Chief Technology Officer of Fortify Software. I know he is a Californian.

And Mr. Richard Lee, an independent consultant who just came out of the government sector. So I hope you all will talk a little bit to us about the interface; and, once again, I look forward to your testimony.

Without objection, we have put your written testimony into the official record. I will remind the witnesses that you have 5 minutes to address. You don't have to read your statement. You can talk about the main points or anything you might have thought, oh, gosh, I should have put that in there and I forgot. And, after that, we will ask a series of questions and hopefully you can answer them.
And I will now yield to the ranking member from Florida, Mr. Miller, for his opening statement.

[The prepared statement of Ms. Sanchez can be found in the Appendix on page 23.]

STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA, RANKING MEMBER, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

Mr. Miller. I thank my good friend for yielding. Thank you, gentlemen, for being here. I hope you have at least been to Florida, if you are not from Florida. You might have traveled there once or twice.

This hearing does come at an appropriate moment, because over the last several weeks General Alexander has in fact been conducting an aggressive road show explaining his vision for the U.S. Cyber Command, and the establishment of the Command follows the 2010 QDR [Quadrennial Defense Review] recommendations that centralized those operations. As the Department implements its vision and as the Command becomes fully operational this coming October, the Department has an opportunity to renew its relationship with the industry and small business in particular.

Given the vital role played by small businesses and the community to develop innovative solutions to the challenges that we all see today, it is critical that both Congress and DOD have a thorough understanding of small businesses' view of the cyber challenges facing our Nation and eliminate those obstacles, as my good friend has already talked about, that many small businesses face when they contract with the Department of Defense.

I do know that our time is limited. We do have a vote coming up in a little while. So I would like to ask that my full statement be entered into the record. And I yield back.

[The prepared statement of Mr. Miller can be found in the Appendix on page 25.]

Ms. Sanchez. Wonderful. I thank the ranking member of the committee. Now let us start with Mr. Ricketson for 5 minutes or less.

STATEMENT OF JOHN H. RICKETSON, CHIEF EXECUTIVE OFFICER, DEJAVU TECHNOLOGIES, INC.

Mr. Ricketson. Well, thank you for inviting me. My name is John Ricketson. For the last 2 years, I have been managing Dejavu Technologies, which is a software provider of network forensic analysis tools. In my 30-year career in high technology, I have been associated with small companies for my entire career and about 40 transactions, equity-related, of small companies. Our management team is made up of serial entrepreneurs. We have four prior ventures, all successfully executed. This one is our first primarily focused on government. So we have had a fairly steep learning curve.

I thought what I would do with the brief statement is start with the conclusion, which is we would strongly encourage small business policies to do a bit more towards encouraging innovation; and our view is that cybersecurity in particular is an area where the more ideas, the better. It is an arms race. Better defenses on more creative attacks and the more we can bring new ideas in, the better.

I thought I would explain what we do just from the perspective of the core innovative idea that we have to present which has to do with, in the cybersecurity application, managing what might be, in a military metaphor, might be damage assessments. There is an infrastructure of many tools that are designed to block and prevent, but the fact is that breaches happen. They are inevitable. So we are helping with the process of discerning what happened, what machines were affected, what can be done about it in the future. The essence of our product is to search in a Google-like fashion everything that has happened for what may be going on that you don't know at the time it was captured. So it is a fairly simple idea, but it has big implications in terms of scale and features that make an analyst effective at that process.

The principal challenge that we have with our big idea is how to find the sponsors within agencies for whom this would be helpful with their mission.
It is harder to do that than one might think as a small company. So, in general, the small business policies have many noble goals: furthering economic development and job creation certainly, providing opportunities for groups that would not have those opportunities otherwise. It is more--it is easier to find those in the small-business-oriented programs than it is to find the programs that would help make more efficient the process of introducing new ideas and innovations.

I guess there are a couple of anecdotes I referred to in my report, which is I went to the local Small Business Administration [SBA], who have a number of programs, none of which really applied to our particular challenge. I guess another anecdote is not much of an anecdote. There were a lot of newspaper headlines about stimulus money, but we were unsuccessful at finding any.

But, in general, there are a few hindrances to small businesses presenting their ideas, one of which would be software certification, which is an important requirement generally unique to each agency and there is a fairly steep investment for a small company to provide. Another hindrance in general is security clearances. Again, very important, particularly in the area that we focused. But that requires a sponsor. So there is a bit of a Catch-22. When you introduce a new idea, to try to find the right people who can bring your idea forward and into the realm where it can be fully discussed.

