Over the last several months, new and iterative threats have emerged from the cyber domain. As the cyber environment evolves, the government faces increasing threats from state and non-state adversaries. Together with industry, the government—and the military in particular—is working to field solutions that work strategically and technologically.
Increasingly sophisticated cyber attacks, including those that take advantage of artificial intelligence, malware and denial of service, mean the government must make a more proactive effort to protect the United States from losing critical infrastructure or information vital to national security.
C4ISRNET sat down with Todd Hicks, chief technology officer of Leonardo DRS Land Electronics, to discuss the challenges in the cyber domain, and how industry is working to combat them.
C4ISRNET: How does the military have to think differently about cyber threats?
Hicks: Right now, a lot of the government focus is on risk management framework, as a tool for making sure cybersecurity is applied to a system or a subsystem. I think that translates to more of a paper drill, as opposed to government looking at the real vulnerabilities with its requirements. A subset of that is supply-chain risk management. If an adversary can get into the supply system, that’s a lot less of a protected environment. The government has to become more technically aware of its vulnerabilities and start applying requirements to plug the holes.
C4ISRNET: How are threats different now than they were 18 to 24 months ago?
Hicks: The threats in the past have been more overt, more front-door. Now, we’re seeing a shift in the landscape where we have adversaries that are willing to spend months to years planning a low-level cyber attack. They’re willing to think that far ahead and invest a lot of time and money planning and coordinating. When they’re ready, the physical attack is much more successful. It requires a very different way of thinking about things. It’s almost a completely different discipline.
C4ISRNET: What are some interesting and unexpected phenomena you’re seeing in the cyber domain?
Hicks: The trends we’re seeing that are worrisome are related to embedded systems. A lot of attention in cyber goes to the operating system and anti-malware, but what we’re seeing at the embedded level, whether it’s a sensor or a tactical computer, is a lot of vulnerabilities and exploits where the adversaries are not attacking the operating system in the classical sense, but they’re actually attacking the embedded controllers. Unfortunately, the government requirements are not responding as quickly as they should.
C4ISRNET: How is industry uniquely positioned to address the critical issues within the cyber domain?
Hicks: Industry has to carry a lot of the responsibility. For a lot of these products, they’re the subject matter experts; they have the design authority. We have concerns about the warfighter, and based on the products we’ve been putting in the field for years, we’re cognizant of what the actual threat is and don’t want to see them materialize.
C4ISRNET: Which areas of technology are most important for industry to invest in, and how are you carrying out those investments?
Hicks: Strategically, we’re working with the Pentagon to write requirements, to help drive them from the top so that they’re able to give teeth to policies that are flowing down to the procurement offices. Tactically, with the products, we’re leaning forward with industry-cutting-edge technologies, baking them into our offerings, regardless of the shortcomings with the government requirements. We’re still applying the hardening measures to hardware and adding integrity measures.