Air Force Space Command not spending on cyber defense of weapons systems

Of the $3 billion the Air Force Space Command spent last fiscal year on cybersecurity, not a single penny went to defending software vulnerabilities in weapons systems that Pentagon officials have said are at great risk.

Gen. John Hyten, head of the command, acknowledged the funding gap on Dec. 1, and Air Force CIO Lt. Gen. William Bender was asked to explain it the following day.

The Air Force's top leaders have held meetings on the lack of funding for weapons cybersecurity and are planning to allocate more money, Bender said Dec. 2 at a conference hosted by AFCEA's Northern Virginia chapter.

The Air Force Life Cycle Management Center "came to the table with a pretty big bill" for making weapons systems more secure, Bender said. He added that proposed funding, which he did not specify, would likely be pared down, but more money for weapons cybersecurity would definitely be needed.

Last year, the command spent $2.7 billion on network operations, with the remaining $300 million put toward offensive and defensive operations.

Bender's predecessor, retired Lt. Gen. Michael Basla, told FCW that the command's spending on cybersecurity was indicative of the sheer number of legacy systems the service has and that officials were seeking to do more policy planning around cyber mission areas.

Reacting to the revelation of zero funding for weapons cybersecurity, Richard Stiennon, chief research analyst at IT-Harvest, told FCW: "This is not a surprise considering that most weapons systems were sourced before there was any understanding of the need for cybersecurity."

Stiennon has estimated that there are 9 million lines of code in the F-35 joint strike fighter jet, plus 15 million lines in support systems. Securing all the code in weapons systems fielded by the Defense Department would lead to heavy costs, which officials are still scoping.

Weapons cybersecurity is an unrelenting problem for U.S. defense officials. Frank Kendall, the Pentagon's top acquisition official, has made the issue a key piece of his latest round of acquisition guidance to the DOD workforce.

"Many of the things that are in the field today were not developed and fielded with cybersecurity in mind," Kendall said earlier this year. "So the threat has sort of evolved over the time that they've been out there."

At the conference, Bender said getting cybersecurity right will require the Air Force to transform its workforce through training.

"We're the best Air Force in the Industrial Age, but we're living in the Information Age," he said.