Cybersecurity

Red teaming isn't easy

Wikimedia image: The U.S. Navy variant of the F-35 Joint Strike Fighter, the F-35C, conducts a test flight over the Chesapeake Bay. 

Cybersecurity testing of the software that serves as the brain of the F-35 Joint Strike fighter has caused headaches in the Pentagon. 

The IT that supports the armed force's new Joint Strike Fighter is a complex system that serves as an example of the widening cybersecurity blind spots that can confront agencies, according to one Defense Department expert.

While the Autonomic Logistics Information System (ALIS) provides a single information environment for the Joint Strike Fighter's operations, maintenance, prognostics, supply chain, customer support services, training and technical data, it was also designed without considering some critical cybersecurity aspects, said Dr. Michael Gilmore, director of operational test and evaluation in the Office of the Secretary of Defense.

Experts on an Oct. 20 cyber resiliency panel sponsored by the Consortium for IT Software Quality in Arlington, Va., pointed to the rapidly growing Internet of Things as a difficult obstacle to cover, especially for complex defense systems.

Standard cybersecurity testing that's taken for granted to protect commercial IoT systems, Gilmore said, are not easy to get implemented in the defense environment. Unlike the standard continuous "red team" testing many commercial companies do on their software and system cybersecurity systems, the JSF and ALIS hadn't been developed with that kind of immediate, hands-on cybersecurity process. For instance, he said, ALIS requires workstations to be distributed across the globe to support the aircraft's deployment.

"That means all kind of people worldwide will have access" to the system and the aircraft's systems, he said.

There are other issues as well, Gilmore said.

 "If ALIS goes down, there was no thought about how to restore it" during the development of the system, he said. Also, getting defense program management offices to accept "red teaming" of systems, he said, "has been a struggle."

"It took months to get [JSF's contractor] Lockheed to arrange red team tests for the aircraft," he said. To be truly secure, both ALIS and the aircraft itself need to get red team tests to they're vulnerable. The aircraft can't get in the air without ALIS, he said.

Although there are efforts to develop cybersecurity testing in the defense procurement process, those efforts have been stalled, said Gilmore.

Intensive, immediate testing for system vulnerability, according to Gilmore and other federal officials on the panel, isn't as common across the federal acquisition process as it should be.

Getting basic, specific cybersecurity language into federal contracts, said Gilmore, is a problem. Without it, he said, security is hard to pin down. Program management offices at vendors will say "'It's not fair to test that way because it's not in the contract specifications,'" he said.

"Until you get meaningful metrics in specifications, the rest is just nonsense," he said.

"There's not a lot of specificity" in the cybersecurity language in solicitations to industry, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division. Letteer, speaking on the same panel, said the Marine Corp. uses its Cyber Range to "test the [expletive] out of systems" it plans to deploy to produce quantifiable data on them that can be addressed.

Martin Stanley, the branch chief of the Department of Homeland Security's Cybersecurity Assurance Branch, said his agency has found that below the need for cyber specifications, lies a more fundamental requirement to get basic IT practices and governance in place. "We share a lot of the same findings in civilian agencies and we're focusing on securing high value assets" under the president's Cybersecurity National Action Plan. As that assessment moves along, he said, the agency is finding that "basics matter."

DHS' review of other federal agencies under CNAP has found that some system's boundaries aren't well known by some operators, and that others have segmentation issues.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

  • Cybersecurity
    CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019

    Shared services and the future of CISA

    Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

  • Telecom
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA softens line on looming EIS due date

    Think of the September deadline for agencies to award contracts under the General Services Administration's $50-billion telecommunications contract as a "yellow light," said GSA's telecom services director.

  • Defense
    Shutterstock photo id 669226093 By Gorodenkoff

    IC looks to stand up a new enterprise IT program office

    The intelligence community wants to stand up a new program executive office to help develop new IT capabilities.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.