August 19, 2019 | International, Aerospace
By Joseph Marks
LAS VEGAS — In a Cosmopolitan hotel suite 16 stories above the Def Con cybersecurity conference this weekend, a team of highly vetted hackers tried to sabotage a vital flight system for a U.S. military fighter jet. And they succeeded.
It was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses. And after two long days, the seven hackers found a mother lode of vulnerabilities that — if exploited in real life — could have completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight.
They even found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November without actually touching the device.
“They were able to get back in through the back doors they already knew were open,” Will Roper, the Air Force's top acquisition official, told me in an exclusive briefing of the results.
The hackers lobbed a variety of attacks — including injecting the system with malware and even going at it with pliers and screwdrivers. When I saw it, the metal box that's usually secure on the aircraft had wires hanging out the front.
The hackers briefed Roper on the findings on Saturday afternoon. He was surrounded by discarded pizza boxes, iced coffee drinks — and the hotel's drinking glasses filled with screws, nuts and bolts removed from five fully dismantled TADS devices, which run about $20,000 a pop.
He'd expected the results to be about this bad, Roper told me on a private tour of the hacking event. He pinned the weaknesses on decades of neglect of cybersecurity as a key issue in developing its products, as the Air Force prioritized time, cost and efficiency.
He's trying to turn that around, and is hopeful about the results of the U.S. government's newfound openness to ethical hackers. He'd come straight from Def Con's first-ever Aviation Village, which the Air Force helped establish, and was wearing a gray T-shirt with the words “No, Mr. Bond, I expect you to hack,” emblazoned on the front — a riff on a classic line from the 1964 James Bond film “Goldfinger.”
This is a drastic change from previous years, when the military would not allow hackers to try to search for vulnerabilities in extremely sensitive equipment, let alone take a literal whack at it. But the Air Force is convinced that unless it allows America's best hackers to search out all the digital vulnerabilities in its planes and weapons systems, then the best hackers from adversaries such as Russia, Iran and North Korea will find and exploit those vulnerabilities first, Roper told me.
“There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” he said.
Roper wants to put his military hardware where his mouth is.
During next year's Def Con conference, he wants to bring vetted hackers to Nellis or Creech Air Force bases near Las Vegas where they can probe for bugs on every digital system in a military plane, including for ways that bugs in one system can allow hackers to exploit other systems until they've gained effective control of the entire plane.
He also wants to open up the ground control system for an operational military satellite for hacker testing, he said.
“We want to bring this community to bear on real weapons systems and real airplanes,” Roper told me. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”
Those hacking challenges will also be useful for the private sector because military planes and satellites share many of their computer systems with the commercial versions of those products, Roper said, and the Air Force can share its findings.
The seven hackers probing the TADS devices were all brought to Vegas by the cybersecurity company Synack, which sells the Pentagon third-party vulnerability testing services, under a contract with the Defense Digital Service, a team of mostly private-sector technology stars who try to solve some of the Pentagon's thorniest technology problems during short-term tours.
The Defense Digital Service started by organizing large-scale hacking competitions in 2016, with names such as “Hack the Pentagon” and, eventually, “Hack the Air Force.” These were open to almost anybody — but included only public-facing hacking targets such as military service websites and apps.
Shortly after, they also began opening more sensitive systems to a smaller number of vetted hackers who sign nondisclosure agreements.
DDS has run about a dozen of those more sensitive hacking competitions so far, but this is the first time it has offered up the same system for hacking twice, said Brett Goldstein, DDS's director, who earned a reputation in technology as Open Table's IT director and chief data officer for the city of Chicago.
“That's important because security is a continuous process,” he told me. “You can't do an exercise and say, ‘Oh, we found everything' and check the box. You need to constantly go back and reevaluate.”
They also allowed the hackers to be more aggressive this time and to physically disassemble the TADS systems to get a better idea of what kinds of digital attacks might be effective, Goldstein said. That meant the hackers could simulate a cyberattack from adversaries that had infiltrated the vast network of suppliers that make TADS components and had sophisticated knowledge about how to compromise those elements.
They could also advise the Air Force about flaws in how the TADS hardware was built that make it more susceptible to digital attacks.
Moving forward, Roper told me, he wants to start using that knowledge to mandate that Air Force vendors build better software and hardware security controls into their planes and weapons systems upfront so the Air Force doesn't have to do so much cybersecurity work on the back end.
He's up against an arcane and byzantine military contracting process, however, that's going to make those sorts of fundamental reforms extremely difficult, he acknowledged.
In some cases, the company that built an Air Force system owns the software embedded in that system and won't let the Air Force open it up for outside testing, he says. In other cases, the Air Force is stuck with legacy IT systems that are so out of date that it's difficult for even the best technologists to make them more secure.
“It's difficult to do this going backward, but we're doing our best,” Roper told me. “I can't underscore enough, we just got into the batter's box for what's going to be a long baseball game.”
April 6, 2021 | International, Land
The new vehicles will offer Army soldiers added mobility and other capabilities while operating in the increasingly strategic Arctic region.
