Saturday, September 21, 2019

First Blood - Letter to the Editor for AF Magazine Sept 2019

The Editors,

In her article "SOFT WARE" about the Star-Warsian revolution in code development occurring inside the Air Force, Rachel Cohen has taken us in the wrong direction by glorifying bad coding practice. Ironically, she points out the worry that a new DevOps mindset in the military "…may be stymied by cultural resistance." Well, count me as the start of the cultural resistance. Ms. Cohen's article will hopefully rally push-back from those who are trying to defend this Country from cyber-attack.

The first principle of the resistance should be to block development of code for our military systems in the DevOps manner described in the article. In fairness, it's not Ms. Cohen's fault; she was trying to report on something she was being told. Those who were interviewed didn't point out the hidden side of a cool App: the dark side, where vulnerabilities inherent in open source code and other rapid coding practices live.

We are vulnerable enough to the everyday run-of-the-mill adolescent in their mother's basement using social engineering and script-kiddie skills, aided by dark web services, to become a hacker capable of conducting grade-school DDoS or ransomware attacks. Beyond that nuisance, our second-rate adversaries, ISIS and third-world countries among them, have demonstrated increasing skills and are gunning for us with teams of better mercenary hackers. Finally, the best in the world, from countries like China and Russia, pour resources into supply chain attacks (Huawei and ZTE), attacks against embedded systems and networks (SCADA, ICS, IoT), as well as our strategic military C2 networks. Not to mention the daily influence attacks happening within our social media. If we can't rely on some systems, preferably our military systems, we place at risk the national standard of living of our citizens and the lives of our soldiers, sailors, airmen and marines who have offered their service in hostile environments.

Given this onslaught, anyone who permits a block of code from an open source to be written into software attached to a military system should look for a new job. The metric for evaluating software should not be how rapidly an application is up and running but whether or not it can provide a secure and assured function. This battle will continue far into the future and is on the cusp of becoming automated by robots and other automatons running algorithms at vast scale. We wage this battle with our adversaries. We should not be fighting within our own military development organizations over proper coding practices. We would never put weapons on an aircraft with inferior or untested parts. This is a culture that should not be changed whimsically.

It should be noted here that I am not sounding the Cyber Doomsday alarm. I'm simply saying let's not have ID.1.Zero-T deficiencies in our code. And I get it, one way to try to recruit coders away from the lure of Silicon Valley is to be like Silicon Valley. And we certainly are losing talent to commercial industry…continuously. They are highly paid and the applications are cool. But we must find other ways to motivate high-end software talent to join our ranks. We might have to adjust and let them keep their environment of t-shirts, the brainstorming, sticky notes, pizza boxes, and dogs at work.

The real solution will come in the form of a shared government GitHub with assured code, assured tools, and an integration environment that will link all developers together in an enclave with advanced tools at their fingertips, with everyone sharing found vulnerabilities and using automation to check and recheck. Those tools will help them not only write code, but write assured and secure code. Those are the initiatives we should invest in, not the flash of Silicon Valley with the work ethic that brought us the "Fake it till you Make it" culture. The tools exist for such an enclave to be built today. Development environments such as those provided by Green Hills will lead this charge. Other companies such as Red Balloon, Trail of Bits, Vector 35, Cromulence, ForAllSecure, Galois and its offshoot Tangram Flex, alongside Guardtime Federal, all have the talent and the tools under development to take things further. But such an enclave would require breaking down proprietary walls and reducing other impediments not so easily solved with Red Bull and pizza. That initiative will cost money. But that's the vector we should be following. I recommend Air Force Magazine send Rachel Cohen to DEF CON next year to report on a counter perspective.

Jim "Mooch" Muccio
Fairfax, VA

Mooch has spent his career supporting the USAF in various capacities, primarily as a civilian analyst conducting force structure analysis of air, space, and cyber forces. He is currently assisting DARPA in ushering in a new age of cyber tools for the Country.