We had experiences with the outreach and small business programs at various agencies, which actually did their job fairly well, which is to provide a mechanism for small companies like us to register ourselves so that we are known. I think that some attention to those programs is well deserved in terms of funding and expansion, because the goal would be for our good ideas to find the right people and agencies who would care.
Another type of organization we encountered was the technical intermediary, generally designed to represent the government to do technical assessment. And that is another area that would be very helpful. Again, the goal is new idea, find the right application that can really help the mission.

So, in conclusion, I am trying to encourage the idea of a marketplace of ideas and smaller amounts of money distributed more broadly to bring those ideas forward and an information flow that is fair and can give every good new idea a chance.

[The prepared statement of Mr. Ricketson can be found in the Appendix on page 27.]

Ms. Sanchez. Thank you, Mr. Ricketson. Now we will hear from Mr. Thornton for 5 minutes or less.

STATEMENT OF ROGER THORNTON, FOUNDER AND CHIEF TECHNOLOGY OFFICER, FORTIFY SOFTWARE

Mr. Thornton. Thank you very much, Chairwoman Sanchez, Ranking Member Miller. I have prepared a short statement to accompany my written testimony today.

I currently serve as the Chief Technology Officer at Fortify Software. I have worked in the information technology [IT] industry in the Silicon Valley for the past 23 years. My technical expertise is in finding and fixing and preventing software vulnerabilities that are at the very core of our cybersecurity dilemma. My current responsibilities involve the development and design of technologies that eliminate these vulnerabilities in order to make IT systems more resilient to attack, making software "hacker-proof."

Fortify is a small company. It is a classic Silicon Valley startup. It was founded by myself and my three cofounders in the spring of 2003. Our customers include 8 of the 10 largest banks in the world, all the major branches of the U.S. military, and a majority of the telecommunication firms across the U.S. and Europe.
Through the course of my work, I am familiar with the types of vulnerabilities found in our Nation's most critical infrastructure; and I can tell you with emphatic certainty we are in a desperate situation. My firm's technologies have helped conduct audits on thousands of critical IT systems and not once have we found a system without critical vulnerabilities. Typically, we find thousands of such vulnerabilities.

One example set comes from a Fortify team that conducts audits and reviews of military systems. Over the course of 2 years, that team has audited 601 applications across 141 major programs and found over 3.8 million security vulnerabilities, over 400,000 of which were deemed critical. Sadly, this is not an exception but has become the norm, as it represents a problem that is not currently receiving appropriate attention.

There are two compelling reasons for you to consider and actively support the role that small businesses like mine have to play in solving cybersecurity issues. The first is economic. As Chairwoman Sanchez has noted, small businesses have historically been an incredibly important driver for job growth in our country, and cybersecurity is no exception to that rule. The second is innovation. Only a small company would have the audacity and impetus to challenge the status quo and offer an entirely new approach when there are entrenched solutions in place.

Like many small businesses, my company was founded on a simple observation that challenged conventional wisdom and led to innovation. Our observations were this. I will share them with you today. IT systems are comprised of networks, computers, and software running on those computers. The prevailing strategy for IT up to now has been to secure the networks by limiting access and attempting to block attacks. That traditional security strategy has failed us. It is outdated. It is fundamentally flawed.
Simply put, nearly all software delivered today, including that which the Defense Department is going to use and all the critical infrastructure, will be constructed with major vulnerabilities. Consider those vulnerabilities as open doors for hackers to gain access to systems. Our adversaries have shifted their approach to leverage those open doors in software at the same time we have responded with more network security. The results speak for themselves.

If we eradicate software vulnerability, then the attacks won't work. We can build software systems to be resilient to attack. This is very similar to the practice of building buildings that are resilient to fire, but we need to do a better job. This line of thinking represented a radical departure from the status quo, and in the Silicon Valley that means a new small business determined to solve an old problem in a new way.

In spite of the strides we have made at Fortify and other small innovative firms, there are some extraordinary challenges that the status quo poses that I would ask for your support in overcoming. The first is a disproportionate focus on protecting hardware networks while the majority of the attacks are at the software layer; second, lack of clear policy relating to software security that leads to vague software security requirements and inadequate funding for software security initiatives; and the third is inadequate funding for fixing the vulnerabilities that companies like mine and others are finding every day.

We have a strong conviction and have established high confidence that the right combination of technology, human capital, and process can confront the advanced persistent threat and ultimately protect us from cyber warfare. We look to Congress to establish a strategic policy guidance for cyber, and we applaud Congress for being so active. This inspires mature companies, mature small companies like Fortify, and also gives hope to the next generation of innovators.
In conclusion, please let me compliment this subcommittee for your cybersecurity leadership. In particular, we strongly support the certification and the accreditation language included in the House-passed 2011 NDAA [National Defense Authorization Act]. Combined with the language contained in Section 932 of the Senate companion bill, these provisions are sorely needed to protect the United States in the domain of cybersecurity.

