FARNBOROUGH, England—As the Air Force moves toward an even
more connected force that utilizes open architecture systems, artificial
intelligence, and machine-to-machine learning, it must also change the way it
acquires and develops those systems to ensure they are protected.
“Cyber is something you worry about every day if you do
acquisition because software is in nearly everything,” Will Roper, assistant
secretary of the Air Force for acquisition, technology, and logistics, told
reporters Tuesday at the Farnborough International Air Show. “It’s embedded in
things that 10 years ago did not have software.”
Aircraft today have many touch points where malware can be
introduced, from the diagnostic systems used by maintainers to the smart bombs
hanging off the wings to the data links that enable pilots to talk to each
other in the air. Pilots wear helmets that pull in data from highly sophisticated
sensors to give them better situational awareness, and in many cases even their
flight bags are now digital.
But all that technology can also pose grave risks to the
Roper said most of the conversations he’s had here at
Farnborough have centered around networking, saying DOD has a lot to learn from
industry on how it can improve software development—one of his top priorities.
While industry regularly looks inside its software for
things that are unusual or seem out of place, the Defense Department has
traditionally opted to build a perimeter to keep cyber attackers out, assuming
that anyone operating inside the network had already cleared security.
“That’s probably not the right way to build a cyber
defense,” said Roper. He compared it to the many once-grand castles throughout
Europe that were burned to the ground, noting how the mote that once surrounded
them proved to be a pretty poor defense.
The 2016 National Defense Authorization Act required the
Defense Department to conduct a vulnerability assessment on all of its weapons
systems by 2019. Kevin Fahey, assistant Secretary of Defense for Acquisition,
told reporters on Monday those assessments will let DOD know where it should be
spending money, and though he said the department is on track to meet its goal,
he noted the work will never quite be complete. “It will be ongoing,” he said.
Fahey said there is a “concerted effort” across the
department to incorporate cyber security into acquisition programs from the
very beginning. “We’re calling it, ‘delivered uncompromised,’” he said.
Eric Chewning, the deputy assistant secretary of defense,
said DOD is still working on a timeline for the delivered uncompromised
initiative, though he said industry has requested—and DOD plans to
provide—regular red teaming exercises to ensure industry is included in the
process and there are no security gaps.
At its chalet at the air show, Raytheon had a fairly large
cyber dome. Once inside you were transported into an intricate, 3D cyber world
that took the viewer inside the anatomy of a hack, providing a first-hand look
at what could happen if an aircraft, or military network, was attacked.
“Everything is connected, everything is vulnerable,” cautioned one of the videos playing in the dome. That’s why the company, which is most
known for its missiles, has made cyber security a “major focus” area.
“We deal with high-consequence mission operations and
everything that goes with that,” said Todd Probert, Raytheon’s vice president
of mission support modernization. He said the company has “tools we don’t
regularly talk about that” that will help its customers “close off
Raytheon also has a 31,000 square-foot cyber center located
in northern Virginia, just outside Washington, D.C., where it researches
vulnerabilities of platforms, systems, and software. Inside that center it also
conducts training exercises for “folks working inside” air operations centers,
said Michael Daly, Raytheon’s chief technology officer for cyber.
As Roper mentioned, many of Raytheon’s cyber security
capabilities look inside the system and try to understand what’s normal and
then flag what is not.
Cybersecurity is “never done. It’s constantly changing,”
said Probert, who noted that Raytheon has “deployed numerous systems … across
all manners of aviation platforms,” included fixed and rotary aircraft across all
Daily Report: Read the day's top news on the US Air Force, airpower, and national security issues.
Tweets by @AirForceMag