WASHINGTON — When security flaws allowed a Jeep Cherokee to be hacked and remotely controlled earlier this month, the US Army took notice, according to a lead acquisitions official.
The hack was a hot topic at a recent ground vehicle systems engineering and technology symposium, according to Kevin Fahey, director of system of systems engineering and integration in the Office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology.
"I was pleasantly surprised that the government guys and the industry guys were talking about cyber, because if you can take over a truck, God forbid you take over a tank," Fahey said, speaking at the National Defense Industrial Association's tactical wheeled vehicle conference on Tuesday.
Fahey told the industry audience they must be concerned about cyber, particularly the security of the systems they manufacture. Though the formal requirements for system security are ever changing, Fahey said, vendors must design modular, open architecture systems that can adapt.
Assistant Secretary of the Army Heidi Shyu directed Fahey to incorporate system security into the formal defense acquisitions process. The Army's biggest challenge has been to improve the security of update systems that have already been fielded, to make them more secure, particularly tactical systems that do not connect to a network — an issue for Army vehicles, Fahey said.
The Army divides cyber into offense, defense and systems security. Most offensive cyber requirements are apportioned to Program Executive Office (PEO) Intelligence, Electronic Warfare & Sensors, and requirements for defense are sent to PEO Enterprise Information Systems and PEO Command, Control and Communications-Tactical, while some — like cyber situational awareness — are spread across the three.
The Army has been developing an agile acquisitions process for cyber, Fahey said, to keep pace with information technology development.
"If we do the requirements and materiel development for cyber the way we do a tank, we're screwed," Fahey said. "It wasn't easy because every time I staffed a document, I got: 'Why wasn't it within a process we already had?' But the process we already had doesn't work."
The G-8, Army headquarters' lead organization for matching available resources to the defense strategy, is lining up resources ahead of an execution plan. At present, G-8 is developing the budget for the 2017 program objective memorandum, or budget recommendations, for defensive cyber requirements.
The Army has formed a general officer steering committee, co-chaired by Fahey and representatives of the G-3 and Army Cyber. The organization determines cyber acquisition priorities and, by late summer, crafts a plan to execute the following year.
The committee meets with the Army's top officer on a quarterly basis. In its most recent meeting this summer, with departing Chief of Staff Gen. Ray Odierno — since retired — training requirements and how to institutionalize them were discussed. Fahey said he expects Odierno's successor, Gen. Mark Milley, will continue the same focus.
"We can do things faster … but you need top level support, and you have to have the requirements, the resources and acquisitions all aligned," Fahey said. "There were a lot of people who were queasy but the vice [chief of staff of the Army] and the chief [of staff] understood, and said go do it."
Email: jgould@defensenews.com
Twitter: @reporterjoe
Joe Gould was the senior Pentagon reporter for Defense News, covering the intersection of national security policy, politics and the defense industry. He had previously served as Congress reporter.
