I would like to assist the J’accuse readership in understanding the operations of America’s Department of War through a case study and policy proposal.

One of the great threats the conflicts in Ukraine-Russia and Israel-Palestine have exposed is the issue of GPS navigation jamming and spoofing, specifically among drone systems and guided munitions. In essence this is the process whereby an attacker imitates the operator’s command and control (C2) link for a weapon, using the relevant C2 frameworks, protocol exploits, or credential theft. Looking forward, the threats posed by electronic warfare (EW) and physical radio frequency (RF) attacks are estimated to be of utmost importance in a naval conflict in Taiwan. EW and RF attacks are characterized by proximate radio frequency emitters jamming or otherwise degrading links that transmit crucial data for proper flight and use. Publicly available EW kits have proven to undermine drones (UAVs) on battlefields.

Given this, it ought be concerning that the Cyber Resiliency Office for Weapons System (CROWS), one of the most effective bureaucratic bodies in this space, is an organization exclusive to the US Air Force. CROWS oversees the acquisition and sustainment of cyber technologies which are applied to a number of the Air Force’s major systems such as Lockheed’s F-22, General Atomics’ MQ-9, and Bell Textron-Boeing’s recently revived V-22. I argue that CROWS’s organizational architecture and Other Transactional Authority ought be expanded into the other major branches. With a number of venture-backed businesses^[1] and internal developments at the prime contractors (e.g., Lockheed Martin, RTX/Raytheon) oriented towards GPS-denied navigation, degraded environment maneuverability, and EW & RF capabilities it is necessary to adapt the success of CROWS to the other branches of the military to make full and effective use of these technologies.

The rapid innovation and implementation of unmanned ground vehicles (UGV), unmanned underwater vehicles (UUV), and unmanned surface vessels (USV) is also reliant on strong cyber standards and enforcement. A reader ought to glean from this essay how segmented, competent authority can more effectively acquire, update, and deploy government-focused technology. These small units of men can have outsized impact at relatively low expense (CROWS’s FY24 budget was a mere $37M) while operating outside all-too-common belaboring processes and constraints. Government startups, fresh and unlike today’s DARPA, can be more readily born out of the sort of bureaucratic infrastructure CROWS embodies.

The Cyber Resiliency Office for Weapons Systems finds its origin in the Congress. Every year Congress passes the National Defense Authorization Act (NDAA) which outlines the budget and expenditures for the Department of War, often rife with strategic priority recommendations. In 2016 the NDAA mandated the Pentagon evaluate in-house cyber vulnerabilities for all weapons systems. The Air Force Life Cycle Management Center (which oversees weapons systems over their “life cycle”, reviewing effectiveness and maintenance standards) stood up CROWS in response to the FY2016 NDAA, and the office was fully funded by Congress starting in 2018. The body directly reports to the Assistant Secretary for Acquisition, Technology, and Logistics and was chartered from the outset as a branch-wide organization (i.e., not merely as a unit within a single program and procurement office) thus enabling CROWS to influence all weapon systems across the Air Force. The two goals: “Bake cyber resiliency into new weapons systems”; “mitigate critical vulnerabilities in fielded weapon systems”. What is it about the office’s bureaucratic architecture that deserves praise and replication?

The key to CROWS’s advantage as an entity is its branch-unique integration with the acquisition lifecycle. Instead of performing cyber resilience checks after procurement of a new technology, CROWS establishes up-front requirements and contract language drafting. The office administers Cyber Focus Teams (CFTs) to the Program Executive Offices (the officers who review and acquire new technology for the Department) to effect this “baked in” approach. For offices of lesser priority the office publishes their Air Force System Security Engineering Cyber Guidebook, which was lauded by the Government Accountability Office (the seemingly lame, but ultimately triumphant DOGE predecessor and competitor) for unifying all cyber resilience standards and enabling implementation across the branch.

Beyond new acquisitions, the office was designed to facilitate updates on all existing weapons systems. Even decades-old jets and radars, like the B-52 bombers or the PAVE PAWS radar and E-3 Sentry AWACS, have relied significantly on the cyber resiliency office for upgrading avionics (in the case of the B-52 and E-3; avionics refer to the electronic systems used on an aircraft for communications and navigation) and securing patches to signal processing, filtering, and calibration in the case of the PAVE PAWS radar systems.

