Oct 27, 2015
Air Force weapon systems today are heavily reliant on complex software and high interconnectivity to perform their missions. Cyber capabilities enable many of the advanced features (e.g., electronic attack, sensor fusion, and communications) that give the Air Force its edge over potential adversaries. But they also create potential opportunities — and incentives — for adversaries to counter U.S. advantages through cyberattacks. For example, a sophisticated adversary may seek to discover and exploit vulnerabilities in an aircraft's software, supporting systems, or supply chain in order to gain intelligence or to sabotage operations. Nor are the potential risks limited to the newest and most advanced systems: Legacy aircraft, which make up the majority of Air Force inventory, are also exposed to attack from evolving cyber threats and must remain vigilant.
To manage cybersecurity for these systems, the Air Force and the U.S. Department of Defense (DoD) need appropriate policies to foster system designs that are robust and resilient to cyberattacks, organizational designs that are optimally shaped to implement these policies, and monitoring and feedback mechanisms that capture the true state of cybersecurity (as opposed to just compliance with policies) over a weapon system's entire life cycle.
The Air Force Life Cycle Management Center asked RAND Project AIR FORCE (PAF) to assess current laws, policies, organizations, and processes against best practices and sound principles of cybersecurity and to recommend steps for improvement. The research focused on national security systems for which the Air Force has some control over designs, architectures, protocols, and interfaces, as opposed to commercial, off-the-shelf (COTS) information technology and business systems.
Our premise is that the desired outcomes of cybersecurity management are to (1) limit how much critical information an adversary can obtain from a successful exfiltration and (2) maintain an acceptable level of operational functionality even when attacked. These outcomes must be achieved continuously throughout the life cycle of a military system, from research and development through disposal. All phases are important, but the development and sustainment stages are particularly critical: the former because design decisions are made that can limit options in the future, and the latter because most systems reside in sustainment for the majority of their life cycle. Given these goals for cybersecurity, a review of the literature reveals two observations regarding organizational design and feedback for attaining these cybersecurity objectives:
Comparing these management principles with a detailed review of the laws and policies governing Air Force cybersecurity reveals a number of gaps:
Current policies are better suited to simple, stable, and predictable environments than to the complex, rapidly changing, and unpredictable reality of today's cybersecurity environment. DoD has sought to standardize cybersecurity by applying the National Institute of Standards and Technology's (NIST's) security controls to all systems, including weapon systems. But these controls are designed to mitigate security issues in designs that the Air Force inherits, such as in COTS systems. Weapon systems, in contrast, present opportunities for designers to build systems that are more inherently secure. Sound system security engineering during the early design phase of a weapon system would be more effective than security controls that are applied as overlays to designs created without cybersecurity as an integral priority.
Implementation of cybersecurity is not continuously vigilant throughout the life cycle of a military system. Attention to cybersecurity is generally triggered by acquisition events, which mostly occur during procurement. As a result, policy does not cover the full range of cybersecurity issues that affect a system over its life cycle. This shortfall has several important consequences. First, programmatic triggers for cybersecurity come late in the design process and, therefore, have little leverage to influence critical design decisions that affect cybersecurity. Second, systems in programs beyond the procurement phase (i.e., in sustainment or disposal) receive less attention than those in procurement. As noted above, this underemphasizes the majority of Air Force systems, which are in sustainment. Third, this policy structure tends to favor vulnerability assessments (prevalent in the design phase) over mission impact and threat assessments (which affect the entire life cycle). Finally, management, oversight, and budgeting within DoD are strongly structured around programs, whereas cybersecurity vulnerabilities cross program boundaries. This creates a misalignment between cybersecurity challenges in specific systems and how they can be managed.
Control of and accountability for military system cybersecurity is spread over numerous organizations and is poorly integrated. This results in diminished accountability and unity of command and control for cybersecurity. These overlapping roles, and particularly the presence of a cybersecurity-focused authorizing official, create ambiguities in decision authority and accountability. For example, who can make the final decision regarding risk to a mission: the commander or the authorizing official? And should a cybersecurity incident occur, who is ultimately to be held accountable: the program manager, the authorizing official, or the operational commander?
Monitoring and feedback for cybersecurity is incomplete, uncoordinated, and insufficient for effective decisionmaking or accountability. Current feedback does not capture all systems, does not probe the consequences of cybersecurity shortfalls, and is not produced in a form that informs effective decisionmaking. The lack of comprehensive program- or system-oriented feedback on cybersecurity and the impact of cybersecurity on operational missions stands in contrast to the abundance of feedback on cost and schedule. This imbalance creates an incentive structure for program managers and program executive officers to favor cost and schedule over cybersecurity performance. These deficiencies in feedback on cybersecurity also further inhibit individual accountability.
No simple solution will correct all of the above shortfalls, many of which are structurally embedded in DoD. Some result from well-intentioned statutory requirements and DoD policies that are not easily changed. However, within these bounds, there are steps the Air Force can take to strengthen cybersecurity for weapon systems:
We acknowledge that these recommendations, even if fully implemented, would not completely solve the challenges of cybersecurity. Further, some of these policies would necessarily require additional resources and a suitably skilled workforce to carry out the responsibilities — commitments that are difficult to make in a constrained fiscal environment. The fact is that there are no quick or easy fixes for achieving world-class cybersecurity. However, by adopting these recommendations, the Air Force would take a large step toward more effective cybersecurity of its military systems throughout their life cycles.