[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



                                     

                         [H.A.S.C. No. 111-176]

 
 HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

                               __________

                                HEARING

                               BEFORE THE

   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                             JULY 28, 2010

                                     

                                     

                  U.S. GOVERNMENT PRINTING OFFICE
58-232                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  
  


   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                LORETTA SANCHEZ, California, Chairwoman
ADAM SMITH, Washington               JEFF MILLER, Florida
MIKE McINTYRE, North Carolina        FRANK A. LoBIONDO, New Jersey
ROBERT ANDREWS, New Jersey           JOHN KLINE, Minnesota
JAMES R. LANGEVIN, Rhode Island      K. MICHAEL CONAWAY, Texas
JIM COOPER, Tennessee                THOMAS J. ROONEY, Florida
JIM MARSHALL, Georgia                MAC THORNBERRY, Texas
BRAD ELLSWORTH, Indiana              CHARLES K. DJOU, Hawaii
BOBBY BRIGHT, Alabama
SCOTT MURPHY, New York
                 Kevin Gates, Professional Staff Member
               Alex Kugajevsky, Professional Staff Member
                      Jeff Cullen, Staff Assistant


                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2010

                                                                   Page

Hearing:

Wednesday, July 28, 2010, Harnessing Small Business Innovation 
  for National Security Cyber Needs..............................     1

Appendix:

Wednesday, July 28, 2010.........................................    19
                              ----------                              

                        WEDNESDAY, JULY 28, 2010
 HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Miller, Hon. Jeff, a Representative from Florida, Ranking Member, 
  Subcommittee on Terrorism, Unconventional Threats and 
  Capabilities...................................................     2
Sanchez, Hon. Loretta, a Representative from California, 
  Chairwoman, Subcommittee on Terrorism, Unconventional Threats 
  and Capabilities...............................................     1

                               WITNESSES

Lee, Richard P., Consultant......................................     6
Ricketson, John H., Chief Executive Officer, Dejavu Technologies, 
  Inc............................................................     3
Thornton, Roger, Founder and Chief Technology Officer, Fortify 
  Software.......................................................     4

                                APPENDIX

Prepared Statements:

    Lee, Richard P...............................................    46
    Miller, Hon. Jeff............................................    25
    Ricketson, John H............................................    27
    Sanchez, Hon. Loretta........................................    23
    Thornton, Roger..............................................    34

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
 HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
     Subcommittee on Terrorism, Unconventional Threats and 
                                              Capabilities,
                          Washington, DC, Wednesday, July 28, 2010.
    The subcommittee met, pursuant to call, at 2:03 p.m., in 
room 2118, Rayburn House Office Building, Hon. Loretta Sanchez 
(chairwoman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE 
    FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM, 
            UNCONVENTIONAL THREATS AND CAPABILITIES

    Ms. Sanchez. The Subcommittee on Terrorism, Unconventional 
Threats and Capabilities will come to order.
    Good afternoon. I would like to thank everybody for coming 
today, welcome you all for being before us on a very important 
topic today.
    As Congress looks to develop its comprehensive approach to 
cybersecurity, we will need the perspective of many people, 
including our private sector and especially, I believe, our 
small businesses. Because, when you think about it, I think 
over 90 percent of the businesses in our Nation are considered 
small- and medium-sized businesses; and everybody, we hope, is 
using a computer for efficiency and effectiveness these days. 
And so it is important because you have a large majority of the 
people who work in our United States under you all.
    I am particularly excited about today's hearing because we 
do have small business representatives in front of us, and that 
is sometimes unusual for the Armed Services Committee. So we 
are really thrilled about that. One of the things we do know 
about our small businesses is that you are very capable of 
innovating much quicker than large businesses or even 
government. And if you have innovation, if a lot of the 
innovation and technology agenda is driven by small business, 
then that is actually one of those areas that we really do want 
to protect from people stealing our information or your 
information, as the case may be.
    So, today, the subcommittee is looking to discuss three 
main objectives for this hearing: One, the small business's 
view of the cyber challenge facing all of us today; secondly, 
the technologies that your business, along with others, are 
pursuing to address those needs; and the third thing is to 
identify systemic barriers to small businesses as they are 
entering the marketplace.
    The purpose is for the members of this subcommittee to 
further develop greater cyberspace expertise and awareness but 
also for us to have an open discussion of how Congress can 
address certain barriers to small businesses while those small 
businesses are trying to help us here in the government sector.
    And as our country works hard to improve our economy, the 
first place to take off will be small business. So in order to 
expand our economy, to grow it as so many of us I think pray 
every night right now, you really are key to getting that done.
    So, today, we hope that the witnesses will provide the 
subcommittee with a technical look at cybersecurity and what 
technology and resources are currently available to further 
protect the systems that small business actually plug into at 
the Department of Defense [DOD]. That would be another area 
where we are looking for tools and the hindrances or the things 
that you might suggest.
    So, today, we have three witnesses before us. The first, we 
have Mr. John Ricketson; and he is the Chief Executive Officer 
of Dejavu Technologies, Incorporated. So, welcome, and I do 
believe you are from California, right?
    Mr. Ricketson. Massachusetts.
    Ms. Sanchez. Massachusetts. What did my people do?
    And Mr. Roger Thornton, the Founder and Chief Technology 
Officer of Fortify Software. I know he is a Californian.
    And Mr. Richard Lee, an independent consultant who just 
came out of the government sector.
    So I hope you all will talk a little bit to us about the 
interface; and, once again, I look forward to your testimony. 
Without objection, we have put your written testimony into the 
official record.
    I will remind the witnesses that you have 5 minutes to 
address. You don't have to read your statement. You can talk 
about the main points or anything you might have thought, oh, 
gosh, I should have put that in there and I forgot. And, after 
that, we will ask a series of questions and hopefully you can 
answer them.
    And I will now yield to the ranking member from Florida, 
Mr. Miller, for his opening statement.
    [The prepared statement of Ms. Sanchez can be found in the 
Appendix on page 23.]

 STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA, 
   RANKING MEMBER, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL 
                    THREATS AND CAPABILITIES

    Mr. Miller. I thank my good friend for yielding.
    Thank you, gentlemen, for being here. I hope you have at 
least been to Florida, if you are not from Florida. You might 
have traveled there once or twice.
    This hearing does come at an appropriate moment, because 
over the last several weeks General Alexander has in fact been 
conducting an aggressive road show explaining his vision for 
the U.S. Cyber Command, and the establishment of the Command 
follows the 2010 QDR [Quadrennial Defense Review] 
recommendations that centralized those operations. As the 
Department implements its vision and as the Command becomes 
fully operational this coming October, the Department has an 
opportunity to renew its relationship with the industry and 
small business in particular.
    Given the vital role played by small businesses and the 
community to develop innovative solutions to the challenges 
that we all see today, it is critical that both Congress and 
DOD have a thorough understanding of small businesses' view of 
the cyber challenges facing our Nation and eliminate those 
obstacles, as my good friend has already talked about, that 
many small businesses face when they contract with the 
Department of Defense.
    I do know that our time is limited. We do have a vote 
coming up in a little while. So I would like to ask that my 
full statement be entered into the record. And I yield back.
    [The prepared statement of Mr. Miller can be found in the 
Appendix on page 25.]
    Ms. Sanchez. Wonderful. I thank the ranking member of the 
committee.
    Now let us start with Mr. Ricketson for 5 minutes or less.

STATEMENT OF JOHN H. RICKETSON, CHIEF EXECUTIVE OFFICER, DEJAVU 
                       TECHNOLOGIES, INC.

    Mr. Ricketson. Well, thank you for inviting me.
    My name is John Ricketson. For the last 2 years, I have 
been managing Dejavu Technologies, which is a software provider 
of network forensic analysis tools. In my 30-year career in 
high technology, I have been associated with small companies 
for my entire career and about 40 transactions, equity-related, 
of small companies.
    Our management team is made up of serial entrepreneurs. We 
have four prior ventures, all successfully executed. This one 
is our first primarily focused on government. So we have had a 
fairly steep learning curve.
    I thought what I would do with the brief statement is start 
with the conclusion, which is we would strongly encourage small 
business policies to do a bit more towards encouraging 
innovation; and our view is that cybersecurity in particular is 
an area where the more ideas, the better. It is an arms race. 
Better defenses on more creative attacks and the more we can 
bring new ideas in, the better.
    I thought I would explain what we do just from the 
perspective of the core innovative idea that we have to present 
which has to do with, in the cybersecurity application, 
managing what might be, in a military metaphor, might be damage 
assessments.
    There is an infrastructure of many tools that are designed 
to block and prevent, but the fact is that breaches happen. 
They are inevitable. So we are helping with the process of 
discerning what happened, what machines were affected, what can 
be done about it in the future.
    The essence of our product is to search in a Google-like 
fashion everything that has happened for what may be going on 
that you don't know at the time it was captured. So it is a 
fairly simple idea, but it has big implications in terms of 
scale and features that make an analyst effective at that 
process.
    The principal challenge that we have with our big idea is 
how to find the sponsors within agencies for whom this would be 
helpful with their mission. It is harder to do that than one 
might think as a small company.
    So, in general, the small business policies have many noble 
goals: furthering economic development and job creation 
certainly, providing opportunities for groups that would not 
have those opportunities otherwise. It is more--it is easier to 
find those in the small-business-oriented programs than it is 
to find the programs that would help make more efficient the 
process of introducing new ideas and innovations.
    I guess there are a couple of anecdotes I referred to in my 
report which is I went to the local Small Business 
Administration [SBA] who have a number of programs, none of 
which really applied to our particular challenge.
    I guess another anecdote is not much of an anecdote. There 
was a lot of newspaper headlines about stimulus money, but we 
were unsuccessful at finding any.
    But, in general, there are a few hindrances to small 
businesses presenting their ideas, one of which would be 
software certification which is an important requirement 
generally unique to each agency and there is a fairly steep 
investment for a small company to provide.
    Another hindrance in general is security clearances. Again, 
very important, particularly in the area that we focused. But 
that requires a sponsor. So there is a bit of a Catch 22. When 
you introduce a new idea, to try to find the right people who 
can bring your idea forward and into the realm where it can be 
fully discussed.
    We had experiences with the outreach and small business 
programs at various agencies, which actually did their job 
fairly well, which is to provide a mechanism for small 
companies like us to register ourselves so that we are known. I 
think that some attention to those programs is well deserved in 
terms of funding and expansion, because the goal would be for 
our good ideas to find the right people and agencies who would 
care.
    Another type of organization we encountered was the 
technical intermediary, generally designed to represent the 
government to do technical assessment. And that is another area 
that would be very helpful.
    Again, the goal is new idea, find the right application 
that can really help the mission.
    So, in conclusion, I am trying to encourage the idea of a 
marketplace of ideas and smaller amounts of money distributed 
more broadly to bring those ideas forward and an information 
flow that is fair and can give every good new idea a chance.
    [The prepared statement of Mr. Ricketson can be found in 
the Appendix on page 27.]
    Ms. Sanchez. Thank you, Mr. Ricketson.
    Now we will hear from Mr. Thornton for 5 minutes or less.

