Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 45
2
Accept Uncertainty:
Attack Risks and Exploit Opportunities
INNOVATION, PRECEDENT, AND DYNAMISM
Experience shows that there is a correlation between the degree of software system precedent,
routinization, and stability, on the one hand, and the ability to deliver results with predictable cost,
schedule, and operational test and evaluation (OT&E) success, on the other. Many of the Department of
Defenses’s (DoD’s) information technology (IT) systems are precedented, as are significant portions of
mission systems. These include the office automation and back-office systems for business operations
that are increasingly conventionalized in both commercial and national security contexts. There are
precedents for such systems in numerous institutions and environments. Such conventions enable the
DoD to build on wide internal experience, other government experience, and commercial experience,
reducing the uncertainty associated with predicting the outcomes of particular design decisions. This
happens when similar decision points have been experienced in other settings, experience was gained,
and it has been possible to transfer that experience to new projects that are sufficiently similar. For
precedented development efforts, managers can project plans further into the future of a development
process with higher accuracy. They can focus more closely on optimizing cost, schedule, and other fac -
tors while managing the various tradeoffs involved. For these routine systems, the DoD benefits when
it can adjust its practices to conform to government and industry conventions, because it is then able to
build more directly on precedent and also exploit a broader array of more mature market offerings.
The largest producibility challenges for the DoD come from its need for unprecedented, innovative
systems that can be rapidly adapted. The mission of the DoD requires it to constantly move forward in
advancing the capability of its systems. The committee uses the term “unprecedented” to refer to systems
concepts, designs, or capabilities that are not similar enough to the existing base of experience to benefit
from fully following an established pattern. As a result, development efforts may involve greater risk
(see next section). This report calls these innovative and agile projects software-intensi�e inno�ati�e de�el-
opment and reengineering/e�olution (SIDRE) efforts and focuses much of its attention on them. It must be
recognized, however, that most unprecedented systems designs, including very-large-scale interlinked
systems, generally incorporate significant portions that are themselves precedented and possibly also
associated with established commercial or open-source ecosystems.
4�
OCR for page 45
4� CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
Precedented Systems
Put simply, engineering practices and technology choices for precedented systems (such as stable
back-office systems capabilities) are guided by convention (such as commercial best practices for such
systems), while engineering practices and technology choices for unprecedented systems and compo -
nents are guided by processes for mitigating engineering risk. In fact, there is a constant pace of innova -
tion even for seemingly established functional capabilities, such as back-office systems, with some areas
of innovation and other areas that are more guided by convention.
Following precedent may require engaging in a process of adapting previously unique business
practices to reflect more “standard” or “conventional” operations practices that are more readily sup -
ported within mainstream systems and ecosystems, particularly when there is correspondence with
modern back-office systems in the commercial world. This adaptation of functional goals to achieve con-
sistency with normative practice is an explicit part of the commercial requirements engineering process.
The DoD and other government agencies may struggle more because they may find it more difficult to
compromise, and for many good reasons. But the extent to which the DoD can find commonalities (and
avoid unnecessary differentiation) with other government agencies creates opportunities for major cost
reduction, risk reduction, and process simplification.
Unprecedented Systems
As noted in the previous chapter, the need to develop unprecedented systems is a consequence of
the highly complex and rapidly evolving operational environment within which the DoD must oper-
ate and execute its mission. Complexity is increasing, as is the difficulty of the threats and challenges.
Highly capable information technology is now ubiquitous worldwide, and adversaries have ready access
to cutting-edge technology. Mission and deployment priorities are constantly shifting. The DoD must
collaborate extensively with other agencies, nongovernmental organizations (NGOs), coalition part -
ners, and others in constantly changing configurations over which the DoD has no control. Operational
decisions are derived from a broad diversity of inputs. Command-and-control models must adapt to
rapidly evolving threats. Success in this environment depends on systems designed for flexibility, agility,
and robustness, but it also requires flexibility, agility, and robustness in the process by which systems
are developed and continue to evolve. There is much less opportunity to rely on precedent and much
greater requirement to undertake a process of ongoing innovation. This process of innovation entails
acceptance of certain categories of risks. (See Box 2.1 for details.)
Commercial best practices have also evolved for developing unprecedented systems. Air traffic
control, telecommunications switches, middleware (such as from IBM and Oracle), operating systems
(such as from Apple and Microsoft), and large-scale web applications (such as from Google, Facebook,
and Amazon) have been developed under commercial best practices with varying degrees of success.
However, these large-scale, unprecedented systems emerged over a period of years from market oppor-
tunity without a specification-driven need, while others did not. Besides business savvy, the main criti -
cal success/failure factors in these situations have involved the ability to assess potentially disruptive
technologies and competitor strengths, and the corporate agility to adapt to change. 1
This chapter addresses the processes and practices by which these risks can be understood and
addressed in the engineering of systems. A principal conclusion is that a well-managed incremental
(iterative) process, supported by appropriate evaluation and measurement approaches, can more reli -
ably lead to successful outcomes even when there are significant engineering risks. On the other hand,
attempts to produce innovative or unprecedented systems using familiar linear (“waterfall”) processes
1Michael Cusumano and David B. Yoffie, 1998, Competing on Internet Time: Lessons from Netscape and Its Battle with Microsoft, New
York: The Free Press. See also Clayton M. Christensen, 1997, The Inno�ator’s Dilemma: The Re�olutionary Book That Will Change the
Way You Do Business, New York: Harper Business. See also Robert L. Glass and P. Edward Presson, 2001, ComputingFailure.com:
War Stories from the Electronic Re�olution, Upper Saddle River, NJ: Prentice Hall PTR.
OCR for page 45
4�
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
can very often lead to unhappy surprises—late-breaking negative feedback regarding early design com -
mitments that, when learned at a late stage in the process, can be very costly to revise. That is, what
appears to be a “safe,” conservative decision to follow the most basic process is in fact a dangerous
decision that can drastically increase programmatic risk—and the possibility of total project failure. 2
The key features of a well-managed incremental process for innovative systems are (1) measurements
that are informative and relevant, and (2) process feedback loops that are relatively short, with potential
major reductions in programmatic risk.
For many of the innovative systems at the heart of the DoD’s software producibility challenge, the
details of the future requirements are not—and in many cases cannot be—fully understood. Thus the
need to innovate is made more challenging by the simultaneous need to be agile as requirements neces -
sarily evolve over time.
MANAGING RISk AT SCALE
There are attempts to manage innovative software development following process patterns more
appropriate to precedented systems and to established predictable engineering disciplines. One con -
sequence is that linear development processes are inappropriately used despite the presence of high
engineering risk (and requirements risk also), with the consequence that those engineering risks are
unnecessarily transformed into increasing project risks. A second consequence is that there is unjusti -
fied emphasis on achieving excessive precision at the outset regarding functionality desired by the user,
choices of infrastructure platforms, and possibly also economic tradeoffs in various complex dimensions
of quality. This drive for excessive precision in these areas can yield a surfeit of specifications and other
early design artifacts, which may in fact give only false comfort—and lead to downstream scrap and
rework.
This is because these process patterns do not account for the engineering risks and uncertainties
inherent in developing innovative software, where there are no laws of physics and materials to constrain
solutions to particular structural patterns. In precedented software, the structural patterns derive from
established software ecosystems and from the body of precedent. In innovative SIDRE systems, these
patterns are lacking, which is both advantageous, in that opportunity is afforded for innovation and
creativity, and also disadvantageous, in that greater levels of uncertainty must be addressed.
Modern governance approaches for larger systems must account for the management of uncer-
tainty. At scale, they must exploit collaboration among distributed teams and in rich supply chains for
which there is a continuous negotiation of scope, quality, and resources to balance the opportunities in
delivering more value with the uncertainties inherent in software development cost and scope targets.
That is:
It is important to treat scope, plans and resources as �ariables (not frozen baselines) and explicitly manage
the �ariances in these �ariables until they con�erge on acceptable le�els to commit a project/product to full scale
production.
Fortunately, recent DoD and NRC studies3 have resulted in some very initial steps, as evidenced in
2 Some program managers sarcastically refer to an inappropriately used linear (waterfall) process model as the “requirements,
delay, surprise” process model. Fred Brooks’s recent book, The Design of Design (Boston: Addison-Wesley, 2010), succinctly con-
cludes, “The Waterfall Model is wrong and harmful; we must outgrow it.” This point was also made in Fred P. Brooks, 1987, “No
Silver Bullet—Essence and Accidents of Software Engineering,” Information Processing 20(4):10-19.
3 Assessment Panel of the Defense Acquisition Performance Assessment Project, 2006, Defense Acquisition Performance Assess-
ment; see also NRC, Richard W. Pew and Anne S. Mavor, eds., 2007, Human-System Integration in the System De�elopment Process:
A New Look, Washington, DC: National Academies Press. Available online at http://www.nap.edu/catalog.php?record_id=11893.