With respect to accountability and resourcing, the Air Force has structured CROWS such that it exists as a single Program Element in the budget. Program Elements are the most compact units of resources within the Department of War budget and they enable both structured oversight and much greater flexibility by virtue of not having to rely on Program Officers to dole out money from their already constrained budgets. This allows CROWS to quickly open new projects and experiments. For a recent example of this, we can look to CROWS’s facilitation of the Airspace Mission Planning Division overhauling their entire software suite with cyber resilience in mind. In essence the entity operates as a one-stop shop for all Air Force weapons system cybersecurity. Major General Patrick Higby, Air Force Director of Development Operations, referred to the office as “the cop on the beat” because of its direct authority to hold programs accountable.

Perhaps most important, CROWS has been granted Other Transaction Authority (OTA) which directly influences swift procurement. OTA is a unique contracting mechanism that defense agencies employ to speed up acquisition. It is a separate legal instrument authorized by Congress and was designed with the purpose of enabling research & development, prototyping, and follow-on production with fewer bureaucratic constraints than traditional Federal Acquisition Regulation (FAR) contracts.

Normally, with FAR, there are requirements regarding cost accounting, auditing, and socioeconomic clauses (these include small business participation goals, labor standards, equal opportunity and federal affirmative action, and domestic sourcing requirements). Without such requirements in place, OTA permits an office like CROWS to bypass procurement timelines for the acquisition of emerging, high risk technologies like cyber, autonomy, and EW. Moreover, the lack of small business and affirmative action goals allows CROWS to procure from startups and commercial tech firms, both of which are hindered by FAR contract structure’s associated cost and overhead.

IP rights, data, and cost are shared between the partners of the contract in order to make the opportunity more attractive for private businesses. Moreover, OTAs allow for non-competitive follow-on production and development so that, as long as prototyped technology has met the DoW-established standards, a technology can continue without competition. Beyond flexibility, OTA gives CROWS the ability to quickly and authoritatively solicit patches or seek out new encryption solutions in the case of, for example, the discovery of a zero-day vulnerability in a missile system (i.e., when a system’s software possesses a previously unknown flaw that an adversary could exploit before awareness).

By leveraging Other Transaction Authority and Cyber Focus Teams through a “baked-in” approach, CROWS delivers a less costly and more effective method of securing weapon system cybersecurity than retrofitting protections onto already completed Air Force systems. Allow me to provide some concrete examples. The US Navy’s Littoral Combat Ship (LCS—ships used near a shore or coastline) and Mine Countermeasures (MCM—tactics employed by the Navy to identify and counteract sea mines) package was delayed in FY24 deployment on the back of poor cyber survivability evaluations, resulting in no operational tests being conducted on the package.

Ultimately, the issue was caused by an unavailability of test assets spurred on by an expiration in cyber test funding at the end of FY24. This deferral means the Director, Operational Test and Evaluation (the individual responsible for ensuring systems are up to date and deployable) was unable to determine whether this LCS+MCM mission package was capable of combating cybersecurity threats and effectively defusing sea mines. This deferral is not a one-time slip-up caused simply by a misallocation of resources. Had CROWS been present, ring-fenced funding for cyber testing and red teaming (a stress testing operation in war games) would have already existed and contingency plans for test slips would have enabled alternative paths (e.g., surrogate platforms or hardware-in-the-loop simulation) to avoid the complete deferral witnessed in the LSM+MCM mission package situation.

Cyber testing assets would have matured earlier in the program’s lifecycle if they had an already existing Program Element. Deviations in cyber survivability evaluation would have triggered earlier oversight, thus avoiding slippage without visibility. All of the oversight and evaluation of the LCS+MCM’s situation was deferred to the Government Accountability Office, an organization separate from the Department of War, and it took months for a proper understanding and corresponding resolution to emerge. Similar examples abound.

