20 September 2019

Why the Air Force acquisition chief wants to be hacked

By: Mark Pomerleau

As the top acquisition official for the Air Force, Will Roper seems like an unusual visitor to the annual information security conferences that take place in Las Vegas each August. But there he was in a T-shirt playing off an old James Bond catchphrase, “No Mr. Bond, I expect you to hack.”

Roper, the former director of the fast-moving Strategic Capabilities Office, wants the Air Force to be more cognizant of the role coding plays in national defense and wants the service to do more to foster its cyber and coding talent.

He spoke recently with C4ISRNET.

C4ISRNET: Why did you think it was important to head out to these conferences and engage with the white hat hacker community?

WILL ROPER: Every major modernization for the future involves planes or satellites that can sense more, that can share more, that start having artificial intelligence and then feed those into exotic behavior like swarming — all of that’s driven by software.

When I look at the Air Force, we have a very robust red-teaming scheme for hardware. We treated software as a trusted system running onboard our trusted hardware. You know very well that that’s simply not a good place to be today.

Software is increasingly vulnerable. As the amount of software on our systems increases, the number of opportunities to have vulnerabilities increases proportionately. We don’t have enough government hackers to make sure that our software’s reliable for the war fighter.

When I look at DEF CON, there are 40,000 technical experts here many of whom are interested in helping us. I wanted to start off seeing what would happen if we brought real military hardware to hack and then asked the hacking community to be a partner with us to try to find these vulnerabilities. The response has been wonderful. I just wish we had started it earlier.

C4ISRNET: Do you want something like the bug bounty and vulnerability disclosure programs the Air Force has run?

ROPER: Absolutely. The bug bounties and Hack the Air Force events have been hugely successful. We’ve done three. But in many ways, they’re a safe hacking event. They don’t put combat capability at risk. At DEF CON we brought two different live hacking events. One is a surrogate for getting into an airbase. We have the cameras, the perimeter security, all the way into locks and even an ATM.

Of course, any vulnerabilities they find are things we need to go fix. [But] we also brought live hardware. We have a critical subsystem for an F-15. It’s a trusted download system that moves data back and forth to the airplane. We made it available for white hat hackers to penetrate. They did.

In a historical view, government will see that as bad. A vulnerability has been exposed. But as software becomes increasingly important to combat capability, finding that vulnerability before we go to conflict has got to be the name of the game.

If a group of hackers here can find it in a few minutes, then so can a capable adversary like China or Russia.

C4ISRNET: Is the government’s thinking changing on this?

ROPER: Historically, we have been very closed about our vulnerabilities. That made sense during the Cold War. When a new technology was developed — whether it was satellites, microprocessors, stealth enhancements — these were big deals and we needed to be very secretive about that technology because to lose it was to lose a decade.

But now technology changes so rapidly and most of it is driven by software. The idea that closed can make you more secure is a hypothesis we need to question. Industry is going more toward open, being secure by allowing external experts to find vulnerabilities in a way that protects them so that they’re not legally culpable but that provides a safe conduit to make those available to the government.

That crowdsourcing approach is going to be much more effective than having small teams of government experts that simply aren’t enough to go across all our weapon systems.

It’s an untapped technical asset in our country. If we can find a way to be comfortable with open, then we will be a more secure Air Force, and if we don’t learn to become comfortable with it, at least if we can be comfortable with being uncomfortable, then we’re moving in the right direction.

C4ISRNET: From a leadership perspective, how much leeway do you have to implement changes so if an airman finds a vulnerability, there are channels to expose that without retribution?

ROPER: We have a process today. It involves having government experts that we call CROWS — Cyber Resiliency Office for Weapon Systems — and these are, no kidding, cyber experts that we have in the Air Force. We have really scary technical talent. But we don’t have enough of it.

Working with the Defense Digital Service, the hackers that were able to go after our F-15 system were vetted. That’s the first round of vetting. Maybe we don’t put the most critical or sensitive weapon systems on the table. But if we did this routinely, over time as we build up … a trust in certain individuals you could imagine putting more and more sensitive systems on the table.

There will be contrarians who will argue that this process could be penetrated by a foreign bad actor or that we could have people who do not wish us well participate. But if a foreign bad actor can penetrate our vetting process and is able to successfully hack our system, then they will be able to do so on the battlefield anyway.

C4ISRNET: Kessel Run is the poster child for DevSecOps. Are there other projects like it?

ROPER: Kessel Run tends to be mentioned first because it’s the biggest of our enterprises and it has a very cool “Star Wars”-inspired name. The marketing aspects of the name Kessel Run have truly worked.

Kessel Run is one of about 13 software factories across the Air Force. They all have sci-fi inspired names. There’s a similar cell of about 100 people in Los Angeles called Kobayashi Maru after “Star Trek.” They are writing code that does space situational awareness and battle management.

Their cadence, they go from an operator need to something that’s deployed in about three weeks.

All these software factories are basically a replacement for a traditional waterfall program. We do not think of these factories as being a product. We think of them as being a pipeline or a service.

When the operator needs a new capability, let’s say space battle management, rather than getting the war fighter’s requirements on hundreds of pages of documents and delivering software five years later, that war fighter gets a continuous stream of updated capability. Just like you would on your smartphone.

That initiative is huge. The Air Force is truly leading the charge across the Defense Department. No one else in government has as much … of this software talent.

The move we’re making is to try to take this development to a greater scale. Our current process with creating Kessel Run-type organizations is not scalable. We’re shifting all our software development over time into our Air Force cloud called Cloud One. Cloud One allows these development environments to be hosted in virtual private clouds that anyone in the Air Force can use. So, if Kessel Run writes a new tool, everyone has access to it.

C4ISRNET: How would that work?

ROPER: The thing that’s great about putting these development factories in the cloud is you get automatic certification across the Air Force. If a new software factory stands up, they get tools that they can use on day one to write code on day one.

What I hope that will do is it will allow us to create these factories faster and faster, because the name of the game is trying to speed up the pace at which we can field capabilities.

The whole reason we want to write software wicked fast in the Air Force is that if we can’t, our acquisition system won’t be fast enough to keep us ahead of countries like China.

Right now, we consider it fast to deliver code to the battlefield in three weeks. But you can imagine as artificial intelligence becomes more capable that software, maybe burner code, every day of the war. You may need to update your code on day two and day three.

If we can’t speed up to that pace, we could lose. All this is under the auspices we’ve got to be the fastest acquisition system in the world or we can’t expect to be the most dominant Air Force.

C4ISRNET: What’s being done to identify folks to bring in more talent to build this community of coders across the force?

ROPER: You can have the greatest process or organization or cool building, but it’s the people in the seats that make the magic happen. We’ve created a portal site on the Air Force website that allows people to self-identify as coders. There’s an aptitude test they go through that basically puts them into the pipeline.

We’ve got a career development track that is a software coder designator. We now also offer the language credits that we have historically given to airmen who know a foreign language like Spanish or French. We now offer that to people who know Python or other coding languages. These are small first steps and we need to do a lot more.

You mentioned hiring. We’ve been doing a lot of direct site hires at these software factories like Kessel Run. We hired 32 people and we were able to make them offers on the spot. The fastest we were actually able to get someone an offer was 15 minutes.

If we can’t move at that pace, then we can’t expect to have the top-shelf talent that we need.

Mark Pomerleau is a reporter for C4ISRNET and Fifth Domain.