19 août 2019 | International, Aérospatial
By Joseph Marks
LAS VEGAS — In a Cosmopolitan hotel suite 16 stories above the Def Con cybersecurity conference this weekend, a team of highly vetted hackers tried to sabotage a vital flight system for a U.S. military fighter jet. And they succeeded.
It was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses. And after two long days, the seven hackers found a mother lode of vulnerabilities that — if exploited in real life — could have completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight.
They even found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November without actually touching the device.
“They were able to get back in through the back doors they already knew were open,” Will Roper, the Air Force's top acquisition official, told me in an exclusive briefing of the results.
The hackers lobbed a variety of attacks — including injecting the system with malware and even going at it with pliers and screwdrivers. When I saw it, the metal box that's usually secure on the aircraft had wires hanging out the front.
The hackers briefed Roper on the findings on Saturday afternoon. He was surrounded by discarded pizza boxes, iced coffee drinks — and the hotel's drinking glasses filled with screws, nuts and bolts removed from five fully dismantled TADS devices, which run about $20,000 a pop.
He'd expected the results to be about this bad, Roper told me on a private tour of the hacking event. He pinned the weaknesses on decades of neglect of cybersecurity as a key issue in developing its products, as the Air Force prioritized time, cost and efficiency.
He's trying to turn that around, and is hopeful about the results of the U.S. government's newfound openness to ethical hackers. He'd come straight from Def Con's first-ever Aviation Village, which the Air Force helped establish, and was wearing a gray T-shirt with the words “No, Mr. Bond, I expect you to hack,” emblazoned on the front — a riff on a classic line from the 1964 James Bond film “Goldfinger.”
This is a drastic change from previous years, when the military would not allow hackers to try to search for vulnerabilities in extremely sensitive equipment, let alone take a literal whack at it. But the Air Force is convinced that unless it allows America's best hackers to search out all the digital vulnerabilities in its planes and weapons systems, then the best hackers from adversaries such as Russia, Iran and North Korea will find and exploit those vulnerabilities first, Roper told me.
“There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” he said.
Roper wants to put his military hardware where his mouth is.
During next year's Def Con conference, he wants to bring vetted hackers to Nellis or Creech Air Force bases near Las Vegas where they can probe for bugs on every digital system in a military plane, including for ways that bugs in one system can allow hackers to exploit other systems until they've gained effective control of the entire plane.
He also wants to open up the ground control system for an operational military satellite for hacker testing, he said.
“We want to bring this community to bear on real weapons systems and real airplanes,” Roper told me. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”
Those hacking challenges will also be useful for the private sector because military planes and satellites share many of their computer systems with the commercial versions of those products, Roper said, and the Air Force can share its findings.
The seven hackers probing the TADS devices were all brought to Vegas by the cybersecurity company Synack, which sells the Pentagon third-party vulnerability testing services, under a contract with the Defense Digital Service, a team of mostly private-sector technology stars who try to solve some of the Pentagon's thorniest technology problems during short-term tours.
The Defense Digital Service started by organizing large-scale hacking competitions in 2016, with names such as “Hack the Pentagon” and, eventually, “Hack the Air Force.” These were open to almost anybody — but included only public-facing hacking targets such as military service websites and apps.
Shortly after, they also began opening more sensitive systems to a smaller number of vetted hackers who sign nondisclosure agreements.
DDS has run about a dozen of those more sensitive hacking competitions so far, but this is the first time it has offered up the same system for hacking twice, said Brett Goldstein, DDS's director, who earned a reputation in technology as Open Table's IT director and chief data officer for the city of Chicago.
“That's important because security is a continuous process,” he told me. “You can't do an exercise and say, ‘Oh, we found everything' and check the box. You need to constantly go back and reevaluate.”
They also allowed the hackers to be more aggressive this time and to physically disassemble the TADS systems to get a better idea of what kinds of digital attacks might be effective, Goldstein said. That meant the hackers could simulate a cyberattack from adversaries that had infiltrated the vast network of suppliers that make TADS components and had sophisticated knowledge about how to compromise those elements.
They could also advise the Air Force about flaws in how the TADS hardware was built that make it more susceptible to digital attacks.
Moving forward, Roper told me, he wants to start using that knowledge to mandate that Air Force vendors build better software and hardware security controls into their planes and weapons systems upfront so the Air Force doesn't have to do so much cybersecurity work on the back end.
He's up against an arcane and byzantine military contracting process, however, that's going to make those sorts of fundamental reforms extremely difficult, he acknowledged.
In some cases, the company that built an Air Force system owns the software embedded in that system and won't let the Air Force open it up for outside testing, he says. In other cases, the Air Force is stuck with legacy IT systems that are so out of date that it's difficult for even the best technologists to make them more secure.