Last accessed August 20, 2010; and National Research Council (NRC), 2008, Pre-Milestone A and Early-Phase Systems Engineering:
A Retrospecti�e Re�iew and Benefits for Future Air Force Acquisition, Washington, DC: National Academies Press. Available online at
http://www.nap.edu/catalog.php?record_id=12065. Last accessed August 20, 2010.
OCR for page 45
4� CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
Box 2.1
Programmatic, Engineering, and Systems Risk
Programmatic Risk
Programmatic or project risks pertain to the successful completion of engineering projects with respect
to expectations and priorities for cost, schedule, capability, quality, and other attributes. A principal influ-
ence on programmatic risk is the process by which engineering risks are identified and addressed. This
applies particularly to engineering risks related to architecture and ecosystems choices, quality attributes,
and overall resourcing. With innovative projects, programmatic risk can be reduced through use of iteration,
incremental engineering, and modeling and simulation (as used in many engineering disciplines). Program-
matic risks that derive from overly aggressive functional or quality requirements, where engineering risks
are not readily mitigated, are often best addressed through moderation on the “value side,” for example,
through scoping of functional requirements. Indeed, for ambitious and innovative programs—those char-
acterized as “high risk, high reward”—for identifying and sorting engineering risks, it is often most effective
to focus as early as possible on architecture. Once overall scope of functionality is defined, architecture
risks may often dominate the detailed development of functional requirements.
A well-known example of negative consequences of unmitigated programmatic risks is the FBI Vir-
tual Case File (VCF) project.1 The project is documented in the IEEE Spectrum: “The VCF was supposed to
automate the FBI’s paper-based work environment, allow agents and intelligence analysts to share vital
investigative information, and replace the obsolete Automated Case Support (ACS) system. Instead, the FBI
claims, the VCF’s contractor, Science Applications International Corp. (SAIC), in San Diego, delivered 700,000
lines of code so bug-ridden and functionally off target that this past April [2005], the bureau had to scrap
the US $170 million project, including $105 million worth of unusable code. However, various government
and independent reports show that the FBI—lacking IT management and technical expertise—shares the
blame for the project’s failure.”2
Eight factors that contributed to the VCF's failure were noted in a 2005 Department of Justice audit.
These included “poorly defined and slowly evolving design requirements; overly ambitious schedules; and
the lack of a plan to guide hardware purchases, network deployments, and software development for the
bureau. . . .” Finally, “Detailed interviews with people directly involved with the VCF paint a picture of an
enterprise IT project that fell into the most basic traps of software development, from poor planning to bad
communication.” (Today, 5 years later, the program has been scrapped yet again.)
Supply chain risk is an area of engineering risk that is growing in significance and that often develops
into programmatic risk. This is evident in the DoD’s increasingly complex and dynamic supply-chain struc-
ture, with particular emphasis on concerns related to assurance, security, and evolution of components and
systems infrastructure. This risk can be mitigated through techniques outlined in Chapters 3 and 4 related
to architecture design, improved assurance and direct evaluation techniques, multi-sourcing, provenance
assessment, and tracking and auditing of sourcing information. Supply chain risk is particularly challenging
for infrastructure software and hardware, because of the astonishingly rapid evolution of computing tech-
nologies, with commercial replacement cycles typically every 3 to 5 years. In the absence of careful planning,
this means that early ecosystem commitments can potentially create programmatic risks in downstream
1Ben Bain, 2009, “FBI Pushes Back Completion Date for Sentinel File System ” November 10, 2009, Federal Computer
Week. Available online at http://fcw.com/Articles/2009/11/10/FBI-Sentinel-IG-report.aspx. Last accessed August 20, 2010.
2 Harry Goldstein, 2005, “Who Killed the Virtual Case File?” IEEE Spectrum 42(9):24-35. Available online at http://
spectrum.ieee.org/computing/software/who-killed-the-virtual-case-file. Last accessed August 20, 2010. See also James
C. McGroddy and Herbert S. Lin , eds., 2004, A Review of the FBI’s Trilogy Information Technology Modernization Program,
Washington, DC: National Academies Press. Available online at http://www.nap.edu/catalog.php?record_id=10991. Last
accessed August 20, 2010. See also the subsequent NRC letter report, 2004, Letter Report to the FBI, James C. McGroddy
and Herbert S. Lin, eds., Washington, DC: National Academies Press. Available online at http://www.nap.edu/catalog.
php?record_id=11027. Last accessed August 20, 2010.
OCR for page 45
4�
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
system-refresh cycles, when shifts in vendor strategy may create unanticipated incompatibilities. Indeed,
vendors may often institute incompatible changes in interface specifications in their ecosystems in order to
force user organizations to stay current with evolving technology. Thus, the advantage of “riding the curves”
with off-the-shelf infrastructure must be weighed against the loss of control by program managers. But this
is not a simple tradeoff, since savvy architects have ways to structure systems to increase the possibility of
“having it both ways” in many cases.
Related to supply chain is another kind of programmatic risk, derived from conflicting business incen-
tives. This kind of risk is often present in projects focused on enhancing interoperation among systems.
With interoperation, for example, data from sensors for one system can be used to enhance situation
awareness models in another system. Indeed, one of the strong arguments for net-centric approaches is the
benefit of broad sharing of sensor data to enhance situation awareness and better inform tactical decision
making.3 Despite the natural drivers for interlinking, there are risks and difficulties. A critical system risk, for
example, relates to security—poor architectural decision making at the outset could mean that successful
attacks could result in amplified consequences, due to the larger scale of the overall system.
There are also programmatic risks relating to potential conflicts in the business and mission interests of
the organizations responsible for the entities being interlinked. Vendors, for example, who are competing
at the level of ecosystems may see interlinking as an opportunity for competitors to benefit from network
effects associated with acceptance of the ecosystem by users—that is, interlinking with competitor systems
may be perceived as a threat to investment in ongoing ecosystems enhancement. There are also circum-
stances under which DoD contractors may also see enhanced interoperation (and open architectures, more
generally) as a threat to lock-in and an enhancement to opportunities of competitors.
Engineering Risk
Engineering risks pertain to uncertainties and consequences of particular choices to be made within
an engineering process. High engineering risk means that outcomes of immediate project commitments
are difficult to predict and consequently raise programmatic risk. Engineering risks can relate to many
different kinds of decisions—most significantly architecture, quality attributes, functional characteristics,
infrastructure choices, and the like. Except in the most routinized cases, much of the practice and tech-
nology of software engineering is focused not only on system capability, team productivity, and resource
requirements for development, but also on the reduction of the engineering risks that unavoidably arise
in unprecedented developments.
As DoD and commercial systems evolve with more and more functionality delivered in software, sys-
tems engineering and software engineering techniques are intersecting, leading to a critical area for new
research and the advancement of practice. The challenge is three-fold. First, traditional decision support
techniques need to be enhanced to address the diverse kinds of software engineering risks. Second, there
is need for modeling, simulation, prototyping, and other “early validation” techniques for many different
kinds of software engineering decisions, for example, those related to architecture, requirements, eco-
system choice, tooling and language choice, and many others. Third, system engineering models must be
developed through which appropriate “credit” can be given in earned value models for activities that miti-
gate identified engineering risks. This entails addressing a range of challenges related to measurement and
process design. Development of techniques to meet these challenges would benefit commercial industry
as well as the DoD.
An example of the identification and resolution of engineering risk is described in a workshop report
3 Metcalfe’s Law is an observation on network effects, stating that the “value” of a telecommunications network grows with
the square of the number of nodes in the network—when the number of nodes in a complete graph doubles, the number
of edges roughly quadruples. Of course, there are other ways scale influences “value” that may make actual value greater
or less than quadratic. But regardless of the model, it is clear that the effects are super-linear. This observation explains the
forces that drive the coalescing of separate networked systems into aggregates, including the internetworking initiatives of
the 1970s that coalesced diverse computer networks into the Internet.
OCR for page 45
�0 CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
Box 2.1 Continued
produced by this study committee.4 This case study concerns the internal ecosystem at Amazon.com.
