USAF’s Schmidt on Cyber Threats, Hygiene, Improving IT Networks


Brig. Gen. Michael Schmidt, USAF, the service’s program executive officer for command, control, communications, intelligence and networks, discusses cyber threats and defenses during an era of great power competition, better cyber hygiene and improving IT networks with Defense & Aerospace Report Editor Vago Muradian at the Air Force Association’s 2019 Air Warfare Symposium in Orlando. Our coverage was sponsored by Leonardo DRS and L3 Technologies.

Vago Muradian:  Welcome to the Defense and Aerospace Report.  I’m Vago Muradian here in Orlando for the Air Force Association’s Annual Air Warfare Symposium, number one winter gathering of the service’s leadership, industry executives, thought leaders, reporters and more here in Florida.  Our coverage is sponsored by L3 Technologies and Leonardo DRS.

We’re honored to have with us Brigadier General Mike Schmidt who is the Program Executive Officer, the United States Air Force’s Program Executive Officer for C3I and Networks. C3IN.

Sir, thanks very much for joining us.

Brigadier General Mike Schmidt:Thank you, Vago.  It’s great seeing you again.  Really appreciate it, and I look forward to the opportunity to have a chat.

Mr. Muradian:  Absolutely.  We had a great conversation at Air, Space and Cyber, the big do that’s always around the Air Force’s birthday in September.

Let’s start with the common computing environment.  Obviously the Air Force is leading the services to sort of getting all of that data up in the cloud.  You’re at the nexus of everything that’s sort of really most interesting and revolutionary, both in society, but also in military operations from the cyber side of things to the network side of things to the just regular infrastructure that everybody is using.  Talk to us about how that migration is going.  There was a lot of debate associated with that.  I still get emails from people saying oh my God, this is the worst thing ever.  And Amazon and society’s going to end when we do this.

Talk to us about why this is the right thing.  But most importantly, how that migration is going to get away from these ground-based legacy distributed architectures we have to something that is actually going to be a lot more secure at the end of the day.

Brig. Gen. Schmidt:  Thanks, Vago.  Appreciate it.

I’m really excited about where we’re going with this.  As you mentioned, I think we’re leading the pack in terms of the movement of our data to the cloud.  It really is a more secure environment than where we’re at today.  Knowing where our data is and knowing the security boundary around our data is much better than having pockets of data all over the place where we might think it’s secure, but it’s kind of a different standard at every different place.

So we’re taking all of our Air Force applications, or as many as possible, and moving them from wherever they are into the cloud, whether that be AWS, Amazon Web Service, or Microsoft Azure or some other cloud in the future, but that’s kind of where we’re at today.

We’ve moved many applications already, and trying to hit 100 this year if possible, kind of funding, maybe funding limited, but we’re trying to 100 this year. But the real benefit of that is now we actually know where our data is and our data’s in the same place.  I think the next big step is learning how to, working with our Chief Data Officer, Ms. Eileen [Bedreen] and her office, to properly tag the data that’s in our cloud or elsewhere in the Air Force. Because you have to tag it to know where it is and to use it.  Then when you’re tagging it, make sure the data you’ve tagged is from an authoritative source.  Data is just data unless you’re sure of the source of that data.  Then we can start to apply artificial intelligence and machine learning tools on that.

We’ve already done some great projects with IBM Watson, for instance, on our engine programs, allowing us to identify areas where maybe during an engine overhaul we can do parallel maintenance to keep our engines in the field longer or take them down in less time, increasing our aircraft availability, increasing our readiness.

I’m an industrial engineer by trade, so I think a little bit in terms of a queuing theory and that stuff, kind of the study of lines.  The really cool part about that is those industrial engineering techniques where you take the data and try to figure out if I applied more resources at this point, I could be more efficient, I could get more through-put, or maybe I have too many resources at this point and I could put it somewhere else. That’s really, in my mind, what machine learning and artificial intelligence is, it’s taking data from disparate places and I think we’re doing some neat things in the Air Force.  And when you put it together it gives you the ability to make decisions that you didn’t see before.

I will mention another great program that the Air Force started, and Ms. Deb [Negei] and her team started to really look at conditions-based maintenance for some of our aircraft and really identifying, you know what?  If we had put this part on the airplane because we suspected it would fail, and it flew to Spain or wherever, and you had the part in the airplane.  What a difference that makes versus having to wait a few days for that part to show up. So that kind of stuff is going on, and we’re moving Deb [Negei’s] condition-based maintenance stuff into the common computing environment as well.

Mr. Muradian:  Let me ask you a little bit.  You mentioned security.  That’s one of the important things.

