At DEFCON 2019, held in Las Vegas in August, the Air Force allowed ethical hackers to try to intrude into actual operational equipment — a data transfer system for the F-15 tactical fighter aircraft. It was not surprising that the hackers succeeded. What surprised the Air Force’s top weapons buyer was exactly how they got in.
“What they told me was the ways we got in were not the things you’ve told industry to design. They were the things industry doesn’t know is in their supply chain — it’s the ports that weren’t cut off, the dry functions that weren’t cut off,” Will Roper, assistant secretary of the Air Force for acquisition, technology and logistics, said Dec. 11 at an event hosted by the Atlantic Council.
“These are the things you need to tell industry don’t do … Our defense companies are assemblers from the supply chains that they don’t require the suppliers to tell them what code, what software functionality is running on components because we don’t tell industry to do that.”
The service is coming to grips with new norms and the need to be comfortable with being uncomfortable when it comes to digital development.
Roper said the Air Force has to start baking these types of requirements into contracts because, as was pointed out to him by one of the white hat hackers, “it looks like you’re only getting the bare minimum of what you’re asking industry to do.”
The types of cyber hygiene measures that have to be written into proposals must be measurable, Roper added.
Some rules could tell industry, for example, to disable right functions and ports. The government could also require industry to provide all the embedded code on their systems to the extent they’re able to, considering they may not know what sits several links down the supply chain.
Roper noted that the government needs to improve its engagement with industry on cybersecurity.
“Right now, the cybersecurity mechanisms that we engage with industry on really look like 1990s dial-up internet-style protections. They have not progressed to this decade,” he said. “The reason that I came back from DEFCON thinking we’ve got to change this is that every day we don’t we’re allowing more of a supply chain we don’t understand into the Air Force. We have to stop it.”
Roper previously told C4ISRNET that it’s important to expose systems to ethical hackers in a controlled environment. If ethical hackers can find vulnerabilities, so too can sophisticated adversaries like Russia or China. Finding and fixing a potential vulnerability before going to conflict is far preferable.