The Cyber Edge Home Page

  • Roderick Wilson performs a scan to ensure all computer equipment on the installation has the proper operating system and software patches installed at Anniston Army Depot. Credit: Jennifer Bacchus
     Roderick Wilson performs a scan to ensure all computer equipment on the installation has the proper operating system and software patches installed at Anniston Army Depot. Credit: Jennifer Bacchus
  • Soldiers from the Maryland National Guard’s 169 Cyber Protection Team (CPT) participate in Cyber Shield 2020. The annual national exercise seeks to develop, train and exercise cyber forces in the areas of computer network internal defensive measures and cyber incident response. Soldiers from the 169 CPT joined more than 800 soldiers and airmen from over 40 states and territories for this year’s two-week exercise conducted almost entirely virtually for the first time due to COVID-19. Credit: Maj. Aaron Testa
     Soldiers from the Maryland National Guard’s 169 Cyber Protection Team (CPT) participate in Cyber Shield 2020. The annual national exercise seeks to develop, train and exercise cyber forces in the areas of computer network internal defensive measures and cyber incident response. Soldiers from the 169 CPT joined more than 800 soldiers and airmen from over 40 states and territories for this year’s two-week exercise conducted almost entirely virtually for the first time due to COVID-19. Credit: Maj. Aaron Testa

Army Builds Software Readiness

The Cyber Edge
January 1, 2021
By Jennifer Zbozny


A service initiative creates accountability and transforms its perspective.


The U.S. Army upped the tempo when Gen. Mark Milley, USA, fired off his first message to the force in August 2015 as the newly sworn-in Army Chief of Staff: “Readiness for ground combat is—and will remain—the U.S. Army’s No. 1 priority.” Today, Gen. Milley is the chairman, Joint Chiefs of Staff, and the Army has rebuilt its tactical readiness through a transformational process that it is now expanding to focus on strategic readiness.

At the U.S. Army Communications-Electronics Command Software Engineering Center (SEC), Gen. Milley’s message came through loud and clear. As part of the command responsible for sustaining the Army’s command, control, communications, computers, cyber, intelligence, surveillance and reconnaissance (C5ISR) systems, the SEC has long focused on keeping Army software secure with system updates and patches. Headquartered at Aberdeen Proving Ground, Maryland, the SEC also is responsible for fixing software defects, maintaining system interoperability and ensuring systems are authorized to operate on Army networks.

However, prior to Gen. Milley’s announcement of his priority, the center had never fundamentally attempted to tie its work to Army readiness. As the SEC began to grapple with this new imperative, the center was forced to conduct a deep reckoning and a top-to-bottom reassessment of how software enables Army units to be ready to fight and win in a cyber-contested environment. This concept is known as software readiness.

As technology redefines the modern battlefield, the process of cyber-hardening and updating platforms against emerging physical and digital threats is critical to protecting soldiers’ lives and ensuring mission success. Accordingly, Gen. Milley’s priority drew the SEC’s attention to a profound problem: With nearly every Army weapon and communications system now running on software, Army units faced increased operational risk fighting with outdated and vulnerable platforms. The center’s processes to update those systems were often disjointed, decentralized and difficult for system users, who typically received little training on software updates.

Given the 21st century demands of cyber-centric, multidomain operations against near-peer competitors, the SEC needed a new approach. Before the center began to undertake its efforts in 2018, software readiness as an Army concept did not exist. Traditionally, materiel readiness was associated with hardware, and commanders assessed their unit readiness based on people, training and physical equipment. But if outdated or defective software could leave that hardware inoperable or vulnerable on the battlefield, which put lives at risk, the unit was not ready. It was clear the Army was overdue for a paradigm and cultural shift in how it kept software up to date.

To make software readiness a meaningful goalpost, the SEC defined it as a concept and devised standard ways to measure it. By the end of fiscal year 2018, the center finalized two key metrics.

The first was software supply availability, which is commonly known as a measure for spare parts for hardware systems. However, the SEC now applies the concept to software by considering how many known critical defects are outstanding, whether it has created fixes and whether it has released the fixes to the field. Supply availability becomes a measure of the center’s software depot capacity.

The second measure, cybersecurity, considered how many SEC systems receive full or conditional authority to operate on the Army network. During this process, Army organizations outside the center conduct rigorous risk assessments of SEC software to ensure it meets stringent cyber criteria.

The SEC is currently using these internal measures to hold itself accountable for providing the right software updates at the right time. However, establishing this foundation was only a precursor to a more difficult part of the challenge: bridging the gap from ready software to ready units.

The SEC had to make it easier and quicker for users to know their system baselines and install needed updates. In addition, the center had to give senior leaders a more complete software and cyber readiness picture to improve accountability, situational awareness and decision making.

Today, the center is pursuing those initiatives with three lines of effort in phased increments: electronic patch delivery via a common software repository; a preventative maintenance and readiness reporting capability; and automated tools to generate and deliver cyber patches.

Historically, to deliver software patches, the SEC would physically send the bulk of its system updates to units on CD. This process was often slow, inefficient and offered no guarantee units would actually install the updates upon receipt.

