From his vantage point as chief scientist of the U.S. Air Force, Mark Maybury had a bird’s-eye view of myriad advantages and challenges that modern technology presents not only to the military but also to society as a whole. During a three-year tenure that ended in June when Maybury returned to military contractor Mitre Corp. as vice president and chief technology officer, he led a series of three studies to expand the military’s understanding of energy use and cybersecurity.
The most recent—the June 2013 “Global Horizons” report (pdf)—broadens the Air Force’s purview by evaluating the $1.4 trillion in annual public and private spending on research and development worldwide in areas including transportation, communication, information technology, pharmaceuticals and materials science. The report also makes a number of recommendations regarding how best to spend this money.
Global Horizons follows last December’s “Cyber Vision 2025” study (pdf), which articulates how the Air Force can leverage cyberspace as part of its missions while minimizing its exposure to digital security threats. That report concluded the Air Force’s increasingly cyber-dependent operations are at risk from malicious insiders, insecure supply chains and increasingly sophisticated online adversaries. “Cyber Vision 2025” also includes several proposals for overcoming these risks through tightened security and networks that are resilient when attacked. Maybury’s initial research project—the January 2012 “Energy Horizons” study (pdf)—outlined approaches to improving the Air Force’s energy efficiency and reducing demand over the next decade and a half.
While attending a conference for corporate security executives in New York City last month to promote “Cyber Vision 2025,” Maybury spoke with Scientific American about some of the wide-ranging science and technology areas in which the Air Force is conducting research.
[An edited transcript of the interview follows.]
Why is so much of the Air Force’s research devoted to cybersecurity?
The amount of malware is growing exponentially. There are approximately three million pieces of malware in existence today and we project that number will grow to something like 200 million unique pieces by 2025. That’s going to make cyberspace a much more challenging environment to defend, probably even more difficult moving forward than space or air, which themselves are very contested [military] environments.
That’s significant when you consider how much technology has come to rely on software and cyberspace. Just to give you a very concrete example of how complex our mission systems are and how dependent they’ve become on cyber: Our [McDonnell Douglas] F-4 Phantom aircraft that we flew in Vietnam were about 5 percent dependent on software. Our [Lockheed Martin] F-35s—our most advanced aircraft—are about 90 percent dependent on software. Those F-35s have on board between nine [million] and 10 million lines of code. And they can’t take off without their Automated Logistics Information System (ALIS) (pdf), which has another 15 million lines of code. So you’ve got 25 million lines of code to fly a modern aircraft.
What is the Air Force’s strategy for dealing with cybersecurity threats over the next decade?
When the Air Force was putting together our “Cyber Vision” study, we came away with several good lessons from studying the business world. One is the principle of least privilege, which means you limit the access you give to people in your organization to only the information, facilities and other resources they need to do their job.
Another characteristic that can be applied to security is resilience, or the ability to absorb or deflect an attack and then respond to that attack. Closely related to that is agility, which is the ability to move and maneuver in the classic army sense of the term. To literally say, “Okay, you attack my computers because I happen to be running a certain operating system,” well, I’m going to hit a button and switch my operations to another operating system, which requires a different attack. It’s like playing Whac-A-Mole.
An idea related to this is to change the network topology on demand, so that if an attacker spends time mapping your network, by the time they return to launch the attack, the arrangement of the nodes in that network has been changed. It’s a capability built at my old stomping grounds as a young lieutenant—the Air Force Research Laboratory Information Directorate in Rome, N.Y. It’s not something you can go and buy in commercial software. But it doesn’t necessarily have to be complicated. It can be something as simple as a random number generator in a router that switches network traffic. Cloud computing is important as well, because it gives us the opportunity to move mission applications amongst a multiplicity of virtual machines to create a moving target for attackers.