The Air Force is trying to prioritize increasing its cybersecurity capability, which is proving to be quite a challenge.
Speaking to Air Force Magazine’s editorial board, Acting Undersecretary of the Air Force Lisa Disbrow said USAF has “shortfalls” in its ability to stand against
. The need for readiness in the information war is “critical,” Disbrow said. “Are we challenged there? Yes.”
A microcosm of USAF’s hard path toward cyber readiness is its Air Operations Center - Weapon System (AOC-WS) upgrade, or lack thereof. Earlier this year, as
, the service was forced to tell primary contractor Northrop Grumman to stop working on the project, which through its 2032 sustainment looks to cost roughly $3.5 billion.
Once the program ran past its timelines several times, USAF had to submit a Critical Change report to Congress, asking it to reprogram money from other places in the FY17 budget to keep the project above water. That didn’t happen, and the entire program was suspended through the current fiscal year. One of Northrop’s priorities in upgrading AOC-WS from the current 10.1 version to a 10.2 version was adding the very cybersecurity measures the Joint Requirements Oversight Council—and Disbrow—called critical.
“We’re looking at a pathfinder,” Disbrow said, meaning the service is working with Congress to find a new way to get cybersecurity into the existing AOC. She called it a “tiger team” approach by which outside eyes were allowed into the program to investigate its shortcomings.
Lt. Gen. Arnold Bunch, the Air Force’s top uniformed officer for acquisition, previously described the group as in-house experts and members of the AT&L’s Defense Digital Services. This is a small team that “talks to engineers, talks to decision makers” for about a week and comes back with recommendations based on best commercial practices and other technical wisdom. Other reviewers were an Air Force independent review team, the DOD’s Cost Assessment and Program Evaluation team, and an Office of the Deputy Assistant Secretary of Defense, Command, Control, Communications, Cyber, Business Systems team.
This tiger team, among other things, gave USAF some ideas about the very nature of the upgrade.
“You have to rapidly test that code,” Disbrow said, describing the team’s findings. “If you don’t—if you take an incremental approach, which we tend to do in the acquisition system—you allow the code to fail while you’re building other code.” USAF won’t even know if that initial code is failing because it won’t test it until it has “a number of different systems together,” she said.
The lessons derived from the AOC debacle can be used in approaching other modernization programs within the service, as well.
“Almost all the weapons systems we’re modernizing are software-centric,” Disbrow said, adding that the service is also trying to “change the way we develop and the way we acquire these systems.”
Is there a timeline to move forward on these capabilities? “The urgency is there,” Disbrow said, “but the battle rhythm of the processes within the department drive us to certain timelines.” With AOC, for example, the program is suspended until at least Fiscal 2018, when funds will open up for it again.
Included in the Air Force’s Fiscal 2018 unfunded priority list, released on Friday, was $563 million for “cyberspace,” which is further denoted as a “national priority.” The list includes everything from skills training to cloud migrations, all items the service needs in developing an ever more resilient cyber infrastructure.
Another effort to curb the service’s informational gaps is the “cyber scorecard,” which lists “probably two dozen initiatives underneath it,” said Disbrow. “Knowing where USAF is on each of those—it drives us to get the funding in place and move forward.”
One gripping issue with the AOC and other software-driven projects isn’t just the lack of coders on hand to deal with said projects, “it’s also having the expertise in place to manage coders that are state-of-the-art,” Disbrow said. Among the options in dealing with this obstacle is “looking at what’s the right mix” of contract, civilian, or DOD entities. The service is still figuring that mix out.
“I really think it’s more that cyber and IT are areas that have rapidly progressed outside the department and we don’t have the workforce in place,” said Disbrow.
Tellingly, the very antiquated nature of some of USAF’s systems could be their saving grace.
“Some legacy systems, which, interestingly, just being as old as they are—not in the network—builds in some resilience,” Disbrow said. “We’ve got shortfalls out there we have to address. And I think we are—it’s a matter of how long you can get it all done.”
