COLORADO SPRINGS: The United States invented the Internet, but we may not rule it any more.
“We are certainly behind right now. We are chasing our adversary, for sure,” one of the Air Force’s top cyber warriors, Col. Dean Hullings, told an audience of about 350 here at the National Space Symposium‘s one-day cyber event.
Hullings, chief of Air Force Space Command’s cyber superiority division, said the US is behind countries he declined to name when I asked him later (OK, we all know it’s China and Russia and Israel and…) both in defense and in offense. This may be part of the reason recently retired Gen. Keith Alexander, former head of the National Security Agency and Cyber Command, poured so much money and passion into offensive cyber capabilities.
Hullings was not alone in his assessment of the state of the US government’s cyber capabilities. The US government lags far behind the private sector, Tina Harrington, head of the NRO’s Signals Intelligence Directorate, said later at the conference.
“This is an area where we are following you guys. We have been behind you guys for most of the last two decades,” Harrington said. Her comments are especially striking, given the bleeding edge technology the NRO traditionally deploys and its supposed strong commitment to ground stations and its communications networks over the last decade.
Part of the NRO’s problem, Harrington told several reporters after her talk, is that its DNA is building the best satellites in the world and they hire the best satellite builders — not the best networks or cyber experts. So there’s the cultural hurdle to overcome. The NRO also tends to work with the biggest defense companies — especially Lockheed and Raytheon — who build most of its satellites and its ground stations. Harrington made clear both satellites and the ground need to be secure from cyber intrusion or supply chain infection, but she kept coming back to the ground as the more pressing vulnerability. That would be Raytheon’s ground network, bearer of the wonderful acronym MIND (Mission Integration and Development).
But one of the major obstacles to improving our cyber security is the Pentagon’s fabled acquisition system. Just getting through the budget system takes about two years. Add the requirements process and you’re talking another two years. That means you are about three years behind the latest technologies, thanks to Moore’s Law. As Harrington put it succinctly: “Two years to get it is two years too late in the cyber industry.”
She said the Director of National Intelligence is leading efforts to speed cyber acquisition for her part of the world and suggested the issuance of IDIQ contracts might be a good way to build a flexible stable of secure providers from whom one could buy quickly and with assurance.
Hullings pointed to the so-called 933 report which was meant to help break the logjam of IT and cyber acquisition. If implemented it could really help speed the purchase of cyber products.
The best story of the day came from Harrington. Talking about the security of the supply chain — the military and intelligence communities worry that foreign suppliers might build code into chips or firmware to thwart or warp how a US weapon works — she pointed to the example of a long-time trusted supplier at the NRO. The vendor decided to change the wax it used to keep the NRO’s floors bright and shiny to a new “green” substance.
“It created electronic status discharge and fried one of my electronics,” Harrington said. Wow.