Blinky Lights, Layer 8, and Staff Retention: Space Systems Command’s Chief Information Officer reflects on cybersecurity challenges and opportunities in this era of Great Power Competition
Just as the U.S. Space Force continues to evolve as the United States’ newest military service, so does Space System Command’s approach to IT and cybersecurity. The fact that the office is designated as Chief Information Office (CIO) and not S6 — the military designation for communications/IT — indicates just how critical cyber security is to the USSF.
Near-peer competitors and other potential adversaries are relentlessly conducting malicious cyber activity across all sectors of the United States’ infrastructure, exploiting valuable data systems during competition, and have demonstrated the ability to deny, disrupt, degrade, destroy, or manipulate vital information and networks during conflict, according to USSF Gen. B. Chance Saltzman, Chief of Space Operations, in USSF’s Cyber Strategy.
Col. Craig Frank, Director of Space Systems Command’s CIO office, explains, “From my point of view, a CIO has the ability to create and enforce policy, where an S6 is more at the unit level and enacting that policy.”
For the CIO-level functions, Frank and his team provide cyber oversight and support to SSC’s Program Executive Officers (PEOs) who oversee space capability development and delivery.
“On the S6 side, we’re really concerned with the care and feeding of the IT side for the command and all the downtrace units. We actually support the three installations (Los Angeles Air Force Base, Vandenberg Space Force Base, and Patrick Space Force Base) with their IT infrastructure,” Frank said.
Whether CIO or S6, Frank said his three top priorities are: making certain SSC data and workstations are secure but still function at the speed of the fight; maximizing partnerships wit space industry and academia; and workforce development and retention.
“What keeps me up at night is not SIPRNET (a highly secure network used to transfer classified information), JWICS (Joint Worldwide Intelligence Communications System, another secured network), or sat networks where someone walks in with a pop music CD and walks out with a bunch of classified documents, and the tens of thousands of unclassified, unencrypted laptops out in the witheld, sometimes sitting in the back of a car and getting stolen – and the ability of the enemy not to be this super- smart keyboard warrior, but someone who just happened to be in the right place at the right time, grabbed a laptop and the next thing you know, they have 30,000 personnel records. Most jobs, particularly at SSC, require the use of computers. Anyone can be a target for a cybercriminal, which is why cybersecurity is everyone’s job,” Frank added..
“Cybersecurity is a critical tool to protect not only organizations and individuals, but also to defend our nation against attacks from adversaries, who have demonstrated the clear intent to disrupt our national ground and space systems,” said Joy White, executive director of Space Systems Command, who delivered opening remarks at the Command’s annual Cyber Expo in April. “Here at SSC, we’re collaborating with our mission partners, industry, and academia to make sure our acquisitions are cyber-hardened and that the United States is training more cybersecurity experts to join the fight. Our Chief Information Office has been tireless in its efforts to improve the tools and technologies we use, as well as how we support and develop our cybersecurity and IT workforce.”
Under Col. Frank’s helm, SSC is increasingly moving to the Cloud and Virtual Desktop Infrastructure (VDI) that allow users to access enterprise computer systems from any device securely.
Col. Craig Frank, Director, Space Systems Command’s Chief
Information Office, spoke at the recent Space Symposium in
Colorado Springs, Colorado.
“My big push is to get as much VDI and as much virtual capability as possible so that if a device gets stolen, all they have is a $3,000 laptop and we have to do a FLIPL (Financial Liability Investigation of Property Loss) and the person has to pay for it,” Frank said. “It’s not that cyber criminals can’t access data on the computer – it’s that there is no data on the computer. The computer is merely a window into where the data is on the server. The virtual desktop infrastructure is basically a choose- your-own-adventure video, because all you’re doing is looking at screen scrapes, it’s all on the server. So (cyber criminals) could steal a laptop, but they’re never going to get the data because there’s nothing there.”
Frank also is working to embed cybersecurity teams within the Program Executive Offices to “bake in” cybersecurity from the very beginning.
“What we see sometimes is that something is engineered, designed, and built to work, but at the end they say, ‘Oh yeah – we gotta do cybersecurity – somebody grab the ATO checklist and start marking things off,’ without putting active cybersecurity controls into the program,” Frank said. “The whole point of having those teams is that there’s somebody there to speak for cybersecurity right from the very beginning, not just when we’re getting ready to launch a satellite.”
SSC also has been working with the National Security Agency (NSA) at the behest of Frank Calvelli, Assistant Secretary of the Air Force for Space Acquisition and Integration, to develop a crypto roadmap to make sure cryptography was not becoming the critical path in programs, or the longest sequence of activities that must be finished on time to complete a project.
“In other words, when a satellite is being put up, and it has to have an encryption device on it, we want to make sure that the time it took to get the encryption device designed, certified manufactured, and put on the system was not holding up the deployment of the satellite all together,” Frank said. “One of the things we had to look into was, do we have crypto that is being designed without checking with the accreditation offices that it was actually encryption that NSA and other entities approved for transmitting classified information? It was determined that yes, there are satellites that are using one-off special encryption devices rather than the standard, but that didn’t look like it was holding up any satellite development or deployment.”