   STATEMENT OF ROGER THORNTON, FOUNDER AND CHIEF TECHNOLOGY 
                   OFFICER, FORTIFY SOFTWARE

    Mr. Thornton. Thank you very much, Chairwoman Sanchez, 
Ranking Member Miller.
    I have prepared a short statement to accompany my written 
testimony today.
    I currently serve as the Chief Technology Officer at 
Fortify Software. I have worked in the information technology 
[IT] industry in the Silicon Valley for the past 23 years.
    My technical expertise is in finding and fixing and 
preventing software vulnerabilities that are at the very core 
of our cybersecurity dilemma. My current responsibilities 
involve the development and design of technologies that 
eliminate these vulnerabilities in order to make IT systems 
more resilient to attack, making software ``hacker-proof.''
    Fortify is a small company. It is a classic Silicon Valley 
startup. It was founded by myself and my three cofounders in 
the spring of 2003. Our customers include 8 of the 10 largest 
banks in the world, all the major branches of the U.S. 
military, and a majority of the telecommunication firms across 
the U.S. and Europe.
    Through the course of my work, I am familiar with the types 
of vulnerabilities found in our Nation's most critical 
infrastructure; and I can tell you with emphatic certainty we 
are in a desperate situation. My firm's technologies have 
helped conduct audits on thousands of critical IT systems and 
not once have we found a system without critical 
vulnerabilities. Typically, we find thousands of such 
vulnerabilities.
    One example set comes from a Fortify team that conducts 
audits and reviews of military systems. Over the course of 2 
years, that team has audited 601 applications across 141 major 
programs and found over 3.8 million security vulnerabilities, 
over 400,000 of which were deemed critical. Sadly, this is not 
an exception but has become the norm, as it represents a 
problem that is not currently receiving appropriate attention.
    There are two compelling reasons for you to consider and 
actively support the role that small businesses like mine have 
to play in solving cybersecurity issues.
    The first is economic. As Chairwoman Sanchez has noted, 
small businesses have historically been an incredibly important 
driver for job growth in our country, and cybersecurity is no 
exception to that rule.
    The second is innovation. Only a small company would have 
the audacity and impetus to challenge the status quo and offer 
an entirely new approach when there are entrenched solutions in 
place. Like many small businesses, my company was founded on a 
simple observation that challenged conventional wisdom and led 
to innovation.
    Our observations were this. I will share them with you 
today.
    IT systems are comprised of network, computers, and 
software running on those computers. The prevailing strategy 
for IT up to now has been to secure the networks by limiting 
access and attempting to block attacks. That traditional 
security strategy has failed us. It is outdated. It is 
fundamentally flawed. Simply put, nearly all software delivered 
today, including that which the Defense Department is going to 
use and all the critical infrastructure, will be constructed 
with major vulnerabilities.
    Consider those vulnerabilities as open doors for hackers to 
gain access to systems. Our adversaries have shifted their 
approach to leverage those open doors in software at the same 
time we have responded with more network security. The results 
speak for themselves.
    If we eradicate software vulnerability, then the attacks 
won't work. We can build software systems to be resilient to 
attack. This is very similar to the practice of building 
buildings that are resilient to fire, but we need to do a 
better job.
    This line of thinking represented a radical departure from 
the status quo, and in the Silicon Valley that means a new 
small business determined to solve an old problem in a new way. 
In spite of the strides we have made at Fortify and other small 
innovative firms, there are some extraordinary challenges that 
the status quo pose that I would ask for your support in 
overcoming.
    The first is a disproportionate focus on protecting 
hardware networks while the majority of the attacks are at the 
software layer; second, lack of clear policy relating to 
software security that leads to vague software security 
requirements and inadequate funding for software security 
initiatives; and the third is inadequate funding for fixing the 
vulnerabilities that companies like mine and others are finding 
every day.
    We have a strong conviction and have established high 
confidence that the right combination of technology, human 
capital, and process can confront the advanced persistent 
threat and ultimately protect us from cyber warfare. We look to 
Congress to establish a strategic policy guidance for cyber, 
and we applaud Congress for being so active. This inspires 
mature companies, mature small companies like Fortify, and also 
gives hope to the next generation of innovators.
    In conclusion, please let me compliment this subcommittee 
for your cybersecurity leadership. In particular, we strongly 
support the certification and the accreditation language 
included in the House-passed 2011 NDAA [National Defense 
Authorization Act]. Combined with the language contained in 
Section 932 of the Senate companion bill, these provisions are 
sorely needed to protect the United States in the domain of 
cybersecurity.
    I would like to personally thank Chairwoman Sanchez, 
Ranking Member Miller, and the members of the subcommittee for 
holding the hearing. We look forward to working with you and 
the talented House Armed Services Committee staff to help 
better strengthen our Nation's cybersecurity defense through 
effective software security. Thank you.
    [The prepared statement of Mr. Thornton can be found in the 
Appendix on page 34.]
    Ms. Sanchez. Thank you, Mr. Thornton.
    Now we will hear from Mr. Lee for 5 minutes or less.

