[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



                                     

                         [H.A.S.C. No. 111-176]

 
 HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

                               __________

                                HEARING

                               BEFORE THE

   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                             JULY 28, 2010

                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

                  U.S. GOVERNMENT PRINTING OFFICE
58-232                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected]  
  


   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                LORETTA SANCHEZ, California, Chairwoman
ADAM SMITH, Washington               JEFF MILLER, Florida
MIKE McINTYRE, North Carolina        FRANK A. LoBIONDO, New Jersey
ROBERT ANDREWS, New Jersey           JOHN KLINE, Minnesota
JAMES R. LANGEVIN, Rhode Island      K. MICHAEL CONAWAY, Texas
JIM COOPER, Tennessee                THOMAS J. ROONEY, Florida
JIM MARSHALL, Georgia                MAC THORNBERRY, Texas
BRAD ELLSWORTH, Indiana              CHARLES K. DJOU, Hawaii
BOBBY BRIGHT, Alabama
SCOTT MURPHY, New York
                 Kevin Gates, Professional Staff Member
               Alex Kugajevsky, Professional Staff Member
                      Jeff Cullen, Staff Assistant


                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2010

                                                                   Page

Hearing:

Wednesday, July 28, 2010, Harnessing Small Business Innovation 
  for 
  National Security Cyber Needs..................................     1

Appendix:

Wednesday, July 28, 2010.........................................    19
                              ----------                              

                        WEDNESDAY, JULY 28, 2010
 HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Miller, Hon. Jeff, a Representative from Florida, Ranking Member, 
  Subcommittee on Terrorism, Unconventional Threats and 
  Capabilities...................................................     2
Sanchez, Hon. Loretta, a Representative from California, 
  Chairwoman, Subcommittee on Terrorism, Unconventional Threats 
  and Capabilities...............................................     1

                               WITNESSES

Lee, Richard P., Consultant......................................     6
Ricketson, John H., Chief Executive Officer, Dejavu Technologies, 
  Inc............................................................     3
Thornton, Roger, Founder and Chief Technology Officer, Fortify 
  Software.......................................................     4

                                APPENDIX

Prepared Statements:

    Lee, Richard P...............................................    46
    Miller, Hon. Jeff............................................    25
    Ricketson, John H............................................    27
    Sanchez, Hon. Loretta........................................    23
    Thornton, Roger..............................................    34

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
 HARNESSING SMALL BUSINESS INNOVATION FOR NATIONAL SECURITY CYBER NEEDS

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
     Subcommittee on Terrorism, Unconventional Threats and 
                                              Capabilities,
                          Washington, DC, Wednesday, July 28, 2010.
    The subcommittee met, pursuant to call, at 2:03 p.m., in 
room 2118, Rayburn House Office Building, Hon. Loretta Sanchez 
(chairwoman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE 
    FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM, 
            UNCONVENTIONAL THREATS AND CAPABILITIES

    Ms. Sanchez. The Subcommittee on Terrorism, Unconventional 
Threats and Capabilities will come to order.
    Good afternoon. I would like to thank everybody for coming 
today, welcome you all for being before us on a very important 
topic today.
    As Congress looks to develop its comprehensive approach to 
cybersecurity, we will need the perspective of many people, 
including our private sector and especially, I believe, our 
small businesses. Because, when you think about it, I think 
over 90 percent of the businesses in our Nation are considered 
small- and medium-sized businesses; and everybody, we hope, is 
using a computer for efficiency and effectiveness these days. 
And so it is important because you have a large majority of the 
people who work in our United States under you all.
    I am particularly excited about today's hearing because we 
do have small business representatives in front of us, and that 
is sometimes unusual for the Armed Services Committee. So we 
are really thrilled about that. One of the things we do know 
about our small businesses is that you are very capable of 
innovating much quicker than large businesses or even 
government. And if you have innovation, if a lot of the 
innovation and technology agenda is driven by small business, 
then that is actually one of those areas that we really do want 
to protect from people stealing our information or your 
information, as the case may be.
    So, today, the subcommittee is looking to discuss three 
main objectives for this hearing: One, the small business's 
view of the cyber challenge facing all of us today; secondly, 
the technologies that your business, along with others, are 
pursuing to address those needs; and the third thing is to 
identify systemic barriers to small businesses as they are 
entering the marketplace.
    The purpose is for the members of this subcommittee to 
further develop greater cyberspace expertise and awareness but 
also for us to have an open discussion of how Congress can 
address certain barriers to small businesses while those small 
businesses are trying to help us here in the government sector.
    And as our country works hard to improve our economy, the 
first place to take off will be small business. So in order to 
expand our economy, to grow it as so many of us I think pray 
every night right now, you really are key to getting that done.
    So, today, we hope that the witnesses will provide the 
subcommittee with a technical look at cybersecurity and what 
technology and resources are currently available to further 
protect the systems that small business actually plug into at 
the Department of Defense [DOD]. That would be another area 
where we are looking for tools and the hindrances or the things 
that you might suggest.
    So, today, we have three witnesses before us. The first, we 
have Mr. John Ricketson; and he is the Chief Executive Officer 
of Dejavu Technologies, Incorporated. So, welcome, and I do 
believe you are from California, right?
    Mr. Ricketson. Massachusetts.
    Ms. Sanchez. Massachusetts. What did my people do?
    And Mr. Roger Thornton, the Founder and Chief Technology 
Officer of Fortify Software. I know he is a Californian.
    And Mr. Richard Lee, an independent consultant who just 
came out of the government sector.
    So I hope you all will talk a little bit to us about the 
interface; and, once again, I look forward to your testimony. 
Without objection, we have put your written testimony into the 
official record.
    I will remind the witnesses that you have 5 minutes to 
address. You don't have to read your statement. You can talk 
about the main points or anything you might have thought, oh, 
gosh, I should have put that in there and I forgot. And, after 
that, we will ask a series of questions and hopefully you can 
answer them.
    And I will now yield to the ranking member from Florida, 
Mr. Miller, for his opening statement.
    [The prepared statement of Ms. Sanchez can be found in the 
Appendix on page 23.]