I would like to personally thank Chairwoman Sanchez, Ranking Member Miller, and the members of the subcommittee for holding the hearing. We look forward to working with you and the talented House Armed Services Committee staff to help better strengthen our Nation's cybersecurity defense through effective software security. Thank you.

[The prepared statement of Mr. Thornton can be found in the Appendix on page 34.]

Ms. Sanchez. Thank you, Mr. Thornton. Now we will hear from Mr. Lee for 5 minutes or less.

STATEMENT OF RICHARD P. LEE, CONSULTANT

Mr. Lee. Well, thank you, Congresswoman Sanchez. I appreciate the opportunity to address the subcommittee. I believe that we have got--as you commented; I am an independent consultant previously working inside the Federal sector as an acquisition professional and am now in the small business sector attempting to assist others to understand how to bring their products to market.

I believe we have to deal with the intersecting demands of the need to share information, whether it is in the commercial sector or in the Defense Department or government sector, and the need to protect that information, the three pillars of information assurance: the confidentiality, the integrity, and the availability. Our economy has become very dependent on the Internet. We are not going to be able to abandon that battle space but must be able to work through attacks on our Internet connectivity.
Almost all of the things that we do on a daily basis, from personal banking to managing the logistics trail to get things into the warfighting theaters, for example, depend on Internet connectivity.

I also understand that the subcommittee's focus is on harnessing the passion and innovation and originality and resourcefulness of American know-how. One of the things that I believe that my colleagues have mentioned is that we failed to take a holistic systems engineering approach to the problem and instead look at component piece part fixes that don't seem to ever solve the big problems. The issue of a Maginot line as a wall of defense is not going to work. It never has, and it won't work in the cyber domain, either. And we need to find solutions from a systems engineering perspective to harness that innovation.

I believe there are three fundamental things that are causing difficulty for small businesses to get into the solution space: The first is the acquisition process itself, which I will address a little bit later. The second is the evaluation and the certification process that we go through in order to bring products and solutions into the cyber domain. And, finally, are the financial resources available to the small business sector in just being able to get their products to market.

With respect to the acquisition process, I think that one of the issues we have and continue to have is that there are a number of large integrators who understand the acquisition process and can navigate it. Because of that, it is difficult to get innovation into their tool kit; and, consequently, when we are solving a problem, identifying and resolving a vulnerability, we seem to fall back on the same guys that got us here. If you recall Albert Einstein's comment, no problem can be solved from the same level of consciousness that created it and, thus, I believe your effort to harness small business innovation in this vital area.
The evaluation and certification process is king in the governmental cyberspace domain. There is a whole army of people who can say no, very few people who can say yes when you want to insert technology into our environment. Most small businesses do not have the resources to navigate the certification process to be able to get their products into the domain to provide either vulnerability fixes or completely new and innovative ways to approach a cyber issue.

And, finally, the ability to get into the cyber domain to identify the resources necessary requires a champion on the inside of government pulling that solution into the cyberspace. I believe that there are some programs in the executive departments and in the Defense Department specifically that do a good job of identifying and incubating innovative solutions. The Defense Advanced Research Projects Agency [DARPA] has a number of programs, as does Defense Research and Engineering specifically on their ability to do the Defense Acquisition Challenge and their Joint Capability Technology Demonstrations. But, as always, transition into sustainment is the difficult part.

As you noted, Congresswoman Sanchez, my remarks are in the record. So I will conclude there and await your questions. Thank you for the opportunity to address you.

[The prepared statement of Mr. Lee can be found in the Appendix on page 46.]

Ms. Sanchez. Thank you very much, Mr. Lee.

I will remind members that--well, I will let you know that each of the members has up to 5 minutes to ask their questions. We will start with those who arrived to the committee prior to the gavel closing, and so I will begin by asking my questions of the panel.

This morning, I met with Zachary Lemnios--he is the Director of Defense Research and Engineering [DDR&E]--in order to discuss this very topic of cybersecurity, and one of the main issues that was brought up was how we get the technical base right.
I think that that is one of the crucial questions that we have for DARPA and for DDR&E working on that answer of what are the technical underpinnings to build a secure system. I know they are working with universities and with the private sector to try to answer that question.

So I guess I would like to start by asking our witnesses here today what do you think are some of the technical underpinnings to build a secure system? And anybody can take a stab at it. None of you can take a stab at it. I know it is a "why are we alive" question, but it is one that we are struggling with.

