Slow moving procurement process in the armed forces makes it difficult to have latest IT systems
The procurement, by most nations, of major defence information technology (IT) systems has increasingly become a problematic undertaking for their armed forces; and India is no exception. Technology is moving faster than at any time in history, and the nature of the different threats that face democratic nations are developing at an alarming rate. This is partly because the people behind the threats understand what the latest technology can achieve and where there are holes in the security, and partly because by the time IT-based systems are introduced into service, the software and hardware are usually older generations with their vulnerabilities widely known.
Why should this matter to countries, such as India, who undertake large defence IT procurement programmes such as the ambitious Battlefield Management Systems (BMS)? As with many nations, it matters due to the way in which defence procurement is undertaken. In the case of the BMS procurement, its scope, size and complexity are compounded by both the very lengthy timescale that it has already taken to get started, and then inevitably the time it will take to implement it into the Indian Army. The speed of procurement is simply too slow, and I would suggest, the way procurement is undertaken is too rigid, all of which inevitably results in the bidders proposing established, older generation technologies as these are more likely to be successfully evaluated and accepted into service. This means that semi-obsolete technologies are likely to end up being deployed within the Indian armed forces, and will remain in service for decades making the problem of cyber threats even more likely to be realised. To summarise, the pace of technology development far outpaces traditional procurement process.
Most procurement of defence systems tend to be structured to make the act of buying more easily managed, as against ensuring that the procured system is best suited to software updates and migration to more efficient and cost-effective hardware adoption. Almost all IT procurements are made with accompanying through-life support, although these are usually small enhancements to the existing technological approach, but seldom involve a true migration path from an older type of technology to the latest. In the case of the BMS programme, it is likely that the initial system will be based around a set of distributed networks with third party sub-systems supplying and using data. However, the next generation of systems utilise multi-cloud environments where the cloud owners may be from different parts of the armed forces or even other nations and coalition partners, all of which may have different data protocols and security procedures. Indeed, some clouds may be stacked one-inside-the-other like the Russian toy dolls with many individual clouds existing within a larger cloud environment. Trying to include future technology into initial requirements, even over a limited period of a few years, is unlikely to succeed but resorting to buying old technology, in the traditional way, is also unacceptable. So, is there a solution to this apparent dilemma?
Large multi-national companies, such as those involved in banking or aerospace etc. all invest significant amounts of money into their IT systems. They do this because their technology controls almost every aspect of their international operations and any failure of these systems, or a successful cyber-attack, can be catastrophic to the whole business. As a result, their IT improvements are not a series of staccato steps but rather a continuum where the latest technologies are continually incorporated once they have been evaluated and their interoperability and security assured. This means that the IT departments of these companies are continually looking at multiple development paths, where interoperability and migration are all factored into their thinking and the final decision as to which route is adopted to the nature of the evolving cyber threats. Often, these companies employ ‘attack teams’ whose sole job is to attack their own system to find any gaps in their security.
I would suggest that a key differentiator that makes this approach possible for large commercial companies is the quality and size of their IT and cyber protection teams. These are invariably made up from some of the brightest people in their fields, and they are certainly not there to mend office printers for the staff!
Unfortunately, most government procurement organisations simply do not have this capability within their structures, nor really understand the need for it. Excuses can be readily made why this is not possible, but in reality, I believe it comes down to an organisation’s acceptance of risk management. Too often large organisations have the attitude that all risks are a bad thing and need removal even if that reduces the effectiveness of the business. This response misses the two main points. Firstly, risks can also equate to opportunity if you prepare to address them in a coherent manner, and secondly, you cannot avoid risks unless you stand still, do not buy new IT systems, upgrade the software and try not to do anything that generates uncertainty. For any commercial business this means certain death. So, the only sensible route forward is to embrace the risks, by understanding them and turning them to your advantage. In doing so, you stand a better chance of not only staying ahead of the threats, but also possibly turning the tables on the attackers.