            STATEMENT OF RICHARD P. LEE, CONSULTANT

    Mr. Lee. Well, thank you, Congresswoman Sanchez. I 
appreciate the opportunity to address the subcommittee.
    I believe that we have got--as you commented; I am an 
independent consultant previously working inside the Federal 
sector as an acquisition professional and am now in the small 
business sector attempting to assist others to understand how 
to bring their products to market.
    I believe we have to deal with the intersecting demands of 
the need to share information, whether it is in the commercial 
sector or in the Defense Department or government sector, and 
the need to protect that information, the three pillars of 
information assurance: the confidentiality, the integrity, and 
the availability.
    Our economy has become very dependent on the Internet. We 
are not going to be able to abandon that battle space but must 
be able to work through attacks on our Internet connectivity.
    Almost all of the things that we do on a daily basis, from 
personal banking to managing the logistics trail to get things 
into the warfighting theaters, for example, depend on Internet 
connectivity.
    I also understand that the subcommittee's focus is on 
harnessing the passion and innovation and originality and 
resourcefulness of American know-how. One of the things that I 
believe that my colleagues have mentioned is that we failed to 
take a holistic systems engineering approach to the problem and 
instead look at component piece part fixes that don't seem to 
ever solve the big problems. The issue of a Maginot line as a 
wall of defense is not going to work. It never has, and it 
won't work in the cyber domain, either. And we need to find 
solutions from a systems engineering perspective to harness 
that innovation.
    I believe there are three fundamental things that are 
causing difficulty for small businesses to get into the 
solution space: The first is the acquisition process itself, 
which I will address a little bit later. The second is the 
evaluation and the certification process that we go through in 
order to bring products and solutions into the cyber domain. 
And, finally, are the financial resources available to the 
small business sector in just being able to get their products 
to market.
    With respect to the acquisition process, I think that one 
of the issues we have and continue to have is that there are a 
number of large integrators who understand the acquisition 
process and can navigate it. Because of that, it is difficult 
to get innovation into their tool kit; and, consequently, when 
we are solving a problem, identifying and resolving a 
vulnerability, we seem to fall back on the same guys that got 
us here.
    If you recall Albert Einstein's comment, no problem can be 
solved from the same level of consciousness that created it 
and, thus, I believe your effort to harness small business 
innovation in this vital area.
    The evaluation and certification process is king in the 
governmental cyberspace domain. There is a whole army of people 
who can say no, very few people who can say yes when you want 
to insert technology into our environment. Most small 
businesses do not have the resources to navigate the 
certification process to be able to get their products into the 
domain to provide either vulnerability fixes or completely new 
and innovative ways to approach a cyber issue.
    And, finally, the ability to get into the cyber domain to 
identify the resources necessary requires a champion on the 
inside of government pulling that solution into the cyberspace.
    I believe that there are some programs in the executive 
departments and in the Defense Department specifically that do 
a good job of identifying and incubating innovative solutions. 
The Defense Advanced Research Project Agency [DARPA] has a 
number of programs, as does Defense Research and Engineering 
specifically on their ability to do the Defense Acquisition 
Challenge and their Joint Capability Technology Demonstrations. 
But, as always, transition into sustainment is the difficult 
part.
    As you noted, Congresswoman Sanchez, my remarks are in the 
record. So I will conclude there and await your questions. 
Thank you for the opportunity to address you.
    [The prepared statement of Mr. Lee can be found in the 
Appendix on page 46.]
    Ms. Sanchez. Thank you very much, Mr. Lee.
    I will remind members that--well, I will let you know that 
each of the members has up to 5 minutes to ask their questions. 
We will start with those who arrived to the committee prior to 
the gavel closing, and so I will begin by asking my questions 
of the panel.
    This morning, I met with Zachary Lemnios--he is the 
Director of Defense Research and Engineering [DDR&E]--in order 
to discuss this very topic of cybersecurity, and one of the 
main issues that was brought up was how we get the technical 
base right. I think that that is one of the crucial questions 
that we have for DARPA and for DDR&E working on that answer of 
what are the technical underpinnings to build a secure system. 
I know they are working with universities and with the private 
sector to try to answer that question. So I guess I would like 
to start by asking our witnesses here today what do you think 
are some of the technical underpinnings to build a secure 
system?
    And anybody can take a stab at it. None of you can take a 
stab at it. I know it is a ``why are we alive'' question, but 
it is one that we are struggling with.
    Mr. Thornton. Chairwoman Sanchez, I would be happy to give 
some comment on that.
    The gentleman you had a conversation with was definitely 
right on focusing on that. You can think about the resiliency 
of a system, and let us use this room to say its resiliency to 
not catch on fire. If we only focused on the fabric, let us 
say, and we knew the fabric was fireproof, what about the wood 
tables? What about the articles we bring in? What about the 
sprinkler systems and what have you?
    Cybersecurity today is fragmented into those that worry 
about access to the networks, those that worry about access to 
the computers, and my area of expertise, those that worry about 
the software programs themselves. And our adversary is not. 
They will look at our systems, they will look at all those 
components, they will look at the human interaction, find the 
weakest point and attack.
    So one of the things that has escaped us is in our systems 
engineering, the people that are ultimately responsible for an 
inventory management system for the military or a financial 
accounting system, is having those people with the purview of 
the entire system be the ones responsible for security. They 
still may need experts to help them, but we need to push the 
responsibility of security up the system to the senior-most 
people. That means a change in the thinking of education, what 
is the educational requirement to be a system designer, a 
change in roles and responsibilities----
    Ms. Sanchez. Are you talking from a hardware or software or 
both standpoint?
    Mr. Thornton. Both, both. So the key is every system has--
in information technology world, we call them system 
architects--people whose responsibility purviews across all the 
technical components, ensuring that security responsibility is 
held at that level.
    Ms. Sanchez. Great.
    Anybody else? Mr. Lee.
    Mr. Lee. Yes, ma'am.
    To pick up on the comments about systems engineering, one 
