A Cost Estimating Framework for U.S. Marine Corps Joint Cyber Weapons

Bradley Wilson, Thomas Goughnour, Megan McKernan, Andrew Karode, Devin Tierney, Mark V. Arena, Michael J. D. Vermeer, Hansell Perez, Alexis Levedahl

ResearchPublished Feb 2, 2023

U.S. Marine Corps Systems Command asked the RAND Corporation to assess the Marine Corps offensive cyber operations acquisition life cycle and identify ways to improve the transparency of related decisionmaking. The authors brought together data on operational capability, scheduling, and risk to develop a life-cycle cost-estimating framework. This framework should help Joint Cyber Weapons (JCW) program leadership understand the potential costs and provide additional guidance on budgeting considerations. It incorporates five classes of inputs and has three types of outputs.

In creating the framework, the authors considered the demand for exploits from the operational user, as well as the type of cyber weapon (e.g., exploit, implant, payload), the weapon's target environment (e.g., desktop or mobile systems), vulnerability decay rate, the adversary's defense capabilities, weapon cost, and how various acquisitions are phased in and out of service over time. The framework also addresses the production of cyber weapons, their costs, and how uncertainties are distributed over a specified period. The authors conducted exploratory modeling and simulation to better understand associated uncertainties and model inputs.

Key Findings

  • An assessment of the life spans of 133 historic vulnerabilities using open-source information found that the mean life span can be quite short for mobile and desktop vulnerabilities (three to five months, respectively) in situations in which potential adversaries have a high defense level (i.e., an ability to rapidly identify and patch a vulnerability).
  • The available data and assumptions about operational demand suggest significant uncertainty in the potential cost of the JCW program—a five-year total cost between $90 million and $290 million.
  • The cost-estimating framework presented in this report represents a foundation that will benefit from incremental improvements as understanding of the challenges improves and as additional historical data become available.

Recommendations

  • Consider the significant uncertainty of the life span of vulnerabilities during program planning and budgeting.
  • Collect historical data (and plan to collect future data) on the cost of procuring and operationalizing exploits.

Order a Print Copy

Format
Paperback
Page count
74 pages
List Price
$25.00
Buy link
Add to Cart

Topics

Document Details

  • Availability: Available
  • Year: 2023
  • Print Format: Paperback
  • Paperback Pages: 74
  • Paperback Price: $25.00
  • Paperback ISBN/EAN: 978-1-9774-1020-7
  • DOI: https://doi.org/10.7249/RRA1124-1
  • Document Number: RR-A1124-1

Citation

RAND Style Manual
Wilson, Bradley, Thomas Goughnour, Megan McKernan, Andrew Karode, Devin Tierney, Mark V. Arena, Michael J. D. Vermeer, Hansell Perez, and Alexis Levedahl, A Cost Estimating Framework for U.S. Marine Corps Joint Cyber Weapons, RAND Corporation, RR-A1124-1, 2023. As of September 15, 2024: https://www.rand.org/pubs/research_reports/RRA1124-1.html
Chicago Manual of Style
Wilson, Bradley, Thomas Goughnour, Megan McKernan, Andrew Karode, Devin Tierney, Mark V. Arena, Michael J. D. Vermeer, Hansell Perez, and Alexis Levedahl, A Cost Estimating Framework for U.S. Marine Corps Joint Cyber Weapons. Santa Monica, CA: RAND Corporation, 2023. https://www.rand.org/pubs/research_reports/RRA1124-1.html. Also available in print form.
BibTeX RIS

This research was sponsored by U.S. Marine Corps Systems Command and conducted within the Navy and Marine Forces Center of the RAND National Security Research Division (NSRD).

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.