Research Question

  1. How can the U.S. Marine Corps Systems Command increase the transparency of decisionmaking related to the acquisition of cyberweapons in the JCW program?

U.S. Marine Corps Systems Command asked the RAND Corporation to assess the Marine Corps offensive cyber operations acquisition life cycle and identify ways to improve the transparency of related decisionmaking. The authors brought together data on operational capability, scheduling, and risk to develop a life-cycle cost-estimating framework. This framework should help Joint Cyber Weapons (JCW) program leadership understand the potential costs and provide additional guidance on budgeting considerations. It incorporates five classes of inputs and has three types of outputs.

In creating the framework, the authors considered the demand for exploits from the operational user, as well as the type of cyber weapon (e.g., exploit, implant, payload), the weapon's target environment (e.g., desktop or mobile systems), vulnerability decay rate, the adversary's defense capabilities, weapon cost, and how various acquisitions are phased in and out of service over time. The framework also addresses the production of cyber weapons, their costs, and how uncertainties are distributed over a specified period. The authors conducted exploratory modeling and simulation to better understand associated uncertainties and model inputs.

Key Findings

  • An assessment of the life spans of 133 historic vulnerabilities using open-source information found that the mean life span can be quite short for mobile and desktop vulnerabilities (three to five months, respectively) in situations in which potential adversaries have a high defense level (i.e., an ability to rapidly identify and patch a vulnerability).
  • The available data and assumptions about operational demand suggest significant uncertainty in the potential cost of the JCW program—a five-year total cost between $90 million and $290 million.
  • The cost-estimating framework presented in this report represents a foundation that will benefit from incremental improvements as understanding of the challenges improves and as additional historical data become available.

Recommendations

  • Consider the significant uncertainty of the life span of vulnerabilities during program planning and budgeting.
  • Collect historical data (and plan to collect future data) on the cost of procuring and operationalizing exploits.

Table of Contents

  • Chapter One: Introduction
  • Chapter Two: Cost-Estimating Framework
  • Chapter Three: Exploratory Model and Simulation
  • Chapter Four: Conclusions and Next Steps
  • Appendix: Type, Cost, and Life Span of Exploits

This research was sponsored by U.S. Marine Corps Systems Command and conducted within the Navy and Marine Forces Center of the RAND National Security Research Division (NSRD).

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
