Air Force scrambles to harden weapons systems

Cybersecurity needs to be incorporated into all weapons systems from the outset, said Gen. Ellen Pawlikowski, commander of Air Force Materiel Command.

At the Air Force Association's Air, Space and Cyber Conference, she said the Air Force is a year into executing its seven-point Cyber Campaign Plan.

Under the plan, which is expected to take five to seven years to fully execute, officials are looking for vulnerabilities with to the goal of hardening existing systems and ensuring that new ones are developed with cybersecurity in mind.

"We want...our contractor teammates, our government engineers and contracting officers and program managers and financial managers to have the tools and the understanding to address cybersecurity as early as we can in the life cycle of a weapons system and a mission," Pawlikowski said.

She added that the Air Force is putting together a group that will test the cybersecurity of weapons systems in the development and operational phases.

The other half of the initiative is making existing systems more secure and resilient. Pawlikowski said the F-16 shows the nature of the challenge. The computer test equipment, mission planning data (which could have been generated on a number of computer platforms), the plane's operational flight platform and its spectrum-based systems are some of its vulnerabilities.

"You find that there are cyberthreat surfaces all over the place," she said. "So if we want to talk about how we make sure the F-16 is cyber secure and resilient...we need to address each and every one of those threat surfaces."

One of the challenges of hardening systems is the mix of government and industry hardware and software, but she said the Defense Department is increasingly focusing on cybersecurity requirements in the contracting process.

"If you're going to do, for example, software development," Pawlikowski said, "you may actually see us in some cases, depending on the criticality, go back to the 'trusted foundry' concept, where if we're concerned about introducing vulnerabilities by a chip, that you need to buy your chips from [specific] vendors to ensure that you are compatible."

Still, she said it's important not to overly burden industry with requirements. "The thing that I want to be careful as we do that is we don't end up restricting our ability to leverage the full scope of what this American industrial base can provide," she added.

Although potential vulnerabilities can be introduced into weapons systems through commercial hardware and software, Pawlikowski said companies are increasingly concerned about security. She cited the financial sector as an area where industry is striving for greater security, which means that in some cases, industry can provide more secure code than government.

"I think it's a two-way street," she said. "I'd really like to see the industry get together and look at this in a team environment so that we can...have them engage in developing that common security environment and helping to share tools that are developed."

Pawlikowski said some of the other lines of action in the Cyber Campaign Plan are growing the cyber workforce (including creating a cybersecurity engineering team), standardizing the language and terminology used to discuss cybersecurity, and improving cyber intelligence to better anticipate and plan for future threats.

Some of the solutions will not necessarily involve new technology but better use of existing tools and resources, Pawlikowski said, adding that the current uncertainty about the defense budget is hindering progress on hardening weapons systems.