 STATEMENT OF HON. JEFF MILLER, A REPRESENTATIVE FROM FLORIDA, 
   RANKING MEMBER, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL 
                    THREATS AND CAPABILITIES

    Mr. Miller. I thank my good friend for yielding.
    Thank you, gentlemen, for being here. I hope you have at 
least been to Florida, if you are not from Florida. You might 
have traveled there once or twice.
    This hearing does come at an appropriate moment, because 
over the last several weeks General Alexander has in fact been 
conducting an aggressive road show explaining his vision for 
the U.S. Cyber Command, and the establishment of the Command 
follows the 2010 QDR [Quadrennial Defense Review] 
recommendations that centralized those operations. As the 
Department implements its vision and as the Command becomes 
fully operational this coming October, the Department has an 
opportunity to renew its relationship with the industry and 
small business in particular.
    Given the vital role played by small businesses and the 
community to develop innovative solutions to the challenges 
that we all see today, it is critical that both Congress and 
DOD have a thorough understanding of small businesses' view of 
the cyber challenges facing our Nation and eliminate those 
obstacles, as my good friend has already talked about, that 
many small businesses face when they contract with the 
Department of Defense.
    I do know that our time is limited. We do have a vote 
coming up in a little while. So I would like to ask that my 
full statement be entered into the record. And I yield back.
    [The prepared statement of Mr. Miller can be found in the 
Appendix on page 25.]
    Ms. Sanchez. Wonderful. I thank the ranking member of the 
committee.
    Now let us start with Mr. Ricketson for 5 minutes or less.

STATEMENT OF JOHN H. RICKETSON, CHIEF EXECUTIVE OFFICER, DEJAVU 
                       TECHNOLOGIES, INC.

    Mr. Ricketson. Well, thank you for inviting me.
    My name is John Ricketson. For the last 2 years, I have 
been managing Dejavu Technologies, which is a software provider 
of network forensic analysis tools. In my 30-year career in 
high technology, I have been associated with small companies 
for my entire career and about 40 transactions, equity-related, 
of small companies.
    Our management team is made up of serial entrepreneurs. We 
have four prior ventures, all successfully executed. This one 
is our first primarily focused on government. So we have had a 
fairly steep learning curve.
    I thought what I would do with the brief statement is start 
with the conclusion, which is we would strongly encourage small 
business policies to do a bit more towards encouraging 
innovation; and our view is that cybersecurity in particular is 
an area where the more ideas, the better. It is an arms race. 
Better defenses on more creative attacks and the more we can 
bring new ideas in, the better.
    I thought I would explain what we do just from the 
perspective of the core innovative idea that we have to present 
which has to do with, in the cybersecurity application, 
managing what might be, in a military metaphor, might be damage 
assessments.
    There is an infrastructure of many tools that are designed 
to block and prevent, but the fact is that breaches happen. 
They are inevitable. So we are helping with the process of 
discerning what happened, what machines were affected, what can 
be done about it in the future.
    The essence of our product is to search in a Google-like 
fashion everything that has happened for what may be going on 
that you don't know at the time it was captured. So it is a 
fairly simple idea, but it has big implications in terms of 
scale and features that make an analyst effective at that 
process.
    The principal challenge that we have with our big idea is 
how to find the sponsors within agencies for whom this would be 
helpful with their mission. It is harder to do that than one 
might think as a small company.
    So, in general, the small business policies have many noble 
goals: furthering economic development and job creation 
certainly, providing opportunities for groups that would not 
have those opportunities otherwise. It is more--it is easier to 
find those in the small-business-oriented programs than it is 
to find the programs that would help make more efficient the 
process of introducing new ideas and innovations.
    I guess there are a couple of anecdotes I referred to in my 
report which is I went to the local Small Business 
Administration [SBA] who have a number of programs, none of 
which really applied to our particular challenge.
    I guess another anecdote is not much of an anecdote. There 
was a lot of newspaper headlines about stimulus money, but we 
were unsuccessful at finding any.
    But, in general, there is a few hindrances to small 
businesses presenting their ideas, one of which would be 
software certification which is an important requirement 
generally unique to each agency and there is a fairly steep 
investment for a small company to provide.
    Another hindrance in general is security clearances. Again, 
very important, particularly in the area that we focused. But 
that requires a sponsor. So there is a bit of a Catch 22. When 
you introduce a new idea, to try to find the right people who 
can bring your idea forward and into the realm where it can be 
fully discussed.
    We had experiences with the outreach and small business 
programs at various agencies, which actually did their job 
fairly well, which is to provide a mechanism for small 
companies like us to register ourselves so that we are known. I 
think that some attention to those programs is well deserved in 
terms of funding and expansion, because the goal would be for 
our good ideas to find the right people and agencies who would 
care.
    Another type of organization we encountered was the 
technical intermediary, generally designed to represent the 
government to do technical assessment. And that is another area 
that would be very helpful.
    Again, the goal is new idea, find the right application 
that can really help the mission.
    So, in conclusion, I am trying to encourage the idea of a 
marketplace of ideas and smaller amounts of money distributed 
more broadly to bring those ideas forward and an information 
flow that is fair and can give every good new idea a chance.
    [The prepared statement of Mr. Ricketson can be found in 
the Appendix on page 27.]
    Ms. Sanchez. Thank you, Mr. Ricketson.
    Now we will hear from Mr. Thornton for 5 minutes or less.

   STATEMENT OF ROGER THORNTON, FOUNDER AND CHIEF TECHNOLOGY 
                   OFFICER, FORTIFY SOFTWARE

    Mr. Thornton. Thank you very much, Chairwoman Sanchez, 
Ranking Member Miller.
    I have prepared a short statement to accompany my written 
testimony today.
    I currently serve as the Chief Technology Officer at 
Fortify Software. I have worked in the information technology 
[IT] industry in the Silicon Valley for the past 23 years.
    My technical expertise is in finding and fixing and 
preventing software vulnerabilities that are at the very core 
of our cybersecurity dilemma. My current responsibilities 
involve the development and design of technologies that 
eliminate these vulnerabilities in order to make IT systems 
more resilient to attack, making software ``hacker-proof.''
    Fortify is a small company. It is a classic Silicon Valley 
startup. It was founded by myself and my three cofounders in 
the spring of 2003. Our customers include 8 of the 10 largest 
banks in the world, all the major branches of the U.S. 
military, and a majority of the telecommunication firms across 
the U.S. and Europe.
    Through the course of my work, I am familiar with the types 
of vulnerabilities found in our Nation's most critical 
infrastructure; and I can tell you with emphatic certainty we 
are in a desperate situation. My firm's technologies have 
helped conduct audits on thousands of critical IT systems and 
not once have we found a system without critical 
vulnerabilities. Typically, we find thousands of such 
vulnerabilities.
    One example set comes from a Fortify team that conducts 
audits and reviews of military systems. Over the course of 2 
years, that team has audited 601 applications across 141 major 
programs and found over 3.8 million security vulnerabilities, 
over 400,000 of which were deemed critical. Sadly, this is not 
an exception but has become the norm, as it represents a 
problem that is not currently receiving appropriate attention.
    There are two compelling reasons for you to consider and 
actively support the role that small businesses like mine have 
to play in solving cybersecurity issues.
    The first is economic. As Chairwoman Sanchez has noted, 
small businesses have historically been an incredibly important 
driver for job growth in our country, and cybersecurity is no 
exception to that rule.
    The second is innovation. Only a small company would have 
the audacity and impetus to challenge the status quo and offer 
an entirely new approach when there are entrenched solutions in 
place. Like many small businesses, my company was founded on a 
simple observation that challenged conventional wisdom and led 
to innovation.
    Our observations were this. I will share them with you 
today.
    IT systems are compromised of network, computers, and 
software running on those computers. The prevailing strategy 
for IT up to now has been to secure the networks by limiting 
access and attempting to block attacks. That traditional 
security strategy has failed us. It is outdated. It is 
fundamentally flawed. Simply put, nearly all software delivered 
today, including that which the Defense Department is going to 
use and all the critical infrastructure, will be constructed 
with major vulnerabilities.
    Consider those vulnerabilities as open doors for hackers to 
gain access to systems. Our adversaries have shifted their 
approach to leverage those open doors in software at the same 
time we have responded with more network security. The results 
speak for themselves.
    If we eradicate software vulnerability, then the attacks 
won't work. We can build software systems to be resilient to 
attack. This is very similar to the practice of building 
buildings that are resilient to fire, but we need to do a 
better job.
    This line of thinking represented a radical departure from 
the status quo, and in the Silicon Valley that means a new 
small business determined to solve an old problem in a new way. 
In spite of the strides we have made at Fortify and other small 
innovative firms, there are some extraordinary challenges that 
the status quo pose that I would ask for your support in 
overcoming.
    The first is a disproportionate focus on protecting 
hardware networks while the majority of the attacks are at the 
software layer; second, lack of clear policy relating to 
software security that leads to vague software security 
requirements and inadequate funding for software security 
initiatives; and the third is inadequate funding for fixing the 
vulnerabilities that companies like mine and others are finding 
every day.
    We have a strong conviction and have established high 
confidence that the right combination of technology, human 
capital, and process can confront the advanced persistent 
threat and ultimately protect us from cyber warfare. We look to 
Congress to establish a strategic policy guidance for cyber, 
and we applaud Congress for being so active. This inspires 
mature companies, mature small companies like Fortify, and also 
gives hope to the next generation of innovators.
    In conclusion, please let me compliment this subcommittee 
for your cybersecurity leadership. In particular, we strongly 
support the certification and the accreditation language 
included in the House-passed 2011 NDAA [National Defense 
Authorization Act]. Combined with the language contained in 
Section 932 of the Senate companion bill, these provisions are 
sorely needed to protect the United States in the domain of 
cybersecurity.
    I would like to personally thank Chairwoman Sanchez, 
Ranking Member Miller, and the members of the subcommittee for 
holding the hearing. We look forward to working with you and 
the talented House Armed Services Committee staff to help 
better strengthen our Nation's cybersecurity defense through 
effective software security. Thank you.
    [The prepared statement of Mr. Thornton can be found in the 
Appendix on page 34.]
    Ms. Sanchez. Thank you, Mr. Thornton.
    Now we will hear from Mr. Lee for 5 minutes or less.

            STATEMENT OF RICHARD P. LEE, CONSULTANT

    Mr. Lee. Well, thank you, Congresswoman Sanchez. I 
appreciate the opportunity to address the subcommittee.
    I believe that we have got--as you commented; I am an 
independent consultant previously working inside the Federal 
sector as an acquisition professional and am now in the small 
business sector attempting to assist others to understand how 
to bring their products to market.
    I believe we have to deal with the intersecting demands of 
the need to share information, whether it is in the commercial 
sector or in the Defense Department or government sector, and 
the need to protect that information, the three pillars of 
information assurance: the confidentiality, the integrity, and 
the availability.
    Our economy has become very dependent on the Internet. We 
are not going to be able to abandon that battle space but must 
be able to work through attacks on our Internet connectivity.
    Almost all of the things that we do on a daily basis, from 
personal banking to managing the logistics trail to get things 
into the warfighting theaters, for example, depend on Internet 
connectivity.
    I also understand that the subcommittee's focus is on 
harnessing the passion and innovation and originality and 
resourcefulness of American know-how. One of the things that I 
believe that my colleagues have mentioned is that we failed to 
take a holistic systems engineering approach to the problem and 
instead look at component piece part fixes that don't seem to 
ever solve the big problems. The issue of a Maginot line as a 
wall of defense is not going to work. It never has, and it 
won't work in the cyber domain, either. And we need to find 
solutions from a systems engineering perspective to harness 
that innovation.
    I believe there are three fundamental things that are 
causing difficulty for small businesses to get into the 
solution space: The first is the acquisition process itself, 
which I will address a little bit later. The second is the 
evaluation and the certification process that we go through in 
order to bring products and solutions into the cyber domain. 
And, finally, are the financial resources available to the 
small business sector in just being able to get their products 
to market.
    With respect to the acquisition process, I think that one 
of the issues we have and continue to have is that there are a 
number of large integrators who understand the acquisition 
process and can navigate it. Because of that, it is difficult 
to get innovation into their tool kit; and, consequently, when 
we are solving a problem, identifying and resolving a 
vulnerability, we seem to fall back on the same guys that got 
us here.
    If you recall Albert Einstein's comment, no problem can be 
solved from the same level of consciousness that created it 
and, thus, I believe your effort to harness small business 
innovation in this vital area.
    The evaluation and certification process is king in the 
governmental cyberspace domain. There is a whole army of people 
who can say no, very few people who can say yes when you want 
to insert technology into our environment. Most small 
businesses do not have the resources to navigate the 
certification process to be able to get their products into the 
domain to provide either vulnerability fixes or completely new 
and innovative ways to approach a cyber issue.
    And, finally, the ability to get into the cyber domain to 
identify the resources necessary requires a champion on the 
inside of government pulling that solution into the cyberspace.
    I believe that there are some programs in the executive 
departments and in the Defense Department specifically that do 
a good job of identifying and incubating innovative solutions. 
The Defense Advanced Research Project Agency [DARPA] has a 
number of programs, as does Defense Research and Engineering 
specifically on their ability to do the Defense Acquisition 
Challenge and their Joint Capability Technology Demonstrations. 
But, as always, transition into sustainment is the difficult 
part.
    As you noted, Congresswoman Sanchez, my remarks are in the 
record. So I will conclude there and await your questions. 
Thank you for the opportunity to address you.
    [The prepared statement of Mr. Lee can be found in the 
Appendix on page 46.]
    Ms. Sanchez. Thank you very much, Mr. Lee.
    I will remind members that--well, I will let you know that 
each of the members has up to 5 minutes to ask their questions. 
We will start with those who arrived to the committee prior to 
the gavel closing, and so I will begin by asking my questions 
of the panel.
    This morning, I met with Zachary Lemnios--he is the 
Director of Defense Research and Engineering [DDR&E]--in order 
to discuss this very topic of cybersecurity, and one of the 
main issues that was brought up was how we get the technical 
base right. I think that that is one of the crucial questions 
that we have for DARPA and for DDR&E working on that answer of 
what are the technical underpinnings to build a secure system. 
I know they are working with universities and with the private 
sector to try to answer that question. So I guess I would like 
to start by asking our witnesses here today what do you think 
are some of the technical underpinnings to build a secure 
system?
    And anybody can take a stab at it. None of you can take a 
stab at it. I know it is a ``why are we alive'' question, but 
it is one that we are struggling with.
    Mr. Thornton. Chairwoman Sanchez, I would be happy to give 
some comment on that.
    The gentleman you had a conversation with was definitely 
right on focusing on that. You can think about the resiliency 
of a system, and let us use this room to say its resiliency to 
not catch on fire. If we only focused on the fabric, let us 
say, and we knew the fabric was fireproof, what about the wood 
tables? What about the articles we bring in? What about the 
sprinkler systems and what have you?
    Cybersecurity today is fragmented into those that worry 
about access to the networks, those that worry about access to 
the computers, and my area of expertise, those that worry about 
the software programs themselves. And our adversary is not. 
They will look at our systems, they will look at all those 
components, they will look at the human interaction, find the 
weakest point and attack.
    So one of the things that has escaped us is in our systems 
engineering, the people that are ultimately responsible for an 
inventory management system for the military or a financial 
accounting system, is having those people with the purview of 
the entire system be the ones responsible for security. They 
still may need experts to help them, but we need to push the 
responsibility of security up the system to the senior-most 
people. That means a change in the thinking of education, what 
is the educational requirement to be a system designer, a 
change in roles and responsibilities----
    Ms. Sanchez. Are you talking from a hardware or software or 
both standpoint?
    Mr. Thornton. Both, both. So the key is every system has--
in information technology world, we call them system 
architects--people whose responsibility purviews across all the 
technical components, ensuring that security responsibility is 
held at that level.
    Ms. Sanchez. Great.
    Anybody else? Mr. Lee.
    Mr. Lee. Yes, ma'am.
    To pick up on the comments about systems engineering, one 
of the things that we don't do a good job of is recognizing 
that when we approach the certification of networks or the 
software that operates those networks, the computers and the 
software that runs on them, the evaluation process desires the 
use of standards which are good in and of themselves because 
they provide a bound for the evaluation process.
    Unfortunately, most of the standards that we rely on were 
built when the Internet was being evolved and were conceived in 
an academic environment where trust sort of existed between the 
colleagues. But as we have gone into a cyber world we can no 
longer trust the users, and sometimes we can't even trust each 
other.
    So we need to perhaps take a step back and figure out are 
there some inherent vulnerabilities and standards that we use 
in architecting our systems that will perpetuate 
vulnerabilities that we just can't solve. If that is the case, 
we need to take a look at, from a system's perspective, what we 
might do to change that environment; and I believe that is 
where small business innovation fits right into the sweet spot 
of that solution space.
    Ms. Sanchez. Thank you, Mr. Lee.
    Mr. Ricketson, would you like to comment or----
    Mr. Ricketson. Yes, I would.
    I guess my comment is maybe to challenge the underlying 
assumption of the question. I am skeptical that we could find 
what you referred to, technical underpinnings. I think the 
history of the Internet shows that all of the hierarchically 
driven networks fell by the wayside, and the Internet, with all 
of its decentralization and messiness, was the best solution.
    So I am skeptical of vendors that would promote their 
underlying technical solution, and I am skeptical of an 
organized body that would decide to pick winners. I think that 
we have an Internet that is decentralized, and we need to work 
on the issues of trust and monitoring and statistical analysis 
and stay on top of it.
    Ms. Sanchez. I, too, had that question this morning. I am a 
little bit more--after having spoken to both the DARPA Director 
and to Zachary this morning, I think they are going both ways. 
I think they are doing a double track to ensure that maybe 
there are, and maybe they are not. So that is a keen 
observation that you have just made. But I think they are 
looking at it from both standpoints: Is there a better way or 
is the Internet, with all its failings, the way we are going to 
go?
    Mr. Miller, my ranking member, please, 5 minutes.
    Mr. Miller. I would like to--and I will keep it brief--talk 
a little bit about the impediments.
    Mr. Ricketson, you talked about it as far as your visit to 
your local SBA office. SBA, small business initiative research 
programs, technology transition programs have all been 
successful for small businesses. I mean, it has been proven so.
    You talked about some specific instances with the others. 
You didn't really go into great detail. But what I would like 
to know is, have you used them in the past? Did you see the 
same thing Mr. Ricketson saw when you tried to avail yourself 
of some of the programs that were there? And what changes would 
you recommend to allow for greater participation of companies 
like yours in the software field?
    So if I could start with Mr. Lee and then work back to Mr. 
Ricketson, I would appreciate it.
    Mr. Lee. Yes, sir, Mr. Miller.
    So to go right to your question, I think one of the 
advantages that the Defense Department may have is to follow 
the lead of DARPA that they did with their challenge program 
where they put a problem out there and bring--or ask people to 
bring solutions to them in competition for an award. That 
certainly exposes innovation and innovative technologies for 
use.
    And from a prior government-side person, the two questions 
one always had to ask a contractor with a great solution was, 
A, how much is it going to cost and how do I get to you? What 
is the contract vehicle?
    The contracting process is so cumbersome that it is very 
difficult to get innovation inserted into our existing systems. 
We can do pilots, and we can do cultivation and incubation, but 
the transition into the environment is very difficult.
    Many of the innovators like Apple and their iPhone go to 
the commercial marketplace because they can get out there 
quickly. They have to identify their certification 
implementation process.
    The government is an extraordinarily difficult labyrinth to 
navigate for the small businessman, and he necessarily has to 
get married up with a big innovator who has different 
motivations sometimes than the insertion of technology.
    So I think there is a challenge in how you weigh, on one 
hand, open competition kinds of activities and the other is the 
insertion of new and innovative technology to solve the 
problems that we have. The programs exist. It is in the 
transition into the environment that it seems to be just so 
difficult to solve.
    Mr. Thornton. Congressman Miller, I would answer your 
question in thinking about two different ways that the 
government helps make streamline working with small businesses. 
One, driving requirements that require innovation, thereby 
giving the small business an equal footing on the playing 
field. And I would like to come back to that, because the other 
is more directly what you were asking, which is the programs 
that are in place for small businesses like ours to work with 
the government.
    I have been to a lot of seminars and sessions where small 
businesses complain that it is difficult to access the 
government and what have you. And I wouldn't sit here and say 
it is easy, but, in my experience, it is not all that harder 
than the banking industry or the manufacturing industry in that 
the government demands that you understand their environment, 
that you understand their processes, that you understand how 
they do work.
    So I think part of it is a little bit of level setting the 
education or what does it take to work with the government. The 
programs were there for us, but we--our very first revenue as a 
company came through an SBIR [Small Business Innovation 
Research] program with the U.S. Air Force, and neither myself 
nor any of my founders had any connection with the Air Force. 
We simply worked our way through the system and found that. The 
National Security Agency has been very helpful, sponsored our 
company for the right clearances that we need.
    So I do think programs that are in place, from what I 
understand and from talking to other entrepreneurs, there could 
be more education. My counsel to those other entrepreneurs is, 
if you want to work with the government and sell to the 
government, you are going to need to hire people that work in 
that arena, just like we have hired people that have worked in 
the banking arena and can help us navigate.
    If I could finish on my first point, though. When 
requirements that the status quo are not good enough are fed 
from the government to the IT industry, that gives the small 
innovator a giant advantage. So, from my vantage point, that 
is, security of just my network, it is not good enough. I need 
security of my software. But there is opportunities for that in 
just about every realm of cybersecurity. Demand more or better 
than what is currently being offered by the status quo.
    Mr. Ricketson. Nothing much more to add than what I had 
said. I think my modest proposal is to simply bring the 
criteria ``does it help innovation'' into the small business 
programs. Every program that I mentioned there was--it was a 
worthy program. So I am not knocking any of those. But we just 
need to do more. Thank you.
    Ms. Sanchez. Thank you, Mr. Miller. Thank you, gentlemen.
    I will now call on my good friend, Mr. Smith, from the 
State of Washington for his questions.
    Mr. Smith. Thank you, and I appreciate the chairwoman 
holding this hearing. It is a critical issue for our 
subcommittee.
    I think that for the government to get small business more 
involved the best ideas are out there I believe in the small 
business community, in many instances; and, as all of you have 
mentioned, it oftentimes is impossible for them to do business 
with the government and we in the government lose out, 
particularly on this subcommittee that works on IT 
infrastructure. But this expands out. We do a lot of work with 
the Special Operations Command. A lot of their needs requires 
updated better technology, and small businesses are the 
companies that can provide it. So we appreciate that.
    I think most of the questions have been answered. I will 
just throw this out there, if you gentlemen have anything to 
say about it in particular. What is the one thing you would say 
we could change about our acquisition or procurement policy 
that would most help small businesses get greater access, have 
the opportunity to be able to sell what they make or their 
services to government, in this case the DOD?
    Mr. Lee. Sir, I would like to take a cut at that.
    I think that because we in the acquisition process tend to 
wind up with the big integration companies that have deep 
pockets that can navigate the bidding process system and know 
how to write a proposal that a government evaluator can read, 
understand, and accept, we tend to get the sameness of the 
solution competing on price.
    One of the things that might help is if there were some tax 
code incentives or other kinds of things where some of the debt 
and/or operating loss that a small business necessarily incurs 
while they are trying to do this innovative thing and get their 
product to market could be used somehow by the large integrator 
to help offset some of his financial activity. He may be 
incentivized to try to bring in some of the new innovative or 
novel ways to solve some of these cyber problems.
    Some of the people that I have worked with have taken a 
systems engineering perspective and have a new way of looking 
at the networking architecture to be able to insert distributed 
defense-in-depth kinds of activities, firewalls, for example, 
instead of building it at the boundary like the Maginot line. 
But that technology is extraordinarily difficult to stick into 
the system because the large integrators are unfamiliar with it 
and just don't have a way.
    Mr. Smith. Shouldn't there be a way to do this without the 
large integrators, in some instances? I guess that is--we have 
small businesses come to us all the time; and, regrettably, one 
of the first things we have to tell them is here is the eight 
biggest defense companies; find one and partner with them. But 
shouldn't there be a way that a small business can simply do it 
without having to go to a large integrator?
    Mr. Lee. Sir, one of the problems from my perspective is 
that the evaluation and certification process has so many 
people demanding ``certify me'' because it is great to have 
that certification label on your product. And, in some cases, 
particularly for government networks and environments, you need 