“It's difficult to do this going backward, but we're doing our best,” Roper told me. “I can't underscore enough, we just got into the batter's box for what's going to be a long baseball game.”
25 juin 2024 | International, Sécurité
Discover GrimResource, a new cyber threat leveraging MSC files for stealthy code execution. Stay informed and protected against this evolving cybersec
31 décembre 2018 | International, Aérospatial, Naval, Terrestre, C4ISR, Sécurité
By: Aaron Mehta WASHINGTON — Under the purview of Defense Secretary Jim Mattis, reform has become a buzzword inside the Department of Defense, with every office trying to find ways to be more efficient, whether through cost savings or changes to bureaucracy. The department's Acquisition and Sustainment office, headed by Ellen Lord, manages billions of dollars in materiel; and by Lord's own belief, it is ripe for changes that could net the department big savings. On Dec. 17, Lord sat down with reporters and outlined a series of goals for 2019 that she hopes will help transform how the Pentagon buys equipment. Here, then, are six key items to watch for in the coming year. 1. Rework the department's key acquisition rules: The DoD Instruction 5000.02 is a key bedrock that forms the basis of how the defense acquisition system works, guiding acquisition professionals in their day-to-day program execution. And if Lord gets her way, she'll largely rip it up and start over. “In 2019, one of my key objectives is to rewrite 5000.02. We have, right now, this huge, complicated acquisition process that we encourage our acquisition professionals to tailor to their needs,” Lord said. “We are going to invert that approach and take a clean sheet of paper and write the absolute bare minimum to be compliant in 5000.02, and encourage program managers and contracting officers to add to that as they need for specific programs.” Lord envisions taking the massive, unwieldy 5000.02 guidance and getting it down to “a couple page outline of what you need to do,” with “simple” contract language and an easy-to-follow checklist “so that this isn't an onerous process.” “I'm encouraging what I call creative compliance. I want everyone to be compliant, but I want people to be very thoughtful and only use what they need,” she said. “This is literally starting with a clean sheet of paper, looking at the law and the intent, and working to vastly simplify this.” Andrew Hunter, a former Pentagon acquisition official now with the Center for International and Strategic Studies, notes that the instruction is supposed to be rewritten every five years to keep it fresh, and now is probably the right time to start looking into that. But, he added, “a lot of what she says she wants to do are things that sound very similar to my ear to what [Lord's predecessor] Frank Kendall was trying to do in the last rewrite. He tossed stuff out left and right, worked very hard to create the different models, put in extended discussions of different potential models of programs so that it would be obvious to people there's not one single way to do a program.” Hunter is cautious when it comes to a massive shift in the 5000.02 system. “If you literally tell the system, ‘All the rules are repealed, go do everything you want,' the reaction won't be a sudden flood of creativity that astounds you with the amazing talent at the department, even though there is a lot of talent there," he said. “What's more likely to happen is you have total paralysis because everyone is sitting around going: ‘Oh no, the rules are gone. How do we know what we can do? What do we do now?' But over time that might shake out.” If Congress needs to get involved, Lord said, she's prepared to go to Capitol Hill “because I know they are partnering with us and they want to make sure we do things in a simpler, most cost-effective manner.” 2. Intellectual property rules: A long-standing fight between the department and industry is over who should own the intellectual property used by the American military. Before fully taking on 5000.02, Lord hopes to write a departmentwide intellectual property policy. Lord pointed to the “very good job” done by the Army on creating an IP policy and said her goal is to build on that to create a standard across the DoD. “From an industry perspective, we are trying to be consistent across all the services and agencies, so that we don't have different requirements for similar needs,” Lord said. “So intellectual property is a good example. We'd like to have the same kind of contract language that can be tailored to individual needs, but basically have consistent language.” David Berteau, a former Pentagon official who is now the president and CEO of the Professional Services Council, noted it is hard to read the tea leaves for what Lord may be planning based on her public comments. But he pointed out the long-standing challenge for the Pentagon — that nearly 70 percent of all program costs are life-cycle sustainment and maintenance costs — as a sign that something needs to change so the department can avoid major issues in the future. Depending on how new rules are implemented, the use of IP might drive down costs — or, he warned, it might lead to companies unable to compete, forcing the Pentagon to pay more or be less prepared for challenges. Put plainly, Berteau said, “it's complicated.” He hopes Lord will begin interacting with industry on this issue in ways similar to the current “listening tour” on changes to progress payments. 