Ex-USAF Chief Scientist Likens U.S. Cybersecurity Challenge to Whac-A-Mole

Scientific American

From his vantage point as chief scientist of the U.S. Air Force, Mark Maybury had a bird’s-eye view of myriad advantages and challenges that modern technology presents not only to the military but also to society as a whole. During a three-year tenure that ended in June when Maybury returned to military contractor Mitre Corp. as vice president and chief technology officer, he led a series of three studies to expand the military’s understanding of energy use and cybersecurity.


The most recent—the June 2013 “Global Horizons” report (pdf)—broadens the Air Force’s purview by evaluating the $1.4 trillion in annual public and private spending on research and development worldwide in areas including transportation, communication, information technology, pharmaceuticals and materials science. The report also makes a number of recommendations regarding how best to spend this money.


Global Horizons follows last December’s “Cyber Vision 2025” study (pdf), which articulates how the Air Force can leverage cyberspace as part of its missions while minimizing its exposure to digital security threats. That report concluded the Air Force’s increasingly cyber-dependent operations are at risk from malicious insiders, insecure supply chains and increasingly sophisticated online adversaries. "Cyber Vision 2025" also includes several proposals for overcoming these risks through tightened security and networks that are resilient when attacked. Maybury’s initial research project—the January 2012 “Energy Horizons” study (pdf)—outlined approaches to improving the Air Force’s energy efficiency and reducing demand over the next decade and a half.


While attending a conference for corporate security executives in New York City last month to promote “Cyber Vision 2025,” Maybury spoke with Scientific American about some of the wide-ranging science and technology areas in which the Air Force is conducting research.


[An edited transcript of the interview follows.]


Why is so much of the Air Force’s research devoted to cybersecurity?

The amount of malware is growing exponentially. There are approximately three million pieces of malware in existence today and we project that number will grow to something like 200 million unique pieces by 2025. That’s going to make cyberspace a much more challenging environment to defend, probably even more difficult moving forward than space or air, which themselves are very contested [military] environments


That’s significant when you consider how much technology has come to rely on software and cyberspace. Just to give you a very concrete example of how complex our mission systems are and how dependent they’ve become on cyber: Our [McDonnell Douglas] F-4 Phantom aircraft that we flew in Vietnam were about 5 percent dependent on software. Our [Lockheed Martin] F-35s—our most advanced aircraft—are about 90 percent dependent on software. Those F-35s have on board between nine [million] and 10 million lines of code. And they can’t take off without their Automated Logistics Information System (ALIS) (pdf), which has another 15 million lines of code. So you’ve got 25 million lines of code to fly a modern aircraft.


What is the Air Force’s strategy for dealing with cybersecurity threats over the next decade?

When the Air Force was putting together our “Cyber Vision” study, we came away with several good lessons from studying the business world. One is the principle of least privilege, which means you limit the access you give to people in your organization to only the information, facilities and other resources they need to do their job.


Another characteristic that can be applied to security is resilience, or the ability to absorb or deflect an attack and then respond to that attack. Closely related to that is agility, which is the ability to move and maneuver in the classic army sense of the term. To literally say, “Okay, you attack my computers because I happen to be running a certain operating system,” well, I’m going to hit a button and switch my operations to another operating system, which requires a different attack. It’s like playing Whac-A-Mole.


An idea related to this is to change the network topology on demand, so that if an attacker spends time mapping your network, by the time they return to launch the attack, the arrangement of the nodes in that network has been changed. It’s a capability built at my old stomping grounds as a young lieutenant—the Air Force Research Laboratory Information Directorate in Rome, N.Y. It’s not something you can go and buy in commercial software. But it doesn’t necessarily have to be complicated. It can be something as simple as a random number generator in a router that switches network traffic. Cloud computing is important as well, because it gives us the opportunity to move mission applications amongst a multiplicity of virtual machines to create a moving target for attackers.

How do quantum encryption and communication factor into the Air Force’s cybersecurity plans?

Our Air Force Office of Scientific Research in Arlington, Va., is investing in, among other things, quantum sensing and quantum computing. Basically, you have a qubit [a unit of quantum information that can have more than one value, as opposed to a regular bit, which is 0 or 1]. And you have an ability to use light as a means of encoding information in such a way that if anything interferes with the communication of that information, you know there’s been a breach. So you can guarantee the integrity of communications.


Although not part of the research reports we’re discussing, drones have become very important to the Air Force in recent years, and many concerns have arisen regarding how these aircraft are used. Are there many common misconceptions that the public has about Air Force drones?

People say, “Let’s talk about drones.” Well, I don’t know what a “drone” is. I know what a remotely piloted aircraft is, but a drone to me, it sounds like it’s some autonomous thing running around, chasing after you. That couldn’t be further from the truth. It’s been difficult educating the public that these are remotely piloted aircraft [RPAs], and there are in fact as many humans in the loop—if not more—in the RPAs as there are when aircraft are flown by human pilots. The Air Force Scientific Advisory Board did a study on RPAs four years ago. It turns out there are hundreds of people involved in running [Air Force] RPA missions. We’d like to make these aircraft more autonomous. However, for certain missions there will always be pilots as well as other operators in the loop.


In what ways are humans kept in the loop during these missions?

There’s a huge diversity of unmanned aerial vehicles in use—five different [Air Force] classifications in fact—and many of them are not autonomous. In the ground control station responsible for launch and recovery you have a pilot and you have a sensor operator. Whereas the pilot controls the flight platform, the sensor operator controls the surveillance package onboard—for example, to actively track moving ground targets. Then you’ll have all of the people in the cloud following a mission remotely—public affairs, JAG [judge advocate general], the operational commander and intelligence folks. It takes weeks to plan a mission for a long-range RPA like the [Northrop Grumman] Global Hawk, including what to do if we lose our link with the aircraft and what our recovery options are for the aircraft at any point during the mission.


What types of outside research are interesting to the Air Force?

There are many inventions and innovations that are important to the Air Force. For example, there is a device company in Cambridge, Mass., called MC10 that we are funding through our Office of Scientific Research because they make a device that looks like a Band-Aid. But if you look closely, you’ll see that the adhesive tape actually contains a flexible computer. We’re interested in this device as a possible way of monitoring pilots during missions. You could stick this type of sensor to a pilot’s neck and check their vital signs remotely, without wires. So we’ll not only know the status of the aircraft, but the status of the people in them as well.


What is the biggest challenge to assessing technology more than a decade into the future?

You have to reassess your vision probably at minimum every five years because things are going to change. Five years ago we didn’t have the cloud, and we didn’t have as much mobility.

Follow Scientific American on Twitter @SciAm and @SciamBlogs.

Visit ScientificAmerican.com for the latest in science, health and technology news.

© 2013 ScientificAmerican.com. All rights reserved.

View Comments (3)