Mr. Thornton. Chairwoman Sanchez, I would be happy to give some comment on that. The gentleman you had a conversation with was definitely right on focusing on that.

You can think about the resiliency of a system, and let us use this room to say its resiliency to not catch on fire. If we only focused on the fabric, let us say, and we knew the fabric was fireproof, what about the wood tables? What about the articles we bring in? What about the sprinkler systems and what have you?

Cybersecurity today is fragmented into those that worry about access to the networks, those that worry about access to the computers, and my area of expertise, those that worry about the software programs themselves. And our adversary is not. They will look at our systems, they will look at all those components, they will look at the human interaction, find the weakest point and attack.

So one of the things that has escaped us is in our systems engineering, the people that are ultimately responsible for an inventory management system for the military or a financial accounting system, is having those people with the purview of the entire system be the ones responsible for security. They still may need experts to help them, but we need to push the responsibility of security up the system to the senior-most people.
That means a change in the thinking of education, what is the educational requirement to be a system designer, a change in roles and responsibilities----

Ms. Sanchez. Are you talking from a hardware or software or both standpoint?

Mr. Thornton. Both, both. So the key is every system has--in information technology world, we call them system architects--people whose responsibility purviews across all the technical components, ensuring that security responsibility is held at that level.

Ms. Sanchez. Great. Anybody else? Mr. Lee.

Mr. Lee. Yes, ma'am. To pick up on the comments about systems engineering, one of the things that we don't do a good job of is recognizing that when we approach the certification of networks or the software that operates those networks, the computers and the software that runs on them, the evaluation process desires the use of standards which are good in and of themselves because they provide a bound for the evaluation process.

Unfortunately, most of the standards that we rely on were built when the Internet was being evolved and were conceived in an academic environment where trust sort of existed between the colleagues. But as we have gone into a cyber world we can no longer trust the users, and sometimes we can't even trust each other.

So we need to perhaps take a step back and figure out are there some inherent vulnerabilities and standards that we use in architecting our systems that will perpetuate vulnerabilities that we just can't solve. If that is the case, we need to take a look at, from a systems perspective, what we might do to change that environment; and I believe that is where small business innovation fits right into the sweet spot of that solution space.

Ms. Sanchez. Thank you, Mr. Lee. Mr. Ricketson, would you like to comment or----

Mr. Ricketson. Yes, I would. I guess my comment is maybe to challenge the underlying assumption of the question. I am skeptical that we could find what you referred to, technical underpinnings.
I think the history of the Internet shows that all of the hierarchically driven networks fell by the wayside, and the Internet, with all of its decentralization and messiness, was the best solution. So I am skeptical of vendors that would promote their underlying technical solution, and I am skeptical of an organized body that would decide to pick winners. I think that we have an Internet that is decentralized, and we need to work on the issues of trust and monitoring and statistical analysis and stay on top of it.

Ms. Sanchez. I, too, had that question this morning. I am a little bit more--after having spoken to both the DARPA Director and to Zachary this morning, I think they are going both ways. I think they are doing a double track to ensure that maybe there are, and maybe they are not. So that is a keen observation that you have just made. But I think they are looking at it from both standpoints: Is there a better way or is the Internet, with all its failings, the way we are going to go?

Mr. Miller, my ranking member, please, 5 minutes.

Mr. Miller. I would like to--and I will keep it brief--talk a little bit about the impediments. Mr. Ricketson, you talked about it as far as your visit to your local SBA office. SBA, small business initiative research programs, technology transition programs have all been successful for small businesses. I mean, it has been proven so. You talked about some specific instances with the others. You didn't really go into great detail.

But what I would like to know is, have you used them in the past? Did you see the same thing Mr. Ricketson saw when you tried to avail yourself of some of the programs that were there? And what changes would you recommend to allow for greater participation of companies like yours in the software field? So if I could start with Mr. Lee and then work back to Mr. Ricketson, I would appreciate it.

Mr. Lee. Yes, sir, Mr. Miller.
So to go right to your question, I think one of the advantages that the Defense Department may have is to follow the lead of DARPA that they did with their challenge program where they put a problem out there and bring--or ask people to bring solutions to them in competition for an award. That certainly exposes innovation and innovative technologies for use.

And from a prior government-side person, the two questions one always had to ask a contractor with a great solution were, A, how much is it going to cost and how do I get to you? What is the contract vehicle? The contracting process is so cumbersome that it is very difficult to get innovation inserted into our existing systems. We can do pilots, and we can do cultivation and incubation, but the transition into the environment is very difficult.