There was a GAO study late last year, as I recall, that said something like 80 percent of the most sophisticated and important networks we have are actually protected by like the worst passwords you could imagine.  Some of this is a culture, we were talking about some cultural things that people do.  Even though the computer looks like your home computer, it doesn’t mean that you do this, that or the other thing.

How is that cultural piece going?  Of getting the whole enterprise to think very differently, to think very security minded? Because this space is becoming much much more contested in types of capabilities, the intrusions, the persistence of the threats.  Whether you look at what the Chinese are doing or the Russians are doing or the North Koreans or even the Iranians, or even terror groups are doing or criminal organizations.  It’s astonishing the sophistication of the capability.

What are some of the things that have to happen from your standpoint that is on the human side of this equation and not just on the system side to assure that networks that are designed to be secure fail when the humans are not doing the things they need to do to keep them secure?

Brig. Gen. Schmidt:  You covered a lot of ground there, Vago.  On the big defense of our network side, you know, I think General Skinner and the 24thAir Force, there’s a lot of focus on that.

But I would say a lot of what you talked about in the beginning is kind of cyber hygiene and there’s definitely a lot of focus in the Air Force right now on cyber hygiene.  Don’t stick thumb drives into your computer.  That’s just something that over and over we seem to have to repeat. And getting through basic cyber hygiene, change the passwords when they should be changed.  While some laptops on your desk or at home might look like the same laptop that you use to load OFPs into F-16s, they’re not and they need to be treated completely differently.

So certainly defense of our networks and the really hard defense, cyber defense things is very important.  But from an Air Force standpoint, we’ve got to get past the hygiene part first, and I think we’re making a lot of progress there.  The airmen today know a whole lot more about cyber hygiene than they did just a short time ago, and I really feel like we’re moving in the right direction there.

Mr. Muradian:  We were just up in Montreal not very long ago to Telesis’ artificial intelligence site, and some of their experts were talking about the vital role of AI in cyber security in particular.  But also that there are folks who don’t fully understand what artificial intelligence is.  And there are a lot of friends of mine in the military community even, but also in the civilian world who are like look, what does really AI mean, or 5G or Block Chain? As the person who kind of touches and sees all of this, what’s the right way for folks to think about all of these technologies that are fast-moving, obviously with 5G we know what the security concerns are with China associated with it.  But what’s the right way?  And what do you tell senior leaders when they ask?  Because they’re much more schooled and versed in their traditional warfare areas, whereas this is a warfare domain in its own right.

Brig. Gen. Schmidt:  I won’t talk about 5G.  That really is the future and the high speed rates and high speeds of data, the ability to connect a lot of users.  And the question will be how do we take advantage of 5G as it comes on while maintaining the security posture?  And those are all things that we’re going to work through as technology grows.

I think back to your artificial intelligence, what is it exactly and what — some people are creating big centers for artificial intelligence and that’s a little overwhelming for me.  Because when I think of artificial intelligence I think of it as I want to take disparate data and I want to bring it together and I want to make decisions with that data that I couldn’t make before because I have that data together.  I call that data weaponization.  Dr. Roper calls that data weaponization.  That’s really what it is.  We are taking data and bringing it together and making ourselves a much better fighting force because we were able to figure out how to bring that data together, put some algorithms on top or decision-making tools on top and be better than we were before and be quicker to the fight than we were before, and to me, that’s artificial intelligence in my little nutshell, if you will.

Mr. Muradian:  What about Block Chain in terms of how that actually may increase your encryption capability?   Because you find in so many of these conversations that comes up as hey, this is the next level, actually it is a little bit like artificial intelligence, it is whatever it is to the beholder.  But do you see a role in that in terms of any of the infrastructures that the service has?

Brig. Gen. Schmidt:  Certainly we spend a lot of time ensuring that data that comes in, I talk about the authoritative source.  How am I sure that I’m getting the data from a secure environment?  Your definition of secure could be many different things.  How valuable is this data for you that you want to make sure this is pristine data versus some data, you know, I’m not sure we want to protect so much.  There’s a lot we can learn from social media in terms of decision-making tools for the Air Force or for any business and that kind of thing.  In that case we don’t worry so much about the authoritative source.  But then you get back to maybe we do have to worry about the authoritative source because if someone’s playing around with that it could change your decision-making process.

Those are hard questions, but I think we only have so many resources and we need to decide what data do we really need to make sure we need to protect and what data do we say that you know what, the commercial industry does an awfully good job of protecting data.  We trust our banks, and that’s probably good enough for the Air Force.  In fact we’re moving, I discussed last fall a little bit about Enterprise IT as a service, and we’re getting into this risk reduction phase.  We have AT&T and Microsoft on contract right now to do a number of risk reduction bases, and we’re super excited about it.