To address this challenge through its first line of effort, for the past several years the center has been transitioning as many systems as possible to faster and more secure electronic patch delivery. While not all systems can receive their updates electronically because of bandwidth constraints and other limitations, today, the SEC delivers the updates electronically for dozens of systems. In FY 2021, the Army G-3/5/7 also is expected to issue an order to increase the use of electronic delivery across the force.

For the SEC, however, increased electronic delivery led to a second challenge: multiple and sometimes duplicative websites housing C5ISR software updates. Even with electronic delivery, this made updating software cumbersome for users responsible for multiple systems.

To facilitate the process, the center, in partnership with the Defense Information Systems Agency, created a common repository to house all of its software updates. The repository’s user-centered interface is designed to be intuitive and easy to navigate, requiring no more than two or three clicks to find what’s needed.

Prior to the repository reaching full operating capability at the end of FY 2020, the SEC initiated a two-week pilot program with the 101st Airborne Division in July 2020. Following the pilot, the center conducted feedback sessions and is pursuing additional pilots based on the results.

The SEC and the entire Army recognize that software and cybersecurity enable strategic readiness and are key components of Army maintenance processes. Accordingly, the Army G-3/5/7 is developing a Cyber Readiness Framework that will modernize the way units assess and report their readiness by including software and cybersecurity, among other factors.

Within FY 2021, the G-3/5/7 is planning to issue an order to define the new cyber readiness reporting requirements and initiate a pilot with U.S. Army Forces Command (FORSCOM) to validate them. The SEC is a member of the Cyber Readiness Framework working group and is helping to define those requirements, including software readiness criteria. It also will shape how requirements will be implemented across the Army.

Simultaneously, as part of the second line of effort to give leaders a better picture of software and cyber readiness, the SEC is proactively implementing the emerging G-3/5/7 cyber readiness requirements. To accomplish this task, the center is building preventative maintenance capabilities for the software systems it sustains.

Several key steps compose this process. It starts with the SEC clearly tagging all software with its version number. Next, the center is finding ways to display that information to the user in an easily accessible way. To achieve that, the center has created a system identification tool that displays version information right on a system’s desktop, and it is working to deploy the tool across its systems. Then, the SEC is documenting the processes and defining criteria for users in the field to check whether their own software is the correct version and update it if necessary.

To complete the second line of effort, the SEC is integrating software processes and criteria into the list of preventative maintenance checks and services found in a hardware system’s technical manual. These checks determine the unit’s R rating of equipment readiness, which is part of the monthly Unit Status Report. When users consult the technical manual, complete the software checks and are noncompliant with needed updates, they must report the results. This subsequently impacts the unit’s readiness ratings.

The center has established a monthly software readiness working group with FORSCOM to gather feedback on its implementation of these steps because the command is ultimately responsible for ensuring most Army units stay up to date with software. The working group is meant to help the SEC both meet the new G-3/5/7 Cyber Readiness Framework requirements and ensure the center’s solutions remain soldier-focused.

The ultimate goal of these efforts is to improve software situational awareness and decision making for unit commanders and senior Army leaders. With software checks integrated into unit status reports, software metrics funnel into Army readiness assessment tools, such as the Army Vantage dashboard, Army Readiness Common Operating Picture and the Enterprise Management Decision Support Tool. This gives commanders awareness of whether their software is out of date and empowers them to address any deficiencies. It also gives senior Army leaders a picture of total unit software readiness across the force. The center anticipates its preventative maintenance capability will become fully operational in FY 2021.

The third line of effort in the SEC’s software readiness initiative is creating automated tools to make it easier for soldiers to ensure systems stay up to date. The goal is to simplify and streamline the entire patch process, from creation to delivery to installation, in bandwidth-constrained environments.

To that end, the SEC is building an internal tool known as the profiler to standardize how it creates cyber releases and makes patch structures more efficient. At the same time, it is creating an external user-facing tool called the conductor that is designed to combine complex updates for multiple systems into one straightforward process.

In the field, a software user would input a cyber scan into the conductor. Based on the results, the tool would automatically determine what patches were needed for the unit’s systems. The conductor would then build a custom executable file for the user to install the necessary updates. While these tools are still in the early phases of development, the SEC anticipates they will be available for use in FY 2021.

Collectively, all of the SEC’s software readiness efforts are planting the seeds for a crucial shift in mindsets that is taking place across the Army: the recognition of software as a core combat enabler. And if the tools and processes are not in place to maintain software with the same rigor and consistency as the hardware it controls, the cyber-hardened Army of 2028 will not materialize.

In the coming years, the SEC will stay focused on these and other initiatives to make software updates as quick and easy as possible for soldiers, and the center encourages all Army software community members to provide it with insights and feedback.

Concurrently, the SEC will continue to educate soldiers and commanders on their responsibility for software readiness and provide them with resources to maintain accountability. The Army must remember that until its forces have consistently ready software and hardware, it will not achieve its critical goal of materiel readiness.

 

Jennifer Zbozny is the director of the Software Engineering Center, U.S. Army Communications-Electronics Command.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.


Departments: 

Share Your Thoughts: