COTS Is Only as Good as the Shelf

January 2001
By Col. Alan D. Campen, USAF (Ret.)

Commercial off-the-shelf procurement is now a fact of life for the U.S. Defense Department. This thrust is driven as much by economics as it is by technology advances. However, the headlong rush to commercialize the defense technology base is producing unwanted complications that threaten to undermine the original goals of commercial acquisition.

During the summer of 2000, several Defense Department components produced a flurry of contracts, pronouncements and vision statements about the changing roles and capabilities of the military services in today’s information age. These documents and actions clearly are intended to be mutually supportive. But on critical analysis, they seem at odds over the realities of a chaotic information marketplace, the utility of commercial products in war, the dictates of fully integrated joint or coalition operations, and above all, the conduct of asymmetric warfare with a host of nonpeer but still technically competent adversaries abroad and at home.

With the concurrence of the chiefs of each of the military services, the Joint Staff issued Joint Vision 2020. This milestone document elevates information operations (IO)—of which information systems are the key component—to equal status with dominant maneuver and precision engagement in the domains of sea, land, air and space operations. Joint Vision 2020 also forewarns of the transitory state of information superiority: that adversaries have access to the same information technology; that information systems add their own sources of friction and fog of war; and, above all, that commanders must be capable of command and control in the face of technology failure.

Concurrent with Joint Vision 2020, each of the military services has accelerated the acquisition of the best state-of-the-art commercial information equipment, systems and services that the marketplace can provide. That is the good news. The commercial marketplace can produce where the classic military arsenals could only promise. However, there is bad news too:

• Digital marvels that instantly materialize on the desktop can disappear precipitously.

• Software is produced in an industry where requirements for security and reliability routinely give way to functionality.

• Faulty software becomes the foundation of networks that cannot withstand disruption by willful adolescents, let alone focused, skillful and well-financed attacks from foreign and rogue states.

• Commercial digital networks may be incompatible with those of sister services or allies that may join in coalition operations (SIGNAL, November, page 41).

The U.S. Navy is well in the lead in both the scope and the speed of digital transformation, but it is far from alone. The Navy is seeking to emulate industry with its Navy/Marine Corps intranet (NMCI) that will lash shore and ships together into a network encompassing “the naval enterprise.” This initiative makes sense from a perspective of business, economics, modernization and efficiency. But, from the perspective of system security and fully integrated joint military operations, it may not be the right one. It leaves uncertainties, dependencies and incompatibilities that are largely beyond the control of the Joint Staff or any military service.

Nothing is inherently wrong with the employment of commercial information services in direct support of military operations. In truth, there often is no alternative. The uncertainty and risk with commercial off-the-shelf (COTS) products and services come from failing to recognize and losing direct control of “inherently governmental functions” to a contractor as well as with extending the reach of commercial products and services too far into the combat zone.

The fledgling U.S. Air Force would have fallen out of the tree in the 1950s were it not for technical representatives from companies such as Philco and Collins Radio. These representatives fleshed out communications staffs at major headquarters and kept receivers and transmitters operating at remote foreign sites, sometimes within earshot of gunfire. Korea and Vietnam were military operations where—strategic nuclear excepted—essential combat missions still could be conducted despite degraded communications.

But, communications now is a weapon of choice and necessity. Industry leaders such as Art Collins and Robert Sarnoff are long gone from the scene. Their seats are filled by a host of imaginative but intensively competitive entrepreneurs who are fighting their own wars in a marketplace and who are reluctant to add cost to products to satisfy more stringent military standards ordered by a minor consumer.

It is one thing to supplement military staffs with contractual support to meet the continually changing and unpredictable demands of technology or to gain operational efficiencies, modernization and cost savings through centralized network management. Often, no practicable alternative will emerge. However, it is another thing for the military to turn over the operation and maintenance of an entire warfighting information system to sources who will compete with the military for the same precious and limited talent and skills, and then be unable to reconsider and recover critical functions later because the in-house talent has departed (SIGNAL, November, page 46). It is also quite another thing to end up with a contractor brigade at the tactical level with civilians near the trigger (or keyboard) where a tactical mistake can result in a strategic catastrophe.

The U.S. armed forces are delighted to equip the 21st century soldier with broadband commercial information technology that enables the centralized control of military operations through global videoconferencing. But, the services are dismayed to discover that some digital devices will not function reliably in rain or dust, that fiber optic cables and tank treads do not mix, or that forces can be disconnected from a satellite that has fallen victim to fratricide and been deorbited, not by a foe, but by a competitor in the marketplace.

COTS and outsourcing will not go away—nor should they. The key to their successful employment is anticipating and managing their disadvantages as well as exploiting their potentials. The current but often ignored buzzword for this is “risk and consequence management.” Seat management contracts provide a new means of markedly reducing vulnerability to computer network attack. If system security is given top priority in procurement specifications, if government red teams continuously and ruthlessly scrutinize contractor products, and if substantial penalties for security breaches are assessed against the contractor—as a spokesman for the U.S. Navy promises with its NMCI initiative—then outsourcing can be a boon to security.

However, if the military wishes to emulate industry in the adoption of information technology, then it must heed painful lessons as well. One industry survey reports that half of the automated systems were never completed, and half of those that survived did not meet functional requirements. That is a dismal track record that industry can afford but the military cannot. Industry learned that nothing useful happens without commitment from top management and sweeping organizational changes to pave the way for innovative exploitation of technology.

A decade of experimentation with commercial products and services yields what could be called COTS constants:

• An inverse ratio—possibly exponential—exists between the utility of COTS and their proximity to the fog and friction of war.

• Ruggedization of COTS can be more costly and troublesome than a MIL-SPEC solution. Therefore, it is important to maintain a healthy in-house research and development capability.

• In system design, it is vital to establish the specific handoff point between COTS and military platforms and weapons.

• Integration of COTS and MILSPEC is a fitting task only for experienced systems integrators. This quality is not normally found in dot-com companies.

• The responsibility for determining the handoff to COTS is a management and operational responsibility that must not be left solely to technicians. Uninstructed and ignored—as they too often have been in the past—“techies” will deliver what is technically possible, not necessarily what is operationally essential.


Col. Alan D. Campen, USAF (Ret.), is manager of AFCEA International Press, contributing editor to SIGNAL, a member of the adjunct faculty, School of Information Warfare and Strategy, National Defense University, and contributing co-editor of the latest AFCEA book: Cyberwar 3.0: Human Factors in Information Operations and Future Conflict.