With new technology also come new ways for bad actors to get hold of software. Nowhere is this more cutting edge than military space technology, which means the security measures in place need to be top-notch and updated frequently. To find out how, Lt. Col. Laila Barash, materiel lead for the Evolved Strategic Satellite Communications (ESS) ground division for the U.S. Space Force, joined Federal Drive with Tom Temin.
Interview Log:
Eric White: Lt. Col. Barasha, thank you so much for your time.
Laila Barashah: Thank you. Thank you, Eric.
Eric White: So first, tell us what your approach to secure software development is. Can you give us an overview of the applications that you're using to secure or that you need to secure? Where are those applications hosted? Are they hosted in the cloud or are they handled by an external organization?
Laila Barashah: Before I talk about the Evolved Strategic Satellite Communications software applications, I want to start with an overview of Evolved Strategic Satellite Communications. Evolved Strategic Satellite Communications is a constellation and satellite capability that is the successor to the U.S. Next Generation Nuclear Command Control and Communications Architecture. So it's the successor to AHF. Under that umbrella, ESS has five different segments that are software application based. The first is the spacecraft software, which basically controls all the capabilities on board the satellites, the payloads, and the capabilities that provide communications to the U.S. military, joint and international partners. The second is the Mission Application Suite, which is the software that resides on the ground segment and allocates space resources to ground users and ground terminals. The third is the in-band command and control capability, which is another subset of software that controls the on-board communications, payloads, and buses, 24/7. The fourth software application is out-of-band command and control, which is the control of the entire constellation. And I think we're going to talk at length today about the framework and the integration components. Within the framework and integration components, you'll find all the APIs, the cyber security aspects, the digital twin, the system architecture. So this framework is the baseboard on which all other applications for the ground segment, the ESS, exist.
Eric White: So, as you said, it's really the fifth sector that we're looking at today. What does it consist of? Is it larger in terms of people and the software that it requires?
Laila Barasha: I wouldn't say it's big, but it's a component that controls the APIs and how other software interfaces with the overall suite or combination of applications. That's the first step. We have contracts with software integrators and framework providers, and it's their responsibility to make sure that the APIs that are provided to other mission software developers interface accurately. They oversee the standards, but they also manage all the system requirements to ensure that the data flow is cybersecure from the beginning. We have a zero trust architecture, and we need the digital twin and the digital engineering aspect, so that we can wargame and do cybersecurity threat analysis through this digital twin that is owned by the framework and integration vendors.
Eric White: So as you're securing, developing new software, updating current software, is your primary reliance just on zero trust and continuing to monitor the contractors that you have in place?
Laila Barashah: You asked about software reuse, and I think there was a five-year effort to really understand the cyber vulnerabilities of legacy software and whether we could reuse the software, whether it was compatible with this modular, open systems architecture, which is a best practice for ensuring cyber security in a system. Through this analysis, we quickly learned that we probably couldn't reuse the legacy software. So we started from scratch with that blueprint in mind. The framework and the integration components, we don't reuse software. We're going to build on a very thin framework that has just the bare minimum of functionality to allow software developers to freely create subsets of modular system components in their software, but we're also going to have cyber security in mind from the beginning, so we're not going to reuse any legacy software. But because everything is government owned, we have the blueprint. We're not going to reuse that software because cyber security is a very important part of the architecture. Again, this is nuclear command, control, and communications. So when the president picks up the phone on a bad day, the president hears the dial tone. So this system will run on a really bad day. So cyber security is obvious; it's a threat-informed, risk-based software architecture, so cyber security is built in from the beginning.
Eric White: We're speaking with Lt. Col. Laila Barashah, who is the materiel lead for the Evolved Strategic Satellite Communications Ground Division of the U.S. Space Force. Is this also the approach for new hardware that you're working on, new equipment, or new pieces of the other four divisions that you mentioned? Are you redeveloping the code or developing it from scratch every time, or is this applicable to newer, updated software and hardware as well?