Many of the innovators like Apple and their iPhone go to the commercial marketplace because they can get out there quickly. They have to identify their certification implementation process. The government is an extraordinarily difficult labyrinth to navigate for the small businessman, and he necessarily has to get married up with a big innovator who has different motivations sometimes than the insertion of technology.

So I think there is a challenge in how you weigh, on one hand, open competition kinds of activities and the other is the insertion of new and innovative technology to solve the problems that we have. The programs exist. It is in the transition into the environment that it seems to be just so difficult to solve.

Mr. Thornton. Congressman Miller, I would answer your question in thinking about two different ways that the government helps make streamline working with small businesses. One, driving requirements that require innovation, thereby giving the small business an equal footing on the playing field.
And I would like to come back to that, because the other is more directly what you were asking, which is the programs that are in place for small businesses like ours to work with the government. I have been to a lot of seminars and sessions where small businesses complain that it is difficult to access the government and what have you. And I wouldn't sit here and say it is easy, but, in my experience, it is not all that much harder than the banking industry or the manufacturing industry in that the government demands that you understand their environment, that you understand their processes, that you understand how they do work. So I think part of it is a little bit of level setting the education or what does it take to work with the government. The programs were there for us, but we--our very first revenue as a company came through an SBIR [Small Business Innovation Research] program with the U.S. Air Force, and neither myself nor any of my founders had any connection with the Air Force. We simply worked our way through the system and found that. The National Security Agency has been very helpful, sponsored our company for the right clearances that we need. So I do think programs that are in place, from what I understand and from talking to other entrepreneurs, there could be more education. My counsel to those other entrepreneurs is, if you want to work with the government and sell to the government, you are going to need to hire people that work in that arena, just like we have hired people that have worked in the banking arena and can help us navigate.

If I could finish on my first point, though. When requirements that the status quo are not good enough are fed from the government to the IT industry, that gives the small innovator a giant advantage. So, from my vantage point, that is, security of just my network, it is not good enough. I need security of my software. But there are opportunities for that in just about every realm of cybersecurity.
Demand more or better than what is currently being offered by the status quo.

Mr. Ricketson. Nothing much more to add than what I had said. I think my modest proposal is to simply bring the criteria ``does it help innovation'' into the small business programs. Every program that I mentioned there was--it was a worthy program. So I am not knocking any of those. But we just need to do more. Thank you.

Ms. Sanchez. Thank you, Mr. Miller. Thank you, gentlemen. I will now call on my good friend, Mr. Smith, from the State of Washington for his questions.

Mr. Smith. Thank you, and I appreciate the chairwoman holding this hearing. It is a critical issue for our subcommittee. I think that for the government to get small business more involved the best ideas are out there I believe in the small business community, in many instances; and, as all of you have mentioned, it oftentimes is impossible for them to do business with the government and we in the government lose out, particularly on this subcommittee that works on IT infrastructure. But this expands out. We do a lot of work with the Special Operations Command. A lot of their needs require updated, better technology, and small businesses are the companies that can provide it. So we appreciate that. I think most of the questions have been answered. I will just throw this out there, if you gentlemen have anything to say about it in particular. What is the one thing you would say we could change about our acquisition or procurement policy that would most help small businesses get greater access, have the opportunity to be able to sell what they make or their services to government, in this case the DOD?

Mr. Lee. Sir, I would like to take a cut at that.
I think that because we in the acquisition process tend to wind up with the big integration companies that have deep pockets that can navigate the bidding process system and know how to write a proposal that a government evaluator can read, understand, and accept, we tend to get the sameness of the solution competing on price. One of the things that might help is if there were some tax code incentives or other kinds of things where some of the debt and/or operating loss that a small business necessarily incurs while they are trying to do this innovative thing and get their product to market could be used somehow by the large integrator to help offset some of his financial activity. He may be incentivized to try to bring in some of the new innovative or novel ways to solve some of these cyber problems. Some of the people that I have worked with have taken a systems engineering perspective and have a new way of looking at the networking architecture to be able to insert distributed defense-in-depth kinds of activities, firewalls, for example, instead of building it at the boundary like the Maginot line. But that technology is extraordinarily difficult to stick into the system because the large integrators are unfamiliar with it and just don't have a way.

Mr. Smith. Shouldn't there be a way to do this without the large integrators, in some instances? I guess that is--we have small businesses come to us all the time; and, regrettably, one of the first things we have to tell them is here is the eight biggest defense companies; find one and partner with them. But shouldn't there be a way that a small business can simply do it without having to go to a large integrator?

