Air Force Leadership Needs to ‘Walk the Walk’ in Baking Security into Cyber, Software Boss Says

The Air Force’s chief software officer is pushing hard for the service to build security into its cyber development and operations from the start. He’s also calling for a more unified approach to reduce redundancies.

Speaking at an Air Force Association Gabriel Chapter luncheon Aug. 11, Nicolas M. Chaillan offered a blunt assessment of where the Air Force’s cyber capabilities stood when he first went to work for the service in 2018, and where they remain today.

“I realized pretty quickly, we’re very behind in cyber, to a point that it was very scary when it comes to critical infrastructure and the lack of security,” Chaillan said. “And we see it every day, more and more, and I still don’t believe we have any kind of handle on what’s going on.”

One of Chaillan’s main concerns is incorporating security into software development, a practice known among IT professionals as DevSecOps. With a lack of basic IT infrastructure, implementing DevSecOps has proven difficult, he said. What’s more, there has been some resistance among those used to the more traditional approach of considering security after development and operations.

Failing to include security concerns early, however, would be “almost criminal” for certain programs, Chaillan said. And across the board, everyone should be using the approach, “period, full stop,” he added.

There are teams within USAF who have been using DevSecOps with impressive results, he said. In particular, he mentioned the Ground-Based Strategic Deterrent, the Long-Range Standoff weapon, the B-21, and the F-35 as examples of programs in which the approach has been adopted and used with success.

The GBSD program has saved “at least 18 months” by incorporating DevSecOps from the very start, he said. Without that, the nuclear program’s schedule might have already slipped.

Moving forward, Air Force and Space Force leadership needs to continue promoting DevSecOps across the service, Chaillan said. So far, he’s heard all the right things. More than that, though, he wants to see actions to back those words up. 

“I have to be a little cautious there, because quite honestly, the leadership in the department always says the right things,” Chaillan said. “I’ve yet to hear them not say the right things. The Space Force, [Chief of Space Operations Gen. John W. “Jay”] Raymond says, ‘We’re a digital service.’ Are you? Are you sure you’re a digital service? I’m not so sure. It’s just easy to say—it’s a little bit harder to walk the walk. And so we need to start doing that and stop talking.”

The Space Force and Air Force need to stick together with their approach to IT and cyber infrastructure or risk exacerbating another challenge Chaillan has identified—a splintering of approaches leading to cyber “silos” in which different agencies work on the same tasks and don’t share information.

“I’m actually very concerned with the Space Force starting to potentially drift away from the Air Force. It would really be a big mistake, compounding on the existing silos between the Army, the Navy, and the Air Force, and fourth estate,” Chaillan said.

Even beyond the service level, Chaillan said, he’s noticed a tendency for wings and other units to develop workarounds and solutions for their own specific software problems. While this is useful on a small scale, it creates larger issues.

“We do have to be careful because if you let everybody code in vacuums … who is going to maintain it—who’s going to sustain it once that person moves on?” Chaillan said.

What’s more, such an approach doesn’t fix the fundamental software issues that plague many Airmen on a day-to-day basis. The problems persist, but those in a position to solve them for everyone aren’t as affected.

“For me, it has always been important to use the [Government Furnished Equipment] device, use the normal network, feel the pain that the Airmen feel when they use those tools, because if you’re not feeling the pain, you’re not going to fix it,” Chaillan said.

On top of all that, in too many instances, people replicate each other’s work.

“We have silos within silos,” Chaillan said. “We have people reinventing the wheel, whether for good reasons or bad reasons, whether it’s ego-driven or for little kingdom-building exercises, and so it’s been a challenge to start bringing everybody together, to realize that if we want to get to the all-domain vision that we keep preaching for many years, that’s not even really new, we need to start having a cohesive cybersecurity and IT capability stack.”

Joint All-Domain Command and Control is another part of Chaillan’s portfolio—he’s responsible for helping to incorporate security into the JADC2 architecture. Right now, though, he sounded a pessimistic note on the program’s future.

“Maybe I’m too blunt sometimes, but I tell people, you know, right now JADC2 has probably zero chance of success, period, full stop,” Chaillan said. “Because it’s effectively not a thing. It’s a bunch of services doing their own things … with different names and different concepts, often reinventing the same wheel.”

Chaillan is not the only one expressing concerns about the lack of coordination. Defense analyst Todd Harrison of the Center for Strategic and International Studies recently told Air Force Magazine that the Defense Department needs to start a joint office to oversee each service’s efforts or risk a “recipe for disaster.”

The solution, Chaillan said, is for leadership to start managing the expansive program on a joint basis to ensure coordination and to issue mandates that can be “living” and updated as new technologies come along.