May 11, 2023

Series: Defence Strategic Review (C4 and Cyber)

On 24 April 2023, the Department of Defence released the Defence Strategic Review. In this article, we explore the key recommendations, themes, and implications arising from the DSR in the Cyber and C4 domain.

The C4 and Cyber Domains – Open architecture and cyber-hardened networks

Key recommendations and themes (C4 and Cyber)

Summary of key recommendations

In the Command, Control, Communications, and Computers (C4) domain, the DSR recommends that:

  • Defence adopts an open architecture approach in both hardware and software, in order to reduce integration complexity and costs, and break down technical barriers for Australian industry participation.
  • Defence’s C4 networks and architectures must be resilient to persistent cyber-attacks.

In the Cyber domain, the DSR recommends that:

  • Defence enhance its cyber domain capabilities to deliver the required responsiveness and breadth of capability to support Australian Defence Force (ADF) operations.
  • Greater investments are made in targeting systems and processes required to support the use of advanced and long-range weapons, undersea warfare, and integrated air and missile defence capabilities.

What does this mean for Defence procurement?

  • To facilitate the transition to an open architecture approach in both hardware and software, Defence may wish to utilise collaborative contracting approaches that incentivise vendor partnership and co-operation in high-risk and technically complex ICT projects.
  • This could also include:
    • adopting an ‘agile’ approach to contract delivery, which includes a framework for iterative delivery under the agile methodology for software development; and
    • utilising contractual pricing models that incentivise contracted hardware and software architecture partners to deliver innovative solutions, collaborate openly with other vendors, and share the financial ‘gain’ and ‘pain’ associated with their performance under the relevant contract - against either schedule or cost.
  • Defence may wish to consider the incorporation of penetration testing as part of the Verification and Validation (V&V) process, as well as the introduction of minimum ‘cyber-worthiness’ standards as part of the Function and Performance Specification (FPS) documentation used under the ASDEFCON suite of contract templates, to support the delivery of ‘cyber-hardened’ capabilities.
  • Defence should consider the potential benefits of acquiring ‘in-service’ and off-the-shelf software and hardware products through limited tender and sole-source procurement methods, in order to more quickly and effectively support ADF operations within the C4 and cyber domains, and weigh these benefits against any risks in doing so - to ensure appropriate mitigations are in place during contract formation and delivery.

The Cyber and C4 domains (in detail)

Despite the DSR only making three recommendations across the C4 and Cyber domains, significant changes have been proposed to Defence’s C4 and Cyber capability investment priorities, systems and networks architectures, and procurement processes.

Open architecture approach

In the C4 domain, the DSR recommends that Defence adopt an open architecture approach to hardware and software, resulting in the reduction of integration complexity and costs, and the removal of technical barriers for Australian industry involvement in Defence’s major software and hardware procurement processes.

Of the 62 total recommendations made by the DSR, the adoption of an open architecture approach to hardware and software was one of only 13 that were agreed-in-principle by the Government, with greater fidelity on its implementation to be provided in the 2024 National Defence Strategy.  Deliberation on how this recommendation is to be implemented and adopted is a testament to its technical complexity.

Defence currently adopts a closed architecture approach, meaning the technical guidelines and specifications of its foundational hardware and software systems are proprietary, and not widely disclosed to other vendors. This approach is analogous to the system architecture approach taken by Apple, which tightly controls what hardware devices can run Apple iOS, and which software vendors are able to write and install applications on its operating system.

An open architecture approach would require the technical guidelines and specifications of Defence’s major C4 networks and systems to be more widely accessible by other vendors. This would make the integration and further development of software applications hosted on these networks, and the upgrading of hardware components, less technically challenging, and would ultimately involve less integration risk for any new platforms or systems that are required in the future to inter-operate with the original platform.

Just how widely accessible these technical guidelines and specifications can be made is an open question, particularly where Defence has an obligation to maintain the security and integrity of its operational networks and systems to protect them from attacks by malicious actors.

Network resilience to cyber attacks

While not a formal recommendation, the DSR observes that Defence’s networks and architectures need to be resilient to persistent penetration attempts and cyber-attacks.

Reconciling the need to adopt an open architecture approach with the need for continued resilience to cyber-security threats will present a major challenge for Defence – one that it has previously mitigated through strict closed architecture controls.

Cyber capability enhancement

Within the Cyber domain, the DSR recommends that Defence enhance its cyber domain capabilities to deliver greater support to ADF operations. The recommended focus of these enhancements is:

  • integrating and centralising the security and management of these networks and architectures;
  • consolidating a single cyber domain capability development and management function; and
  • building and sustaining a trained Defence cyber workforce.

Investments in targeting capabilities

The DSR proposes that Defence invest in targeting systems to support the use of advanced and long-range weapons, undersea warfare, and integrated air and missile defence capabilities.