Mr. Lee. Sir, one of the problems from my perspective is that the evaluation and certification process has so many people demanding ``certify me'' because it is great to have that certification label on your product.
And, in some cases, particularly for government networks and environments, you need that evaluated product certification in order to even be considered. If you don't have the champion inside the government pulling on your solution, then you need that integrator to be pushing you into the environment as part of a systems approach that he has recommended or has been hired to implement.

Mr. Smith. What I would like to do--and it is something we have worked on a lot with different companies--is get the acquisition people out there to be looking for you guys. Instead of seeing one of you guys coming and going, they don't know what they are doing, better call somebody bigger, they say, I am going to take a closer look. So I think, from our perspective, we need--and this has particular application on the cybersecurity side. Because, as you gentlemen have noted, you are cutting-edge innovators on that, in many instances, but we need acquisition people who can move past that. I accept your answer. I am running out of time. I don't know if the other two gentlemen wanted to comment at all on how you would change the process.

Mr. Ricketson. My big idea may not actually be a good idea. I would love to have someone validate it. So my idea--I make a technical claim. That technical claim may or may not be valid. Even if it is valid, it may or may not forward the mission. So I will give you an example. We have a search capability that is supposed to scale. That means you can search into huge amounts of data. The word ``petabyte'' comes up. The petabyte is bigger than I can count, and products break down in situations of stress like that. So if there is a technical intermediary that represents the government that can take a claim and say, yes, this is true and has the credibility inside the government with the technical sponsors, that is a major step forward and is independent and is a level playing field between a big and small company. It is just about the idea.

Mr. Thornton. And, Congressman Smith, if I can add--and I will caveat with I am not an expert in Federal acquisition. So this is an idea from a person who----

Mr. Smith. That may be helpful, actually, that you are not buried in the minutia of Federal acquisition and can simply look at it from a practical standpoint. But go ahead.

Mr. Thornton [continuing]. That is what I was thinking, is when I--in my experience, I have seen the Federal Government make some really smart acquisitions and other times where I questioned it, whether it was the best technical solution. One thing I noticed was the technical capability to define the requirements were employees of the Federal Government. I can give some examples. But, in general, when the system integrator is writing the requirements for the Federal Government, I think a lot of times those requirements are going to be not demanding the highest, latest innovations. So maybe a radical shift in theory but building up the capabilities inside of each of the agencies to have some top-of-field technical people that can drive requirements, from personal experience I have seen that work quite well.

Mr. Smith. That makes a great deal of sense. I think two directions we need to go in to get there. We have talked about this in a number of contexts, but our somewhat obsessive reliance or I should say excessive reliance on contractors since 9/11 has downgraded the number of people within the acquisition process who are talented and knowledgeable. There just aren't as many of them there, for one thing. But the second thing I always want to emphasize is to empower those people. I think part of what drives some people out who do have experience in the acquisition process is, if you are the type of go-getter, really knowledgeable, you are a person who wants to be empowered, you want to know if you make a smart decision you can implement it and see the result of it.
If you are in the acquisition process and you can't make the decision and say, you know what, this company or--to your idea--this guy has this idea and you know what, it works, it is great, it is what we are going to do, but I cannot do it because there is an 18-month procurement process and it doesn't fit the RFP [Request for Proposal] that was written sometimes 2 years ago. It doesn't really fit that RFP. So I would have to go back in, I would have to change the RFP, I would have to go through another 12 months, and then I come back to you and you go I don't remember who you are because it has been so long. So I think we need to empower people within the acquisition process. Thank you, Madam Chairwoman.

Ms. Sanchez. I like the observations you made, Mr. Smith. And, of course, the other problem is, at a time when we have such a calling on the government to stop making government bigger and having this push to somehow--it is difficult, because we are dealing with very complex issues. We are dealing with people who get paid a lot of money. Everybody who is worth their salt in your industry is making money, and then we want them to come and work for the Federal Government. So that----

Mr. Smith. If I could just comment. It is not a matter of making the government bigger. It is a matter of making it better. And we are paying the contractors. We are paying for those RFPs. We are paying for this acquisition process, which in many cases just winds up costing more. So I think you can accomplish both.