Frank said his office also is working to develop a cryptography office – either within CIO or within SSC’s Space Systems Integration Office (SSIO) to work with the program offices and keep them current on recommended encryption devices. As is the case with this initiative and others, an ongoing challenge is staffing and retention.
Col. Craig Frank talks to attendees at the 39th Annual Space Symposium
in Colorado Springs, Colorado, in April of 2024.
Just as the U.S. Air Force has had to deal with losing trained USAF pilots to higher salaries in the commercial industry, Frank said the U.S. Space Force features stiff competition from the private sector for cybersecurity professionals,. According to the National Institute of Standards and Technology, more than 1 million people in the U.S. are employed in cybersecurity in 2024, but there are only 450,000 cybersecurity jobs open. For every 100 cybersecurity jobs, only 82 people had the necessary education, experience, and qualifications to fill them. On average, cybersecurity roles take 21 percent longer to fill than other IT jobs.
Obtaining more cybersecurity experts in the pipeline is complicated, for numerous reasons, Frank said. For one thing, what most people call “cyber” isn’t just one field: in the USSF, there are three separate categories – Defense Cyberoperations Space (DCO-S); Mission Comms, which is command and control for satellites; and Base Operating System Information technology (BOS IT), covering SIPR and NIPR terminals.
“There’s a difference between an information systems manager and a cyber defender,” Frank added. “We have those very defined trainings and certifications so that when you have a defensive cyber operator, they can actually defend, and not just someone who can configure a network switch so you throw them in a chair to do cyber defense.”
Cybersecurity is also more typically a mid-level career, requiring certifications — including training and certifications on specific cyber tools — and real-world experience, rather than an entry-level position and is certainly not as glamorous as Hollywood has defined the technology.
“The hacker movies and TV shows, typically show somebody sitting at a desk and there’s this giant screen wall, and the next thing you know, the hackers get in and there’s all these lights and buzzers going off on the big screen wall,” Frank said. “That’s not what it is at all. It’s a cyber defender looking through massive amounts of system logs, trying to find that one line a hacker didn’t delete, to identify that someone was in our network nefariously.”
That’s where partnerships such as CHIRP (Cyber Halo Innovation Research Program) can help. CHIRP, a collaboration between SSC and Pacific Northwest National Laboratory (PNNL) is a college-to-career program that brings government, industry, and colleges and universities together to provide students with a direct two-year pathway to a cybersecurity career at SSC or an industry partner. Frank said PNNL also is helping SSC develop a cybersecurity test range.
Ms. Joy White, Space Systems Command’s executive director, provided
opening remarks during SSC’s Cyber Expo April 23, 2024, at Los Angeles
Air Force Base in El Segundo, Calif. The annual event provides
attendees with insight about the use of cyber resilience through panel
discussions and hands-on demonstrations showcasing how SSC is using
cyber resilience to protect current and future space systems and
acquisitions. (U.S. Space Force photo Van Ha)
Keeping these highly trained professionals once SSC has acquired them may require USSF offering some additional, financial incentives, Frank said, just as other services have done over the years. Some will choose to stay on because they like the mission or the idea of serving their country in a cause greater than themselves. However, working for the military definitely has other advantages.
“The military is the only profession where you can drastically change your career several times and not have to go back to square one,” Frank said. “I’ve been in the military for almost 31 years now, and I’ve had 10 different military occupational specialties, seven of which required me to go to formal training or school,” Frank said. “I moved from being an Explosive Ordnance Disposal (EOD) officer to an information systems manager and, every time I transferred, it wasn’t like I was starting an entirely new career where I’d lost all my seniority and all my pay rates — I just kept going from that moment forward.”
As prevalent as computers and technology are in the modern workforce, people don’t always understand how they work. You don’t have to understand what SMTP (Simple Mail Transfer Protocol) is to send an email, but leaving everything to the cyber professionals can leave users vulnerable to cyber criminals.
“When somebody asks me, ‘What do you do?’ my answer is: I am the master of the blinky lights.” Frank said. “If a blinky light isn’t working right, who do you go to? You go to the IT and cyber people, and we wave our magic wands and change a port number and magically everything works while keeping it all secure. We always say that the biggest threat in cybersecurity is layer 8,” Frank said. “That’s a joke, because when you talk about the internet, you talk about the OSI model (Open Systems Interconnection) which is 7 layers: the physical layer, layer one, all the way up to the application layer, which is layer 7. Layer 8 is the human user — that’s where the biggest weakness rests. The vast majority of major hacks that we’ve had in the last 20 years were all social engineering from the help desk and telling you to give them your login and password. That’s why VDI and a lot of these cross-connect systems that we’re looking at will help protect against these internal threats, because sometimes these internal threats aren’t intentional.”
Frank added, “Sometimes, somebody made a mistake and clicked the wrong button and accidentally sent off a bunch of information. The more we virtualize our systems and data, the more it’s centrally controlled in the