Amazon evolved from a relatively straightforward e-commerce model into a highly complex aggrega-
tion of sellers and buyers, with a business model that depended in part on realizing the synergies of
this aggregation and the growth in scale. “Amazon builds almost all of its own software because the
commercial and open source infrastructure available now does not suit Amazon.com’s needs.” When
it became clear that initial architectural approaches needed to be enhanced, a critical decision point
was reached, with developers at Amazon facing a choice between a “goal of building the ‘perfect’ sys-
tem (the ‘right’ system) whatever the cost” and a very different and “more modest goal of building a
smaller, less ambitious system that works well and can evolve.” Developers recognized that trying to
build the best possible system was a long, difficult, and potentially error-prone process. It also forced
anticipation of a comprehensive set of potential downstream business models. The developers instead
adopted an approach designed to support evolution and rapid organic growth. It necessarily embodied
fewer assumptions regarding the business model, but it was designed to be adaptive and robust. This
led to greater emphasis on infrastructure performance, scalability, and reliability, with a focus on imple-
mentation ideas such as redundancy, feedback, modularity, and loose coupling, under rubrics such as
“purging,” “spatial compartmentalization,” and “apoptosis.” This was the model that led to Amazon’s
rapidly growing venture into cloud computing and associated services.
Systems Risk
Systems risks pertain to the potential hazards—operational risks, mission risks, deployment chal-
lenges, and so on—associated with the deployment of a system. What are the kinds of failures, and
what kinds of hazards do they create? For example, cascading failures have been experienced in tele-
communications and power utilities. These are large-scale system failures resulting from unwanted
positive feedback of local failures triggering failures elsewhere, leading to more global failures with
the corresponding hazards. That is, the hazard of a single system failing can often be associated with
a much larger aggregate of systems, often spread across a wide geography. The consequences of a
single local failure thus extend well beyond the immediate locality of the failure. The hazard is at a
much greater scale.
A case study in systems risk is the Toyota Prius, a “highly computerized car,”5 that relies on software
programs to manage the various applications and features of the vehicle. This complex system is really
an amalgam of simpler subsystems interoperating with each other across a network fabric. Drivers of
the 2010 Prius had reported brake malfunctions, which would later be attributed to a glitch in the soft-
ware controlling the car’s brakes. It is unclear from reports from Toyota and in the press whether the
“software glitch” was an algorithmic fault faithfully encoded into the software or a fault in the software
encoding or the software infrastructure. Regardless, the repair of the fault was accomplished through
software updates: Toyota later issued a software patch for the brake problem.6 In February 2010, Ford
also resolved a braking issue through a software upgrade.7
4 NRC, 2006, Summary of a Workshop on Software Intensive Systems and Uncertainty at Scale, Washington, DC:
National Academies Press. Available online at http://www.nap.edu/catalog.php?record_id=11936. Last accessed Au-
gust 20, 2010.
5 Stephen Manning and Tom Krisher, 2010, “More Trouble for Toyota as Regulators Launch Investigation of Prius
Brake Problems,” Associated Press, February 4, 2010. Available online at http://autos.ca.msn.com/news/canadian-press-
automotive-news/article.aspx?cp-documentid=23387474. Last accessed August 20, 2010.
6 David Millward, 2010, “Toyota Offers UK Prius Owners Brake Software Upgrade,” Telegraph.co.uk, February 8,
2010. Available online at http://www.telegraph.co.uk/motoring/news/7189917/Toyota-offers-UK-Prius-owners-brake-
software-upgrade.html. Last accessed August 20, 2010.
7 David Bailey, 2010, “Ford offers fix for Fusion hybrid brake glitch,” Reuters.com, February 4, 2010. Available
online at http://www.reuters.com/article/idUSTRE61369I20100205. Last accessed August 20, 2010.
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
the DoD’s revision of DoD Instruction 5000.02 and the recent Congressional Weapon System Acquisition
Reform Act that establish such convergence as DoD acquisition policy. 4 However, the policy does not
provide detail about how such convergence can be achieved, particularly in the software arena.
Finding 2-1: Modern practice for innovative software systems at all levels of scale is geared toward
incremental identification and mitigation of engineering uncertainties, including requirements
uncertainties. For defense software, the challenge is doing so at a larger scale, and in ways that are
closely linked with an overall systems engineering process.
Innovation and agility are related. Innovation is the ability to create new systems concepts to address
emerging challenges and opportunities. Innovation can be in concept, functionality, architecture and
design, performance, and so on. Innovative functionalities have migrated into software realizations
because of the special characteristics of software. By improving our capability to manage uncertainty, we
are able to accelerate the delivery of more capable systems and reduce costs. The environments of defense
mission needs and of computing technology are both rapidly changing and often in unpredictable ways.
This creates uncertainty, particularly when systems must be designed to anticipate these changes in
mission and technology over periods of many years. Not all changes can be anticipated, which implies
that not only must architecture and design be forward-looking, but also that ongoing process must be
agile in facilitating ongoing innovation in response to changing needs and opportunities. What does it
mean to “manage uncertainty,” and what are good characterizations and, where possible, measurements
of the various dimensions of uncertainty?
It is often stated as a matter of principle that we must measure something if we are to manage it.
However, in the history of software engineering, the principal “measurables” have been time, effort,
lines of code produced, and defects found and fixed. These are only approximate surrogates for the
attributes of progress that matter in complex development projects, such as identification and resolu -
tion of engineering risks, assurance with respect to quality attributes, manifestation of critical functional
features, ability to support future evolution, and so on. The former set of measurables (e.g., time, effort,
etc.) are perhaps more useful for linear or waterfall developments, but they are of diminishing value
for innovative and agile projects. In these projects, not only must engineering risks be identified and
resolved, but also observable attributes must be created to provide evidence—and reduce the possibility
of “going into denial” regarding challenging engineering risks. This issue is elaborated in the section
below on earned value concepts.
From the perspective of quantitative measurement, the uncertainty of software producibility can be
understood through the following observations:
1. Best practices for software development resource estimates employ empirical, parametric models.
These models typically have 20 to 30 input parameters and produce a probability distribution of
outcomes.
2. The variance of the distribution of outcomes is a good measure of the uncertainty.
3. Managing this uncertainty means reducing the variance in the distribution of outcomes as esti -
mates to complete are recalculated on a periodic basis.
Process agility is needed to respond rapidly and effectively to changing circumstances. But often
those changing circumstances are in the form of late-breaking (in a development process) understand -
ing of key design commitments and emerging engineering risks. Thus effectiveness at the management
4 The 2010 National Defense Authorization Act (NDAA) language (Section 804) is also evidence of progress. National Defense
Authorization Act (NDAA) of Fiscal Year 2010, Pub. L. no. 111-84, 111 Congress, (2009). Available online at http://www.wifcon.
com/dodauth10/dod10_804.htm. Last accessed August 20, 2010.
OCR for page 45
�� CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
of uncertainty is one key to process agility in systems definition and conceptualization, as well as
realization.
Technology cannot overcome poor governance or management. However, in the past two decades,
considerable progress has been made in assessing organizational capability to enact process models
to manage complex software developments. This understanding has been packaged in a variety of
ways, such as the capability maturity model, ISO 9000, and the spiral development model. Even well-
managed software development can be hamstrung by poor selection of technology, but it can also be
enhanced significantly by the judicious use of technology. Software-intensive systems are complex. Tools
are needed to help manage complexity, track changes, maintain configuration control, and enforce the
integrity of the architecture—these help teams avoid mistakes often driven by that complexity. Indeed,
modern software teams at all levels of scale rely much more intensively on tooling for process support
than at any point in the past.
Software is distinctive in that it permits rapid iterations, aggressive prototyping, simulation, and
modeling, along with other techniques that can afford early validation with respect to many critical
acceptance criteria. Improved software infrastructure and practices also enable agility, as do improved
means to measure and assess software quality and other attributes. The governance and management
process for unprecedented systems can better exploit these unique software capabilities. This means, in
particular, the aggressive use of iterative risk-managed processes and the definition of suitable earned
value measures related to validation of requirements and architecture, team collaboration, and continu -
ous integration. It also means that platform automation support for measurement, resource estimation,
variance reduction, and change propagation must mature. Another recent study from the National
Research Council has assessed the potential, primarily from a management perspective, for the DoD
to more widely employ incremental and iterative processes to support risk-managed development of
SIDRE systems.5 The recommendations of this study are generally in harmony with the recommenda-
tions of this report, which focuses more on technological enablers and on attendant research and tech -
nology-development challenges.
Earned Value Management and Unprecedented Systems
Earned value management (EVM) is “a means of determining the financial health of a project by
measuring whether the work completed to date is in line with the budget and schedule planning.” One
of the goals of using EVM is to get early warning of potential problems. EVM tracks planning, progress,
cost, earned value (the planned cost of actual progress), and variance in cost and schedule.
Although the technique is seemingly straightforward, the application of EVM for innovative and
unprecedented software-intensive systems poses challenges. In particular, assessing and measuring
actual progress is difficult. Conventional EVM systems make several assumptions, namely: (1) The rela -
tionship between resources and progress is linear, (2) The effort needed to meet certain goals is predict -
able at the outset, (3) Progress is easily and accurately measurable, and (4) The expected outcome—as
articulated in requirements—is well understood. None of these assumptions applies in the case of
software-intensive unprecedented system development efforts where the level of uncertainty changes
the governance process from planning and tracking a straightforward production sequence of related
tasks to an emerging discovery process that requires continuous steering.