of the things that we don't do a good job of is recognizing 
that when we approach the certification of networks or the 
software that operates those networks, the computers and the 
software that runs on them, the evaluation process desires the 
use of standards which are good in and of themselves because 
they provide a bound for the evaluation process.
    Unfortunately, most of the standards that we rely on were 
built when the Internet was being evolved and were conceived in 
an academic environment where trust sort of existed between the 
colleagues. But as we have gone into a cyber world we can no 
longer trust the users, and sometimes we can't even trust each 
other.
    So we need to perhaps take a step back and figure out are 
there some inherent vulnerabilities and standards that we use 
in architecting our systems that will perpetuate 
vulnerabilities that we just can't solve. If that is the case, 
we need to take a look at, from a system's perspective, what we 
might do to change that environment; and I believe that is 
where small business innovation fits right into the sweet spot 
of that solution space.
    Ms. Sanchez. Thank you, Mr. Lee.
    Mr. Ricketson, would you like to comment or----
    Mr. Ricketson. Yes, I would.
    I guess my comment is maybe to challenge the underlying 
assumption of the question. I am skeptical that we could find 
what you referred to, technical underpinnings. I think the 
history of the Internet shows that all of the hierarchically 
driven networks fell by the wayside, and the Internet, with all 
of its decentralization and messiness, was the best solution.
    So I am skeptical of vendors that would promote their 
underlying technical solution, and I am skeptical of an 
organized body that would decide to pick winners. I think that 
we have an Internet that is decentralized, and we need to work 
on the issues of trust and monitoring and statistical analysis 
and stay on top of it.
    Ms. Sanchez. I, too, had that question this morning. I am a 
little bit more--after having spoken to both the DARPA Director 
and to Zachary this morning, I think they are going both ways. 
I think they are doing a double track to ensure that maybe 
there are, and maybe they are not. So that is a keen 
observation that you have just made. But I think they are 
looking at it from both standpoints: Is there a better way or 
is the Internet, with all its failings, the way we are going to 
go?
    Mr. Miller, my ranking member, please, 5 minutes.
    Mr. Miller. I would like to--and I will keep it brief--talk 
a little bit about the impediments.
    Mr. Ricketson, you talked about it as far as your visit to 
your local SBA office. SBA, small business initiative research 
programs, technology transition programs have all been 
successful for small businesses. I mean, it has been proven so.
    You talked about some specific instances with the others. 
You didn't really go into great detail. But what I would like 
to know is, have you used them in the past? Did you see the 
same thing Mr. Ricketson saw when you tried to avail yourself 
of some of the programs that were there? And what changes would 
you recommend to allow for greater participation of companies 
like yours in the software field?
    So if I could start with Mr. Lee and then work back to Mr. 
Ricketson, I would appreciate it.
    Mr. Lee. Yes, sir, Mr. Miller.
    So to go right to your question, I think one of the 
advantages that the Defense Department may have is to follow 
the lead of DARPA that they did with their challenge program 
where they put a problem out there and bring--or ask people to 
bring solutions to them in competition for an award. That 
certainly exposes innovation and innovative technologies for 
use.
    And from a prior government-side person, the two questions 
one always had to ask a contractor with a great solution was, 
A, how much is it going to cost and how do I get to you? What 
is the contract vehicle?
    The contracting process is so cumbersome that it is very 
difficult to get innovation inserted into our existing systems. 
We can do pilots, and we can do cultivation and incubation, but 
the transition into the environment is very difficult.
    Many of the innovators like Apple and their iPhone go to 
the commercial marketplace because they can get out there 
quickly. They have to identify their certification 
implementation process.
    The government is an extraordinarily difficult labyrinth to 
navigate for the small businessman, and he necessarily has to 
get married up with a big innovator who has different 
motivations sometimes than the insertion of technology.
    So I think there is a challenge in how you weigh, on one 
hand, open competition kinds of activities and the other is the 
insertion of new and innovative technology to solve the 
problems that we have. The programs exist. It is in the 
transition into the environment that it seems to be just so 
difficult to solve.
    Mr. Thornton. Congressman Miller, I would answer your 
question in thinking about two different ways that the 
government helps streamline working with small businesses. 
One, driving requirements that require innovation, thereby 
giving the small business an equal footing on the playing 
field. And I would like to come back to that, because the other 
is more directly what you were asking, which is the programs 
that are in place for small businesses like ours to work with 
the government.
    I have been to a lot of seminars and sessions where small 
businesses complain that it is difficult to access the 
government and what have you. And I wouldn't sit here and say 
it is easy, but, in my experience, it is not all that much harder 
than the banking industry or the manufacturing industry in that 
the government demands that you understand their environment, 
that you understand their processes, that you understand how 
they do work.
    So I think part of it is a little bit of level setting the 
education or what does it take to work with the government. The 
programs were there for us, but we--our very first revenue as a 
company came through an SBIR [Small Business Innovation 
Research] program with the U.S. Air Force, and neither myself 
nor any of my founders had any connection with the Air Force. 
We simply worked our way through the system and found that. The 
National Security Agency has been very helpful, sponsored our 
company for the right clearances that we need.
    So I do think programs that are in place, from what I 
understand and from talking to other entrepreneurs, there could 
be more education. My counsel to those other entrepreneurs is, 
if you want to work with the government and sell to the 
government, you are going to need to hire people that work in 
that arena, just like we have hired people that have worked in 
the banking arena and can help us navigate.
    If I could finish on my first point, though. When 
requirements that the status quo are not good enough are fed 
from the government to the IT industry, that gives the small 
innovator a giant advantage. So, from my vantage point, that 
is, security of just my network, it is not good enough. I need 
security of my software. But there are opportunities for that in 
just about every realm of cybersecurity. Demand more or better 
than what is currently being offered by the status quo.
    Mr. Ricketson. Nothing much more to add than what I had 
said. I think my modest proposal is to simply bring the 
criteria ``does it help innovation'' into the small business 