3. Better software development: It's become almost cliché that the department needs to do better at developing software, but in this case it's a cliché that experts, including Lord, agree with. The Defense Innovation Board, a group of tech experts from outside the department, is working on a series of studies on software, including one focused on how to drive agile development techniques inside the building. Lord said to expect that report before the end of March, adding: “I think that will be important in terms of capturing a road map forward on how to do this correctly.” 4. Increase use of OTAs: In 2018, Lord's office released a handbook on when and how to use other transaction authorities — legal standards designed to speed acquisition that critics say are underutilized by the department. Lord called it “sort of a warmup” for creating more useful handbooks for the acquisition community, but said that the goal for 2019 is to get people to correctly employ OTAs. “Usually they should be used when you don't have a clear requirement. So, true prototyping when you don't know what you're going to get,” Lord said. “Prototyping early on, probably before you get to the middle-tier acquisition.” 5. Greater use of prototyping: Speaking of which, Lord said the department has about 10 projects underway for rapid prototyping at the mid-tier level, with the goal of growing to about 50 in the next year. The goal is to take the systems into the field, test them out and then grow the next iteration of the capability based on what is learned. “We're taking systems that are commercially available and perhaps need a little modification, or defense systems that need a modicum of modification to make them appropriate for the war fighter,” Lord said. “That's one of the authorities we are very appreciative for, and we will continue to refine the policy. I signed out very broad policy on that this year. We'll write the detailed policy coming up early next year.” 6. Making the Selected Acquisition Reports public again: Until recently, the department publicly released annual Selected Acquisition Reports for each of the major defense programs. Those reports can inform the public of where programs stand and the costs associated. However, under the Trump administration, those reports have been largely classified as “For Official Use Only,” or FOUO, a higher level of security. Critics, including incoming House Armed Services Committee Chairman Adam Smith, D-Wash., have argued there is no need for those once-public reports to be listed as FOUO. It appears Lord is working to open those back up. “We're going to try to minimize the FOUO on that,” Lord said in response to a question about it. “There are certain information [issues] that we have to protect, but [we] understand the need, the requirement, and I will put our guidance to make everything open to the public to the degree we can.” https://www.defensenews.com/pentagon/2018/12/27/six-things-on-the-pentagons-2019-acquisition-reform-checklist/
22 mai 2020 | International, Aérospatial
Dans un contexte de crise économique aggravée par le coronavirus, une bagarre se joue au sommet de l'état-major indien à propos d'un appel d'offres lancé il y a deux ans pour l'achat de 114 avions de combat. Par Guillaume Delacroix Publié le 20 mai 2020 à 09h03 - Mis à jour le 20 mai 2020 à 12h42 L'épidémie de Covid-19 fait une victime inattendue en Inde : le groupe Dassault Aviation. Celui-ci est en train de voir s'envoler ses espoirs de fournir une bonne centaine de Rafale supplémentaires au géant d'Asie du Sud. Le constructeur aéronautique français, qui a reçu commande de 36 exemplaires biplaces de cet avion de combat pour 8 milliards d'euros en septembre 2016, vient d'apprendre de la bouche du nouveau chef d'état-major des armées indiennes que l'appel d'offres international lancé en avril 2018 pour l'achat de 114 autres appareils était en passe d'être annulé. C'est un marché évalué à 1 000 milliards de roupies (12,2 milliards d'euros) qui va vraisemblablement s'évaporer. « L'Indian Air Force est en train de se réorienter vers des avions de combat légers » produits dans le sous-continent, a déclaré le général Bipin Rawat à l'agence Bloomberg, jeudi 14 mai. En l'occurrence, des Tejas LCA (Light Combat Aircraft). C'est une énorme déconvenue pour l'avionneur français, à qui l'Inde devait initialement acheter 126 Rafale, et non pas 36. Les quatre premières livraisons devaient d'ailleurs avoir lieu ce mois-ci, mais la crise sanitaire mondiale en cours l'a contraint à les reporter à juillet. D'autres constructeurs en sont pour leurs frais, qui entendaient eux aussi remettre une offre pour les 114 nouveaux avions. Parmi eux, les américains Lockheed Martin et Boeing, le suédois Saab et le russe Soukhoï. Le Tejas, avion « made in India » Confrontée à un ralentissement économique historique en 2019, avec une croissance du produit intérieur brut (PIB) à moins de 5 % – alors qu'elle approchait 9 % il y a un peu plus de deux ans –, l'économie indienne prend de plein fouet les effets de l'épidémie liée au coronavirus et risque désormais de tomber en récession. Dans ces conditions, Delhi n'a plus les moyens de s'équiper auprès de fournisseurs étrangers, a fait comprendre dès la fin du mois d'avril le premier ministre, Narendra Modi, en affirmant que le pays ne se relèverait qu'en produisant « local ». https://www.lemonde.fr/economie/article/2020/05/20/en-inde-dassault-voit-s-eloigner-tout-espoir-de-nouvelle-commande-de-rafale_6040216_3234.html