Extending EVM to SIDRE software requires some significant changes in how EVM assessment
and measurement strategies are applied. In particular, EVM in this context needs to be adapted from
tracking conformance to planned expenditures to steering toward planned value creation. For this to
happen, significant improvements are needed in our ability to value software assets. For example, a
major, unfinished software asset is no more than an option to guide further investments that, with some
5NRC, 2010, Achie�ing Effecti�e Acquisition of Information Technology in the Department of Defense , Washington, D.C: National
Academies Press. http://www.nap.edu/catalog.php?record_id=12823. Last accessed August 20, 2010.
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
remaining risk, will lead to a finished product that creates realized value for an organization. In other
words, software systems present very weak observables.6
But, such a product contains additional value in the form of flexibility to be better adapted, through
additional investments, to its evolving operating conditions. Placing value on adaptation flexibility is
essential for reasoning about investments in modular design architectures, such as those produced by
the application of product-line approaches. Unfortunately, except at the level of overall ecosystems and
vendor components, the value of most software design assets may be apparent only within a project and
may change according to architectural choices. Thus, valuation of these assets is difficult and risky. We
have neither the models we need to perform such valuation, nor adequate approaches to develop and
validate estimates needed as inputs to such models (e.g., of uncertainties about future conditions).
There is perhaps the potential to calibrate models over time based on past experience, though cali -
brations are always vulnerable to invalidation as operating conditions change. Nevertheless, some kind
of approach to valuation (not only accounting for costs but also for value created, even if in the form
of options) is important to managing iterative or other development processes to optimize for value
created, rather than merely for conformance to predicted cost flow streams.
Time-Certain Development and Feature Prioritization
The fact that (particularly SIDRE) software development effort and duration cannot be estimated
precisely means that it is unwise to try to lock a software project into simultaneously fixed budget,
schedule, and feature content (as has been found in many fixed-price, fixed-requirements software devel-
opment contracts). The concept of time-certain development recommended in the Defense Acquisition
Performance Assessment (DAPA) report and elsewhere7 avoids this problem by fixing duration as the
independent variable and feature content a dependent variable. This is basically the same concept as
the agile practice of timeboxing, but it needs more success conditions for large, mission-critical projects
for which, as time is running out, it is difficult (and time-consuming) to determine which features to
drop, and how to drop them without adverse side effects.
The critical success conditions for large-project time-certain development are to prioritize the fea -
tures in advance and to modularize the architecture to make it relatively easy to add or drop border-
line-priority features. In evolutionary development, this does not mean that the features will never be
available, but that they will be deferred to a later increment. Prioritizing features in multi-stakeholder
situations is never easy, but it becomes easier if the decision is just to determine what features are most
needed in the next increment.
A most significant side effect of feature prioritization is that it produces a consensus ranking of the
relative value of the system’s features. This provides the beginning of a way to reason about project risk,
as the key quantity in risk management is an item’s risk exposure, defined as the product of the probabil-
ity of loss times the size of the loss, which is known at least relatively from the feature prioritization.
6 This is in the sense of the traditional OODA (observe, orient, decide, act) loop, which underlies iterative processes and in -
cremental development. That is, as iterations and increments of effort yield results, future iterations and increments necessarily
build on those results. The challenges of software measurement and evaluation (as addressed throughout this report) relate to
the “observe” part of the loop, the process-related challenges relate to the “orient” and “decide” parts of the loop, and many of
the architecture/design and programming challenges relate to the “act” part of the loop.
7 This includes, most significantly, the NRC report on Achie�ing Effecti�e Acquisition of Information Technology in the Department of
Defense. NRC, 2010, Achie�ing Effecti�e Acquisition of Information Technology in the Department of Defense , Washington, D.C: National
Academies Press. Available online at http://www.nap.edu/catalog.php?record_id=12823. Last accessed August 10, 2010. Last
accessed August 20, 2010.
OCR for page 45
�4 CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
Evidence-Based Software Engineering and Risk Probability
Another major trend in software engineering and project management is to shift from schedule-
based milestones (“The contract says that the Preliminary Design Review (PDR) will be held on April
1, so that’s when we’ll hold the PDR, whether we have a design or not.”) to event-based milestones
(“We’ll finish all the design features by June 1, so we’ll hold the PDR then.”). However, such reviews
often fail because there is no way to tell from all the Unified Modeling Language (UML) diagrams and
PowerPoint charts whether the design will scale-up, handle crisis conditions, meet critical timelines, or
be buildable within the available budget and schedule.
This has led to the current trend toward evidence-based milestones, and evidence-based software
and systems engineering in general. This approach places responsibility on developers not only to create
artifacts for review such as operational concepts, requirements, designs, plans, budgets, and schedules,
but also to produce evidence that if a software system were built to the design, it would satisfy the
requirements, support the operational concept, and be buildable within the budgets and schedules in
the plan. This evidence would then be reviewed by independent experts, and shortfalls in evidence
would be treated as uncertainties or probabilities of loss. As with the relative sizes of loss determined
from requirements prioritization above, these probabilities are generally known only relatively, but they
can be combined with the relative sizes of loss to produce at least relative risk exposure quantities for
use in risk management.
Actually, evidence-based software and systems engineering has been practiced many times and
has been a consistently performed and high-payoff corporate practice at leading companies such as
AT&T since the 1980s.8 However, such evidence is usually asked for in contract data item descriptions
(DIDs) in optional appendices, where it is one of the first things to go when resources become strained.
Making appropriate evidence a first-class deliverable not only would ensure its development, but also
would make it an element of earned value management, in that it thus would have to be planned for
and its progress tracked with respect to the plans. The evidence should be parsimonious and focus on
enabling of action—rather than on the massing of “read-never” program documentation. These points
are summarized in the following findings and recommendations.
Finding 2-2: The prescription in DoD Instruction 5000.02 for the use of evolutionary develop-
ment needs to be supplemented by the development of related guidance on the use of such prac -
tices as time-certain development, requirements prioritization, evidence-based milestones, and risk
management.
Finding 2-3: Extensions to earned value management models to include evidence of feasibility and
to accommodate practices such as time-certain development are necessary conditions to enable suc -
cessful application of incremental development practices for innovative systems.
As noted throughout this report, the DoD would benefit from investing effort in developing
improved quantitative measures related to diverse software attributes such as quality, productivity,
architecture compliance, architecture modularity, process performance, and many others. But DoD
practices must also recognize that existing metrics do not fully reveal critical attributes of systems and
process status and that expert judgment also has a critical role, particularly with respect to architecture,
design, and many quality attributes associated with SIDRE systems. Evidence-based software and sys -
tems engineering approaches are being increasingly applied to address achievement of critical SIDRE
attributes and need to be better institutionalized into DoD acquisition practice.
8 Joseph F. Maranzano, Sandra A. Rozsypal, Gus H. Zimmerman, Guy W. Warnken, Patricia E. Wirth, and David M. Weiss, 2005,
“Architecture Reviews: Practice and Experience,” IEEE Software 22(2):34-43.
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
Finding 2-4: Research related to process, measurement, architecture, and assurance can contribute to
the improvement of measurement practice in support of both routine management of engineering
risks and value assessment as part of earned value management.
For example, keys to developing cost-effective evidence involve determination of feature and attri -
bute priorities, assessment of candidate evidence-generation capabilities (modeling, simulation, proto -
typing, bench marking, exercises, early working versions, citations of relevant previous experience), and
measurement of progress toward thorough evidence generation.9 Some initial steps in this direction are
provided in a report by Boehm and Lane.10
Recommendation 2-1: The DoD should take aggressive actions to identify and remove barriers to
the broader adoption of incremental development methods, including iterative approaches, staged
acquisition, evidence-based systems and software engineering, and related methods that involve
explicit acknowledgment and mitigation of engineering risk.
There are different kinds of barriers that can be addressed through combinations of established
best practice and emergent improved practice derived from technology and other improvements. These
potentially surmountable barriers include (1) improved measurement and associated technology, (2)
architecture validation using models, simulation, prototyping, etc., (3) program manager training and
evaluation of perceived career risks (see findings below), (4) accretion of an accessible experience base
and other shared resources that can facilitate sound decision making, and (5) acceptable shifts of early-
stage emphasis for innovative systems from detailed functional requirements to concurrent engineering
of requirements, architecture, process definition, and evidence of their compatibility and feasibility.
Similar barriers exist in commercial industry, of course. These are accentuated in DoD because of its
particular challenges of arm’s-length contractual relationships, high assurance requirements, potential
presence of adversaries in the systems development activity, and other barriers.
