US Air Force: cybersecure in the digital space

Nicolas M. Chaillan, Chief Software Officer at the US Air Force, discusses the launch of the DevSecOps Initiative and technological change in Washington...

The US Air Force needs little introduction. Operating with the mission: ‘to fly, fight and win… in air, space and cyberspace’, the organisation affirms that only the best is good enough. With serving the American people at the forefront of decision-making, the US Air Force has established three essential core values to which it adheres: ‘Integrity First, Service Before Self and Excellence in All We Do.’

Sitting down in the US capital of Washington DC, Nicolas M. Chaillan, Chief Software Officer at the US Air Force and Co-Lead of the US Department of Defense (DoD) Enterprise DevSecOps Initiative, is responsible for overseeing the successful launch of Cloud One, supporting all business and weapon systems in the Air Force and the DoD Enterprise DevSecOps Initiative. Introduced by the Chief Software Officer and Gen. Schmidt in July 2019, a combination of both Microsoft and Amazon Web Services’ cloud platforms has allowed the Air Force to operate at heightened speeds, providing access to cloud capabilities to airmen within days to enable software development on the cloud or leveraging artificial intelligence (AI). “This is game changing for us,” affirms Chaillan. “The current process takes around six to eight months for someone to be granted access to a cloud to deploy software there.” With the initiative focusing on marrying automated software tools, baked-in cybersecurity, services and standards to the DoD program, it is set to enable fighters in the field to create, deploy and operate software applications in a secure and flexible way. “Having started nine years ago, DevOps has become the evolution of agile and is now able to use automation, both in testing and cybersecurity, to help bring software into production,” explains Chaillan. “By removing the impediments we have in order to build software faster and better, DevOps enables us to deploy software on the commercial side multiple times a day. For us in the DoD, cybersecurity is vital because of the continuous monitoring side of the house. That is why we call it DevSecOps. It’s important that we’re able to constantly see what’s going on in production in real-time with a zero-trust model down to the container level, with behavior detection and centralized logging so we can obtain the data and get the telemetry back to development teams.” 

With the task of implementing DevSecOps, the Air Force has begun implementing software factories such as the Kessel Run Laboratory over the past few years. Through Kessel Run, Chaillan believes the Air Force has transformed the way it develops and delivers software capabilities. “Back in 2017, the Air Force was already very innovative and decided to develop Kessel Run while also building software and mission capabilities to use the Kessel Run factory,” he says. “The goal wasn’t just to build a factory for the sake of having a factory – it’s been to create mission software and bring tangible value to the warfighters.” 

Chaillan began work at an early age in his native France. At 15, he created and developed his first company. “I’ve been on the commercial side for a long time, I ended up selling 12 companies and building robust teams in cybersecurity and software innovation,” he explains. “I moved to the US around 10 years ago and, after selling my companies, I decided I wanted to make a difference and have a real impact. Building mobile applications and other cool technologies is fun, but it’s not the same impact as we have in the federal government.” Due to new technology such as Big Data, machine learning (ML) and AI becoming increasingly influential globally, businesses worldwide are adopting innovative, modern processes in order to remain current. The case also applies to the US Air Force, with Chaillan understanding the impact that technology has had on the way his organisation conducts operations. “I think the entire future of war is going to be something that’s driven by embracing these kinds of technologies, whether it’s AI, ML, Big Data or cybersecurity offence and defense,” affirms Chaillan. “If you can’t adapt while in production, then you’re stuck in time and there’s nothing worse in software than that. It’s important to bring in new capabilities as well as adapting existing capabilities to make sure you can fix problems as they arise.” 

Cybersecurity is perhaps the dominant factor at the forefront of Chaillan’s decision-making. With the importance of keeping highly-confidential information secure at all times being crucial to both the DoD and the Air Force, the government must remain proactive rather than reactive to counteract any potential threats. “Proactivity is the only way, particularly in terms of cybersecurity because you can’t afford to be reactive,” he says. “If you’re not being proactive, you’re not doing a good enough job. You have to combine what’s already stable enough to use versus something that’s new but just a little too early.” Striking a fine balance between the risk of embracing disruptive technology to accelerate current processes and sticking to previously successful approaches is challenging. However, Chaillan believes one of the biggest hurdles to overcome is continuously training staff with the latest trends. “You really have to understand the risk, because technology is accelerating at an incredible pace at the moment. In IT, you have the ability to completely change the way you’re doing business; sometimes it’s going to last and sometimes it may not.” 

