Modern weapons are no longer just hardware—they’re deeply connected, software-driven systems vulnerable to cyber attack. In this episode of Exploited: The Cyber Truth, RunSafe Security’s Dave Salwen joins Paul Ducklin and Joseph M. Saunders to discuss the cultural and technical challenges of securing the future of Aerospace & Defense.
From GPS jamming and supply chain risks to the dangers of relying on outdated patch cycles, Dave outlines how adversaries exploit weaknesses and why resilience requires more than traditional IT defenses. Discover why Secure by Design, proactive defense against unknown vulnerabilities, and cultural change across the defense ecosystem are critical to keeping mission-critical systems secure.
Key topics include:
- How adversaries exploit software flaws in unpatched, mission-critical systems
- Why cultural change inside the DoD and its ecosystem is as vital as its technical defenses
- The role of Secure by Design in weapons development lifecycles
- The risks of open-source and supply chain dependencies in defense programs
- Why resilience and runtime defenses are critical to mission survivability
Speakers:
Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.
His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.
Joe Saunders: Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.
Guest Speaker: Dave Salwen, VP of Embedded Systems at RunSafe Security
Dave leads RunSafe’s global Public Sector go-to-market efforts, bringing expertise in rapid technology development and public sector sales. He previously led business development for Raytheon Space and Airborne Systems’ $500M R&D division and held leadership roles at Leidos (SAIC) in advanced technology and electronic warfare. Earlier, he worked in commercial tech at ScoreBoard and PSINet. Dave holds a BS from the University of Pennsylvania and an MBA from MIT Sloan.
Episode Transcript
Exploited: The Cyber Truth, a podcast by RunSafe Security.
[Paul] (00:01)
Welcome back everybody to this episode of Exploited: the Cyber Truth. I am Paul Ducklin joined today as usual by Joe Saunders CEO and founder of RunSafe Security. Hello, Joe And our very special guest today is Dave Salwen who is SVP of business development at RunSafe Security.
[Joe] (00:20)
Greetings, Paul.
[Paul] (00:31)
And we have a very intriguing title, I must say. Weapons Cybersecurity, the challenges facing aerospace and defence. Now, before we start, I’ll just say, Dave, when I saw this title, my own limited knowledge of weapons, safety and security, I was thinking, well, you know, if you have a revolver, that normally has a transfer bar, so if you drop it, doesn’t go off. And when you finished using it, you normally have a safe that you lock it up in.
But we are talking about safety and security of a very different sort in the modern era, aren’t we? It’s not about locking the things up, it’s actually keeping them safe while they’re out in the field and active.
[Dave] (01:14)
These weapons are billion dollar, even trillion dollar systems. They’re aircraft, they’re radars, they’re sensors, they’re communication devices and actual munitions, kinetic and non kinetic. Like everything around us, like autos, like our smartphones, they’re becoming more and more and more about software. Yes. It’s a real topic of discussion inside the DOD, how to best secure weapon systems from a cyber attack perspective.
[Paul] (01:47)
So is not like you might think of weapons a century ago. This is not just the actual munition, it’s the entire system that gathers data that helps you understand where you need to go, who needs to do what.
[Dave] (02:03)
Exactly. These systems have communications. These systems have command and control. These systems have GPS. These systems have algorithms and radars that are pulling in lots of data to make them more effective, to provide information back to the military on what they’re doing and how successful they’ve been. I mean, these are very connected, very software driven systems.
[Paul] (02:26)
Yes, and you mentioned that they’re communicating back. If you think of kernels or generals sitting back at HKEY watching what’s going on, they’re not watching on embedded systems. They’ve probably got laptops or dedicated IT systems, which are somehow receiving data from the field, probably in real time. So there’s a two-way communication that means you have all the risks of the embedded systems and the specialized networks combined with risks to the what you might call the regular IT side as well.
[Dave] (03:00)
I think about the weapons systems, generally they’re in the field, generally they’re without cyber support. They’re not those enterprise IT data systems, headquarters of an air operation center or what have you. That has its own challenges that IT enterprise like challenge. That’s where most cyber defense kind of fits really well. But when you’re dealing with a weapon system that’s out in the field, when you’re dealing with a weapon system, that isn’t going to get an upgrade, a software upgrade or a software patch for one or two years. That is a whole different beast when it comes to cyber defense. Those systems that are in the field that have mission critical roles that are under cyber attack from the most sophisticated adversaries, what’s happening with them? Are they cyber secure enough? I and many would argue not even close. And so that’s where we are today.
[Paul] (03:56)
Can you share an example of a recent cyber incident, in detail if you can speak publicly about it or just illustratively if not, that gives us an example of the kind of risks that these systems, as distinct from traditional IT systems, suffer from?
[Dave] (04:13)
It is hard to talk about specific systems. Let’s just look at in the newspapers of what’s going on. You can start with Volt Typhoon, likely Chinese backed, getting into critical infrastructure, thought of as commercial critical infrastructure, water systems, energy systems, IT systems and the like. But it’s showing you there are sophisticated adversaries connected to the Chinese who are getting into these public infrastructure systems.
Do we think they’re not thinking about how to get into weapon systems? Of course that’s going on. Transitioning, well we’ve got a conflict, unfortunately, going on with Russia’s invasion of Ukraine. Again, we’re seeing cyber attacks in the nature of the whole typhoon on Ukrainian infrastructure. And to me, when you talk about GPS spoofing, GPS jamming, you’re right on the cost.