Laila Barashah: In terms of the framework and integration puzzle piece, it's all new software, but it's to ensure that we can build in cybersecurity from the beginning. But in terms of the hardware, because we're the successor to AHF, it's compatible with the existing user terminals. Because the user terminals, you know, are items that have a long lead time in any system. And we think it's compatible with the legacy strategic terminals that are in service today. So in that respect, we're not going to redo those hardware components, the user terminals, or the software within the user terminals with encryption updates because it's a next-generation system. The encryption has to be upgraded, and the software has some limitations. So those upgrades are obvious. We're not coding them from the ground up. I think what constitutes the backbone framework and architecture, that's what we coded from the ground up. That's the framework and integration piece. So overall, in the five different lines of effort, we have the hardware. Obviously, some of the components of the legacy systems still have to be worked on. For example, legacy Space Force, SCN for C2 scheduling. So, the components that absolutely had to be redone from the beginning because of cybersecurity concerns, we've redone them. And the parts that are working as needed, we'll upgrade as needed – that was also part of the calculation.
Eric White: We're using the same terminology, but we built these with cybersecurity in mind from the beginning. So it sounds like coding, so can you explain a little bit about that? And how do you ensure that code that's secure in a fast-changing production environment compiles and can interact with new systems and the legacy systems that you mentioned?
Laila Barashah: When you look at the cybersecurity requirements across the DOD, everyone references RMF compliance. It's a system of risk management frameworks that are RMF compliant, and there's a ton of items that vendors have to adhere to to ensure cybersecurity. Last week, CMMC was released, which is also the standard for cybersecurity within DOD systems. Aside from that, it's a cybersecurity regulation. You can be RMF compliant and not be cybersecure. So what are the cybersecurity aspects that actually ensure that the entire ESS is cybersecure? That's why we have a zero trust architecture built in. We tell our vendors from the beginning that cybersecurity is the most important part of this software development architecture, and part of the incentive structure in the contract includes surviving a cyber intrusion by the DAFRED team. And the DAFRED team looks at the compiled code, the system architecture, the digital twin, and they can tell us if this is cybersecure software before it's deployed operationally. So from the very beginning of development, there will be cyber components from third parties, FFRDC University and the DAFRED team who will analyse at a systems level whether this is a cyber secure architecture before it is deployed operationally.
Eric White: It would be rude not to ask that here. I'm talking to members of the Space Force, this is not the usual DevSecOps conversation that you have with other federal agencies. What aspects of these systems being deployed in space? Does that present any challenges or is that just standard practice and you're just applying it to space technology?
Laila Barash: I think it's standard software best practices. You're dealing with code in space, so of course there's that level of complexity. You're dealing with code that has to communicate with space. But overall, the system standards, the best practices, the DevSecOps pipeline, Agile, Scrum Eye, everything that goes into building good software, is standard best practices across the Department of Defense. The Space Force has a certification category for young software coders called supercoders, military personnel who get software certifications. They understand software and best practices and how to code. In fact, I have a couple of supercoders on my team who helped me initially create requests for prototype proposals and then helped me analyze the entire software and pick the best vendors that have the most cybersecurity with best practices for writing software. The Space Force has those certifications, and I was fortunate to have members on my team who helped me analyze the software, and we were able to create a procurement strategy where we were bringing in the best software coders as vendors and holding those vendors accountable. This is probably the only difference between the Space Force and other departments, but for us, super coders have been integral in developing best practice software within the Department of Defense.
Eric White: Lt. Col. Laila Barashah is the materiel lead for the Evolved Strategic Satellite Communications Ground Wing for the United States Space Command. Thank you so much for taking the time to speak with us.
Laila Barashah: Thanks, Eric, thank you so much.
Eric White: You can find this interview on our website at federalnewsnetwork.com/federaldrive. You can subscribe to Federal Drive wherever you get podcasts.