A longer continuing resolution in 2018 could add unneeded stress to a fledgling office trying to build cybersecurity into Air Force weapons systems.
“A [continuing resolution] has an impact on us, but it’s not stopping us,” said Danny Holtzman, Air Force cyber technical director, about the future of the Cyber Resiliency Office for Weapons Systems (CROWS), which is supposed to get its first official funding in fiscal 2018. “The Air Force has made this a priority and we are executing towards it, but obviously once the CR is lifted we’ll be able to go faster.”
CROWS will finish its first year in existence next month. The office was created to “bake in” cybersecurity to weapons systems and other programs by teaming with industry and Air Force components.
In its first year, the office made some strides in making cybersecurity a priority when building a system.
“We’ve formed seven lines of action. We have champions and leads in those areas looking at different aspects of the problem. We have teams, we are building plans and we’ve actually been looking at specific mitigations. We’ve been engaging with industry and with our partners, we formed a partnership with our [federally funded research and development centers],” Holtzman told Federal News Radio.
Those lines of action include integrating system security, creating a common security environment and using intelligence to enhance communication.
CROWS is also working with industry and parts of the Air Force on what “good enough” looks like in terms of cybersecurity.
When fighting against hackers, there are always holes in the dike, but the Air Force wants to focus on certain areas to bolster the defenses of systems.
“We’re helping them to spend energy in two or three focused areas, instead of a lot of energy in areas that aren’t necessarily as beneficial to the mission objectives,” Holtzman said.
“We have formed alliances and partnerships,” Holtzman said. “We formed an industry roundtable, we’ve been sharing information better with them. We had a recent meeting with a number of the [chief information security officers] that work in the industry defense industrial base to talk about how we share information better. We have opened up the communications channels. We have helped our programs identify how they can write better requirements that industry can respond to and we’ve published a guidebook for that.”
One of CROWS’ missions with industry is to understand the weapons systems being used. Since industry builds the systems, CROWS wants to work with companies in order to better understand where cyber access points are and how weapons systems can be penetrated.
“We need a better way of communicating that back and forth between industry,” Holtzman said. “When we buy a piece of hardware, we want to say, ‘Where did all the components in that piece of hardware come from?’ Do we know that? And if we can talk with them, they can start to track that like they do in commercial best practices.”
Of course, CROWS has had its own challenges as well in its first year.
Holtzman said cultural adoption is one of the biggest issues for the Air Force as a whole, and that means helping every airman understand the repercussions of their cyber actions.
“Everything touches the unclassified world, the internet, your data’s not protected once it leaves your possession. Those kinds of cultural adoption things are really key and the educational awareness of those are really key aspects of what we are trying to address,” Holtzman said.