The Air Force should use industry systems for cybersecurity, even the information highway that the Advanced Battle Management System will run on, because the infrastructure necessary isn’t within the service’s expertise and would require a culture and a workforce the Air Force doesn’t have, service Chief Scientist Victoria Coleman said.
Speaking during an AFA Mitchell Institute for Aerospace Studies streaming event May 18, Coleman addressed cybersecurity concerns and the recent Colonial Pipeline ransom attack, suggesting the Air Force should “let somebody else” build the defensive systems and infrastructure.
The Air Force “is a user of that infrastructure, … not a producer of that infrastructure,” she said. “I strongly believe that every time we produce infrastructure, we get it wrong, because that’s not our line of business.”
Much of the infrastructure for cyber “that we need to use will eventually have to come out of the commercial sector … the world out there that has built it, deployed it, scaled it, operated it, and learned what works, what doesn’t work—the community that maintains it.”
The Air Force struggles to field new technology in a timely way, Coleman said, “and it takes us years to change it.” That means the USAF just can’t keep up. She’s aware of no systems that don’t have vulnerabilities, and “the longer you have it out there, the longer the adversary has to find ways to find all those vulnerabilities it couldn’t find in the first place. The only way to avoid that is to have it change all the time.”
Constant updates would be unaffordable, and the service lacks the expertise and workforce to do such a thing, she said.
“If it’s not a core competency, let somebody else do it,” Coleman said.
While she readily admits the “private world has not solved this problem,” the Air Force would be “kidding ourselves” if it assumes that a custom-made approach will somehow allow it to “avoid all the pitfalls that a private-sector solution has.”
Information systems are vulnerable because they are “wicked hard” to connect, and “people just make mistakes” that adversaries exploit, Coleman said.
In a 2018 Defense Science Board look at microelectronics, which Coleman chaired, “we asked ourselves … ‘If it takes 500 people to do this, where would we find these people? Which school, … which companies would they come from?'”
In addition to her background—most recently as head of the Defense Advanced Research Projects Agency and from academia and various computer companies—“I came from Intel. I knew how good our people were and how hard we worked to make sure our devices were secure,” but “two decades later” vulnerabilities and hacks were still being discovered in old Intel systems.
“That’s not because Intel engineers didn’t care or they weren’t good; they were the best in the business. It’s just wicked hard.”
Coleman said cyber is “an arms race … I think it’s a war, but we’re better off fighting with our partners from the private sector,” she asserted. “They can take into account our mission and how it’s prosecuted,” but more than just the technology, “you also have to have the know-how and the culture for using it, so that you know what to do when it doesn’t work … ”
Coleman also said she’s excited about an Air Force storefront in Silicon Valley, California, which would have knowledgeable staff able to answer questions and engage with smart people who come in off the street with ideas and approaches the Air Force can use. She praised the efforts of former Air Force acquisition executive Will Roper for making a priority of engaging with small businesses and developing ways to help them capitalize, “so we can bring them back” as a contractor who can help, she said.