Ms. Sanchez [continuing]. Well, we always try to do that, and I think that is part of what we did in the slimmed-down acquisition programs that we are putting in place led by Mr. Andrews. But there is always that overlap time where we are trying to get out of one system and really make the other system work, and it is a difficulty. So I would agree with you. It is just difficult how we get to that. Mr. Ricketson, you said at one point in your testimony that we should encourage small business policy, that we should change small business policy or make small business policy to encourage innovation. If you were a Congressperson sitting up here and you wanted to change small business policy of the government to encourage innovation, how would you go about that? What would you propose would be---- We have already got our small business innovation programs. We have pilot programs. We have got Mr. Lee saying, well, you know, the problem really isn't that you are not encouraging innovation in small business. By having some of these programs is when you get to a point these programs, that falls off--when we tell you, okay, here, we are going to throw you out of the nest and go fly, there is nobody to help you figure out how to fly as you spiral downwards into never-never land. So what would you say? If you were a Congressperson, when you say change small business policy or mold small business policy to encourage innovation, what would that look like? Because we also have R&D [Research and Development] tax write-offs, for example. What would be--from your angle, what does that mean to you?

Mr. Ricketson. I am honored to be asked, though I come here from the perspective of our small company trying to move forward, seeing some hindrances, offering constructive suggestions about areas to focus on. Far be it from me to make a lot of specific proposals. However, a comment you made a minute ago I wanted to respond to that I think is relevant. All of us--there is the challenge of big government versus--bigger government versus what we want government to do. And in the area of fostering innovation, small amounts of money at earlier stages yield much better returns than large amounts of money that are deployed in mature programs.
So I would encourage the government to provide for small businesses that have ideas that seem like they might be interesting, services that eliminate those companies having to come up with the money and take that risk themselves. So a suggestion a moment ago, which is some technical claims are difficult to validate because they take an infrastructure that is beyond the small company to fully judge. And a technical claim goes beyond technology but also involves risk. Large companies, large integrators, complex procurement programs are, to some extent, a proxy for risk assessment. So if you can at least ask the organizations that are assigned to look after technology and small companies to bring innovation into their criteria and find ways to measure whether they are doing a good job, we are going in the right direction.

Ms. Sanchez. The problem for somebody who is working in the government--I am not talking about us, because we are taking risks all the time. We have 2-year jobs, and then we have to go out and campaign again--is that it seems to me within the Federal Government, from what I learned, is that somebody who goes with the known quantity, a Rockwell or a Raytheon or something, is never going to get in trouble if he suggested or gave the contractor somebody like that. Because when those guys mess up--and somewhere along a large project there are a lot of mess-ups. You have to look at some of the subcommittees I have had before to know all the failings that I have seen. Well, it couldn't be done. We are the biggest, we are the best, and it couldn't be done. Or we just--you scoped it wrong or the specs were wrong. But if a government employee goes and gives it to a small, innovative company and you do fail, then it is like, well, didn't you know that was going to happen? Here is a company that has no track record or doesn't have the resources to cover the losses or look at all the time we have wasted.
So it is really--it is a very difficult thing when I look at these government employees to be able to really take that type of risk. I would also say that is one of the reasons why we put DARPA in, because that is our risk taking, that is almost throw caution to the wind and go with bold ideas. It is almost a contrarian type of an agency. So I don't know if we need more DARPAs or what we need in order to give government ability to feel comfortable working with so many of these new issues and what is really a risk to your environment by definition because it is new and a bad attack of cybersecurity can get to all of us at once. Mr. Miller, do you have any other questions?

Mr. Miller. Yeah. I would like to follow up on Mr. Smith's line of questioning in regards to insourcing. I would say that in the First Congressional District it is of great concern not only to me but to some of my constituents because I believe that the standards used in determining which jobs are to be insourced don't really use any true methodology. I think that, in many cases, the numbers seem to be arbitrary. But what I want to know and, Mr. Thornton, you had--when we were talking a minute ago, you were nodding your head. I couldn't tell if it was in agreement or dissent. My question is, have any of your companies been affected by DOD's insourcing? And, if it has, could you explain and offer your guidance to the committee on what jobs could be insourced from your field? So, Mr. Thornton, if you would; and then if the other two want to chime in, you can. If not, that is fine, too.

