by Kris Osborn
Finding the proper balance between leveraging new technologies that enable increased data interoperability and adjusting to changing technical paradigms to sustain threat-focused cyber resiliency is emerging as a complex, even paradoxical, challenge.
While a variety of IT and cyber initiatives, such as accelerated work on AI, cloud migration and data consolidation throughout DOD and the services, appear to be on a successful path toward configuring what many observers regard as auspicious tech developments, such progress naturally operates within the context of a fast-evolving threat landscape. In particular, many DOD and military service leaders are specifically looking to expedite technical movement toward the commercial sector as a strategy to address this.
Upon initial examination, several ongoing efforts appear to be successfully oriented toward reconciling what might strike some as a uniquely modern predicament given the current pace of technological progress – namely when new common standards could collide with unexpected threat areas or entirely new technical structures. It is conceivable that new technical structures would, in some respects, challenge or complicate the current modernization push for common standards.
Such things, it seems, could manifest within several different spheres, including yet-to-be-implemented IP protocols, applications of AI, unanticipated methods for data analytics or more nuanced attack schemes. Current thinking recognizes that engineering new systems entirely impervious to cyber intrusion may be a bridge too far; however, modern US military strategies are hoping to mitigate some of these risks by emphasizing the need to identify vulnerabilities as quickly as they emerge.
Overall, these phenomena seem to fall within several distinct, yet also interwoven trajectories. One of these, expectedly, includes the ubiquitous and often-discussed “open architecture” approach aimed at engineering common sets of IP protocols both within and between networks, databases and cyber-dependent weapons systems.
This, as many current developers emphasize, is designed to allow for rapid integration of emerging tech such as software patches designed to address new threats, new algorithms enabling increased automation, machine-learning and commercial innovations favoring rapid modernization.
At the same time, some have raised the question of what happens if, within the strategic sphere occupied by open architecture, new unexpected technological progress changes the entire equation. In one sense, common standards and rapid upgradability are designed to address this, yet it also seems conceivable that new potentially unforeseen technical innovations could, at very least, bring a particular set of new challenges.
For this reason, DOD and the military services appear to not only be emphasizing integration of commercial tech but also working feverishly to increase risk taking and embrace an “expect the unexpected” type of broad strategy. In more specific terms, some of this can be described as several service efforts to “bake in” cyber resiliency early in the acquisition process.
The Air Force is now working vigorously to implement its seven-lines-of-effort cyber and IT strategy. Building cybersecurity and resilience through technical adaptability is a cornerstone of this effort, which is aimed at enabling adaptation as new threat vectors emerge.
This not only includes an open architecture strategy but also seeks to leverage new machine-learning techniques wherein emerging levels of computer automation detect, track and adjust to new attacks.
This kind of automation, made possible by more recently developed algorithms, is an area of particular emphasis by the Air Force. The service is working with industry to design automation able to replicate human behavior online – to both improve efficiency by independently performing needed functions and analysis and also lure attackers to monitor their activities and track new methods of attack.
The Air Force seven-line plan was first articulated several years ago by the Commander of Air Force Materiel Command, Gen. Ellen Pawlikowski. More recently, Air Force senior leaders have stressed that vigorous implementation of these strategies is now underway. Of course, in keeping with the DOD emphasis upon finding innovative commercial solutions, the Air Force plan implicitly favors the integration of COTS approaches when it comes to baking in resilience.
For instance, DOD is now pretty far along with an effort to move data systems to Windows 10 commercial systems with the two-fold aim of expediting modernization and integrating new protections. Such a strategy is unambiguously built upon the core assumption that the pace of commercial technical innovation often exceeds that of some military-developed programs.
While few would advocate a wholesale replacement of government developmental programs, there is a fast-growing chorus of IT developers aggressively pushing for more commercial sector involvement. Of course at times there are particular government-only approaches and protocols related to security. Current thinking seems to even favor connecting some of these technical methods with commercial systems.
In fact, in a recent conversation with Scout Warrior, former DOD CIO Terry Halvorsen (now a CIO at Samsung Electronics) said that moves like faster migration to Windows 10 not only lower costs but, given the pace at which new commercial innovations and protections emerge, can also improve security.
