Pages

25 March 2023

DoD’s Software Acquisition Strategy Could Result In Dangerous Security Vulnerabilities

Dan Gouré

The Department of Defense (DoD) is about to acquire enterprise software in a way that could grant one company a near-certain monopoly and potentially create serious cybersecurity risks. For years, the Pentagon has licensed Microsoft’s Office 365 (O365) as the basis for its essential productivity functions. But now the department is poised to acquire a particular version of Office 365 with enhanced features, particularly related to cybersecurity.

While some would argue that this is an efficient solution, depending on one software bundle that does everything from e-mail and word processing to advanced security may not be the most effective or safe approach. Buying the enhanced license will not only extend Microsoft’s virtual monopoly on productivity software for the Pentagon, but lock DoD into reliance on its security applications. In the constantly evolving world of cyber threats and responses, it is a serious mistake to rely solely on one company for all network security needs.

For years, when it comes to back-office and productivity software, DoD has been like the proverbial Tower of Babel, with different services, components, agencies, and offices relying on distinct and often incompatible applications. This resulted in enormous inefficiencies and unnecessarily high costs. Depending so much on a myriad of different applications and associated databases also created barriers to the exchange of critical information and vulnerabilities that could be exploited by cyber threats.

The defense department went through a long struggle to move away from legacy back-office and productivity software in favor of a single, unifying set of capabilities able to integrate the work of the entire defense enterprise. Finally, it settled on one: O365. While Microsoft products were widely used through DoD, it now will define a single suite of applications as its go-to capability.

For the defense department, the Defense Information Systems Agency (DISA) is making O365 the standard for cloud-based back-office and productivity software through the Defense Enterprise Office Solution, or DEOS, contract. This means millions of laptops and devices across DoD will use O365, otherwise known as DoD365.

O365 has a number of versions from which clients can choose. The most advanced version of O365, E5, includes everything in Office 365 E3 plus advanced capabilities, particularly for security. The versions acquired by the Pentagon must meet additional departmental and federal security standards.

As O365 is installed on millions of DoD computers and devices, the department became concerned that it was leaving itself open to major security problems. In response, DISA is reported to have decided to acquire a license for the E5 version of O365 in order to avail itself of the enhanced security features.

While it might make sense to standardize all back-room and productivity software on the O365 suite of applications and, in view of security concerns, acquire the E5 variant, there are significant downsides to the pending acquisition decision. According to a 2021 study by Omdia, Microsoft’s share of the U.S. government’s office productivity market is a staggering 85 percent. This is a virtual monopoly, or what the study calls a “monoculture.”

Even if Microsoft does not exercise its monopoly position to increase prices, its sheer dominance of this software sector may create inertia in government software acquisitions that favors Microsoft. Pentagon procurement officials would be able to justify limiting procurement of productivity software to Microsoft products based on the company’s current dominance across DoD. As a consequence, smaller firms will be frozen out of future acquisitions, resulting in less competition and innovation.

The decision to acquire a department-wide license for the E5 version of O365 is particularly problematic. The software ecosystem that O365 represents is so massive and complex that it inevitably has security vulnerabilities that hackers can exploit. The Cybersecurity and Infrastructure Security Agency has documented numerous vulnerabilities in Microsoft’s Windows operating system. These could be exploited by hackers to gain entry into government communications and databases. Once inside the network, the ubiquity of Microsoft products across the defense department provides an open highway for hackers.

DISA’s decision to rely largely, if not exclusively, on Microsoft security products with the E5 license poses additional potential serious risks to national security. In effect, Microsoft is being asked to secure itself. This creates an inherent conflict of interest. Will the company focus its attention and resources on expanding O365’s productivity software or fixing vulnerabilities and improving security features?

In addition, by relying on Microsoft to secure its own ecosystem, DoD risks vendor lock. In the ever-changing world of cyber threats, it is important that acquisition officials seek out the best in class when it comes to security capabilities. While having a single vendor across any enterprise may seem appealing for efficiency and near-term potential cost-saving measures, the defense department risks relying on inferior security products to defend its network while also creating innovation and independent auditing deficiencies.

It is problematic to have a single provider on contract for both functional software such as enterprise productivity applications and also for security software that, among other functions, is required to monitor and assess the status of the functional software. It makes better sense for the provider of cloud services and security capabilities to be separate entities. The lack of a third-party operator or an independent entity for cybersecurity leads to vulnerabilities across the enterprise. There is merit in having independent providers focused on the core responsibility of defending a software ecosystem.

Federal agencies in general and DoD in particular should pursue fair and open competition that ensures procurements for cybersecurity solutions are based on technical merits and the total cost of ownership. This is best done by competitive procurements requiring companies to compete head-to-head on the merits of the effectiveness of their cybersecurity solutions and total cost of ownership to the agency. The government should avoid procurements in which functional software and security software are provided from the same source.

No comments:

Post a Comment