that evaluated product certification in order to even be 
considered. If you don't have the champion inside the 
government pulling on your solution, then you need that 
integrator to be pushing you into the environment as part of a 
systems approach that he has recommended or has been hired to 
implement.
    Mr. Smith. What I would like to do--and it is something we 
have worked on a lot with different companies--is get the 
acquisition people out there to be looking for you guys. 
Instead of seeing one of you guys coming and going, they don't 
know what they are doing, better call somebody bigger, they 
say, I am going to take a closer look.
    So I think, from our perspective, we need--and this has 
particular application on the cybersecurity side. Because, as 
you gentlemen have noted, you are cutting-edge innovators on 
that, in many instances, but we need acquisition people who can 
move past that.
    I accept your answer. I am running out of time. I don't 
know if the other two gentlemen wanted to comment at all on how 
you would change the process.
    Mr. Ricketson. My big idea may not actually be a good idea. 
I would love to have someone validate it. So my idea--I make a 
technical claim. That technical claim may or may not be valid. 
Even if it is valid, it may or may not forward the mission.
    So I will give you an example. We have a search capability 
that is supposed to scale. That means you can search into huge 
amounts of data. The word ``petabyte'' comes up. The petabyte 
is bigger than I can count, and products break down in 
situations of stress like that.
    So if there is a technical intermediary that represents the 
government that can take a claim and say, yes, this is true and 
has the credibility inside the government with the technical 
sponsors, that is a major step forward and is independent and 
is a level playing field between a big and small company. It is 
just about the idea.
    Mr. Thornton. And, Congressman Smith, if I can add--and I 
will caveat with I am not an expert in Federal acquisition. So 
this is an idea from a person who----
    Mr. Smith. That may be helpful, actually, that you are not 
buried in the minutia of Federal acquisition and can simply 
look at it from a practical standpoint. But go ahead.
    Mr. Thornton [continuing]. That is what I was thinking, is 
when I--in my experience, I have seen the Federal Government 
make some really smart acquisitions and other times where I 
questioned it, whether it was the best technical solution. One 
thing I noticed was the technical capability to define the 
requirements were employees of the Federal Government. I can 
give some examples. But, in general, when the system integrator 
is writing the requirements for the Federal Government, I think 
a lot of times those requirements are going to be not demanding 
the highest, latest innovations.
    So maybe a radical shift in theory but building up the 
capabilities inside of each of the agencies to have some top-
of-field technical people that can drive requirements, from 
personal experience I have seen that work quite well.
    Mr. Smith. That makes a great deal of sense.
    I think two directions we need to go in to get there. We 
have talked about this in a number of contexts, but our 
somewhat obsessive reliance or I should say excessive reliance 
on contractors since 9/11 has downgraded the number of people 
within the acquisition process who are talented and 
knowledgeable. There just aren't as many of them there, for one 
thing.
    But the second thing I always want to emphasize is to 
empower those people. I think part of what drives some people 
out who do have experience in the acquisition process is, if 
you are the type of go-getter, really knowledgeable, you are a 
person who wants to be empowered, you want to know if you make 
a smart decision you can implement it and see the result of it.
    If you are in the acquisition process and you can't make 
the decision and say, you know what, this company or--to your 
idea--this guy has this idea and you know what, it works, it is 
great, it is what we are going to do, but I cannot do it 
because there is an 18-month procurement process and it doesn't 
fit the RFP [Request for Proposal] that was written sometimes 2 
years ago. It doesn't really fit that RFP. So I would have to 
go back in, I would have to change the RFP, I would have to go 
through another 12 months, and then I come back to you and you 
go I don't remember who you are because it has been so long. So 
I think we need to empower people within the acquisition 
process.
    Thank you, Madam Chairwoman.
    Ms. Sanchez. I like the observations you made, Mr. Smith.
    And, of course, the other problem is, at a time when we 
have such a calling on the government to stop making government 
bigger and having this push to somehow--it is difficult, 
because we are dealing with very complex issues. We are dealing 
with people who get paid a lot of money. Everybody who is worth 
their salt in your industry is making money, and then we want 
them to come and work for the Federal Government. So that----
    Mr. Smith. If I could just comment. It is not a matter of 
making the government bigger. It is a matter of making it 
better. And we are paying the contractors. We are paying for 
those RFPs. We are paying for this acquisition process, which 
in many cases just winds up costing more. So I think you can 
accomplish both.
    Ms. Sanchez [continuing]. Well, we always try to do that, 
and I think that is part of what we did in the slimmed-downed 
acquisition programs that we are putting in place led by Mr. 
Andrews. But there is always that overlap time where we are 
trying to get out of one system and really make the other 
system work, and it is a difficulty. So I would agree with you. 
It is just difficult how we get to that.
    Mr. Ricketson, you said at one point in your testimony that 
we should encourage small business policy, that we should 
change small business policy or make small business policy to 
encourage innovation. If you were a Congressperson sitting up 
here and you wanted to change small business policy of the 
government to encourage innovation, how would you go about 
that? What would you propose would be----
    We have already got our small business innovation programs. 
We have pilot programs. We have got Mr. Lee saying, well, you 
know, the problem really isn't that you are not encouraging 
innovation in small business. By having some of these programs 
is when you get to a point these programs, that falls off--when 
we tell you, okay, here, we are going to throw you out of the 
nest and go fly, there is nobody to help you figure out how to 
fly as you spiral downwards into never-never land.
    So what would you say? If you were a Congressperson, when 
you say change small business policy or mold small business 
policy to encourage innovation, what would that look like? 
Because we also have R&D [Research and Development] tax write-
offs, for example. What would be--from your angle, what does 
that mean to you?
    Mr. Ricketson. I am honored to be asked, though I come here 
from the perspective of our small company trying to move 
forward, seeing some hindrances, offering constructive 
suggestions about areas to focus on. Far be it from me to make 
a lot of specific proposals.
    However, a comment you made a minute ago I wanted to 
respond to that I think is relevant. All of us--there is the 
challenge of big government versus--bigger government versus 
what we want government to do. And in the area of fostering 
innovation, small amounts of money at earlier stages yields 
much better returns than large amounts of money that are 
deployed in mature programs. So I would encourage the 
government to provide for small businesses that have ideas that 
seem like they might be interesting, services that eliminate 
those companies having to come up with the money and take that 
risk themselves.
    So a suggestion a moment ago, which is some technical 
claims are difficult to validate because they take an 
infrastructure that is beyond the small company to fully judge. 
And a technical claim goes beyond technology but also involves 
risk. Large companies, large integrators, complex procurement 
programs are, to some extent, a proxy for risk assessment. So 
if you can at least ask the organizations that are assigned to 
look after technology and small companies to bring innovation 
into their criteria and find ways to measure whether they are 
doing a good job, we are going in the right direction.
    Ms. Sanchez. The problem for somebody who is working in the 
government--I am not talking about us, because we are taking 
risks all the time. We have 2-year jobs, and then we have to go 
out and campaign again--is that it seems to me within the 
Federal Government, from what I learned, is that somebody who 
goes with the known quantity, a Rockwell or a Raytheon or 
something, is never going to get in trouble if he suggested or 
gave the contractor somebody like that. Because when those guys 
mess up--and somewhere along a large project there are a lot of 
mess-ups. You have to look at some of the subcommittees I have 
