Software factories are the new target for cyber attacks, Air Force official says
Will Roper, the Air Force's acquisition chief, said the massive cybersecurity breach that's plagued several federal government agencies creates "a new kind of target for our adversaries" that must be protected.
NOTE: This story first appeared on FCW.com.
The Defense Department has been pushing hard for digital modernization, but the massive hacking campaign that breached multiple federal government agencies via Solarwinds software has put some of its more nascent efforts at risk -- namely software factories.
"Yes, this creates a new kind of target for our adversaries. These digital factories that we are using to design things may become crown jewels and they'll have to be protected as such," Will Roper, the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, told reporters Dec. 18 during a virtual Defense Writers Group event.
That becomes an acute challenge for newer programs such as the Air Force's Cloud One and Platform One, which respectively centralize data sharing and tool development capabilities.
"So as I look at programs like Cloud One and Platform One that are being used broadly across our development enterprise, that becomes a single thing to attack whose effects would ripple into other programs," Roper said.
The 2021 defense policy bill, which is under veto threat and awaiting a presidential signature, has a number of cyber provisions aimed at improving the federal government's preparedness for security breaches like Solarwinds.
"This attack is a stark warning that our nation must bolster its cybersecurity posture and capabilities, and it must do so without delay," wrote House Armed Services Committee Republicans Ranking Member Mac Thornberry (Texas), incoming Ranking Member Mike Rogers (Ala.), and four other members said in a statement Dec. 18.
"There is no doubt our adversaries will take advantage of any opportunity to attack vulnerabilities in our cyber infrastructure. The measures in this year's bill will provide critical safeguards to protect the information and capabilities most foundational to our nation's security."
During his talk, Roper stressed DOD's need for zero trust principles on a large scale.
"The other thing that we have to bring into our software environment, into our digital infrastructure which the department is behind on is new technologies that allow you to deal with adversaries that have gotten in -- so zero trust technologies and doing continuous monitoring," Roper said.
"We don't do that in the Defense Department. We certify things are impregnable and commercial industry assumes everything is pregnant and has to deal with that after the fact."
Roper said the goal is to both keep adversaries out while having a plan once they get in and building on those technologies, particularly with initiatives like Cloud and Platform One. The Air Force has been using red teaming to test those systems' security in the wake of Solarwinds Orion software breach, he said, but that new approaches can often mean new targets.
If you create a game changing approach to change the [defense procurement] system, that game changing approach is likely the new thing your adversary targets," Roper said. "Welcome to the digital age."