For programmes like the Indian BMS ‘make’ programme there are some obvious implications. Either do things differently in terms of how the procurement takes place or run the very real risk of seeing old technology being delivered to your army along with the associated cyber risks that will accompany it.
At the departmental level, one alternative would be to adopt a more flexible procurement process, but it is recognised that this may be simply too big a change from where current Indian defence procurement currently sits. In this case an easier option would be to simply adopt one of the many ‘BMS’ that other nations already operate. However, the immediate issue that would have to be faced is that no ‘BMS’ solutions currently operated by other nations are the same as another, and, more significantly, none of them will match the aspirations of the Indian ministry of defence.
However, this need not be a show-stopper as India has the buying power to insist on significant technology transfer of both the hardware and software used in other nation’s BMS, although if the procurement model is to rapidly adopt new technology then the ownership of Intellectual Property Rights (IPR) to older technology becomes less important. This should produce immediate cost savings and could be realised by buying an ‘off-the peg’ system, but the key to this approach must be to immediately instigate a modernisation programme for the key data handling modules.
Inherently, this would make the Indian BMS different to the original version, and would reduce threats linked to the original system and starts the process of continual small changes to adopt new technologies. Clearly this is a non-trivial approach but it avoids the fixation with the need for large-scale one-off technology transfer with more emphasis being on interface exchange definitions and data structures, as these then open up the market to commercial solutions that are more timely and benefit from the wider investments made by other major IT users such as the banking and aerospace sectors. The obvious alternative is that the Indian procurement authorities just withdraw the programme as being ‘too expensive’, ‘too ambitious’ and leave the Indian Army with a system that does not meet their needs or aspirations.
Personally, I think this would be a retrograde step, albeit obviously very attractive to those civil servants and staff officers tasked with trying to untangle the requirements from what can be easily delivered now (established/old technology) or what new technology may deliver.
Almost any initial BMS procurement will inevitably be some kind of distributed network of many different systems, most of which may be working on well-established hardware, software and interface protocols. This is perfectly rational and to be expected, except that as time passes the risks of cyber-attack or simple obsolescence will, at best make individual systems vulnerable and at worst make the whole network redundant and not fit for purpose. The commercial world is moving towards secure clouds, and clouds within clouds, where differing ‘communities of interest’ are required to have dynamically changing access protocols to different data clouds. This is the model that needs pulling through to defence thinking and subsequently to procurement.
Possibly the only certainty is that the companies that supply and deliver the first BMS are unlikely to be the leading companies in five years’ time. The old, established approach to procurement is changing in many countries as budgets become tighter and response times for procurement are squeezed to meet operational realities. The big commercial gorillas of international and national defence manufacture have to change. To try and remedy this, in some cases they are trying to buy up the smaller, more nimble companies but unless the small businesses are allowed to retain their autonomy this seldom works for the very reasons that make the big companies unresponsive and costly in the first place. These smaller companies, with expertise in specific areas, are increasingly becoming the suppliers of choice for tomorrows defence needs. They are simply faster, cheaper and more rapidly adopt and deliver the latest technology in a coherent manner using open architectural designs which have really only been given lip-service in the past by the established industrial gorillas.
Key to all of this will be a strong governmental technical team that can help direct requirements for systems enhancements. The only certainty is that traditional government departments using procurement process that fit more readily with buying battleships, are not tuned to purchase modern network systems. As a result, such departments may turn their backs on an obvious operational need, leaving nations with capability gaps compared to with their counterparts.
The world does not stop and nor do the threats. It may be the case that the BMS ‘Make in India’ programme, is no longer possible due to any of the reasons stated above, so, then a novel solution must be found to support the Indian Army at the battalion level. A potential solution has been outlined above and, whilst this may not be the correct one, withdrawing into the back of the ‘procurement cave’ to spend a few years re-thinking will certainly do nothing but endanger India’s forces and make the work of those who would like to weaken India’s position far easier. The world does not stop for indecision.