Under Secretary of the Air Force Matthew Donovan and Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics Will Roper speak to reporters at the Farnborough International Air Show in England on July 17. Staff photo by Amy McCullough.
FARNBOROUGH, England—As the Air Force moves toward an even more connected force that utilizes open architecture systems, artificial intelligence, and machine-to-machine learning, it must also change the way it acquires and develops those systems to ensure they are protected.
“Cyber is something you worry about every day if you do acquisition because software is in nearly everything,” Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics, told reporters Tuesday at the Farnborough International Air Show. “It’s embedded in things that 10 years ago did not have software.”
Aircraft today have many touch points where malware can be introduced, from the diagnostic systems used by maintainers to the smart bombs hanging off the wings to the data links that enable pilots to talk to each other in the air. Pilots wear helmets that pull in data from highly sophisticated sensors to give them better situational awareness, and in many cases even their flight bags are now digital.
But all that technology can also pose grave risks to the warfighter.
Roper said most of the conversations he’s had here at Farnborough have centered around networking, saying DOD has a lot to learn from industry on how it can improve software development—one of his top priorities.
While industry regularly looks inside its software for things that are unusual or seem out of place, the Defense Department has traditionally opted to build a perimeter to keep cyber attackers out, assuming that anyone operating inside the network had already cleared security.
“That’s probably not the right way to build a cyber defense,” said Roper. He compared it to the many once-grand castles throughout Europe that were burned to the ground, noting how the mote that once surrounded them proved to be a pretty poor defense.
The 2016 National Defense Authorization Act required the Defense Department to conduct a vulnerability assessment on all of its weapons systems by 2019. Kevin Fahey, assistant Secretary of Defense for Acquisition, told reporters on Monday those assessments will let DOD know where it should be spending money, and though he said the department is on track to meet its goal, he noted the work will never quite be complete. “It will be ongoing,” he said.
Fahey said there is a “concerted effort” across the department to incorporate cyber security into acquisition programs from the very beginning. “We’re calling it, ‘delivered uncompromised,’” he said.
Eric Chewning, the deputy assistant secretary of defense, said DOD is still working on a timeline for the delivered uncompromised initiative, though he said industry has requested—and DOD plans to provide—regular red teaming exercises to ensure industry is included in the process and there are no security gaps.
At its chalet at the air show, Raytheon had a fairly large cyber dome. Once inside you were transported into an intricate, 3D cyber world that took the viewer inside the anatomy of a hack, providing a first-hand look at what could happen if an aircraft, or military network, was attacked.
“Everything is connected, everything is vulnerable,” cautioned one of the videos playing in the dome. That’s why the company, which is most known for its missiles, has made cyber security a “major focus” area.?
“We deal with high-consequence mission operations and everything that goes with that,” said Todd Probert, Raytheon’s vice president of mission support modernization. He said the company has “tools we don’t regularly talk about that” that will help its customers “close off vulnerabilities.”
Raytheon also has a 31,000 square-foot cyber center located in northern Virginia, just outside Washington, D.C., where it researches vulnerabilities of platforms, systems, and software. Inside that center it also conducts training exercises for “folks working inside” air operations centers, said Michael Daly, Raytheon’s chief technology officer for cyber.
As Roper mentioned, many of Raytheon’s cyber security capabilities look inside the system and try to understand what’s normal and then flag what is not.
Cybersecurity is “never done. It’s constantly changing,” said Probert, who noted that Raytheon has “deployed numerous systems … across all manners of aviation platforms,” included fixed and rotary aircraft across all the services.