Top Scientist Laments Air Force's Poor Awareness in Cyberspace
“Right now we do not have good situational awareness,” said Mark T. Maybury, chief scientist of the Air Force. “Cyber is something we’re dependent upon throughout our entire enterprise," he said July 17 at an Air Force Association breakfast meeting in Arlington, Va. “We have not found a single mission today that is not dependent on cyber.”
To address the growing security concerns within cyberspace, the Air Force has launched Cyber Vision 2025, a project to develop a framework for upgrading the nation’s electronic warfare capabilities over the next decade.
The cybersecurity effort could cost up to $4 billion, but that number is merely half or perhaps a third of what the Defense Department will spend on cybersecurity in the same timeframe, Maybury said. Priorities include protecting information-centric weapon systems such as in the highly computerized F-35 Joint Strike Fighter, he said.
“First and foremost, what we need to do is have better awareness,” Maybury said. “Ideally you want to know not only what’s going on now — who’s where and when — but also, you’d like to be able to predict what they’re likely to do.”
In cyberspace, as on a physical battlefield, “exquisite awareness … is probably impossible,” Maybury said, referring to a situation where a commander knows the movements and intentions of everyone involved in a contingency.
“In some respects it’s more of the same” as gathering intelligence in a physical environment, Maybury said. “But in cyberspace, attacks can be very, very fast” and numerous.
“The offense has been industrialized while defense [against cyber-attacks] is still a cottage industry,” he said. “Our adversaries now have the ability to take a piece of software and automatically scan that software looking for vulnerabilities. So, they’re automating ... the attack process. We’re defenders, but to be a good defenders, you’ve got to understand what the bad guy’s going to do to you.”
One problem for U.S. cybersecurity efforts is that the United States is being outpaced in churning out computer scientists, especially by China, its chief rival in cyberspace, analysts said. In 2025, the United States is expected to produce 3,800 computer-science PhDs, half of whom will not remain in the country, Maybury said. China, by that year, will produce 8,500 PhDs annually.
In 2011, there were an estimated 2.9 million unique “threat signatures” that the Air Force identified against U.S. computing systems. That number is expected to climb to as many as 200 million individual threats by 2025, in part because the process of launching cyber-attacks has become more automated, Maybury said.
Computing and data storage are increasingly accomplished with commercial technology. With much of those components and the software they run created overseas, “huge vulnerabilities” are developing that must be anticipated and addressed, Maybury said. Technology designed specifically for military use is no less vulnerable to threats launched from cyberspace.
Nearly all of the military's communications equipment and vehicles have become significantly more automated. Whereas an F-4 Phantom jet of the 1960s was 5 percent computerized, the F-35 Joint Strike Fighter is 90 percent automated and every one of its computer systems is a potential soft spot for hackers, Maybury said.
The nation also must worry about protecting critical civilian infrastructure, he said. Citing the mid-July storms that left much of the Washington, D.C., area without power for several days, Maybury said “it unfortunately would not take a lot” to duplicate such results with a well-coordinated cyber-attack.
The Air Force has taken the lead on shoring up U.S. defenses against cyber-attacks. “We’re expected to do this, it’s our mission,” he said. “We also believe we can do it. Also, an important aspect is not only have we been asked to do it … no one else is doing it.”