The Air Force’s in-house software factories, as game-changing new tools in speeding capabilities to the force, need special protection against hacking attacks like the recent Solar Winds incursion that compromised numerous U.S. agencies, including the Pentagon, service acquisition executive Will Roper told defense reporters Dec. 18.
The key to dealing with such attacks will be to build defenses that can not only keep cyber enemies out, but deal with intruders who succeed in getting inside protected systems.
The Air Force’s cloudONE, platformONE, and dataONE systems, which enable the entire development community to access data and software from anywhere, has become a “new kind of target, … a new thing to attack,” Roper said, because they’re enabling the service to advance capabilities rapidly. They are the Air Force’s “crown jewels … and must be protected as such,” he said. The service is employing red teams to attempt to break the system and find vulnerabilities. “We’re pulling out all the stops … to ensure it’s as tough as it can be.”
But the Defense Department is behind in developing defenses “that allow you to deal with adversaries that have already gotten in,” he said. It needs to make everything a “zero-trust” technology, with continuous monitoring.
“We don’t do that in the Defense Department,” he noted. “We certify things are impregnable,” while the commercial industry “assumes everything’s pregnant.” That leaves DOD to deal with intrusions, such as the Solar Winds breach, after the fact.
“I’d love to keep adversaries out, but I’d like to have a plan if they get in,” Roper said. As an analogy, he noted there are “lots of burnt castles in Europe. There are also burnt keeps … that are still standing because the defenders had a plan in case the outer barriers were breached,” or “fallback positions and defense inside the perimeter … That tells me just having a single perimeter that your adversary’s never going to get through,” isn’t a good strategy. Zero-trust technology “allows you to deal with the potential for malware and other bad software getting inside your castle,” he added.
The Air Force anticipated this and “we built cloudONE and platformONE with zero trust as a foundational tool, but we have to keep up” with the technology and augment it, he said.
There are “no free lunches in defense procurement,” Roper said. “If you create a game-changing approach” to acquiring new capabilities, as he said the –ONE systems and software factories do, “that approach is likely the new thing your adversary targets.” He added, “Welcome to the digital age.”
Asked if the –ONE systems can be scaled up to cover the whole joint all-domain command and control networks, Roper said they could, but with the caveat that old, analog systems will have to be accommodated on a case-by-case basis.
“I’m very confident we can scale Cloud and Platform…They are very scaleable, commercially. And we’re following that commercial design model,” Roper said.
He then joked, “Fortunately, some of our systems are so old I don’t know that anyone knows the coding languages to hack them.” Nevertheless, older systems will have to interact with USAF systems digitally, to a degree.
Any new system must be “fully digital” from the outset, he asserted, like “Formula One racing cars.”
“Analog things [are] going to have to live in both worlds, and we have to be clear-eyed [about] what is worth digitizing?” Roper noted. A system nearing retirement won’t be worth creating a digital twin of, “But you should at least digitize the data coming off of it, so we can do predictive maintenance … The data should be working for us, even if the system isn’t digital.”
As examples, he said the B-52 will have a “fully analog wing” but fully digital engines, once the aircraft is re-engined. The A-10, he said, is “more digital than you think,” because the Air Force “lost the authoritative source of truth” when its builder, Fairchild Republic, went out of business, and “we shifted from vendor to vendor” to subsequently sustain and upgrade the jet. “They had to create that digitally,” he said.