MANAGING REqUIREMENTS AND ARCHITECTURE
Software development complexities tend to increase non-linearly as systems scale up in complex -
ity, features, and quality goals. The challenge for the DoD is that its requirements must be addressed
at unusual scale, complexity, interconnection, security, and with life-critical mission requirements. This
challenge is exacerbated by the fact that the DoD is not sufficiently exploiting known techniques for the
management of complex and evolving requirements. These techniques have been a focus of research
for many years, but the known techniques are not widely employed on DoD applications—techniques
including spiral development, joint application development, agile development, etc. The resulting
difficulties are well known.11,12
There is widespread agreement that the requirements-delay-surprise (linear) approach to software
development is not effective for innovative systems. The committee proposes more extensive use of
an incremental, risk-assessment-driven approach. It is important to appreciate that, for incremental
approaches to succeed, there needs to be forward-looking up-front investment in the overall system and
process design. This enables problems to be decomposed in such a way that engineering risks can be
identified, initial architecture models developed, and overall programmatic risk is minimized. If this is
9 This concept of evidence generation is different but analogous to the discussion of evidence-based assurance in Chapter 4.
10 Barry Boehm and Jo Ann Lane, 2010, E�idence-Based Software Processes, Proceedings, �0�0 International Software Process Confer-
ence Springer, Berlin.
11 NRC, 2010, Achie�ing Effecti�e Acquisition of Information Technology in the Department of Defense , Washington, DC: National
Academies Press, Washington, DC. Available online at http://www.nap.edu/catalog.php?record_id=12823. Last accessed August
20, 2010.
12 Barry Boehm and Richard Turner, 2003, Balancing Agility and Discipline: A Guide for the Perplexed, Boston: Addison-Wesley.
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
just as cost and resources, schedule and work breakdown, quality (with respect to various attributes), and
other overall constraints are variables subject to ongoing negotiation. An example is the prioritization of
requirements and use of scope as a dependent variable in time-certain development. Even when scope
is treated as a seriously scrutinized and controlled variable in DoD projects, a collaborative, open, and
honest management style between customer and contractor, supported by constant effort to improve
measurement and observation capability, has proven to be another necessary ingredient for success.
These are the foundations of modern agile governance that demand executable capability demon -
strations over time. Modern agile governance of software delivery means managing uncertainty through
steering. In a healthy software project, each successive phase of development produces an increased
level of understanding in the evolving plans, specifications, and completed solution, because each phase
furthers a sequence of executable capabilities and the team’s knowledge of competing objectives. At any
point in the life cycle, the precision of the subordinate artifacts should be in balance with the evolving
precision in understanding, at compatible levels of detail and reasonably traceable to each other.
ESTIMATIONS, CONTRACTING, AND ITERATIVE DEVELOPMENT
The DoD operates within a complicated federal procurement and acquisition process. From the
outset the government typically awards to the contractor with a viable technical solution and the lowest
cost. For software-intensive systems there is a conventional wisdom that aggressive bids have driven
many programs to diminished probabilities of success.16 Although the reasons for cost overruns and
delays are complex, the choice of evaluation criteria in this process is undoubtedly a factor. The govern -
ment and contractors need to establish rigorous processes to ensure that we have a basis for size estimates
that have sound derivation from comparable systems, as well as thoughtful scaling factors to account
for degree of engineering risk, overall complexity and scale, and maturity of the various contributing
technologies and ecosystems. For innovative SIDRE systems, the variances in a sound estimate can rise
quite dramatically. For all systems, there is also the complication of the rapid evolution of the underlying
software technologies, which tends to reduce commensurability with historical comparables. The use of
evidence-based proposals and independent expert review is also helpful at the source selection stage.
Estimates
An additional difficulty is the lack of a rational standard by which the cost estimates are judged.
While there are well-used metrics for hardware, a uniform set of standards for software development
is lacking, although there are candidate models such as SEER-SEM, True S, or COCOMO. Also, analyz -
ing comparable probabilities of success should be a key element for awards. This analysis must avoid
conflating engineering risk with programmatic risk and instead account for process plans (and earned
value credit models) that acknowledge the reality of the engineering risk and indicate how it can be
mitigated (as outlined above). Product-line and framework efforts provide significant challenges to
development estimation, as do commercial, open-source, and vendor infrastructure and services. These
outsourced products and services, loosely considered as COTS (“commercial off the shelf”), although
often they may not be commercial or off the shelf, require further adaptation to the estimation models to
account for the costs of assimilating the product/service, including integration, configuration, ongoing
upgrade (and consequent adaptation to the subject system), licensing, sourcing risks, and other factors.
For example, many conventional commercial components and services have refresh cycles, which may
range from months to many years. The period of these cycles (and the extent of likely incompatibility)
can often be anticipated on the basis of industry standard practices, but it nonetheless needs to be
16 See reports from the Government Accountability Office including, GAO, 2004, Defense Acquisitions: Stronger Management
Practices Are Needed to Impro�e DoD’s Software-Intensi�e Weapon Acquisitions, GAO-04-393, Washington, DC: U.S. Printing Office.
OCR for page 45
�� CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
understood, along with the prospects for “support engagements” from vendors to address urgent and
critical issues should they arise.
Recommendation 2-2: The DoD should take steps to accumulate high-quality data regarding project
management experience and technology choices that can be used to inform cost estimation models,
particularly as they apply to innovative software development projects.
The current upgrade underway of the reporting quantities and guidance for the DI-MGMT-81739
and -81740 Software Resource Data Reports is a good example.
Contracting
There are a variety of contracting structures that are available to government program managers.
Choices are generally made on the basis of goals regarding incentives for the performer. For example,
the cost-plus-award-fee (CPAF) paradigm tends to front-load the incentives for performance where the
product is primarily a set of artifacts that define the design, but that do not necessarily provide functional
capability. It will be important to ensure that future contracts provide a balanced incentive for early
development of functioning products, as well as early evaluations of performance and robustness.
An iterati�e process for software development requires somewhat of an iterative or, more precisely,
an incremental contract with the customer, very much following the concept of a spiral model of soft-
ware engineering.17 For a company to respond to a request for proposals (RFP) with some accuracy, it
generally must have experience with multiple similar projects on the basis of which it can estimate with
confidence the resources and risks associated with building and testing a particular system. Some com -
panies frequently offer a fixed-price bid as well, perhaps for as many as half of their projects, although
the preferred contract is not a fixed price but rather an agreement on the general estimated figure for
the cost and delivery schedule in chunks, with more specificity for the critical initial deliveries, some
agreed upon process for continued negotiation around time and schedule for changes, and pricing of
later parts of the system as more of it is built and delivered.
A Scenario for SIDRE Incremental Development
One possible way to combine improvement in the precision of estimation with mitigation of early-
stage engineering risk (architecture, scope, hazard analysis) would be for a software customer to start a
project with an initial scoping and prototyping engagement, lasting a few weeks, depending on the size
or complexity of the system. This can serve to determine the scope of requirements, assess architecture
alternatives, identify constituent ecosystems, and address other potential sources of up-front engineer-
ing risk. This affords both the customer and the bidder opportunity to develop more precise (but still
crude) estimates of the cost and time potentially required for the project.
This scoping and prototyping phase can be used to identify what are the essential features of the
system that the customer must have, what are the lower-priority features, and what are the features or
functions that must be built first for the work to proceed. The company (and the customer) can then
generate estimates for this first phase of the development work. This can be viewed as developing an
immature design, but through a mature design process that will eventually lead to a well-validated
mature design. As this initial phase of the work nears its completion milestone, systems engineers,
architects, and requirements engineers can then work on a more detailed plan for the next milestone,
including more specific plans for value measurement that would be used to enhance a baseline overall
earned value model. The company, if it has experience with similar projects, can use historical data to
adjust its estimates and add buffer time in the schedule, which will also add costs for manpower.
17 Barry Boehm, 1986, “A Spiral Model of Software Development and Enhancement,” Communication of the ACM 11(4):14-24.
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
In short, the scenario is for the customer to pay for an upfront scoping and prototyping exercise,
agree to a general budget and timeframe, and then pay in increments as the work proceeds and changes.
It is critical for the development team to be working extremely closely with the customer such as through
having weekly or biweekly project updates and sharing information regarding architecture, features,
and quality attributes of the evolving system in frequent increments. This also affords opportunity for
risk mitigation regarding validation for critical requirements, enabling operational acceptance and pro -
viding evaluators an opportunity to mitigate the engineering risks they face regarding various kinds
of evaluation criteria. Regarding budget, it enables the customer to achieve a budget target with essen -
tial features of the system completed and to establish options regarding additional features or quality
improvements earlier in the lifecycle, thus facilitating negotiations regarding lower-priority features or
bug-fixing time later on in the project.