In order to arrange and manage software containers, the Air Force has deployed Kubernetes, originally designed by Google and now maintained by the Cloud Native Computing Foundation (CNCF), as part of its DevSecOps platform. “As a government, it’s important that we don’t get locked into a particular cloud provider or platform,” says Chaillan. “When I started, I wanted to ensure that whatever we built was abstracted so we weren’t reliant on a single vendor or product. It was a key reason why we initially chose Kubernetes and decided to abstract our entire stack because, whatever application you use, you want to ensure you understand the costs and the impact of the lock-in with that specific application.” 

“Kubernetes is clearly winning the battle when it comes to container orchestration and scale. It’s an open source product that anyone can use, but you have multiple companies like Pivotal, Red Hat, Amazon, Microsoft and VMware that can take the Kubernetes solution and make it into a turnkey product that you know will be compatible with any environment. It’s critical because you’re not getting locked in; you can take that piece of code and move it to a different cloud or disconnected and classified environment and it’ll behave in the same way. This is particularly important for our edge deployments.”

Outside of commercial companies, the Air Force was the first organisation to join CNCF, the vendor-neutral home for many of the fastest-growing open source projects, and it became an influence over how CNCF looked after Kubernetes. “When I joined the Air Force, I realised we had many teams building factories to develop their mission applications. We had seven or eight teams and incredible people developing mission software,” explains Chaillan. “Originally, we had teams such as Kessel Run, Space Camp, Kobayashi Maru, LevelUp, Bespin that were all utilising a very limited set of talent to create the factory, and this then enabled them to build the software. We just decided to decouple development teams from factory teams and now we only have two factory departments — LevelUp and Kessel Run. The development teams can simply use these two factories so they don’t have to reinvent the wheel. The more development teams we are integrating into our DevSecOps platform and migrating our existing software factories the better, because they can simply piggyback on them and on Cloud One.”

The US government has a process for software approval called an Authority to Operate (ATO), which takes between six months and a year. “Thanks to Dana Deasy, the DoD CIO, Bill Marion, the Air Force CIO, Lauren Knausenberger, the Air Force Chief Transformation Officer, Daniel C. Holtzman, Cyber Security Engineering and Resilience Senior Leader, we implemented the concept of a DoD-wide continuous ATO to allow us to push software to production continuously within a software factory,” he explains. “The continuous ATO (cATO) enables us to automatically take software from development to production multiple times a day, without having to reassess the software manually. This becomes an automated process and is a clear, well-defined, step-by-step procedure that takes software from unit, integration, regression and end-to-end testing all the way to cybersecurity scanning and deployment.”

Regarding partnerships, Chaillan hopes it will become easier for startups to work with the US government to ensure the Air Force continues to achieve success in the technological space over the next few years. “We’re trying to tap into every company that is interested in working with us,” says Chaillan. “My job is to make it easier for startups to work with the US government. Getting access to technology is critical, if we get behind it’s going to have a major impact on our mission capabilities. If we don’t have access to the latest technologies because startups find it too hard to work with the US government, then we’re going to fail. The second aspect is the real partnership with the airmen and the DoD programs. We have to build mission capabilities with the implementation of programs such as AEGIS, JAIC, F16, F22 and F35 because they need to build software and they have to do it now. That’s my partnership — it’s teamwork.”

With the future in mind, Chaillan hopes to create a legacy that will last long-term. “The most important thing is that everything that is designed has to be sustainable – it must be something that will last after I’m gone. You have to ask the question: is it something that can scale? If I don’t do that, I could stay 10 years and I wouldn’t have made a big impact. You need to change the system, not just go around the system. You have to make that change last,” concludes Chaillan.  
