WASHINGTON — In the high-intensity world of cyberspace, rapid and secure software development is crucial to stay ahead of quickly evolving threats.
The U.S. government and military traditionally relied on industry for much of the software development, but in recent years, the armed services have trained software developers to build tools for operators.
Now, an Air Force cyberspace wing is testing a hybrid approach by embedding developers at commercial production spaces — an idea the wing calls software factory as a service.
Col. Jeffrey Phillips, commander of the 67th Cyberspace Wing, discussed the effort with C4ISRNET, along with how his wing is trying to better compete in the information environment. This interview has been edited for length and clarity.
You work with some airmen to leverage the resources and spaces of the software factories that are local to the wing, and some services have started to create software development billets for personnel that work alongside operators to quickly turn on capabilities. How do you see this capability advancing for the Air Force?
We have the 90th Cyber Operations Squadron, which is aligned under the 318th Cyberspace Operations Group.
It’s the squadron that’s solely focused on capability development, and what I’ve learned as I’ve been in this job is that the key to effective and efficient capability development is to have a reliable DevSecOps platform to develop on.
That’s the development, security and operations platform. It automates the integration of security at every phase of the software development life cycle from initial design through integration, testing, deployment and then software delivery.
For years, the wing has internally resourced and managed our own DevSecOps platform. It’s not the most efficient way of professionalizing capability development at all.
We know the partnerships with industry and academia bring up a whole realm of possibility and creativity. So collaboration and outreach efforts have leveraged insights with regard to talent and innovation.
We’ve recently established a relationship with Platform One and LevelUp — Air Force and industry organizations dedicated to software development. They have very mature and reliable DevSecOps platforms.
We started it as a proof of concept; we co-located 30 of our developers with the software factory in an initiative that we’re calling software factory as a service. Basically, we’re paying these companies to leverage their DevSecOps platform for our airmen to be able to develop on this very professional infrastructure that already exists.
This alleviates our developers from the burden of having to manage a capability development infrastructure, then I think we’ll evaluate periodically to determine if this initiative is bearing the fruit we anticipate it will.
I can see a future where all of our capability development airmen are co-located with software factories that already exist and we buy that as a service versus trying to develop that DevSecOps platform ourselves because we’re not funded for it, we’re not professionals at maintaining that infrastructure. We just have really, really smart airmen figuring out how to get it done. I think we buy a lot if we can leverage industry and academic partners that already do this for a living.
Is it a little too early to say how well this effort is performing?
Yes, I really have a lot of faith that it will go well. Literally we’ve started it in the last month.
We’re working through some negotiations right now to see if we can move a broader portion of our airmen into these software factories because we have a lot of faith that it’s going to be the right way to do capability development in the future.
Working with industry partners, you probably will do the unclassified software development on their DevSecOps platform.
There might be some classified aspect to develop that has to be added onto a capability that we’ll bring back into the SCIF [sensitive compartmented information facility] to top it off. I think overall, we can do the majority of our software development in the software factories.
What tools are they developing, and what teams are the tools for?
Our developers work very closely with the CPTs [cyber protection teams] and the CMTs [combat mission teams] to determine what capabilities they need.
We’ve really gotten away from the waterfall software development, and we have that integrated DevSecOps approach that’s a more agile approach to developing software, and we’ve found that it’s generating capabilities a lot faster.
Actually, we stood up what we called the cyber shoot house where we have capability developers, airmen from cyber protection teams, airmen from the combat mission teams, airmen from our range squadron, airmen from our test squadron all sitting together doing this DevSecOps capability tool development.
Cyberspace is considered a subset of the larger information environment. How are you looking at marrying cyber and information operations personnel to achieve outcomes for various combatant commanders or U.S. Cyber Command?
I think the alignment of all the information warfare disciplines under 16th Air Force has driven a very disciplined approach to convergence among the organizations that are responsible for executing each of those missions in each of the disciplines.
Now, we’re all in the same 16th Air Force and Joint Force Headquarters Air Force battle rhythm meetings. We’re participating in the same operational planning teams, and we’re focused on integration through all phases of the joint planning process.
As you know, information operations personnel are a high-demand, low-density commodity. We have a lot of them currently employed in our operational support squadron. We have several of them deployed in the 16th Air Force JFHQ Air Force J-39 as well as man in air operations centers across the different Air Force major commands.
They’re truly experts at planning to dominate the information environment, and I think the way we’ve married them up with our cyber operators, the information operations personnel tend to build the message that we want to proliferate, and our cyber operators figure out a way to deliver that message.
You can almost look at it as building the bomb and then putting the bomb on the plane to be delivered.
The recent stand-up of the 14F initial skill training course at the 39th Information Operations Squadron at Hurlburt Field in Florida has allowed us to formalize, professionalize the training that we give to those information operations airmen.
We’re seeing they’re in high demand. We can’t produce them fast enough.
Every AOC [air operations center] wants one. Several wing commanders, flying wing commanders will talk to me about integrating those IO personnel into their OSS’s [operation support squadrons] as well.
I think they’ll be in demand in the Air Force for a long time to come.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.