General Sarah Zabel @ AFA 2014

NATIONAL HARBOR: The good news is the Air Force has almost finished a new strategy to protect its high-tech gear from hackers. The bad news? The problem is huge, the processes are nascent, and the intimately interrelated issue of electronic warfare is, at the moment, not part of the discussion. Sure, cybersecurity is the scary, sexy, budget-grabbing brave new world; but with deployed forces dependent on wireless networks and satellite uplinks, good old-fashioned radio jamming can shut you down as hard as any virus — and jamming technology keeps getting cheaper.

“Frankly… we don’t address it deeply,” Brig. Gen. Sarah Zabel, the service’s director of cyberspace strategy and policy, told reporters this morning at the Air Force Association’s annual conference. “We are speaking to it overall,” she added. Electronic warfare is included in the strategy’s overview of information technology issues, but the strategy does not get into the specific functions that rely on relatively secure fiber-optic cables and which rely on wireless links. Nor does the new “information technology portfolio” being created to coordinate management of multiple IT programs include electronic warfare systems. EW aspects will be resolved by acquisition officials at Air Force Space Command, which oversees the relevant networks, she said.

“If you’re deploying, then you’re probably relying on satellites, [not] landlines,” she said. Air Force information technology has to support the mission in face of both hackers and jammers: “If we’re trying to get the bomber through,” she said, “we’ve got to get the bomber through, even if people are blasting GPS out of the sky [and we] can’t tell where we are.”

But the problem already on Zabel’s table is huge enough. The new strategy strives to make cybersecurity a focus for every Air Force program from its inception, rather than something that gets patched on after fielding — “baked in” rather than “bolted on,” as Air Force Secretary Deborah Lee James put it today at AFA. Most current programs began long before cybersecurity was a top priority, and all too often, they must scramble to patch the resulting holes at the tail end of a years-long, even decades-long process.

“They’re done, ready to go out to the Air Force, and [you ask,] ‘by the way, did anyone ever mention cybersecurity to you?’ And too many times the answer is ‘no,'” Zabel said. Today, under the current acquisition regulations, she said, “with each of the milestone decisions, there’s something cyber-related there, but how effectively are we checking the right things at the right time? I think that still needs massive amounts of improvement.”

The new strategy will “make sure cybersecurity requirements are included…right from the beginning” of the acquisition process, Zabel said. Later on, when new systems are ready to field, the strategy will ensure that their operators are trained on the cybersecurity aspects, she added.

The Air Force’s acquisition secretariat “has actually taken a very strong interest in…. making these platforms resilient and robust against cyber adversaries,” added Peter Kim, deputy director of Air Force cyber operations. “If you look at the JSF, if you look at any of our weapons systems platforms that fly in the air,” Kim said, “there are robust IT systems that support these things, that fly these things, and they’re vulnerable to all kinds of exploits.”