This is closely related to the recommendation to enhance Defence’s cyber capabilities to better support ADF operations. Defence will need to upgrade existing targeting systems, and in some cases rapidly acquire entirely new targeting systems, to support newly introduced capabilities across all domains.

Legal and contractual implications for Defence

Open architecture and collaborative contracting

To achieve an open software and hardware architecture within the C4 domain, Defence may wish to consider adopting an ‘agile’ approach to contract delivery, which includes a framework for iterative delivery under the agile methodology for software development (ie, an iterative ‘feed-back’ loop which validates and corrects errors quickly, and can foster new innovations throughout the development cycle), rather than strictly defined entry and exit criteria commonly applicable under a ‘waterfall’ milestone-based delivery method.  This would require operational and functional requirements to be defined in the relevant contract, but with a less prescriptive process as to how those requirements are ultimately met.

Traditional ICT hardware and software development and delivery contracting approaches, including the approach taken under the ASDEFCON suite of contract templates, predominantly focus on arms-length ‘waterfall’ delivery models wherein the principal provides payment, and the contractor delivers supplies or services.

More specific considerations may include:

  • IP and Technical Data:  In the context of open architecture, the requirement for software and hardware vendors to widely share the core technical specifications of software and hardware products that they have developed under contract with the Commonwealth may be at odds with the current Intellectual Property (IP) clauses in the ASDEFCON suite of contract templates.

In particular, software design data and source code are commonly excluded (often by default) from the Commonwealth’s IP licence under ASDEFCON contract templates. Additionally, under the Technical Data and Software Rights Schedule (TDSR), contractors are presented with the opportunity to designate source elements of their software and hardware products as Highly Sensitive Software and Technical Data, and impose restrictions on access by third parties.

Allowing other software and hardware vendors (including potential competitors) access to the software design data, source code, and hardware technical configurations of products of the developing party may present challenges and commercial risks to their proprietary tools.

  • Partnering and collaboration:  The delivery of complete open architecture software and hardware solutions within the C4 domain will require collaboration between the developers of Defence’s software and hardware ‘baseline’ networks, and other software and hardware vendors that integrate additional applications and tools onto these networks and systems.
  • Enterprise and ‘strategic partnering’ contracting arrangements, which seek to bring together multiple parties to deliver a coordinated contractual outcome (in this case, a complete open architecture ICT solution), may be more suitable commercial arrangements to drive collaboration among multiple parties in these circumstances.

For more information regarding the potential benefits of utilising collaborative contracting approaches, refer to our recently published article on this topic.

Penetration testing and ‘cyber-worthiness’

To strengthen the resilience of Defence’s C4 networks and systems, Defence may wish to explore the introduction of penetration testing requirements as part of the V&V process under ASDEFCON contracts.

  • Penetration testing:  The current V&V engineering process for supplies delivered under ASDEFCON contracts requires the contractor to pass system demonstration and operational testing and evaluation trials. The inclusion of penetration testing requirements within the V&V process would tie the Commonwealth’s acceptance of new C4 networks and systems delivered under contracts to the level of resilience the networks and systems demonstrate to penetration attempts.
  • Cyber-worthiness:  In addition, Defence could also consider incorporating ‘cyber-worthiness’ requirements as part of the FPS under ASDEFCON contracts. In the maritime and air domains, ships and aircraft must meet minimum ‘seaworthiness’ and ‘airworthiness’ requirements before they can be finally accepted into service by the Commonwealth. Accordingly, there may be cyber-security benefits to ensuring C4 networks and systems delivered under ASDEFCON contracts meet minimum ‘cyber-worthiness’ requirements before they are finally accepted and introduced into service.

Sole-source and off-the-shelf procurements

As noted in several of our entries in this series, the DSR has formally recommended that Defence utilise limited-tender and sole-source procurement methods more frequently, in particular where circumstances demand rapid delivery of ‘in-service’ capabilities that are utilised by Australia’s international partners.

Within the C4 and Cyber domains, Defence may achieve a faster speed to capability through the acquisition of software and hardware products from suppliers with a proven record of delivering similar capabilities to Australia’s key operational partners. Where such products can be readily identified in the market, limited tender and sole-source approaches to market may accelerate the procurement process, noting that an expedited procurement process does not always lead to expedited delivery of the required capability once in-contract.

Defence would need to carefully mitigate the risks associated with ‘limiting the field’ of potential suppliers, including through clear requirements setting prior to approaching the market, and the incorporation of contractual mitigations to closely manage schedule and delivery. Importantly, Defence would need to ensure compliance with the Commonwealth Procurement Rules (CPRs) and Defence procurement policies in respect of any limited tender approaches to market.

Further information

If you have any questions or would like further information on the commercial and legal impacts of the DSR in the C4 and cyber domains, please feel free to contact us.

Authors:

Rory Alexander, Principal

Nick Faulks, Senior Associate
