The Air Force is betting big on its digital future. The service is coming to grips with the new norm that to be successful in future conflicts, it needs to become adept in the practice of software coding and adoption.
“Every major modernization for the future involves planes or satellites that can sense more, that can share more, that start having artificial intelligence and then feeding those into exotic behavior like swarming — all of that’s driven by software,” Will Roper, assistant secretary of the Air Force for acquisition, technology and logistics, told C4ISRNET in an Aug. 10 interview.
Roper was attending DEFCON in Las Vegas, a first for him and the service, in order to begin to build relationships with good hackers and bring in ideas for how to better use software.
“When I look at a conference like DEFCON, there’s 40,000 technical experts here — many of whom are interested in helping us. But the Air Force has not had a presence here. We’ve not presented here. We’ve not done hacking events here,” Roper said.
“I really wanted to start off seeing what would happen if we went and we gave a talk, if we opened ourselves up, if we brought real military hardware to hack and then asked the hacking community to be a partner with us to try to find these vulnerabilities. The response has been wonderful. I think it’s a move that was worth making. I just wish we had started it earlier.”
This year, the Air Force brought two different live hacking events to DEFCON; one was a surrogate for getting into an airbase and the other was live critical subsystem hardware that moves data back and forth for an F-15.
Roper explained that the Air Force has to open itself up in ways that make the military uncomfortable because sophisticated adversaries in a conflict will be able to find vulnerabilities in U.S. systems if trusted forces don’t do it first.
“In a historical view, the government will view [exposing internal software vulnerabilities] as bad,” Roper said. “But as software becomes increasingly important to combat capability, finding that vulnerability before we go to conflict has got to be the name of the game. If a group of hackers here can find it in a few minutes, then so can a capable adversary like China or Russia.”
Roper added the hypothesis that being closed has to be questioned. In the Cold War this made sense, given how slow technology advanced. However, technology moves so rapidly today that opening systems to hackers will ultimately make the service more secure.
Roper pointed to the robust red teams dedicated to hardware systems that have been a bedrock in DoD for decades. The same now needs to be applied to software.
“If we can find a way to be comfortable with open, then we will be a more secure Air Force, and if we don’t learn to become comfortable with it, at least we can be comfortable with being uncomfortable,” he said. “Then we’re moving in the right direction.”
By starting with more open systems like websites and building trust between the department and hacking community, eventually the Air Force can move to testing more critical weapon systems through partnerships.
“There will be contrarians who will argue that this process could be penetrated by a foreign bad actor or that we could have people who do not wish us well participate,” he said. “I hope that we’ll win against those arguments. If a foreign bad actor can penetrate our vetting process and is able to successfully hack our system, then they will be able to do so on the battlefield anyway.”
The Air Force was well received at DEFCON, Roper noted, saying they’re working with the Defense Digital Service, who has helped run the bug bounty programs such as Hack the Air Force, to help onboard some of the white hat hackers met.
Roper has big plans for DEFCON next year. He said they are in talks of bringing a full aircraft next year to be hacked and they want to do a live satellite hack.
“That is going to be a go-to-the-mattresses activity for us. We’re going to make that happen,” he said.
Adopting software throughout the Air Force
A focus on mitigating vulnerabilities is a natural byproduct of the Air Force’s increasing number of coding and software initiatives.
“Kessel Run” is probably the best known effort for adopting best practices from industry and using software coding in an ongoing basis to improve the way the Air Force does business. However, Roper said, there are roughly 13 other “software factories” within the service.
For example, a cell of about 100 in Los Angeles, “Kobayashi Maru,” writes code for space situational awareness and battle management.
However, it is important to think of these software factories not as a product, but rather as a pipeline or service, Roper said.
“When the operator needs a new capability, let’s say the space battle management, rather than getting the war fighter’s requirements on hundreds of pages of documents and delivering software five years later, that war fighter gets a continuous stream of updated capability. Just like you would on your smartphone,” he said.
“The whole reason we want to write software wicked fast in the Air Force is that if we can’t our acquisition system won’t be fast enough to keep us ahead of countries like China. Right now, we consider it fast to deliver code to the battlefield in three weeks. But you can imagine, as artificial intelligence becomes more capable, that software may be burner code every day of the war. You may need to update your code on day two and day three.”
Due to the nature of threats, new signatures for a radio or radar, for example, could be detected during conflict and necessitate a quick, on-the-fly software update.
To that end, Roper said he considers current programs and modernizations to also be software factories. These include the new B-21 bomber and the Ground Based Strategic Deterrent program.
“I would call our B-21 program a software factory. They’re writing agile DevSecOps code and they’re pushing the envelope on trying to do software updates faster than any other aircraft. We call it the digital bullet challenge,” Roper said. “It’s all in the vein of what if we have to change our code every week, every day. That team is trying to think about operational code coming at the speed at which operations happen.”
Roper added that the Air Force is moving all its data into on-demand repositories, Cloud One, which will make it easier for other software factories to develop within the service because tools and best practices can be pulled down rather than created from scratch.
It’s initiatives like these that Roper hopes will define the Air Force going forward.
“We want people in the future when they think of the Air Force ... we’d like them to say software first, that the Air Force is an awesome software service and they apply it to air, space and cyber.”