The Air Force wants to eliminate cybersecurity vulnerabilities in legacy platforms, but it faces a big bill and a limited workforce with the engineering skills necessary for the effort, according to the service’s chief information officer (CIO).
Lt. Gen. William Bender, also the Air Force’s chief of information dominance, on Thursday called the effort “bolt-on cybersecurity,” an aggressive and robust plan to address these cybersecurity vulnerabilities in aircraft with an average age of 30 years in service. The goal isn’t 100 percent compliance, he said, but accomplishing as much as possible by understanding vulnerabilities and working through them proactively.
The problem, Bender said, is that the bolt-on cybersecurity effort leans heavily on engineering and the Air Force doesn’t have enough people to understand it, let alone implement it. He said the service has roughly a “handful” of technically experienced people to do the job, while the Microsofts [MSFT] and Googles [GOOG] of the world have hundreds. Bender called for a public/private partnership to help bridge this talent gap.
The Defense Department has a similar public/private partnership called the Information Technology Exchange Program. It gives the Pentagon and participating companies the opportunity to share best practices and enhance employee and organizational capabilities through personnel assignments that can last from three months to a year. The program focuses on information technology (IT) personnel whose skill sets include commercial cloud services, mobility, cybersecurity, big data and data analytics, enterprise architecture, network services and others.
Bender didn’t know how much the bolt-on cybersecurity effort will cost, but he said it would be large as the Air Force is heavily dependent on legacy systems. He said for newer weapon systems the Air Force is working to ensure that cybersecurity parameters are being met as acquisition progresses.
Bender emphasized that this work with newer platforms is a learn-on-the-fly effort.
“All the services are probably in a similar place where we’re trying to figure out what defines those cybersecurity requirements in new weapon systems development,” Bender told reporters at a Defense Writers Group breakfast in Washington.