Army CECOM Tackles Outdated and Vulnerable Software
Outdated and vulnerable technology risks operations.
Next week, the U.S. Army’s 101st Airborne Division will begin testing a software repository that allows the downloading of up-to-date software systems and patches. The effort is one of three major initiatives to resolve the service’s challenges in updating and securing systems to enhance operational readiness.
Maj. Gen. Mitchell Kilgo, USA, commanding general, Army Communications-Electronics Command (CECOM), reported the effort during the final day of the Army’s virtual 2020 Signal Conference, which is hosted by AFCEA.
Fighting with outdated or vulnerable software increases the operational risk for Army units, the general noted. Software is now ubiquitous in modern military systems, including computers, radios, aircraft and armored vehicles.
Gen. Kilgo explained that a few years ago when he was a signal corps officer at U.S. Army Forces Command, one of his frustrations was a pronounced lack of software readiness in operating systems and combat systems.
“We were typically well behind where we should have been, which created vulnerabilities for our units.
“One of the things that really started back then, but we’ve been on a big push this fiscal year to finish and get done is a common software repository. If you are in the Army, and you’ve been in more than four or five years, you’re accustomed to receiving a disc in the mail for all of the updates to your combat systems, in most cases on a quarterly basis,” Gen. Kilgo offered. “That puts you 90 days, on average, behind where you should be. And just because you got the disc does not necessarily mean you updated your assets at the time you got it, so units were way out of tolerance.”
The software repository has been in the works for a few years, but Army officials are pushing hard to complete it this year. It will be hosted by the Defense Information Systems Agency on both the Secure Internet Protocol Router Network and the Non-secure Internet Protocol Router Network. The repository will include every kind of software CECOM supports, and it will allow units to download new software or patch old software at their convenience.
“Having that available with the latest and greatest software for all of your systems allows units to pull that software at any time. When they have the opportunity to upgrade their systems, that software is available,” he added. “They know it’s the latest. They know it’s securely patched and all vulnerabilities have been mitigated with it, so they can pull that software where we can push it as an enterprise.”
The system will initially be tested with the 101st as a pilot program. That will be followed by additional pilots with other units. By the end of the year, the repository should be considered fully operational.
“We’re going to test this system out beginning next week with the 101st Airborne Division as our pilot. We’ll run the process with them for a period of time, see how it functions, gather lessons, make adjustments and then we’ll go to the next unit late next quarter and then we’ll add another unit for one of the outside the continental United States areas of responsibilities prior to December,” Gen. Kilgo reported.
Around the middle of the 2021 fiscal year, the system should be available to the entire Army. “By that time we will have had at least three or four pilot programs, been able to refine our processes and actually have this system to where it’s easy to use for the soldiers,” the general added.
The repository goes hand in hand with another CECOM initiative: the creation of a software readiness report card. Currently the Army only reports on the readiness of major weapons systems, vehicles and communications hardware. Software is not part of the equation, which means that a radio, for example, that functions properly is considered ready for combat, even though the software that runs it may be vulnerable.
Gen. Kilgo has been working with Forces Command and other Army leaders, including Gen. Bruce Crawford, USA, the soon-to-retire CIO/G-6, to establish the reporting system so that units will be required to disclose the status of software systems. “We’ve been able to develop a scorecard. … Units will have to report the status of their software on their scorecard, and it … will affect their readiness rating,” the commander stated. “We’re marching toward that. Having software available and units being required to report compliance, now we know that when a battle platform rolls, it’s rolling with the most current software, and it’s secure, so it protects our forces,” Gen. Kilgo said.
A third complementary initiative is an “automated build and patch” system that makes it much easier for units to update software. “We know our systems have gotten a little more complex, and one of the things this effort will allow us to do is automatically scan and sense what version of software this particular unit or asset has, and where it should be. Part two is an automated system that builds a package specific for that platform and then delivers that patch automatically,” he said.
The Army still has to work out the tactics, techniques and procedures, but in the next fiscal year will use another pilot program to refine and build the tools so that they are “ready to go” and fully operational at the beginning of 2022.
Ideally, the tactics, techniques and procedures will allow units to choose the timing for the automated updates. “It makes it very easy for the soldiers because they have to connect, start to process and then they’ve got the latest operational system, latest patches, and their systems are ready.”
The report cards will allow commanders and others to have a better sense of combat readiness. The reports, for example, can be fed through existing dashboards, the general noted. “Army senior leaders will have the opportunity to leverage tools they already have to see the software readiness of their systems in their portfolio. That’s a big deal for us, and it will provide us with the confidence that our soldiers have the right software in their systems to be effective at time and that they’re secure.”
CECOM also has been making changes at its Tobyhanna Army Depot, where communications and electronics systems go to be repaired or refurbished. The command has spent about $8 million over the past five years to modernize the depot so that it can focus on software as well as hardware.
Traditionally the depot only supported hardware, but now systems will be updated with the latest available operating system and patches as well. “As the system came off the assembly line, if you will, for overhaul it left the depot but it didn’t leave the depot with the latest operating system on that platform, or patches up to date so that when it was returned to the unit from a software perspective it was ready, just like the hardware piece,” Gen. Kilgo said.