programs. Every program that I mentioned there was--it was a 
worthy program. So I am not knocking any of those. But we just 
need to do more. Thank you.
    Ms. Sanchez. Thank you, Mr. Miller. Thank you, gentlemen.
    I will now call on my good friend, Mr. Smith, from the 
State of Washington for his questions.
    Mr. Smith. Thank you, and I appreciate the chairwoman 
holding this hearing. It is a critical issue for our 
subcommittee.
    I think that for the government to get small business more 
involved--the best ideas are out there, I believe, in the small 
business community, in many instances; and, as all of you have 
mentioned, it oftentimes is impossible for them to do business 
with the government and we in the government lose out, 
particularly on this subcommittee that works on IT 
infrastructure. But this expands out. We do a lot of work with 
the Special Operations Command. A lot of their needs require 
updated better technology, and small businesses are the 
companies that can provide it. So we appreciate that.
    I think most of the questions have been answered. I will 
just throw this out there, if you gentlemen have anything to 
say about it in particular. What is the one thing you would say 
we could change about our acquisition or procurement policy 
that would most help small businesses get greater access, have 
the opportunity to be able to sell what they make or their 
services to government, in this case the DOD?
    Mr. Lee. Sir, I would like to take a cut at that.
    I think that because we in the acquisition process tend to 
wind up with the big integration companies that have deep 
pockets that can navigate the bidding process system and know 
how to write a proposal that a government evaluator can read, 
understand, and accept, we tend to get the sameness of the 
solution competing on price.
    One of the things that might help is if there were some tax 
code incentives or other kinds of things where some of the debt 
and/or operating loss that a small business necessarily incurs 
while they are trying to do this innovative thing and get their 
product to market could be used somehow by the large integrator 
to help offset some of his financial activity. He may be 
incentivized to try to bring in some of the new innovative or 
novel ways to solve some of these cyber problems.
    Some of the people that I have worked with have taken a 
systems engineering perspective and have a new way of looking 
at the networking architecture to be able to insert distributed 
defense-in-depth kinds of activities, firewalls, for example, 
instead of building it at the boundary like the Maginot line. 
But that technology is extraordinarily difficult to stick into 
the system because the large integrators are unfamiliar with it 
and just don't have a way.
    Mr. Smith. Shouldn't there be a way to do this without the 
large integrators, in some instances? I guess that is--we have 
small businesses come to us all the time; and, regrettably, one 
of the first things we have to tell them is here is the eight 
biggest defense companies; find one and partner with them. But 
shouldn't there be a way that a small business can simply do it 
without having to go to a large integrator?
    Mr. Lee. Sir, one of the problems from my perspective is 
that the evaluation and certification process has so many 
people demanding ``certify me'' because it is great to have 
that certification label on your product. And, in some cases, 
particularly for government networks and environments, you need 
that evaluated product certification in order to even be 
considered. If you don't have the champion inside the 
government pulling on your solution, then you need that 
integrator to be pushing you into the environment as part of a 
systems approach that he has recommended or has been hired to 
implement.
    Mr. Smith. What I would like to do--and it is something we 
have worked on a lot with different companies--is get the 
acquisition people out there to be looking for you guys. 
Instead of seeing one of you guys coming and going, they don't 
know what they are doing, better call somebody bigger, they 
say, I am going to take a closer look.
    So I think, from our perspective, we need--and this has 
particular application on the cybersecurity side. Because, as 
you gentlemen have noted, you are cutting-edge innovators on 
that, in many instances, but we need acquisition people who can 
move past that.
    I accept your answer. I am running out of time. I don't 
know if the other two gentlemen wanted to comment at all on how 
you would change the process.
    Mr. Ricketson. My big idea may not actually be a good idea. 
I would love to have someone validate it. So my idea--I make a 
technical claim. That technical claim may or may not be valid. 
Even if it is valid, it may or may not forward the mission.
    So I will give you an example. We have a search capability 
that is supposed to scale. That means you can search into huge 
amounts of data. The word ``petabyte'' comes up. The petabyte 
is bigger than I can count, and products break down in 
situations of stress like that.
    So if there is a technical intermediary that represents the 
government that can take a claim and say, yes, this is true and 
has the credibility inside the government with the technical 
sponsors, that is a major step forward and is independent and 
is a level playing field between a big and small company. It is 
just about the idea.
    Mr. Thornton. And, Congressman Smith, if I can add--and I 
will caveat with I am not an expert in Federal acquisition. So 
this is an idea from a person who----
    Mr. Smith. That may be helpful, actually, that you are not 
buried in the minutia of Federal acquisition and can simply 
look at it from a practical standpoint. But go ahead.
    Mr. Thornton [continuing]. That is what I was thinking, is 
when I--in my experience, I have seen the Federal Government 
make some really smart acquisitions and other times where I 
questioned it, whether it was the best technical solution. One 
thing I noticed was the technical capability to define the 
requirements were employees of the Federal Government. I can 
give some examples. But, in general, when the system integrator 
is writing the requirements for the Federal Government, I think 
a lot of times those requirements are going to be not demanding 
the highest, latest innovations.
    So maybe a radical shift in theory but building up the 
capabilities inside of each of the agencies to have some top-
of-field technical people that can drive requirements, from 
personal experience I have seen that work quite well.
    Mr. Smith. That makes a great deal of sense.
    I think two directions we need to go in to get there. We 
have talked about this in a number of contexts, but our 
somewhat obsessive reliance or I should say excessive reliance 
on contractors since 9/11 has downgraded the number of people 
within the acquisition process who are talented and 
knowledgeable. There just aren't as many of them there, for one 
thing.
    But the second thing I always want to emphasize is to 
empower those people. I think part of what drives some people 
out who do have experience in the acquisition process is, if 
you are the type of go-getter, really knowledgeable, you are a 
person who wants to be empowered, you want to know if you make 
a smart decision you can implement it and see the result of it.
    If you are in the acquisition process and you can't make 