Mr. Thornton. Thank you, Congressman Miller. I cannot say specifically that we have been affected by insourcing on any particular instance, but I can give an example where the government had in its employ some very sharp technical people that were ultimately driving the architecture of a major purchase. And this was at the Veterans Administration [VA], some of the people that work for Mr. Baker there, very technically astute, as good as you are going to find in private industry and what have you. And when you have an environment like that, the government as a customer is being very clear in terms of its expectations of your technical performance. I could cite some other examples where our company is working with a large integrator and the government employees are more program managers and financial folks and it is really the large integrator that is driving the technical requirements. And from my not expansive number of times I have seen that--I have only seen that a couple of times--it does make sense to me what Congressman Smith was saying. Were the government able to insource technical architecture, empowered individuals that can drive requirements, we will probably end up with more effective, cost-effective, more demanding requirements. Now, what does that mean to small business? I believe in my heart of hearts more demanding requirements is an unfair advantage for small business. When you ask for something that is not currently being built today, more times than not it is a small business that is going to be able to meet that requirement than a large company. And so one other way I might contrast that. My company does a lot of work with the Federal Government and a lot of work with the banking industry. As I mentioned with the VA, there were technical people in there that could easily work in the banking industry and drive the same requirements. Just about every bank we come into has technical people that manage the entire requirements process, set the bar for what is good enough, determine if the small business is making legitimate technical claims or not and really owns that. And as we talk here today--this is not an idea I came to bring to you, but as I listen to the discussion that does make a lot of sense to me--I think you would benefit from that.

Mr. Lee. Mr. Miller, I think one of the issues you have in trying to insource is--I am going to bet, looking at us, that my colleagues and I grew up shortly after Sputnik went up and the Mercury space program kicked off and the United States went nuts for science and math and engineering expertise and the kids that I was growing up with were focused on that. The kids today are not as focused on that. We see our universities, particularly engineering schools, being more inundated by foreign students who take that expertise home. Those are the people that you need, the young kids coming out of school that you need to figure out a way to incentivize into the government. Unfortunately, there is a whole culture that seems to believe that a government job is, A, to serve the Nation but more, and as importantly, to generate a good pension coverage for when you get older. So the issue becomes, how do you incentivize those kids to come into the service, the government service to do the engineering work needed in order to make sure we are pulling the best out of the small business and getting it into our processes? I don't know if you can think outside the box and say, well, let us have a project, maybe run by DARPA, maybe run by some other organization. I know the services all have good and vibrant laboratories that do innovative things. Perhaps you run a pilot effort for a 2-year initiative to suspend the FAR [Federal Acquisition Regulations] and the DFAR [Defense Federal Acquisition Regulations], write some letter contracts and see what we can do, as my colleagues have said. And if the technical expertise and the delivery is good and the government side can figure out that it is good and can understand how to specify that on a grander scale, you now are in a position that government has learned, industry has learned, and we got out from under the acquisition umbrella that just seems to impede the process, which seems to be where we constantly found ourselves stuck in the labyrinth.
Ms. Sanchez. Well, do you have any more questions, Mr. Miller?

Mr. Miller. No.

Ms. Sanchez. Okay. We are going to have votes in a few minutes so we will conclude this, but I just wanted to make some observations. I can't tell you how many times--and I live in Orange County, California, which is, as you know, an innovative--we carry the innovative agenda, as so many in California, and especially the defense, the aerospace, NASA [National Aeronautics and Space Administration]-driven issues, we have a lot of small companies that work in Orange County that have their people in Orange County, and there have been plenty of times I have seen where these small companies come to the Federal Government--they come to me and they say, we really have some ideas, and someone needs to hear these. You need to help us. Of course, we start banging on doors and stuff. The reality is, it is very difficult. As you say, unless you have someone who has been in the Pentagon day in, day out, or contracting, it is a very difficult thing for a small business and they really can't afford tons of lobbyists and specialists and everything and to put them out there for a year or two. As many of you know, the specs are written with, you know--because a technical aspect may not be within one of the government departments that is doing this, they rely a lot on industry coming in and talking to them about what those specs for those RFPs should be. That is a long process. It is usually a year, two, three years before you see the RFP; and it has been written by somebody who already, you know, knows it is coming out. And yet you have the small business who wants to compete. It is very difficult, and they can't afford to compete. That is the truth. So we do need to find a new way in which we allow this innovation to get in here. Because I certainly see it out in the commercial area day in and day out where I live out there in California, and you don't see it here as much in Washington, DC.
So I would hope that if you do have, given that some of you have hit your head against that wall or been at companies or heard stories, that you might do us a favor of sitting down and writing specifics about what we might change, what we might really try to change in order for these innovative ideas to get a fair shake out here in Washington, DC. That is what this subcommittee is about, at least with respect to the Department of Defense. I want to thank all of you for being here today. We really appreciated your testimony, and I would appreciate any follow-up that you might have to this issue that I just laid out. Thank you very much. The subcommittee is now adjourned.

[Whereupon, at 3:05 p.m., the subcommittee was adjourned.]

=======================================================================

A P P E N D I X

July 28, 2010

=======================================================================

PREPARED STATEMENTS SUBMITTED FOR THE RECORD

July 28, 2010

=======================================================================

[The prepared statements were submitted as scanned images, T8232.001 through T8232.031; graphics omitted from this text.]