In FY21, the Navy deviated from an approved test plan for the Tomahawk Weapon System (cruise missiles which strike land targets from a surface ship) by placing the Tomahawk “‘off limits’ due to the concern of inadvertently damaging these tests assets.” In turn, the Tomahawks’ cyber survivability assessments did not consider some cyber attacker profiles. In this situation, CROWS would have swiftly mandated a Cyber Survivability Key Performance Parameter (KPP) and Key System Attribute (KSA) at program initiation, so that architectural trade-offs would have considered cyber resilience (e.g., segmentation, zero-trust, fail-safe modes). In both situations the development of cyber testbeds and simulation environments early on would have avoided any “no test assets” delays.

Success of the CROWS’s model has been acknowledged internally. The Air Force intends to replicate CROWS’s structure having recently announced plans to prop up sister offices focused on Operational Technology (normally software & hardware systems that control physical infrastructure, e.g., programmable logic controllers or human machine interfaces), and Control Systems Cybersecurity (securing Operational Technology systems).

When we look at the cyber situation in the other services (e.g., Army, Navy, Marines, etc.) we ought take notice of the GAO’s identification of the Air Force as “the only service that has issued service-wide guidance” on cybersecurity acquisition and requirements. To start, funding allocation for cyber technologies in the non-Air Force branches is difficult to trace. It is divided among individual program budgets or general research & development and operations funds. Such funding architecture produces a “tragedy of the commons” scenario wherein program managers in the other services defer cybersecurity initiatives to another manager while they pour their focus into their sole delineated incentive: immediate performance goals.

When funding gets tight for cyber technology in these budget lines, procurement for, e.g., a communications bus on a M1A2 SEPv3 Abrams (the most up to date Abrams tank class) or encrypting a ship’s maintenance diagnostic port falls off the list of priorities. Back at the National Defense Industrial Association (NDIA) symposium in 2020, a retired Navy Acquisition official joked that while everyone supports cybersecurity in theory, few genuinely seek out funding in their specific program.

To be clear, there are various groups within the Army and Navy that address cyber technology’s deployment; however, neither service houses a holistic weapons-focused mandate and office like the Air Force’s CROWS. The Army hosts a Cyber Command (ARCYBER) and Futures Command (AFC), and the Navy has a Naval Sea Systems Command (NAVSEA) and Naval Air Systems Command (NAVAIR) with system security engineering teams, but neither has embedded these groups in the program executive offices in the way that the Air Force has with CROWS’s Cyber Focus Teams. The Space Force, in fact, relied on CROWS to embed cyber teams within their own acquisition programs.

Space Force Colonel Joseph Wingo praised the CROWS deployment, offering, “bringing folks like CROWS who have experience doing cyber resiliency work and thinking through that with weapon systems and then marrying them up with the engineers and [program executive officers] and bringing those forces together is going to get us a long way”. Such reliance demonstrates that no parallel organization exists across the commands to facilitate cyber acquisition and technology updates. At present, in the situation that, say, one of the Navy’s Aegis destroyers had an exploitable cybersecurity flaw, the solution would be distributed between the Program Manager, the Navy’s CIO (Chief Information) Office, and the Fleet Cyber Command.

From another point of view, no single entity or Program Element is dedicated to owning the cybersecurity problem end-to-end. CROWS, by contrast, would have been informed of the issue and directly addressed it through their own funding capability. The wide distribution of resolution authority likewise inhibits knowledge sharing across the service, opening up duplication (one of the major problems DOGE identified across the executive administration early on in their crusade) and also potential gaps in coverage with some programs avoiding rigorous assessment. When the GAO first issued their cybersecurity review in 2018 they noted the testing of weapons systems across the services was uneven.

The key to speeding up the deployment of advanced cyber weapons is fielding such technologies on schedule with bureaucratic confidence and support. Centralized Other Transaction Authority and early cyber tests enable CROWS to handle this better than the cyber commands in other services. While it would seem that increased oversight would delay advanced development, the fact of the matter is that both the international order and particular American military interests demand testing for conflict suitability and lethality.

Defining test authority and frameworks by technological category in the case of cyber, and not by geography or the applied weapons system, is the superior method for ensuring meritocratic excellence within the military bureaucracy. Any early stage and deep tech innovator or investor familiar with the government’s “Valley of Death” (the stage between demonstrated ability and production + deployment) will see how CROWS’s Other Transaction Authority paired with framework and standards authority can keep projects afloat amidst the broader bureaucratic structure of technology procurement. Fear and endless testing are overcome in this resolution.

