Joe Lin, co-founder and CEO of the VC-backed cyber firm Twenty, said private capital isn’t pouring into cybersecurity at the same rate as other defense tech areas in part because it’s unclear whether “true winners” will emerge. 

​​”This was an ecosystem [that was] very, very hard for outsiders to come in and join. So that barrier has gone down. That's the good news,” Lin said during Second Front’s Offset Symposium earlier this month. “I think the question is still out as to whether or not a company that is able to take a lot of money invested into private R&D is able to actually be successful in the space where, historically, there's been a lot of peanut-butter spreading in terms of awards—funding awards, contract awards—and whether or not there will actually be true winners that will come out of this.”

Make it work, make it malleable

The winners will make versatile technology that works as the customer needs, said Brian Carbaugh, ex-CIA turned co-founder and CEO of Andesite, a VC-backed defensive cyber data analytics startup. 

“There is a tremendous amount of noise. There are a lot of marketing dollars being spent,” Carbaugh told Defense One. “From a customer, from a buyer standpoint, you can see some elements of fatigue because they're having to sift through just so many vendors and pitches that oftentimes don't materialize.” 

Buyers’ expectations for cyber tools and services are extremely high, Carbaugh said, and  companies must deliver products that can “do all the things, all the time. Because, I think, what most of us in this space thought would be sort of innovative in terms of features and functionality—increasingly it's becoming table stakes.”

That’s not a warning shot for nascent companies, it’s an opportunity, he said. 

“The warning lights are blinking red in a lot of these [security] operations centers. The work that CISOs and their teams put in are, it's nothing short of heroic on a daily basis,” Carbaugh said. There’s technology now that can "optimize” and level up analysts “by wrapping this tech around them” and are auditable with a “very, very high security compliance.”

But as cyber threats and industry grow, the Pentagon may need a more tightly coupled relationship with the cyber industrial base. 

“There's an assortment of different companies that provide tools or services that are the ones that build and operate the domain on which we fight. They build our battlefield. We need to start partnering together so that they don't build the battlefield and we operate on it in a very disjointed way,” said Katie Sutton, the Pentagon’s cyber policy chief, during the symposium. 

That relationship must also leave room for tweaks and changes to cyber tools, said Maria Barrett, former commanding general of U.S. Army Cyber Command.

“It's also got to be about the vendor being willing to work with us, and right side the operator, or whoever the user is, to tweak it. Because, I think, that quality of adaptability by the industry partner and the willingness to be able to do that and deliver it quickly…that's the new normal,” she said on the panel.

Welcome

You’ve reached the Defense Business Brief, where we dig into what the Pentagon buys, who they’re buying from, and why. Send along your tips, feedback, and song recommendations to lwilliams@defenseone.com. Check out the Defense Business Brief archive here, and tell your friends to subscribe!

HASC’s NDAA mark. The House Armed Services Committee dropped its draft of the annual defense policy bill this week. Two things that caught my eye are related to supply chains: 

• One provision seeks to boost the solid rocket motor industrial base by creating a Pentagon working group that “would require that certain covered munitions have more than one solid rocket motor supplier.” 
• Lawmakers urge the defense secretary to “obligate and expend funding that has been appropriated by Congress for this explicit effort” 
• They also worry about the Pentagon’s use of direct equity investments in an established industry, such as solid rocket motors. “The committee also remains concerned with the sole use of equity investments with regards to expanding solid rocket motor industrial base when there are other tools that could be used in a more expeditious manner given the importance of increasing munition production," the draft said. 

• Another provision would require the Pentagon's industrial policy shop create a “Defense Supply Chain Risk and Response Program” to “develop a common framework across the Department of Defense and with contractors to enable a holistic and coordinated approach for identifying managing risks,” including cyber vulnerabilities, foreign investments, financial distress, and supply chain disruptions. 

Around the horn 

• The Navy has created new leadership roles for information warfare: Jennifer Edgin has been appointed assistant deputy chief of naval operations for IW requirements and capabilities; and Rear Adm. Susan Bryer Joyner as IW director. 
• Deloitte landed a $249 million contract to support implementation of the Army’s organic industrial base modernization plan. It was the only bidder. 
• The Justice Department arrested two defense contractors for bribery and fraud related to Army Pacific Command’s innovation hub in Hawaii. 
• Someone robbed the SEC.
• SpaceX just landed a more-than-$2 billion satellite communications contract. 
• One more cyber thing: The Pentagon is updating its three-year-old cybersecurity strategy and implementation plan, which cyber policy chief Sutton said will “set a very definitive vision of where we need to go” with “a very detailed action plan” for attacking persistent challenges, such as building a skilled workforce and making sure cyber operators have the most current tools.