But there certainly are some that are questioning, saying hey, are we going to trust to go to a new network for the United States Air Force and definitely one of the answers from my perspective is well, we trust those companies in our homes and our computers that we do our banking on, and we trust them with our banks. What part of the Air Force’s mission are we willing to trust them?  And what parts are we not?  Those are decisions that I think will come to light here as we work through this risk reduction phase of Enterprise IT as a service.

Mr. Muradian:  One last question.  When it comes to security, and it’s funny, we were talking about the nuclear deterrent. And actually it’s remarkably secure and impervious to hacking because A, it’s in a language nobody understands.  I’m joking.  But it’s cassettes, and it’s a very insulated, not connected to the outside world system.

As you look to update new systems like that, how, especially for these ultra mission-criticial systems, what are the challenges, the opportunities and the right way to do that? Because some of these systems there’s no way in but by definition when you update them there will be ways in.

How do you do that, where you’re going from something ultra secure and make sure you still have that security but obviously in a modernized fashion?

Brig. Gen. Schmidt:  That’s a tough question, Vago.  You’re right.  The thing that’s maybe still on a DOS-based system but it doesn’t touch the internet, it doesn’t touch anything, that seems like it’s pretty secure.  Although there may be insider threat that you might have to worry about in that case or something like that.

And then when you’re trying to go to the next version of that, when you’re trying to get connected to the net.  When you’re trying to get better at taking advantage of all the data out there but now you’ve introduced additional security risk to your platform, there’s no one right answer, and we spend a lot of time looking through kind of our cyber awareness, our cyber walking through the steps of where are the risks and are these risks worth taking for the gain that we’re getting out of maybe a better capability?

But you’re right.  In some cases maybe just having the old school tape that’s in someone’s drawer, that has some level of risk and some level of security.  Those are hard questions that we ask ourselves every day.

Mr. Muradian:  General, thanks very much.  It’s an absolute pleasure talking to you.  You’re really at the nexus of the most interesting stuff that’s going on, and sadly, 99 percent of it you really can’t talk about.

Brig. Gen. Schmidt:  Thanks, Vago.  I really enjoy it.  I’m really, again, excited about where we’re going in IT in the Air Force.  It’s a place we haven’t been in the Air Force, and I really should mention that a lot of this is about the user experience for our airmen.  Ultimately our airmen, watching a donut spin around on their computer is work that they’re not getting done.  It’s not fair to our airmen that they have to deal with that on any regular basis.  And it’s our job to change that for them.

So separate, but including the security side of things, making the user experience right for our airmen is our mission, and honestly, I hear General Holmes talk about that all the time and I’m very proud that he’s doing that and it’s helping us a lot.

Mr. Muradian:  Actually, it’s good that you mentioned the Enterprise IT and the user experience.  Last year when we interviewed we did discuss it, but contractors hadn’t been chosen. So bring us up to speed quickly on where we stand right now because you guys have selected contractors.

Brig. Gen. Schmidt:  Right.  This is really in three phases.  There’s the network as a service phase, then there’s a compute and store phase, and then end user services phase.  So we selected the contractors to do the initial network as a service phase, so that’s AT&T and Microsoft.  And they’re going to do that at up to 20 bases to prove the viability and then the scalability of network as a service, and we’re going to do the same for compute and store and the same thing for end user services, although we probably don’t need to go to multiple contractors on end user services, although we may.

Anyway, that is how we’re going to prove the viability and the scalability of basically going to the best commercial contractors in the world and I’m not saying it’s just AT&T and Microsoft.  Those are just the ones that were selected for this, and then we’ll get to a FAR type competitive environment, FAR compliant competitive environment in the future.  But this is, again, just for the risk reduction piece of this.

Mr. Muradian:  How long before it would go service wide in your plan?  I know it’s a pretty aggressive plan.

Brig. Gen. Schmidt:  It is a pretty aggressive plan, but a lot of that depends on how this goes.  So we’ll start by next summer.  I think we’ll start to know how we’re doing in terms of the viability, and then over the next few years, say three or so years, the scalability.  And then certainly it will be resource dependent on our ability to get after the entire United States Air Force, about 200 bases worldwide eventually.  But over the next few years, I hate to set any specific dates because we’re not going to make decisions moving forward until we feel like the metrics and the data supports the decisions that we make.

Mr. Muradian:  Brigadier General Mike Schmidt who is the Program Executive Officer in the United States Air Force for Command, Control, Communications, Information and Networks.  Sir, thanks very much.  It’s a pleasure always.

Brig. Gen. Schmidt:  Thank you.  Appreciate it, Vago.  Thanks.


Comments are closed.

Your Information will never be shared with any third party.