The committee notes that real-world project experience has shown time and again that it is the early
phases that make or break a project. It is therefore of paramount importance to have a strong start-up
team for the early planning and architecture activities. If these early phases are done right with good
teams, projects can more often be completed successfully with (stable) nominal teams of capable devel -
opers evolving the applications into the final product. If the early planning and architecture phases are
not performed adequately, however, then programmatic risks escalate dramatically—even tremendous
expertise may not succeed in overcoming the consequences of early bad decisions.
The committee also notes that for the largest and most complex systems, and also for many of the
more innovative systems, the DoD has a strong and direct interest in architecture definition in the early
project phases. DoD interests in architecture bear on longer-range issues such as interoperability, flex -
ibility, and shifts in quality attributes as infrastructure and associated ecosystems evolve. This implies
that the DoD must have capability to assess architectural decisions at the early stages as part of the
overall process. There is a challenge in finding the right balance—on the one hand, contractors must
fully “buy in” to architecture designs with respect to owning responsibility for outcomes, but, on the
other hand, the DoD and contractors must be able to collaborate in refactoring or adapting architectures
when required.
Finding 2-5: Architectural expertise is becoming dramatically more important for the DoD, its advi -
sors, and its contractors. There will be significant and immediate benefits from advances in the state
of technical support for architecture.
Recommendation 2-3: Update procurement, contracting, and governance methods to include an early
and explicit architecture phase that reduces the predominant uncertainties in software-intensive
systems.
Technical support for architecture includes architecture development, modeling, simulation, evalu -
ation of quality attributes (such as performance and security), evaluation of structural attributes (such
as code compliance, modularity, etc.), and techniques for adaptation. This also includes capture of
architectural experience to support building on experience.
Recommendation 2-4: Define architectural leadership roles for major SIDRE projects and provide
program managers with channels for architectural expertise.
With respect to risk management, if a project is structured in short cycles or milestones, such as
every 4 or 8 weeks,18 then estimates and teams can be adjusted to try to make up time on the schedule.
For example, if part of the system is proving to be more difficult than planned to build or to test, then
18 Agile cycles are typically 30 days, with a deliberate commitment for schedule-driven milestones to provide the dominant
constraining structure in the management of process.
OCR for page 45
�0 CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
it may be possible to restructure the work plan to enable switching of people from different tasks with -
out running afoul of Brooks’s Law.19 Mitigating risk from a contractual perspective requires reducing
development cycles, system testing intervals, and feedback opportunities with the customer. Although
this would vary based on scale, it would typically change release cycle times from units of months to
units of weeks. This is predicated on identifying the most useful observables to support effective deci -
sion making in the feedback loop implemented in project iterations. Project managers should also be
identifying early on what parts of the system have high engineering risk—such as complex components
that are different from systems they have built successfully in the past.
The use of evolutionary acquisition as emphasized in DoD Instruction (DoDI) 5000.2 implies the
need for continuing architectural adjustments to accommodate changing priorities, independently
evolving external interfaces, new releases of COTS products, and termination of support of older COTS
releases. This will be discussed next.
REALIzING DOD SOFTWARE BENEFITS VIA DOD INSTRUCTION 5000.02
AND EVOLUTIONARY ACqUISITION
As discussed above, recent DoD policy in DoDI 5000.02 has established the concept that “evolu -
tionary acquisition” is the recommended way to acquire DoD systems, but the policy does not provide
detail about how successful evolutionary acquisition can be achieved, particularly in the software arena,
and in a way that is compatible with the concepts of incremental iterative development. The issue is
that evolutionary acquisition requires “a militarily useful and supportable operational capability” (DoD
Instruction 5000.2, p. 13, 2.c.) at each iteration, whereas incremental iterative development does not (and
should not) require operational capability at every iteration. This is because the iterations in incremental
iterative development may be focused on discharging particular engineering risks rather than on mani -
festing operational capability. Further, DoD projects currently preparing to apply evolutionary acquisi -
tion find that much of the available acquisition infrastructure (contract forms, exhibits, and data item
descriptions for reviews and audits, work breakdown structures, requirements, design, test, milestone
pass/fail criteria, progress payments, award fees, etc.) is still oriented around a model of single-step
development to prespecified full-system requirements, with portions pre-allocated to software.
The usual result is a hardware-driven functional-hierarchy system architecture that is incompatible
with preferred layered, service-oriented software architectures, and accompanying hardware-oriented
work breakdown structures that encourage software suboptimization20 and translate into management
structures that hinder rapid software adaptation to change.21 Further, projects are often unaware that
there are several forms of evolutionary acquisition and choose a form that is poorly matched to their
project situation. Some initial work has been done to determine the various forms of evolutionary acqui -
sition and to provide top-level criteria for choosing among them, as shown in Box 2.2.
This top-level guidance is a good first step, but it needs considerably more detailed guidance and
associated methods and tools to ensure its successful application on DoD projects. 22 What is most sorely
needed at this point is an elaboration of the necessary guidance to ensure early software participation in
19 Brooks’s Law states that adding people to troubled software projects only puts them further behind schedule. See Fred Brooks,
1975, The Mythical Man Month: Essays on Software Engineering, Reading: Addison-Wesley.
20 See the current revision of MIL-STD-881.
21 Barry Boehm, A. Winsor Brown, Victor Basili, and Richard Turner, “Spiral Acquisition of Software-Intensive System of Sys -
tems,” CrossTalk, May 2004: 4-9.
22 Specific practices for incremental iterative development are discussed in several studies, including DSB, 2009, Report of the
Defense Science Board Task Force on Department of Defense Policies and Procedures for the Acquisition of Information Technology , Wash-
ington, DC: Office of the Under Secretary of Defense for Acquisition, Technology and Logistics. Available online at http://www.
acq.osd.mil/dsb/reports/ADA498375.pdf. Last accessed August 20, 2010. See also NRC, 2010, Achie�ing Effecti�e Acquisition of
Information Technology in the Department of Defense, National Academies Press, Washington, DC. Available at at http://www.nap.
edu/catalog.php?record_id=12823. Last accessed August 20, 2010. The practices are also elaborated in Congressional language
in the National Defense Authorization Act 2010, Section 804. National Defense Authorization Act (NDAA) of Fiscal Year 2010,
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
systems engineering and criteria for evaluating whether adequate evidence of software feasibility has
been produced at major DoD acquisition milestones. A particular need is for guidance on stabilizing the
current increment of evolutionary development while concurrently evolving the software and system
architecture and plans to enable stabilized development of the next increment. 23
Recommendation 2-5: Develop the technical and management infrastructure necessary to simultane -
ously support stabilized, high-assurance development of the current evolutionary increment while
concurrently evolving the plans and specifications for stabilized development of the next high-assur-
ance increment.
INTRINSIC DOD SOFTWARE ExPERTISE—BEING A SMART CUSTOMER
The Current State of DoD Software Expertise
It is widely acknowledged, including within the DoD, that the department does not have sufficient
organic personnel with the software expertise to meet its needs for today’s more software-intensive pro -
grams.24 Although the DoD develops some software internally, the committe’s focus here is on access to
expertise that is needed for the DoD to be effective as a savvy and outstanding customer for software.
This includes the expertise to effectively purchase the larger and less precedented systems as well as the
precedented systems for which sensitivity to issues such as the choice of ecosystem is key. The necessary
expertise includes understanding of process, architecture, requirements, and assurance. It also includes
understanding of the trajectories and adoption trends for both the major commercial ecosystems and
any involved DoD-intrinsic software ecosystems. The DoD faces challenges in attracting and retaining
software and systems engineering personnel and also in keeping up to date the skills of the personnel
they do have.25 Commercial industry also faces challenges because demand for software expertise is
high and the competition for top project managers and top architects can be particularly fierce because
these two skills are both critical to success and their ranks are few.
Challenges Particular to the DoD
The defense environment poses further challenges, notably the difficulty in competing with industry
to hire the most capable software architects and other experts. This is not simply a matter of salaries. For
instance, it is noted by the committee that many software engineers and architects become frustrated
and discouraged working within the constraints of the DoD acquisition process and with the tendency
toward calcification of their “hands-on” skills that made them valuable to the DoD acquisition process
in the first place.26 Especially in recent years, the DoD has not shown the desire or ability to develop
Pub. L. no. 111-84, 111 Congress, (2009). Available online at http://www.wifcon.com/dodauth10/dod10_804.htm Last accessed
August 20, 2010.
23 See related discussion in Chapter 4.
24 “The quantity and quality of software engineering expertise is insufficient to meet the demands of government and the
defense industry.” Excerpted from presentation by Kristin Baldwin, 2008, “DoD Software Engineering and System Assurance,”
January 15, 2008, p. 4. Available online at http://www.acq.osd.mil/se/briefs/2008-01-15-SSA-Boeing-Interchange.pdf. Last ac -
cessed August 18, 2010.