had before to know all the failings that I have seen. Well, it 
couldn't be done. We are the biggest, we are the best, and it 
couldn't be done. Or we just--you scoped it wrong or the specs 
were wrong.
    But if a government employee goes and gives it to a small, 
innovative company and you do fail, then it is like, well, 
didn't you know that was going to happen? Here is a company 
that has no track record or doesn't have the resources to cover 
the losses or look at all the time we have wasted.
    So it is really--it is a very difficult thing when I look 
at these government employees to be able to really take that 
type of risk.
    I would also say that is one of the reasons why we put 
DARPA in, because that is our risk taking, that is almost throw 
caution to the wind and go with bold ideas. It is almost a 
contrarian type of an agency.
    So I don't know if we need more DARPAs or what we need in 
order to give government ability to feel comfortable working 
with so many of these new issues and what is really a risk to 
your environment by definition because it is new and a bad 
attack of cybersecurity can get to all of us at once.
    Mr. Miller, do you have any other questions?
    Mr. Miller. Yeah. I would like to follow up on Mr. Smith's 
line of questioning in regards to insourcing.
    I would say that in the First Congressional District it is 
of great concern not only to me but to some of my constituents 
because I believe that the standards used in determining which 
jobs are to be insourced don't really use any true methodology. 
I think that, in many cases, the numbers seem to be arbitrary.
    But what I want to know and, Mr. Thornton, you had--when we 
were talking a minute ago, you were nodding your head. I 
couldn't tell if it was in agreement or dissent. My question 
is, have any of your companies been affected by DOD's 
insourcing? And, if it has, could you explain and offer your 
guidance to the committee on what jobs could be insourced from 
your field?
    So, Mr. Thornton, if you would; and then if the other two 
want to chime in, you can. If not, that is fine, too.
    Mr. Thornton. Thank you, Congressman Miller.
    I cannot say specifically that we have been affected by 
insourcing on any particular instance, but I can give an 
example where the government had in its employ some very sharp 
technical people that were ultimately driving the architecture 
of a major purchase. And this was at the Veterans 
Administration [VA], some of the people that work for Mr. Baker 
there, very technically astute, as good as you are going to 
find in private industry and what have you. And when you have 
an environment like that, the government as a customer is being 
very clear in terms of its expectations of your technical 
performance.
    I could cite some other examples where our company is 
working with a large integrator and the government employees 
are more program managers and financial folks and it is really 
the large integrator that is driving the technical 
requirements. And from my not expansive number of times I have 
seen that--I have only seen that a couple of times--it does 
make sense to me what Congressman Smith was saying. Were the 
government able to insource technical architecture, empowered 
individuals that can drive requirements, we will probably end 
up with more effective, cost-effective, more demanding 
requirements.
    Now, what does that mean to small business? I believe in my 
heart of hearts more demanding requirements is an unfair 
advantage for small business. When you ask for something that 
is not currently being built today, more times than not it is a 
small business that is going to be able to meet that 
requirement than a large company.
    And so one other way I might contrast that. My company does 
a lot of work with the Federal Government and a lot of work 
with the banking industry. As I mentioned with the VA, there 
were technical people in there that could easily work in the 
banking industry and drive the same requirements. Just about 
every bank we come into has technical people that manage the 
entire requirements process, set the bar for what is good 
enough, determine if the small business is making legitimate 
technical claims or not and really owns that. And as we talk 
here today--this is not an idea I came to bring to you, but as 
I listen to the discussion that does make a lot of sense to 
me--I think you would benefit from that.
    Mr. Lee. Mr. Miller, I think one of the issues you have in 
trying to insource is--I am going to bet, looking at us, that 
my colleagues and I grew up shortly after Sputnik went up and 
the Mercury space program kicked off and the United States went 
nuts for science and math and engineering expertise and the 
kids that I was growing up with were focused on that.
    The kids today are not as focused on that. We see our 
universities, particularly engineering schools, being more 
inundated by foreign students who take that expertise home. 
Those are the people that you need, the young kids coming out 
of school that you need to figure out a way to incentivize into 
the government.
    Unfortunately, there is a whole culture that seems to 
believe that a government job is, A, to serve the Nation but 
more, and as importantly, to generate a good pension coverage 
for when you get older. So the issue becomes, how do you 
incentivize those kids to come into the service, the government 
service to do the engineering work needed in order to make sure 
we are pulling the best out of the small business and getting 
it into our processes?
    I don't know if you can think outside the box and say, 
well, let us have a project, maybe run by DARPA, maybe run by 
some other organization. I know the services all have good and 
vibrant laboratories that do innovative things. Perhaps you run 
a pilot effort for a 2-year initiative to suspend the FAR 
[Federal Acquisition Regulations] and the DFAR [Defense Federal 
Acquisition Regulations], write some letter contracts and see 
what we can do, as my colleagues have said. And if the 
technical expertise and the delivery is good and the government 
side can figure out that it is good and can understand how to 
specify that on a grander scale, you now are in a position that 
government has learned, industry has learned, and we got out 
from under the acquisition umbrella that just seems to impede 
the process, which seems to be where we constantly found 
ourselves stuck in the labyrinth.
    Ms. Sanchez. Well, do you have any more questions, Mr. 
Miller?
    Mr. Miller. No.
    Ms. Sanchez. Okay. We are going to have votes in a few 
minutes so we will conclude this, but I just wanted to make 
some observations.
    I can't tell you how many times--and I live in Orange 
County, California, which is, as you know, an innovative--we 
carry the innovative agenda, as so many in California, and 
especially the defense, the aerospace, NASA [National 
Aeronautics and Space Administration]-driven issues, we have a 
lot of small companies that work in Orange County that have 
their people in Orange County, and there have been plenty of 
times I have seen where these small companies come to the 
Federal Government--they come to me and they say, we really 
have some ideas, and someone needs to hear these. You need to 
help us. Of course, we start banging on doors and stuff.
    The reality is, it is very difficult. As you say, unless 
you have someone who has been in the Pentagon day in, day out, 
or contracting, it is a very difficult thing for a small 
business and they really can't afford tons of lobbyists and 
specialists and everything and to put them out there for a year 
or two.
    As many of you know, the specs are written with, you know--
because a technical aspect may not be within one of the 
government departments that is doing this, they rely a lot on 
industry coming in and talking to them about what those specs 
for those RFPs should be. That is a long process. It is usually 
a year, two, three years before you see the RFP; and it has 
been written by somebody who already, you know, knows it is 
coming out. And yet you have the small business who wants to 
compete. It is very difficult, and they can't afford to 
compete. That is the truth.
    So we do need to find a new way in which we allow this 
innovation to get in here. Because I certainly see it out in 
the commercial area day in and day out where I live out there 
in California, and you don't see it here as much in Washington, 
DC.
    So I would hope that if you do have, given that some of you 
have hit your head against that wall or been at companies or 
heard stories, that you might do us a favor of sitting down and 
writing specifics about what we might change, what we might 
really try to change in order for these innovative ideas to get 
a fair shake out here in Washington, DC. That is what this 
subcommittee is about, at least with respect to the Department 
of Defense.
    I want to thank all of you for being here today. We really 
appreciated your testimony, and I would appreciate any follow-
up that you might have to this issue that I just laid out.
    Thank you very much. The subcommittee is now adjourned.
    [Whereupon, at 3:05 p.m., the subcommittee was adjourned.]
?