He explained that a modern commercially-built system such as Windows 10 is likely to include the latest patches, software upgrades and security measures better able to adjust to new standards and emerging technical developments. Halvorsen emphasized that most successful cyberattacks on DOD networks have taken place on legacy systems and not as much on the most current state-of-the-art technologies.
“If you move to Windows 10, you eliminate the threat to legacy systems. Each time technology evolves, you are rapidly addressing vulnerability,” Halvorsen said. “If I move to commercial I am much better equipped to adjust to changing standards.”
At Samsung, Halvorsen is now working with the military services on prototyping a new high-speed, high-bandwidth 5G cell network. Due to its ability to access more bandwidth, the emerging 5G network can utilize higher levels of encryption – making it more secure.
This commercial-tech oriented sensibility, in fact, provides the conceptual basis for the Navy’s new analytics optimization strategy – “Navy Strategy for Data and Analytics Optimization.” The strategy prioritizes open source exploration to expedite IT acquisition with a mind to sustaining security. The new strategy occupies a particular space within a larger Navy evolution dating back several years to the service’s Task Force Cyber Awakening.
Findings from the task force, initially stood up to identify new areas of vulnerability and address the growing extent to which weapons systems and military technologies are cyber-reliant, are now being implemented across the Navy. In fact, Navy cyber director Rear Adm. Danelle Barrett is currently zeroing in on AI as a key element of the service’s approach to this.
Building protections, or at least an apparatus engineered to keep pace with needed new cyber defense tactics, is designed to align with the requisite threat assessments which accompany early weapons and tech development. For instance, the Air Force has recently stood up a Cyber Resilience Office for Weapons Systems, or CROWS, with a specific mind to searching for the most damaging or concerning current and possible future cyber threats. This is grounded upon the widely discussed recognition that the operational security of new avionics, radar and missile guidance and targeting technologies is increasingly cyber-reliant – alongside systems historically thought to be vulnerable to targeting by malicious cyber intruders such as radio networks, data systems and cloud servers.
Accordingly, experts with the Air Force CROWS office are currently “red teaming” weapons systems now in development to simulate attacks and identify vulnerabilities. Knowing this can, of course, set the stage for developing responses to newer, unexpected methods of attack – the office is seeking to build in resiliency early in the developmental process. Solutions, protections and/or techniques designed to ameliorate vulnerability cannot emerge, quite naturally, without first discerning where some of those vulnerabilities may be.
Simulating cyberattacks and prospective avenues of attempted intrusion, in fact, is an emphasis across the services. The Army’s recent Cyber Quest exercise sought to replicate likely Russian cyberattacks to locate vulnerabilities and identify areas of needed improvement. Army developers also say that their service’s Common Operating Environment initiative, which similarly seeks to engender improved security, performance and modernization through common standards and COTS integration, can also present security challenges which need to be addressed. Accelerated COTS can, in some instances, need additional protective tactics because open standards can create more potential points of entry for cyber attackers.
The respective service efforts are, by DOD design, intended to inform the emerging Joint Information Environment (JIE) initiative aimed at allowing cross-domain IT interoperability; the effort is intended to allow for much greater joint access to combat-relevant information systems through sharing mechanisms, virtualization and established protocols.
JIE and Joint Regional Security Stacks (JRSS) are continuously working on engineering switches, routers and protocols such that individual service networks can preserve the necessary measure of autonomy. JRSS is, accordingly, also moving more quickly toward AI and commercial tech.
JIE, however, while bringing the promise of favorable new possibilities, also seems to encapsulate the fundamental challenge of how best to adjust when current and even some future systems encounter a disruptive or paradigm-changing technology.
The DOD hope, understandably, is to position the services such that they can achieve the maximum flexibility in light of the current pace of change and global IT innovation. This concept, favoring a culture of risk-taking, COTS integration and innovation, was heavily emphasized in a recent memo from Deputy Defense Secretary Patrick Shanahan.
Given this scenario, the aforementioned paradox, or attempted balancing between open standards and complex preparation for future modernization, is not likely to disappear anytime soon.
That being said, DOD and the services do seem acutely aware of the many challenges, conflicts and risks associated with rapid modernization and a changing technical landscape. As they say “chance favors the prepared mind” and “expect the unexpected.”