Over the last few years, the Air Force has been taking proactive approaches to prepare for a proverbial “sucker punch” via cyber-attack. In preparation for this assault, and to mitigate vulnerability, cyber resiliency is being ingrained into Air Force culture.
By military definition, cyber resiliency is the ability of a system to complete its objective regardless of the cyber conditions, in other words, how well it can take a cyber-punch and keep fighting.
Blue: Cyber in the Contested Domain
To help lead these efforts, the Air Force, through Air Force Materiel Command’s Life Cycle Management Center, stood up the Cyber Resiliency Office for Weapons Systems, or CROWS, in response to the National Defense Authorization Act of 2016. The NDA instructed the military to analyze the cyber vulnerabilities of major weapons systems and report findings back to Congress. In 2018, the program was fully funded by Congress to begin its mission.
“It’s all about two things, making sure our warfighters are protected and making sure they are able to do their jobs,” said Joseph Bradley, director of CROWS.
Joseph Bradley is the director of the Cyber Resiliency Office for Weapons Systems (CROWS) which ensures cybersecurity is integrated into the development of all new programs from the start, then maintains and validates the cyber resiliency of the system throughout its life cycle. (U.S. Air Force)
Initially CROWS was created to look at liabilities in legacy weapon systems, but now it is taking aim at ensuring cybersecurity is integrated into the development of all new programs from the start, rather than as an afterthought. Then CROWS maintains and validates the cyber resiliency of the system throughout its life cycle.
Cyber resiliency needs change constantly and impact all Air Force missions — new threats emerge regularly and require new approaches to improve mission assurance.
As an F-35 Lightning II pilot, Maj. Justin Lee flies one of the most advanced aircraft on the planet with systems that will be upgraded and enhanced well into the future.
“We’re passing off a tremendous amount of data and, just like your computer, you want that data to be correct,” Lee said. “If you go into an adversarial environment against a frontline threat, then they’re going to be trying to do their best to interfere with it.”
It’s not just his weapons system that is vulnerable; the data these systems take in and put out is just as vulnerable and critical to mission success.
“If a hacker is able to get into the GPS time and get it off sync just by a few nanoseconds, then it can cause the bomb to land in a place that we don’t want,” Lee said.
One key mission in the evolution of CROWS was to find ways to implement cyber resiliency in the acquisition process. This now includes embedding cyber professionals within a program’s executive offices. Also, an acquisitions guidebook was created to standardize cyber-related language for contract evaluations, reducing the burden on any future programs while also allowing better communication with industry partners.
An Air Force pararescueman, assigned to the 83rd Expeditionary Rescue Squadron, communicates with an Army Task Force Brawler CH-47F Chinook during a training exercise at an undisclosed location in the mountains of Afghanistan, March 14, 2018. (U.S. AIR FORCE PHOTO // TECH. SGT. GREGORY BROOK)
CROWS allow cyber experts to join forces with the command responsible for the maintenance and development of a weapons system. Through testing and analysis, CROWS will then offer recommendations to make the system less vulnerable and ultimately safer.
Combat and training missions, weapons delivery and air drops are all put together using computer-based air-space mission planning systems. When the Air Force’s Life Cycle Management Center wanted to overhaul their software to assist ground operations for aircraft, they called on the CROWS for help.
“As the challenges were identified we put together an engineering plan for how we would start to resolve or mitigate some of those cyber security vulnerabilities. The CROWS walked us through that analysis,” said Col. Jason Avram, Air Force Life Cycle Management Center, Airspace Mission Planning Division chief.
Tech. Sgt. Michael Vandenbosch, 22nd Space Operations Squadron defensive counter-space operator, uses software to identify interference to a specific satellite at Schriever Air Force Base, Colorado, Dec. 16, 2019. (U.S. AIR FORCE PHOTO // AIRMAN 1ST CLASS JONATHAN WHITELY)
“As that engineering plan came together, which looks specifically at how we’re going to deal with data integrity issues not only the data that we’re ingesting, but also how we’re processing that data through our software and then how we’re transferring that data to any platforms.”
According to Avram, CROWS funded the effort to develop an engineering plan on how to mitigate vulnerabilities over time.
Having cyber resiliency personnel inserted into a weapons system’s development and life-cycle management allows them to be at the tactical edge; fully understanding the system so they can detect if the obscured hand of an adversary is at play.
“They’re (CROWS) the cop on the beat that sort of knows what their neighborhood is supposed to look like. They’re the first ones that can see that window over there isn’t supposed to be open, let’s go investigate,” said Maj. Gen. Patrick Higby, director of DevOps and lethality. “So, they go in (figuratively) with the flashlight, they investigate and ‘holy cow’ there’s somebody in there, where do you go with that?”
Initially created to look at legacy weapon systems, the Air Force CROWS office will be taking aim at ensuring cybersecurity concerns are taken into account from the start of new programs. (AIR NATIONAL GUARD PHOTO // KELLYANN NOVAK)
Higby asked, how does that cop who is on the beat, how do they get the right experts, engineers and PhDs involved who may have built or designed that system to facilitate an agile response to the threat?
He explained the responses to a threat could mean a number of repercussions to the Air Force. There could be a need to ground the asset and not fly the next sortie because the risk is too great. It may be a decision to still fly with the vulnerability in place because there may be other work arounds.
It all goes back to the resiliency; can the weapon system maintain a mission effective capability under adversary offensive cyber operations. The fix may be the deployment of code to quickly patch and shut the window and get the adversary out of the system. But in all responses, you need the expert that built that system originally to be in that discussion alongside the CROWS.
“We really want the CROWS to be that interface to the real expert of a given weapon system, whether it’s an aircraft, a missile, a helicopter or whatever,to understand, if you’re going to tweak this, it may have these other consequences to it. And then make that risk decision,” Higby said. “Grounding the asset is not always an option, we have to launch because we have other actors that are dependent on us striking a target.”
In short, the Air Force has to be ready and able to take a punch.
“That’s the idea behind resiliency; you are going to fight to get the mission done no matter what happens,” Higby said.