The Air Force’s Cyber Resiliency Office for Weapons Systems (CROWS) has what appears to be a very daunting mission: Assess how the Air Force fields and sustains its weapons systems, and analyze any vulnerabilities that might exist. Ultimately, it must root out potential problems such as intrusions, malware or any cyber threat to the Air Force’s arsenal.
The goal, as with the other military services, is to not only “bake-in” cybersecurity in its developing weapons systems and mitigate critical vulnerabilities in already fielded weapons, but to ensure that cyber resilience is a major part of the DNA of all airmen and service members.
Cyber resiliency is the ability to prepare for, and adapt to, changing conditions and to withstand and recover rapidly from disruptions.
The U.S. military’s weapons systems today are reliant on complex software and interconnectivity with a host of components, sensors and computer systems geared to help service members complete their missions. The highly connected nature of weapons systems gives soldiers, sailors, airmen and Marines the edge over opponents. At the same time, however, adversaries can look for vulnerabilities in the software, supporting systems or supply chains to disrupt and sabotage operations.
The National Defense Authorization Act for fiscal year 2016 required all branches of the military services to identify and evaluate cyber vulnerabilities of all major DoD weapons systems by the end of 2019. But weapon systems have real-time constraints and complexities coupled with differing sustainment strategies, which means the same security management and evaluation practices that are used for traditional information technology systems require extreme tailoring to be effective in a weapon system environment.
Air Force weapons systems include airplanes, ground systems, mission planning systems that provide airplanes with flight plans, satellites, weapons connected to airplanes and kinetic control networks, said Daniel Holtzman, cyber technical director for the Air Force Materiel Command’s life cycle management center. “It is almost too big of an elephant to try to get your hands around it, initially.”
The Air Force has invested a lot of energy over the past few years on strengthening network defense and traditional IT, and has addressed potential information spillage from its contractors’ systems.
CROWS’ focus now is on making sure that weapon systems have a resilient ability to execute their mission despite a cyber event. And cyber events have a broad definition in this context. Things like having the power go out can be a cyber event, not just hacking or malware, Holtzman said.
CROWS, which operates out of Hanscom Air Force Base, Massachusetts, with virtual offices around the country, has come up with a vision.
“We want to have cyber resilience ingrained in our Air Force culture so that everybody understands it isn’t something thrown over the fence to the cyber and IT guys in the back room.”
CROWS’ aim is to help the Air Force community, from warfighters to maintenance folks to airmen, understand everything they do with electronic systems has a cyber component.
The office’s two goals are baking cyber resilience into the Air Force and its weapons systems, and understanding where the weak points are and how they can be strengthened. The Air Force is not going to plug all the holes, but it will patch enough that, if something happens, weapons can still execute their mission. Holtzman would not name specific systems.
The office is organized around seven lines of effort: cyber mission threads, looking at things from an enterprise system approach, integration into the Air Force acquisition structure, training and education of the workforce, making future systems more agile and adaptable, creating a common cyber security environment and better conveying that message, bringing legacy systems into the fold and keeping track of threat intelligence.
“What we have done is laid out a plan across our five-year acquisition cycle. And we have taken our two main goals and broken them down into specific objectives in each of the next three years,” Holtzman said. “We are focused on aligning our seven areas into activities that map up to those technical objectives over the next three to five years,” depending on funding.
Navy goes beyond cybersecurity
The Navy has a two-pronged strategy for hardening weapons systems against cyber events or attacks.
First, the Navy is developing a series of very specific security standards for all IT systems, said Dr. Thresa Lang, the director of the Navy’s cybersecurity division. The Information Technology and Information Assurance Technical Authority (IT/IA TA) develops the standards for the Navy, which cover all the Navy’s systems commands (SYSCOMs). The chief engineers in charge of each SYSCOM have the authority to build Navy-specific standards from industry and government standards, such as the Federal Information Processing Standards (FIPS) and the National Institute of Standards and Technology security standards.
The chief engineers “make sure these standards are implemented in the design of anything new, and implemented when they check existing systems,” Lang said.
The standards work also ties in with the DoD Risk Management Framework.
“We make sure everything is good according to the NIST standards and Navy standards. That is our broad approach [to cybersecurity] on the first side,” she said.
The second part of the strategy is the work of the Navy CYBERSAFE program, modeled after SUBSAFE — the rigorous submarine safety program begun after the loss of the USS Thresher in 1963. Like the submarine program, CYBERSAFE’s aim is to harden a critical subset of warfighting components, which could be certain computer systems or parts of the network.
CYBERSAFE applies more stringent requirements to these components before and after fielding to ensure they are secure. CYBERSAFE will also require changes in crew proficiency and culture to implement these requirements. “We are elevating cybersecurity as a design principle. And that is really the core of what the CYBERSAFE program is all about,” said Capt. Nathan Gibson, director of CYBERSAFE.
“One of my jobs is to ensure that cybersecurity is one of the design principles from the very beginning,” which has not always been the case with industrial control systems. For instance, no one expected that thermostats could be a target of an attack when these instruments were first designed. “So, you must build design principles in from the beginning if you want to get a cybersecure system out the other end,” Gibson noted.
Additionally, the Navy has created a Cyber Security Executive Committee, which provides a forum where officials from every Navy domain — aviation, shore, space, and surface — get together to discuss their progress in making sure cybersecurity is built into their wide range of IT systems, Lang said. The forum occurs every six months and covers everything from technology to workforce development.
“Our focus goes beyond cybersecurity and into cyber resiliency,” Lang said. “Along with industry, DoD has learned no matter how much you protect a system, there is a possibility of something happening — a hack or error in a system — that will make it difficult for the system to continue in a full-function mode.”
Cyber resiliency gives the Navy the ability to fight through and complete its missions, even when a system is not fully functional.
Rutrell Yasin is a freelance reporter.