25 Matthew Weigelt, 2009, “Officials Wants Their Own Software Engineering Experts, But They Don’t Want to Disregard
Industry’s Experts,” Federal Computer Week. Available online at http://fcw.com/Articles/2009/07/09/DOD-IT-systems-engineers-
outsourcing.aspx. Last accessed August 20, 2010.
26 The committee did note that federally funded research and development centers (FFRDCs) and labs can provide the op -
portunity to technical staff to take breaks from direct support and move to programs under acquisition. These breaks enable
staff to pursue research and re-connect with their “hands-on” skills that made them valuable to the DoD acquisition process in
the first place. It keeps their skills current and allows them to cycle back to another acquisition activity with fresh thoughts and
approaches to developing DoD capabilities.
OCR for page 45
�� CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
Box 2.2
Software Risks
The phrase “software risks” often appears in discussions regarding software development projects
and software-intensive systems engineering projects. It suggests danger and something that should be
prevented or avoided by project managers. But in fact there are different kinds of risks, and not all of them
involve danger. Indeed, some have an appropriate and sometimes valuable place in any innovative engineer-
ing process and its management. Most importantly, by acknowledging and managing the various categories
of risks early in the process, particularly engineering risks but also system risks, overall risks related to both
the engineering process and the product it develops are reduced. Differences in software risks characterize
the difference between the development of precedented (routine) capabilities and unprecedented (innova-
tive) system capabilities. Differences in different kinds of software risks characterize the difference between
“critical systems” and other systems.
Risk, generally speaking, is a product of the probability of occurrence of a consequence with the degree
of severity or cost of the consequence. Risk can be reduced by reducing the probability or by lessening the
extent or severity of consequence or both. There are different types of risk; for software categorization is in
terms of programmatic, system, and engineering risk. (Box 2.1 describes each form of risk in detail.) There
are often tradeoffs and interactions among these risks.
An example is response time. To illustrate the differences and interactions, consider an example relat-
ing to a decision regarding response time of a system—for example, how frequently the tracks of enemy
and friendly units are updated on a display. A longer response time may enable designers to employ prec-
edented infrastructure and other architectural elements, yielding a more predictable engineering process.
That is, from the perspective of the planning phases, a mostly linear plan to engineer the product is more
likely to yield a successful outcome. In other words, programmatic risks (or project risks) are low.
The long response time may, however, create operational difficulties due to insufficient timeliness. This
is a kind of system risk—the possibility of a system failing to accomplish its mission. That is, while there
may be low risk in producing a system with a long response time, it may be less likely to be operationally
valuable. More generally, system risks can pertain to a wide range of hazards and suitability factors in opera-
tions, such as performance, security, usability, valid functionality, and integration and interoperation. System
risks can also include “long-tail” risks—events with high consequence and low (perceived) likelihood. In
this latter case it can be difficult to assess how much effort should be applied to mitigate the risk.
Suppose, on the basis of up-front user studies, it is decided to require a guarantee of a specific short
response time. This would certainly reduce the system risk related to suitability of the response time. But the
short response time may preclude use of the commodity infrastructure and, in the absence of validated al-
ternatives, create uncertainties in the engineering phases of the project regarding architectural choices. The
resulting uncertainties and consequences created within the engineering process are engineering risks.
Which is the correct architectural choice to make? If the answer is not known until the system is put
into an operational environment for test and evaluation, then the uncertainty persists for a longer period,
more engineering investment is made prior to resolution of the uncertainty, and more rework is required
should the choice need to be revised. Additionally, when one possibility is eliminated, uncertainty may
remain regarding the choice among the remaining candidate options, and further effort may be required
to resolve this choice. This adds to engineering risk, and it may add to project risk as well if there is insuf-
ficient allowance in cost and schedule for rework in the project budget. In many cases, the costs of unwind-
ing previous bad decisions become prohibitive, and as a consequence the mismatched architecture (or
other aspects of the system design) becomes a legacy infliction that is constantly worked around, adding
to downstream costs and risks.
Evaluation of architectural alternatives through full development and operational tests is rarely re-
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
quired, however. Techniques such as architectural modeling and simulation, for example, would enable
the architectural alternatives to be evaluated earlier in the process and at lower cost, lowering engineering
risk. (See Chapter 5 for a discussion of the associated research challenges.)
The probabilistic models for risk assessment have limitations. A software manager may find it tempting,
when considering the mathematical characterization of risk as the product of consequence and probability,
to develop mathematical models for probabilities. This is sometime useful but also can be dangerous, since
probabilistic models often fail us in software. For example, a security vulnerability could be perceived as
high consequence, but very low likelihood, and so may be left unaddressed. But once the vulnerability
becomes known to adversaries (e.g., as a zero-day vulnerability), then the probability can rise dramatically,
and with it the extent of risk. Unfortunately, probabilistic models fail also because of aspects other than
security. The possibility of intermittent problems such as deadlocks, for example, can change quite dramati-
cally with changes in processor, communication, or storage infrastructure. Additionally, traditional models
of redundancy as a means to reduce risk are most effective when event probabilities are not coupled. But
this proves to be a dangerous expectation in the engineering of software.1
On the other hand, in systems engineering efforts where software is embedded as part of a cyber-
physical system, there are abundant probabilistic models for faults in attached physical components, and
these models may have dependencies on other probabilistic models relating to aspects of the operating
environment. In these cases, the familiar engineering mathematics for reliability must be employed, and the
results of these analyses will inform the design of software to support tolerance or containment of errors
resulting from faults in the attached components.
Credit for engineering risk reduction. The Apollo moon missions of the 1960s had systems risk (hazard)
related to delivering and returning astronauts safely. This risk could be mitigated through various safety
mechanisms. In general, there may be little correlation between system risks and the other kinds of risks,
especially when the systems risk derives primarily from the context of operational use—system risks may
be much more dependent on characteristics of the operating environment than on precedent regarding
engineering decisions. But in the case of the Apollo missions, there was also considerable engineering risk,
particularly early in the process when basic decisions were being made and experimentation and prototyp-
ing was being done to achieve early validation (i.e., prior to operational use) of the decisions made.
The experience of the prior Mercury and Gemini missions created precedent for many design consid-
erations and so served to discharge certain engineering risks. In addition to relying on hard-won experi-
ence with prior systems, the principal approaches to mitigation of engineering risks involve incremental
development, prototyping, and modeling and simulation. These methods reduce the cost of consequence
through early feedback and response afforded.
For innovative projects, efforts to resolve engineering risks can be a significant component of overall
project progress, and therefore in an earned value measurement regime there need to be ways to “give
credit” for identification and discharge of critical engineering risks. This can be a challenge: How, for
example, can the value to Apollo of the experience of Mercury and Gemini be weighed? Or, at a much
smaller scale, how can the value of the agile practice of ongoing refactoring be assessed at a time when
the costs are incurred? The refactoring practice enables teams to retain ongoing control over architectural
decisions and to enhance the potential for architecture-level adaptation on the basis of future needs. But
the benefits associated with the refactoring costs may appear only in later cycles, perhaps several months
later, and until then the return on the refactoring investment may be difficult to assess despite the long-
term value to the project.
1 See, e.g., Susan Brilliant, John Knight, and Nancy Leveson, 1989, “The Consistent Comparison Problem in N-Version
Programming,” IEEE Transactions on Software Engineering 15(11):1481-1485.
OCR for page 45
�4 CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
and retain top technical experts within its own ranks, both in the military and civilian, except in very
particular circumstances.27 Additionally, as discussed below, it has historically proven challenging for
those software experts who have remained within the DoD to maintain strong technical currency on an
ongoing basis. Indeed, the committee believes that the extent of software expertise within the DoD is
shrinking both relative to that of the commercial sector, and perhaps also in absolute terms.
The false perceptions that software and IT generally are reaching a plateau may lead to erroneous
conclusions that the DoD can fully delegate such leadership into its supply chain. This is inconsistent
with the reality of the rapid ongoing growth of software technology (as elaborated in Chapter 1) and
the essential and growing importance of successful early architecture-focused decision making in the
development of interlinking defense systems (as elaborated in Chapter 3).
An additional challenge to the DoD is that the split between technical and management roles will
result in leaders who, on moving into management, face the prospect of losing technical excellence
and currency over time. This means that their qualifications to lead in architectural decision making
may diminish unless they can couple project management with ongoing architectural leadership and
technical engagement. The DoD does not have strong technical career paths that build on and advance
software expertise with the exception of the service labs. Upward career progression trends leading
closer to senior management-focused roles and further away from technical involvement tend to stress
general management rather than technical management experience. This is not necessarily the case in
technology-intensive roles in industry. Many of the most senior leaders in the technology industry have
technical backgrounds and continue to exercise technical roles and be engaged in technology strategy.
