That’s where the Software Solariums come in. Held at Aberdeen Proving Ground, the Software Solariums — the first of which was held in September and the second Feb. 2-3 — were about bringing stakeholders together from across the Army, joint force and contracting community to make some “way-ahead recommendations,” said Maj. Gen. Bruce Crawford, commander of Army Communications and Electronics Command. During a call with reporters on Feb. 3, Crawford categorized the software concern facing the Army as one of “strategic importance.”
The solarium sought to get at four lines of effort: enabling a more defensible network that involves linking software development to a defending network; driving efficiencies; oversight and policy on software development and sustainment; and what the optimal workforce — between government and contractor — should be.
One of the problems for the Army is delivering updates and patches to systems in the field. Crawford said the previous operating model involved creating disks and then sending them via snail mail to a post camp or station, which all told was a 120-day process.
Now, the Army has developed an automated process for delivering these updates and patches, shrinking this process to just 30 days. The automated process, in addition to significantly bringing down security vulnerability timelines, allows for cost savings, Crawford said.
The Army is also building an organic workforce base to keep up with vulnerability compliance in partnership with Tobyhanna Army Depot in northern Pennsylvania. The workforce at Tobyhanna has automated systems capable of conducting tests on software systems in less than an hour, meaning these can be released in the same day to the Software Engineering Center at Aberdeen Proving Ground. The center will then replicate the software systems and release them to the field. This capability is a big deal to officials, primarily because it shrinks the timeline and frees up software engineers for separate tasks.
From a technical standpoint, patches can be implemented in a matter of hours to fix critical vulnerabilities. However, because some systems are not interconnected, disseminating the patches can prove difficult — some systems are tactical, and so injecting patches into a larger system might adversely affect that system.
“When you look at the development and sustainment of software, there is not enough collaboration between the two,” Crawford said. He said his team has been working closely with the new cyber directorate within the Army, headed by Brig. Gen. Patricia Frost, as well as Army Cyber Command to close these gaps.
“I think we’re getting closer to closing that gap,” he said.
Crawford said there are actionable steps the Army can take right now to further improve the patching process. His team doesn't intend to commission a study on this, he added. The Army needs to act right away to begin institutionalizing these measures, he said, because there are critical issues that affect readiness.