      
=======================================================================




                            A P P E N D I X

                             July 28, 2010

=======================================================================

      
?

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             July 28, 2010

=======================================================================

      
      
    [GRAPHIC] [TIFF OMITTED] T8232.001
    
    [GRAPHIC] [TIFF OMITTED] T8232.002
    
    [GRAPHIC] [TIFF OMITTED] T8232.003
    
    [GRAPHIC] [TIFF OMITTED] T8232.004
    
    [GRAPHIC] [TIFF OMITTED] T8232.005
    
    [GRAPHIC] [TIFF OMITTED] T8232.006
    
    [GRAPHIC] [TIFF OMITTED] T8232.007
    
    [GRAPHIC] [TIFF OMITTED] T8232.008
    
    [GRAPHIC] [TIFF OMITTED] T8232.009
    
    [GRAPHIC] [TIFF OMITTED] T8232.010
    
    [GRAPHIC] [TIFF OMITTED] T8232.011
    
    [GRAPHIC] [TIFF OMITTED] T8232.012
    
    [GRAPHIC] [TIFF OMITTED] T8232.013
    
    [GRAPHIC] [TIFF OMITTED] T8232.014
    
    [GRAPHIC] [TIFF OMITTED] T8232.015
    
    [GRAPHIC] [TIFF OMITTED] T8232.016
    
    [GRAPHIC] [TIFF OMITTED] T8232.017
    
    [GRAPHIC] [TIFF OMITTED] T8232.018
    
    [GRAPHIC] [TIFF OMITTED] T8232.019
    
    [GRAPHIC] [TIFF OMITTED] T8232.020
    
    [GRAPHIC] [TIFF OMITTED] T8232.021
    
    [GRAPHIC] [TIFF OMITTED] T8232.022
    
    [GRAPHIC] [TIFF OMITTED] T8232.023
    
    [GRAPHIC] [TIFF OMITTED] T8232.024
    
    [GRAPHIC] [TIFF OMITTED] T8232.025
    
    [GRAPHIC] [TIFF OMITTED] T8232.026
    
    [GRAPHIC] [TIFF OMITTED] T8232.027
    
    [GRAPHIC] [TIFF OMITTED] T8232.028
    
    [GRAPHIC] [TIFF OMITTED] T8232.029
    
    [GRAPHIC] [TIFF OMITTED] T8232.030
    
    [GRAPHIC] [TIFF OMITTED] T8232.031