The Air Force is beginning to see glimmers of progress under a sweeping plan that aims to eventually give its weapons systems the same amount of cybersecurity attention the service devotes to its traditional IT networks. But the effort is likely to take between five and seven years, partially because, at least for now, there’s little-to-no money behind it.
Officials working within the Air Force’s Task Force Cyber Secure settled on seven “lines of attack” for the Cyber Campaign Plan about a year ago. Among other objectives, they aim to ensure cybersecurity is “baked in” to new weapons systems and that existing platforms are secured as much as possible, deliver cybersecurity training to the acquisition workforce and use threat data from the intelligence community to inform the acquisition process.
Gen. Ellen Pawlikowski, the commander of Air Force Materiel Command, said nailing down the focus areas has let the Air Force start to take meaningful action to secure its weapons systems after having spent far too long “admiring the problem.”
Sponsored content: Is your agency prepared to defend the next cyber attack? Download the results of 2016 network security survey.
“We spent a couple years acting like Chicken Little and really didn’t do anything to get at this issue of our weapons systems,” she said Wednesday at the Air Force Association’s annual symposium in National Harbor, Maryland. “We all got trained on our networks. I still get sick to my stomach whenever I see a thumb drive because of all the training we’ve gone through about not sticking one of those in our computers, but we never really took a look at what to do on our weapons.”
Pawlikowski estimated only about $10 million-$20 million has been spent on the campaign in its first year, but all seven areas have shown some signs of progress, including through a new process in which the Air Force is assessing the vulnerability of its systems sorted by “mission threads”, not necessarily by big weapons platforms. The first such analysis is almost completed, she said.
“We have identified certain classes of equipment that we know we need to focus on first, including what I would generically call ‘support equipment,’” she told reporters following her speech. “That’s not been an area that’s gotten a lot of cybersecurity attention, but almost all aircraft get connected to some kind of automatic test equipment. There may be some fairly low-cost ways to secure those, such as training for the operators, because there’s only so many times per day that piece of equipment is exposed to a network.”
The campaign has led to new projects at the Air Force Research Laboratory, including one that’s meant to automatically detect variances in the data patterns that normally flow through a weapons system’s micro-circuitry and might be a signal of a cyber intrusion.
The Air Force has also held its first class designed to help acquisition professionals understand how to design their programs so they’re hardened and resilient against cyber attacks at their beginning. Until that expertise is more distributed throughout the Air Force’s acquisition community, it’s also assembled an expert team of cybersecurity engineers within the Air Force Lifecycle Management Center to advise program managers on an as-needed basis.
“We know this is going to be a high-demand, low-density capability in the beginning,” Pawlikowski said. “They’re going to support the program offices as they develop their cybersecurity, but it also includes education of the entire workforce. This is not something where a program manager or a financial manager can say, ‘I don’t do IT.’ We need all our airmen to be part of this, but right now I’m focused mostly on the people who can contribute to baking cybersecurity into our engineering processes.”
To help with that, the Air Force has also created a cyber test group to evaluate potential cybersecurity weaknesses within each of the new systems it builds as part of the routine developmental and operational testing that all systems have to go through prior to various milestone decisions in their development cycles.
As to the systems the Air Force already has in its inventory, Pawlikoski said the service would use the mission thread analyses it’s developing to close the most common vulnerabilities that tend to show up over and over again on various weapons.
“It’s a combination of the assessment of those systems to understand where the threats to them are, and the development of new techniques and approaches to plug those holes,” she said. “We are leveraging every expertise we can find. The RAND Corporation and MITRE are key players in helping us develop the mission thread analyses and we’ve been able to leverage that to figure out what to do with the systems we have today. But we’re looking for a combination of man-in-the-loop defenses and built-in hardening. We’re not expecting our industry partners to make our systems impenetrable.”
Pawlikowski told reporters the cost of secure existing systems is likely to vary widely — mostly according to how complex they are and how many of their respective “surfaces” are prone to external attack, but that it’s important to engineer security solutions that are also affordable.
“GPS, for example, is a capability that the U.S. Air Force provides to the rest of the world, and so our OCX program that provides command and control to those satellites has lots of interfaces with different systems,” she said. “It ran into a lot of challenges as we imposed what we thought were proper cyber requirements, because we tried to impose public key infrastructure between all of the software segments. We almost broke the bank of the PKI program office because of the number of certifications we were requiring. So the requirements flowdown process is going to require an evaluation of what’s the best technique to provide cyber protection. In some cases, it’s going to require a cyber operator monitoring the system at all times with a specific set of tools.”
The plan also points to the need for a flattening of the terminology the Air Force uses across different security echelons. Classified programs might have their own standards and terms for cybersecurity, but those are largely opaque to the rest of the acquisition community and tend to use a different lexicon than completely unclassified systems.
Open architectures also play a heavy role in the cybersecurity campaign. While the virtues of open systems are usually thought of in terms of speed and agility, including the ability to quickly swap new hardware or software components for others that aren’t as effective at meeting current missions, they also offer security benefits, Pawlikowski said.
“It lets us be responsive to a cyber threat,” she said. “I ought to be able to take a security improvement we’ve made on one weapons system and plug it into another weapons system rapidly, and at low cost. All of our systems need to be more adaptable and flexible to counter what will definitely be a changing cyber threat.”