the decision and say, you know what, this company or--to your 
idea--this guy has this idea and you know what, it works, it is 
great, it is what we are going to do, but I cannot do it 
because there is an 18-month procurement process and it doesn't 
fit the RFP [Request for Proposal] that was written sometimes 2 
years ago. It doesn't really fit that RFP. So I would have to 
go back in, I would have to change the RFP, I would have to go 
through another 12 months, and then I come back to you and you 
go I don't remember who you are because it has been so long. So 
I think we need to empower people within the acquisition 
process.
    Thank you, Madam Chairwoman.
    Ms. Sanchez. I like the observations you made, Mr. Smith.
    And, of course, the other problem is, at a time when we 
have such a calling on the government to stop making government 
bigger and having this push to somehow--it is difficult, 
because we are dealing with very complex issues. We are dealing 
with people who get paid a lot of money. Everybody who is worth 
their salt in your industry is making money, and then we want 
them to come and work for the Federal Government. So that----
    Mr. Smith. If I could just comment. It is not a matter of 
making the government bigger. It is a matter of making it 
better. And we are paying the contractors. We are paying for 
those RFPs. We are paying for this acquisition process, which 
in many cases just winds up costing more. So I think you can 
accomplish both.
    Ms. Sanchez [continuing]. Well, we always try to do that, 
and I think that is part of what we did in the slimmed-down 
acquisition programs that we are putting in place led by Mr. 
Andrews. But there is always that overlap time where we are 
trying to get out of one system and really make the other 
system work, and it is a difficulty. So I would agree with you. 
It is just difficult how we get to that.
    Mr. Ricketson, you said at one point in your testimony that 
we should encourage small business policy, that we should 
change small business policy or make small business policy to 
encourage innovation. If you were a Congressperson sitting up 
here and you wanted to change small business policy of the 
government to encourage innovation, how would you go about 
that? What would you propose would be----
    We have already got our small business innovation programs. 
We have pilot programs. We have got Mr. Lee saying, well, you 
know, the problem really isn't that you are not encouraging 
innovation in small business. By having some of these programs 
is when you get to a point these programs, that falls off--when 
we tell you, okay, here, we are going to throw you out of the 
nest and go fly, there is nobody to help you figure out how to 
fly as you spiral downwards into never-never land.
    So what would you say? If you were a Congressperson, when 
you say change small business policy or mold small business 
policy to encourage innovation, what would that look like? 
Because we also have R&D [Research and Development] tax write-
offs, for example. What would be--from your angle, what does 
that mean to you?
    Mr. Ricketson. I am honored to be asked, though I come here 
from the perspective of our small company trying to move 
forward, seeing some hindrances, offering constructive 
suggestions about areas to focus on. Far be it from me to make 
a lot of specific proposals.
    However, a comment you made a minute ago I wanted to 
respond to that I think is relevant. All of us--there is the 
challenge of big government versus--bigger government versus 
what we want government to do. And in the area of fostering 
innovation, small amounts of money at earlier stages yields 
much better returns than large amounts of money that are 
deployed in mature programs. So I would encourage the 
government to provide for small businesses that have ideas that 
seem like they might be interesting, services that eliminate 
those companies having to come up with the money and take that 
risk themselves.
    So a suggestion a moment ago, which is some technical 
claims are difficult to validate because they take an 
infrastructure that is beyond the small company to fully judge. 
And a technical claim goes beyond technology but also involves 
risk. Large companies, large integrators, complex procurement 
programs are, to some extent, a proxy for risk assessment. So 
if you can at least ask the organizations that are assigned to 
look after technology and small companies to bring innovation 
into their criteria and find ways to measure whether they are 
doing a good job, we are going in the right direction.
    Ms. Sanchez. The problem for somebody who is working in the 
government--I am not talking about us, because we are taking 
risks all the time. We have 2-year jobs, and then we have to go 
out and campaign again--is that it seems to me within the 
Federal Government, from what I learned, is that somebody who 
goes with the known quantity, a Rockwell or a Raytheon or 
something, is never going to get in trouble if he suggested or 
gave the contractor somebody like that. Because when those guys 
mess up--and somewhere along a large project there are a lot of 
mess-ups. You have to look at some of the subcommittees I have 
had before to know all the failings that I have seen. Well, it 
couldn't be done. We are the biggest, we are the best, and it 
couldn't be done. Or we just--you scoped it wrong or the specs 
were wrong.
    But if a government employee goes and gives it to a small, 
innovative company and you do fail, then it is like, well, 
didn't you know that was going to happen? Here is a company 
that has no track record or doesn't have the resources to cover 
the losses or look at all the time we have wasted.
    So it is really--it is a very difficult thing when I look 
at these government employees to be able to really take that 
type of risk.
    I would also say that is one of the reasons why we put 
DARPA in, because that is our risk taking, that is almost throw 
caution to the wind and go with bold ideas. It is almost a 
contrarian type of an agency.
    So I don't know if we need more DARPAs or what we need in 
order to give government ability to feel comfortable working 
with so many of these new issues and what is really a risk to 
your environment by definition because it is new and a bad 
attack of cybersecurity can get to all of us at once.
    Mr. Miller, do you have any other questions?
    Mr. Miller. Yeah. I would like to follow up on Mr. Smith's 
line of questioning in regards to insourcing.
    I would say that in the First Congressional District it is 
of great concern not only to me but to some of my constituents 
because I believe that the standards used in determining which 
jobs are to be insourced don't really use any true methodology. 
I think that, in many cases, the numbers seem to be arbitrary.
    But what I want to know and, Mr. Thornton, you had--when we 
were talking a minute ago, you were nodding your head. I 
couldn't tell if it was in agreement or dissent. My question 
is, have any of your companies been affected by DOD's 
insourcing? And, if it has, could you explain and offer your 
guidance to the committee on what jobs could be insourced from 
your field?
    So, Mr. Thornton, if you would; and then if the other two 
want to chime in, you can. If not, that is fine, too.
    Mr. Thornton. Thank you, Congressman Miller.
    I cannot say specifically that we have been affected by 