Now, if one buys everything I’ve said up to now, one ought ask how to actualize this proposal. The first step revolves around senior leadership endorsement from Hegseth and the relevant Deputy Assistant Secretary for Cyber Policy (Laurie Buckhout — Trump’s appointee) followed by Congressional backing through FY27 National Defense Authorization Act language detailing how to establish such offices and with what amount of funding.

Once secured, one has to look to how to fit them into the other branches. The most sensible place in the Army would be their Materiel Command (covers the lifecycle of Army equipment—R&D, acquisition, distribution, maintenance, disposal) or under the Assistant Secretary for Acquisition, Logistics, and Technology (mirroring CROWS’s establishment). For the Navy, placing a CROWS under the Assistant Secretary of the Navy for Research, Development, and Acquisition (ASN RDA) would facilitate interaction with NAVSEA, NAVAIR, and their Fleet Cyber Command. The Air Force ensures CROWS’s legitimacy by having it report to a high level steering group which ought be replicated in the Army and Navy. Liaising with the Air Force’s cyber resiliency office would also permit the leveraging of existing tools like the Systems Security Engineering Guidebook.

Following on from my previous piece regarding the development and harnessing of the West’s young men, it is clear the most competent and visionary of our youth focus themselves on the technology sector. For the most part, government and bureaucracy needs to get out of their way for their excellence to shine. Lately I’ve been thinking in greater depth about the decline of the RAND Corporation (covered to some extent in Soldiers of Reason) and how to recreate, or reimagine, a government entity which can avoid democratic pressures while nevertheless harboring strong talent of our type. I admit I know little about the day-to-day life of CROWS (perhaps it’s as shoddy as that of DARPA), but it combines authority and a focus on frontier technology that I can’t help but imagine would attract men of some degree of cunning and hardness.

There ought be few illusions about “infiltrating the DoD” (in fact, that is probably more deluded than the capture of the judiciary), but any realistic “meritocratic” approach to the affairs of state must seek out all inexpensive, durable havens which can supplant exhausted, petrified bureaucratic systems and modes of order. Though Congress must guarantee offices such as CROWS, the Trump administration can effectively steer the early development and hirings of these offices which would be protected from administration turnover by de facto “lock-in”, like with most business software systems, caused by the requisite competence and tribal knowledge. If “American Dynamism” and “Reindustrialize” are to be actualized, not only will a tremendous amount of regulation need to be overturned by Congress but also military acquisition will need to orient itself towards technological expertise before mere “experience” or “credentials” (the great hurdle in the development of modern Western state) and grant contract authority on this basis. A more ambitious exploration of the American military bureaucracy would take on the socioeconomic clauses embedded in Federal Acquisition Regulation contracts, but for now this will do.

Anduril was founded in 2017 with the allegedly novel acknowledgment by Trae Stephens and Palmer Luckey that venture-backed startups, outside of Palantir, were inadvertently kneecapping their revenue growth by ignoring government technology allocation. It was believed that, at least in the defense space, that prime contractors were so entrenched with the government that no pockets of meritocratic acquisition existed. After major cultural changes in the then-Department of Defense (including the standing up of the Defense Innovation Unit as well as the development of offices like CROWS), this is less the case than before.

The next step in public--private development and partnership is to recognize the inverse of Anduril’s founders. As “public intellectual” or “grinder” status clouds the judgment of Silicon Valley’s investor class, its basis for determining talented founders—which effectively results in them “picking winners”—has withered such that it might as well be on par with the government’s emphasis on credentials and experience. More, as government contracts are increasingly competed on by venture-backed startups, an opportunity re-emerges for a halcyonic DARPA shogunate which places complete focus on technological development backed by government security. CROWS, to be clear, is not that; however, its combination of funding allocation authority and forward-deployed cyber teams is the type of leeway which functions as the prerequisite for this idea. Small, agile teams thinking from “first principles” and provided hands-on experience with the most important technologies for the empire’s dominion can be a hot-bed for this “government startup” notion which I intend to elaborate in the near future.

^[1] Example Startups: Theseus, PrismaX, Polymath Robotics, Albacore, Guardian RF, and Impossible Metals—not to mention major players in the space like Anduril and Saronic.