Air Force hackathons show some ways security can be too much of a good thing

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Air Force is in the midst of a series of hackathons, but not the sort the federal government has started to get used to. Instead of trying to find and fix holes in the cybersecurity apparatus, they’re trying to figure out what’s possible if the security rules are relaxed.

The thesis, at least in this case, is that the same safeguards that ostensibly keep the bad guys from seeing DoD’s data also prevent its own developers from doing useful things with it. One initial takeaway, according to its main backer, is that big Pentagon ambitions like Joint All-Domain Command and Control simply can’t be done under the current data protection regime.

The hackathon series is dubbed “Bravo.” The first event happened in January; the latest wrapped up just last week at three locations: Joint Base Langley-Eustis, Virginia; Patrick Space Force Base, Florida; and Eglin Air Force Base, Florida. In short, the objective is to see what development teams can do to solve real-world use cases in the span of just a week, once they’re given access to real-world classified, operational data.

Stuart Wagner, the chief digital transformation officer for the Department of the Air Force said the events are meant to start tackling what he thinks has been a problem for DoD’s attempts to foster bottom-up innovation from its workforce: namely, that the people with ideas very rarely have access to the information they need to show that their solutions can work.

“If you have a new idea, you end up being in a space where you effectively need to know what to build, how to build it, how much it costs, and you need to have money. And the problem is, when you start with a new idea, you don’t know those things. So we created a hackathon series to try to solve that problem,” he said during an event hosted by Cognilytica. “Bravo costs one week and allows you to use what would otherwise not be approved software, using classified, operational data. We’re going to allow them to build emergent capability, and demonstrate what’s possible in one week of time.”

Wagner said one of the biggest lessons from designing and implementing the hackathons has been how hard it actually is to move classified data around the Department of Defense under normal circumstances. In some cases, that’s because the technical capability doesn’t really exist to move information from system to system.

“For the hackathon that we ran at Nellis Air Force Base, we sought to collect telemetry data. What we found was that the fastest and most reliable network for classified data in the United States Air Force is the United States Postal Service,” he said. “This was actually quite shocking to me. If we’re leveraging data that is sent on physical devices and is then couriered or sent via the mail, I don’t know how we’re going to develop the capabilities that are being requested and required by the most senior leadership within the Department of Defense … we cannot even obtain visibility into our own systems if I need to make a special request to get the data.”

Wagner said the other barriers fall into other buckets that have more to do with policy and culture.

He says classified information — the kind that, by definition, the Air Force needs to share very, very broadly to make concepts like JADC2 work — is reflexively hoarded and siloed. And much of it is held in systems that are designated as special access programs (SAPs).

And what happens when you try to combine data from more than one system or classification level? The protection level always goes up, and the number of people legally authorized to see the rebundled package shrinks even further. If they’re SAP programs, the engineer working on the project might need clearance for all the ingredients in the recipe.

“Some of the primary systems I think about are the F-22, the F-35, and the F-15EX Eagle II. Notably, all of these systems are both sensors and shooters. So if I want to produce [the Advanced Battle Management System], I’m going to need the sensor data, I likely will also want any sort of command and control-related data from these systems, and I want to join that together to learn from it, to build, say, an AI model of some kind,” Wagner said. “Each of these systems requires a separate [SAP read in]. And the number of engineers that have access is infinitesimally small. My belief is that the people who would be read into any of these programs within the Department of Air Force is less than 1%.”

Wagner said the problem gets even more thorny once you consider that ABMS is just the Air Force’s contribution to JADC2.

For that broader DoD project, the end vision is to have all of the military sensors and shooters communicate with one another, sharing data in real time. That vastly expands the number of systems that will need to share classified data with one another once it’s up and running.

But more importantly, before any of that can happen, the developers building JADC2 will need to have a fairly deep understanding of the systems that generate the information in the first place, if there’s any hope that they can design an architecture that can fuse it together in a sensible or useful way.

“Now I need read-ins for jets, submarines and satellites. But as I noted, the number of people with read-ins to any one of those is infinitesimally small. And there’s only a few people I can think of who would actually have access to all of them, which makes me wonder who’s teaching the Secretary of Defense to code,” Wagner said. “Nobody else has read-in to these programs — not all of them, anyway. Siloing the data makes JADC2 impossible. You cannot build it without joining the data. The SAP and compartmentalization policies we have for our data actually makes it illegal to scale it to our secret-level operational networks. But 99% of the force operates on the secret network, which means 99% of the force can’t participate in JADC2.”

Wagner said the hackathons are designed to show what’s possible when those data barriers are broken down. And he says the first round proved the concept. The initial code isn’t necessarily something you’d want to put on a real world weapons system, since teams only had a week to work on it.

But they did prove out solutions in several specific areas. The fact that all of them involved classified data makes it hard for the Air Force to discuss specifics, but officials say the challenges teams were given encompassed several capability areas, including, for example, jet sensor visualization and playback, target planning, and automation of some aspects of personnel recovery missions.

“We showed that we can develop capabilities with weapons data in under a week. When the security and set and data shackles were removed, people built capability,” he said. “One capability is now being leveraged operationally, just three months later. Over half of the projects have actually continued development. Not all of the projects will succeed, but systemically, where we want to get to is for people to spend their time building instead of talking. There’s been a lot of talk about ABMS and JADC2, not as much building. And we’re learning things by building: there’s a bunch of communication and collaboration taking place. If you’re talking while you’re building, you perhaps learn a lot more about that topic and find solutions to it.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.