insourcing on any particular instance, but I can give an 
example where the government had in its employ some very sharp 
technical people that were ultimately driving the architecture 
of a major purchase. And this was at the Veterans 
Administration [VA], some of the people that work for Mr. Baker 
there, very technically astute, as good as you are going to 
find in private industry and what have you. And when you have 
an environment like that, the government as a customer is being 
very clear in terms of its expectations of your technical 
performance.
    I could cite some other examples where our company is 
working with a large integrator and the government employees 
are more program managers and financial folks and it is really 
the large integrator that is driving the technical 
requirements. And from my not expansive number of times I have 
seen that--I have only seen that a couple of times--it does 
make sense to me what Congressman Smith was saying. Were the 
government able to insource technical architecture, empowered 
individuals that can drive requirements, we will probably end 
up with more effective, cost-effective, more demanding 
requirements.
    Now, what does that mean to small business? I believe in my 
heart of hearts more demanding requirements is an unfair 
advantage for small business. When you ask for something that 
is not currently being built today, more times than not it is a 
small business that is going to be able to meet that 
requirement than a large company.
    And so one other way I might contrast that. My company does 
a lot of work with the Federal Government and a lot of work 
with the banking industry. As I mentioned with the VA, there 
were technical people in there that could easily work in the 
banking industry and drive the same requirements. Just about 
every bank we come into has technical people that manage the 
entire requirements process, set the bar for what is good 
enough, determine if the small business is making legitimate 
technical claims or not and really own that. And as we talk 
here today--this is not an idea I came to bring to you, but as 
I listen to the discussion that does make a lot of sense to 
me--I think you would benefit from that.
    Mr. Lee. Mr. Miller, I think one of the issues you have in 
trying to insource is--I am going to bet, looking at us, that 
my colleagues and I grew up shortly after Sputnik went up and 
the Mercury space program kicked off and the United States went 
nuts for science and math and engineering expertise and the 
kids that I was growing up with were focused on that.
    The kids today are not as focused on that. We see our 
universities, particularly engineering schools, being more 
inundated by foreign students who take that expertise home. 
Those are the people that you need, the young kids coming out 
of school that you need to figure out a way to incentivize into 
the government.
    Unfortunately, there is a whole culture that seems to 
believe that a government job is, A, to serve the Nation but 
more, and as importantly, to generate a good pension coverage 
for when you get older. So the issue becomes, how do you 
incentivize those kids to come into the service, the government 
service to do the engineering work needed in order to make sure 
we are pulling the best out of the small business and getting 
it into our processes?
    I don't know if you can think outside the box and say, 
well, let us have a project, maybe run by DARPA, maybe run by 
some other organization. I know the services all have good and 
vibrant laboratories that do innovative things. Perhaps you run 
a pilot effort for a 2-year initiative to suspend the FAR 
[Federal Acquisition Regulations] and the DFAR [Defense Federal 
Acquisition Regulations], write some letter contracts and see 
what we can do, as my colleagues have said. And if the 
technical expertise and the delivery is good and the government 
side can figure out that it is good and can understand how to 
specify that on a grander scale, you now are in a position that 
government has learned, industry has learned, and we got out 
from under the acquisition umbrella that just seems to impede 
the process, which seems to be where we constantly found 
ourselves stuck in the labyrinth.
    Ms. Sanchez. Well, do you have any more questions, Mr. 
Miller?
    Mr. Miller. No.
    Ms. Sanchez. Okay. We are going to have votes in a few 
minutes so we will conclude this, but I just wanted to make 
some observations.
    I can't tell you how many times--and I live in Orange 
County, California, which is, as you know, an innovative--we 
carry the innovative agenda, as so many in California, and 
especially the defense, the aerospace, NASA [National 
Aeronautics and Space Administration]-driven issues, we have a 
lot of small companies that work in Orange County that have 
their people in Orange County, and there have been plenty of 
times I have seen where these small companies come to the 
Federal Government--they come to me and they say, we really 
have some ideas, and someone needs to hear these. You need to 
help us. Of course, we start banging on doors and stuff.
    The reality is, it is very difficult. As you say, unless 
you have someone who has been in the Pentagon day in, day out, 
or contracting, it is a very difficult thing for a small 
business and they really can't afford tons of lobbyists and 
specialists and everything and to put them out there for a year 
or two.
    As many of you know, the specs are written with, you know--
because a technical aspect may not be within one of the 
government departments that is doing this, they rely a lot on 
industry coming in and talking to them about what those specs 
for those RFPs should be. That is a long process. It is usually 
a year, two, three years before you see the RFP; and it has 
been written by somebody who already, you know, knows it is 
coming out. And yet you have the small business who wants to 
compete. It is very difficult, and they can't afford to 
compete. That is the truth.
    So we do need to find a new way in which we allow this 
innovation to get in here. Because I certainly see it out in 
the commercial area day in and day out where I live out there 
in California, and you don't see it here as much in Washington, 
DC.
    So I would hope that if you do have, given that some of you 
have hit your head against that wall or been at companies or 
heard stories, that you might do us a favor of sitting down and 
writing specifics about what we might change, what we might 
really try to change in order for these innovative ideas to get 
a fair shake out here in Washington, DC. That is what this 
subcommittee is about, at least with respect to the Department 
of Defense.
    I want to thank all of you for being here today. We really 
appreciated your testimony, and I would appreciate any follow-
up that you might have to this issue that I just laid out.
    Thank you very much. The subcommittee is now adjourned.
    [Whereupon, at 3:05 p.m., the subcommittee was adjourned.]

      
=======================================================================




                            A P P E N D I X

                             July 28, 2010

=======================================================================

      

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             July 28, 2010

=======================================================================

      
      
    [GRAPHIC] [TIFF OMITTED] T8232.001