October 27, 2020 | International, C4ISR
BAE Systems has been awarded an indefinite delivery/indefinite quantity contract to develop an attritable air vehicle system for the Skyborg program. Under this program, which has a contract ceiling of up to $400 million, the company will compete to develop a digital design for an unmanned aerial vehicle (UAV) capable of autonomous functions. The Skyborg program is intended to create a low-cost autonomous unmanned aerial vehicle that will partner with manned aircraft to increase air combat power. Teamed with a manned aircraft, the UAVs will leverage autonomy to disrupt and defeat adversaries in contested environments. “This award will accelerate the development and deployment of manned-unmanned teaming technologies to give the U.S. Air Force a decisive edge in the battlespace,” said Ehtisham Siddiqui, vice president and general manager of Controls and Avionics Solutions at BAE Systems. The UAVs will be designed with BAE Systems' autonomous systems, which include sensors and payloads that communicate across a shared network with manned aircraft. This modular and common system approach provides the foundation for rapid updates and integration to ensure the fleet is fielding the latest capabilities to defend against emerging threats. The shared network enables manned-unmanned teaming (MUM-T), which allows UAVs and manned aircraft to work together and complete missions more effectively. The network extends the reach of the fleet, while keeping the manned aircraft and personnel out of harm's way. It will allow the UAVs to serve as the eyes and ears for pilots, collecting and sending data from the battlespace to a manned fighter. https://www.defenseworld.net/news/28159#.X5iIvEeSnIV
June 7, 2019 | International, Land
By: Andrew Chuter LONDON – Britain has fallen behind its allies and potential adversaries in key armored combat vehicle capabilities and must do more to become a force to be reckoned with, Defence Secretary Penny Mordaunt has warned. “The future may look very different in years to come, but meantime, while armour is relevant it must be capable, and we must be competitive. We have not been,” Mourdaunt told an audience of senior international army chiefs and industry executives at a land warfare conference in here June 4. The Challenger 2 main battle tank and the Warrior infantry fighting vehicle, two of the key elements of the British army's battle formations, were both labeled as “obsolete” by a defense secretary who only started the job a month ago but could move on once a new Conservative prime minister is elected in July to replace Theresa May. “Challenger 2 has been in service without a major upgrade since 1998. During this time the U.S., Germany and Denmark have completed two major upgrades, whilst Russia has fielded five new variants with a sixth pending,” she said. “Warrior is even more obsolete, and is twenty years older than those operated by our key allies. Since Warrior's introduction in 1988 the United States and Germany have conducted four major upgrades and Russia has invested in three new variants,” said Mordaunt. What does she mean by obsolete? In the case of Warrior its best known shortcoming is the inability to fire on the move, and a 30mm cannon that has to be manually loaded with three round clips of ammunition. As it stands, the vehicle is unlikely to scare potential adversaries like the Russians. The British have been under-invested in combat armored capability for years aside from meeting the urgent operational requirements to counter improvised explosive devices in Afghanistan. Many of those vehicles remain in service, even though the threat has changed. Efforts are finally underway to improve the situation, sparked, in part, by the army's move to form two armored strike brigades by 2025. That force is planned to include tracked reconnaissance vehicles, an 8x8 mechanized infantry vehicle and a new 155mm artillery system. General Dynamics UK has started delivering the first of 589 Ajax reconnaissance and support vehicles in what has been touted by the government as the largest armored vehicle investment in three decades. Germany's Artec has been nominated as the preferred supplier with its Boxer 8x8, although no contract has been signed yet. A competition on the artillery is getting underway. Programs to upgrade both the vehicles named as obsolete by Mordaunt are in the works, but there is no manufacturing contract yet for either. In the Warrior's case Lockheed Martin UK secured the upgrade development program from the defense ministry in 2011, but is only now undertaking the reliability trials on which a final production contract depends. At one time the number of hulls to be updated was in the region of 380, but suppliers at a recent Lockheed Martin briefing said that as the British Army has shrunk and budgets got tighter, that figure is now down to around 265 and could go even lower. As for Challenger 2 upgrades, an assessment phase involving BAE Systems and Rheinmetall has been completed and is now under review. It seems no final decision has been made, but the signals coming out of the defense ministry suggest the Army may get what they want, which is a Challenger 2 sporting a German turret and smoothbore cannon. Tank numbers to be upgraded are unclear, with defense procurement minister Stuart Andrew telling Parliament recently that the final decision would be informed by “the assessment phase, the defense requirement and a balance of investment consideration.” The British Army currently has a fleet of 227 Challenger 2 tanks. BAE and Rheinmetall recently announced their intention to form an armored vehicle joint venture including the British companies activities in the sector, with the German company having the majority shareholding. Final approval of the deal is expected this month and a decision about the way forward on Challenger 2 could follow in the following two or three months. The scope and size of the armored-vehicle effort depends, like everything else, on the availability of funding. The defense ministry has budgeted £18.4 billion ($23.4 billion) for land-warfare equipment purchases over the next 10 years. Shorter-term budget considerations, though, will be resolved in the next few months. A government-wide review of departmental budgets, known as the comprehensive spending review, is currently underway. That will dictate whether the currently cash-strapped military will get the sizeable spending increases they are hoping for over the next three years. In opening remarks to the RUSI conference this week, Gen. Sir Mark Carleton-Smith, the chief of the general staff, made it clear he saw the threat of the tank diminishing in the military of the future as the focus shifts to issues like cyber warfare. “The main threat is less missiles and tanks. It's the weaponization of those elements of globalization that hitherto have made us prosperous and secure, such as mobility of goods, people, data and ideas," he said. "Living on an island gives no guarantees against the corrosive and intrusive effects of disinformation, subversion and cyber.” Perhaps for now, at least, the last word over the utility of the tank in today's information-rich environment should go to the conference speaker who voiced the opinion, “You can cyber all you like, but there comes a time when only a tank will do." https://www.defensenews.com/global/europe/2019/06/05/will-the-stars-finally-align-to-upgrade-britains-obsolete-tanks/