Nonetheless, certain DoD software needs remain sufficiently complex and unique and are not covered
by the commercial world, and therefore call for internal DoD software expertise. In the DoD, however,
as software personnel take on more management responsibility, they have less opportunity and incentive
to stay technically current. At the same time, there is an increasing need for an acquisition workforce
that has a strong understanding of the challenges in systems engineering and software-intensive systems
development. It is particularly critical to have program managers who understand modern software
development and systems.
Commercial industry also continues to have a strong need for the same types of basic software
expertise that the DoD needs and in many areas is competing with the DoD for the same pool of talent.
Notwithstanding the economic downturn, salaries for personnel in these areas remain highly competi -
tive in order to attract key talent. Although there have been improvements in recent years to accom -
modate highly paid technical experts, the DoD and other government pay scales remain generally not
as competitive with commercial industry, making it more difficult for the DoD to attract and retain
the expertise it needs. Additionally, the DoD could strengthen its ability to tap into the talent base in
DoD-aligned research organizations and universities—for example, by sponsoring security clearances
for technology leaders.
An additional challenge that DoD faces in obtaining and attracting key talent is the requirement for
cleared U.S. citizens. Security considerations that often preclude the hiring of non-citizens markedly
shrink the pool of available software talent. The pool of currently cleared U.S. citizens with the right
skills is not sufficient to meet the demand, and this pool could be shrinking because of the reduction in
support by the various agencies (principally the DoD, NASA, and the Department of Energy) of U.S.
universities in areas related to software producibility. (The Networking and Information Technology
Research and Development (NITRD) coordination categories are Software Design and Productivity
(SDP) and High Confidence Software and Systems (HCSS); see Box 1.5.) University programs create
the most highly qualified technical personnel, from the standpoint of pure technical expertise, which
can complement DoD expertise in program management. It is the nature of university economics that
27 See, for example, pp. 8-9 in DSB, November 2000, Report of the Defense Science Board Task Force on Defense Software , Office of
the Under Secretary of Defense for Acquisition, Technology, and Logistics. Available online at http://www.dtic.mil/cgi-bin/
GetTRDoc?AD=ADA385923&Location=U2&doc=GetTRDoc.pdf. Last accessed August 18, 2010
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
production of PhDs, in particular, closely tracks external research support for university projects. The
recent reductions therefore mean not only that there is less U.S. research in software producibility,
but also that the pipeline of software-savvy talent is diminishing. Because the DoD will not be able to
directly hire the necessary talent in the short term to meet its growing needs, it needs to improve access
to “DoD-aligned” talent through federally funded research and development centers (FFRDCs), Service
labs, and university and industry research contractors. Flexibility regarding government personnel poli -
cies could allow more movement for leading technical experts in and out of government service, which
could facilitate DoD maintenance of technical excellence and currency in rapidly changing fields.
For example, because of the rapid growth in the significance of architecture-related capability on the
DoD side of major systems engineering projects, the committee has considered processes by which the
DoD can gain access to the very best architectural talent to address cross-cutting architectural require -
ments and validation challenges. These processes include the assembly of architectural study groups and
review panels of top experts, including experts drawn not just from the intrinsic DoD talent pool, but
also from industry and research. Options may include focusing on trying to get engineers in mid-career
in addition to young software engineers and improving the career environment so that, irrespective of
age, a DoD software engineer can develop and maintain her skills by actually producing software. By
bringing some software engineering work in-house, the DoD may be able to stimulate interest in DoD
careers and opportunities.
The question then becomes, How does the DoD effectively become a savvy customer for these
important IT and software-related services? Traditional methods have involved some combination of
developing know-how internally and acquiring it from contractors. In each case, the necessary com -
petence must be available to execute the programs, with particular emphasis on technology-intensive
decision making. In much of this decision making, the DoD must define the “operating environment”
for major software and systems development efforts performed by its contractors. This operating envi -
ronment includes certain DoD-specific standards for interoperation, assurance, security, and so on. The
expertise required in the DoD is not identical to the corresponding commercial software engineering
expertise. For example, DoD large-scale software development is almost always undertaken at arm’s
length by contractors. This can complicate the implementation of practices that deviate significantly from
the “requirements-first” RFP model. For innovative systems, as the committee has noted throughout
the report, there must be ongoing interaction on topics related to architecture, incremental develop -
ment, and preventive practices in support of assurance. Without appropriate expertise and experience,
these interactions—and associated management of incentives—can be difficult to manage successfully.
In addition, a growing number of areas of technology-intensive decision making where the DoD has
particular interests and incentives vary from those of its contractors.
Access to Talent
Although access needs to be improved, the DoD does, however, have access to a considerable base
of talent through three DoD-aligned sources: (1) DoD FFRDCs, (2) Service labs, and (3) research con -
tractors in universities and industry. Despite the reduction in funding related to software (see Box 1.5),
the DoD has nonetheless taken modest but valuable actions to cultivate talent and introduce leading
young scientists to defense systems and the defense mission. A prominent example is the Computer
Science Study Group (CSSG) sponsored by DARPA28 that affords opportunities for younger researchers
to engage more directly with defense technical challenges.
28 For more information, see http://www.darpa.mil/dso/solicitations/ra07-43.html. Last accessed August 18, 2010.
OCR for page 45
�� CRITICAL CODE: SOFTWARE PRODUCIBILITY FOR DEFENSE
Opportunities to Strengthen the DoD’s Software Expertise
There are two significant building blocks for strengthening the DOD’s intrinsic software expertise
that leverage the DoD’s particular expertise and responsibilities in two areas—operational test and
evaluation (OT&E) and information assurance (IA). As noted elsewhere in this report, there are oppor-
tunities to expand the role of OT&E organizations to support preventive approaches to assurance and
early validation, generally for innovative large-scale systems engineering projects, particularly regard -
ing architecture, process, and key quality attributes—even when detailed decisions regarding specific
aspects of functional capability are deferred. A successful IA regime will require similar engagement,
as well as sophisticated interaction between defensive and offensive programs and activities, engage -
ment with those who operate and defend the DoD’s communications networks, and intelligence about
threats and vulnerabilities.
In the cases of both OT&E and IA, leaders in practice and technology are understood to reside in
the DoD (and in similar institutions in other countries). By creating a visible culture of elite technol -
ogy-intensive leadership in these areas, the DoD has the potential to attract top talent, in a manner
analogous to the ability of the National Security Agency (NSA) to attract top mathematicians. Although
it is important to “grow the ranks” in these areas, the DoD cannot sustain leadership unless it recruits
and engages top technical talent.
Summary
Because the DoD does not currently have the requisite expertise and talent it needs for effective
software producibility and because the rapid pace of software development demands ongoing interac -
tion with the field, the DoD must engage experts outside the DoD and its primes. This engagement, to
be effective, should be accompanied by internal processes to apply and incorporate contributions and
feedback to software projects throughout the systems engineering lifecycle. In other words, the DoD
should adapt processes to facilitate input from outside experts throughout the systems engineering
lifecycle for software-intensive systems, with particular emphasis on innovative/unprecedented and
large-scale systems and on systems engineering efforts involving iterative processes.
It is essential to sponsor high-quality software-related research projects. Investing in cutting-edge
software defense projects creates value not only in advancing innovation, but also in developing a
pipeline of technical experts with experience tackling DoD software producibility issues. University
research funding supports research opportunities for undergraduates, graduates students, and post -
doctoral researchers. DoD engagement with the next generation of software experts at formative stages
in their careers can encourage exploring a career within the DoD, thus increasing the available pool of
cleared software professionals.
Also crucial is support for defense-relevant top-tier educational programs in U.S. universities to
strengthen the pipeline of top technical experts. Targeted postdoctoral grants may be another avenue
through which the DoD can encourage emerging software professionals to choose careers in the DoD.
Finding 2-6: The DoD has a growing need for software expertise, and it is not able to meet this need
through intrinsic resources. Nor is it able to fully outsource this requirement to DoD primes. The DoD
needs to be a smart software customer. This need is particularly significant for large-scale innovative
software-intensive projects for which there are cross-cutting software architectural requirements and
validation challenges.
The case for the DoD to have software expertise on its side of the table is compelling. Increasing
complexity, scale, and interoperability in a context of rapid innovation and sophisticated incremental
and iterative processes require the DoD to become a knowledgeable customer of software tools and
OCR for page 45
��
ACCEPT UNCERTAINTY: ATTACK RISKS AND EXPLOIT OPPORTUNITIES
systems. Direct access to this necessary expertise, in light of industry’s competing interest in hiring
similar professionals, is limited. For these reasons, a combination of (1) outreach to FFRDCs and similar
DoD focused organizations, academia, and industry and (2) internal DoD education and development
of software expertise is needed to bridge the gap.
Print
Share
Research
Rights & Permissions
