The United States Air Force plans to choose on Dec. 13 which satellite it will offer to a service-selected group of hackers to try to infiltrate at next August’s Defcon 2020 conference in Las Vegas, an Air Force official said on Dec. 11.
Indeed, hackers are to be part of Air Force efforts to undertake “cyber hygiene” efforts to embed cybersecurity in aviation and space systems, including such systems’ vulnerable supply chains that lack secure embedded coding.
Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics, discussed the service’s cybersecurity initiatives at an event at the Atlantic Council to release the second council report on aviation cybersecurity since 2017, Aviation Cybersecurity: Scoping the Challenge, sponsored by Thales.
“What we’re going to do is make one of our satellites available to a team of ethical, cleared hackers just to be able to expose the challenges of trying to hack something in orbit because, aside from the fact that it’s a unique piece of hardware with unique ground stations, it’s whizzing around the earth wicked fast,” Roper said. “You only have access to it at certain times. We want to see if a team can do it.”
“I know we’re going to call it something like the Space Security Challenge, but we just keep calling it, ‘Hack-A-Sat’ inside the Air Force,” Roper quipped. “We want the community to learn that the cyber security piece is important. We want future space companies to think that. We also want to see if the way we’re approaching cyber security is flawed. So maybe we’ll have a team that brings in a new trick, and we’ll say, ‘Wait a second. We didn’t think of that.'”
The U.S. government had its first large scale presence at last August’s Defcon event, and the Air Force brought along its data transfer system for the Boeing [BA] F-15 fighter to expose to hacker tests. Roper said that he received “great feedback” from hackers and that Defcon is a significant opportunity for the Air Force to learn and augment the service’s cybersecurity.
“We are not being more secure sitting behind our high walls,” Roper said of the Pentagon. “When I was at Defcon last August, my first time there and the first time we had a large government contingent there, there are 46,000 hackers there that have amazing technical capability, and the U.S. military isn’t there looking for partnerships being part of a community that knows a lot more about software and vulnerabilities than we do–how myopic and short-sighted.”
The Air Force wants to reform its Cold War era acquisition process to field cutting edge technologies quickly, in part by working with “dual use companies” that build technologies that are not unique to defense. Writing aviation and space cybersecurity requirements that all companies must follow to be part of Air Force contracts will likely be a key part of the service’s rapid fielding efforts.
One key Air Force cybersecurity endeavor is the protection of GPS satellites, used by military and commercial aviation assets for precise navigation. Paul Prisaznuk, the head of ARINC standards development at SAE Industry Technologies Consortia, an affiliate of SAE International, has contended that GPS is the most vulnerable system on commercial aircraft but that airliners have Inertial Reference Systems to provide safe and secure operations “in the unlikely event of GPS outage.”
“We’re working all sorts of upgrades to GPS and alternatives to it,” Roper said after his remarks at the Atlantic Council. “It could be shared. Navigation is a big issue for us. We don’t ever want to lose it, and we’re thinking about NextGen navigation for military, and we should be thinking about how to make part of it commercially. It’s been an afterthought, and it needs to be a forethought.”
The Aviation Cyber Initiative (ACI) task force, tri-chaired by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and the Department of Transportation, has been working since May to implement the cyber security goals of the National Strategy for Aviation Security, released earlier this year, and to coordinate on cyber security priorities.