[Paul] (05:10)
Yes, I was thinking of that. That’s something that affects everybody, but it definitely affects standalone or autonomous systems that rely on GPS to tell them where they are because there’s no one else to do it.
[Dave] (05:23)
That often is considered sort of more in the domain of electronic warfare, not cyber warfare, but that distinction starts to blur. And so now all of a sudden back to this premise, you have these weapons systems that are in the field that aren’t getting patched, that are subject to attacks from absolutely the best adversaries. To me, the approach of US government to weapons cybersecurity
[Paul] (05:32)
I agree.
[Dave] (05:53)
is a bit too much like the approach to enterprise IT security. It’s not putting enough rigor into the cyber defense.
[Paul] (06:02)
traditional security approaches patch Tuesday once a month Update your iPhone I did mine to iOS 26 the day it came out and I figured you know if it doesn’t work I’ll probably just go back to iOS 18. I’ve got a reserve phone I’ll use that for the few hours that my phone isn’t available It just doesn’t work like that with embedded systems in general and it really doesn’t work like that with things as important as weapon systems specifically does it?
[Dave] (06:31)
Exactly. again, Patch Tuesday, that is great for the enterprise IT system. These weapon systems are very complex. Every time they change the software, that triggers a massive test cycle. You don’t just update your phone and as you were saying, hey, if it works great and if it doesn’t, I’ll update it again. No, when these weapon systems are updated, that triggers appropriately a very rigorous testing cycle. So guess what? These systems are only updated once every year or once every two years. And by the way, to update them, they’re not accessible over the air like an iPhone.
[Paul] (07:09)
Well you’d rather hope not wouldn’t you?
[Dave] (07:12)
You’ve got to get those weapons systems back into a depot. I really want to bring in the word culture. Right. I know this is about technology, but again, to me, the gap in weapons system cyber defense begins with a shift in culture inside the DOD and its ecosystem. What is the vision? What is the goal in cyber defense for these weapons systems?
[Paul] (07:41)
It’s never really worked even for consumer laptops just papering over the cracks every week or every month. It’s much better if you actually get things right upfront and if you can bake in things that mean that if there is a vulnerability in the future you don’t necessarily need to patch immediately to be able to mitigate it.
[Dave] (08:05)
Exactly, it’s that second point. What you’re describing of building it in is a key change in culture. And the second thing again, and you touched on it, is you can’t just go after the known vulnerabilities. You have to acknowledge, hey, these are very complex software systems. They have vulnerabilities in them despite best coding practices. We have to be proactive and we have to not just focus on the known vulnerabilities, you have to focus on the unknown vulnerabilities as well right from the start.
[Paul] (08:39)
Joe, maybe I can ask you at this point to say something about a topic dear to your heart, which is also more of a cultural matter than a technological one, a way of thinking as much as a way of doing, and that is the idea of Secure by Design.
[Joe] (08:54)
Yeah, I think the big challenge people have to think about from a software development perspective, when you think about weapons systems is it’s not just as simple as doing a few updates and then pushing the release back out like you might in a web environment or something else. There is a hurdle that weapons programs have to go through to achieve authority to operate and to meet a standard and expectation of quality and rigor to include security and testing.
We want to make sure, and everybody wants to make sure that these weapons and all their components work exactly as intended. There are pushes then to improve the efficiency of those processes, but historically we would have, I would say a waterfall kind of software development life cycle for these weapons programs. And more recently we have seen changes towards a more repeatable DevOps process.
[Paul] (09:49)
Now DevOps, that’s development operations. Yes. So instead of just send the developers away for seven months to build something and then they come back and show you what they’ve done and then you see whether it will work together. Every time anyone changes anything, you make sure that you haven’t gone off on a wrong tangent.
[Joe] (10:07)
Ultimately, it comes down to what is your process to ensure you can achieve authority to operate and meet both the timeline and the budget to push out your weapons on schedule. To the extent we can do that faster, it means that the Department of Defense or Department of War is more competitive and more innovative. And that ultimately, I think, is the balancing act of ensuring software is bug free and has authority to operate, versus that timeline to achieve it. We’re certainly trying to accelerate development life cycles without compromising quality.
[Dave] (10:44)
When you talked about secure by design, Joe and Paul, to me, there’s a big element of cultural change involved in that movement. Again, I think that’s a gap in the DOD weapons systems that the DOD weapons systems are not being treated with that specialness, that they are more like operational technology, less like enterprise IT. They’re out in the field, they’re unpatched. And again, subject to cyber attacks by the most sophisticated attackers on the planet, aside from the US attackers.
[Paul] (11:21)
With autonomous systems and with weapon systems that aren’t so much about blowing things up as actually acquiring information about who’s doing what where, there are a lot more moving parts and many more of those moving parts are just pure software, aren’t they?
[Dave] (11:37)
Exactly. It’s that change. And again, it’s happening in other industries as well, like the automobile industry. Yes. Where physical and mechanical and physically isolated was the norm. Now it’s so much more about software and connectivity. And additionally, to go into a bit more detail, the software is sometimes making great use of open source. So any attacker can get their hands on open source. People are also trying to make software uniform and modular across systems, that’s making it easier for the attacker. If they find an issue, most likely that’s going to be relevant to other systems as well because there’s so much of that modularity and reuse going on because it’s about software. It’s not about custom hardware applications anymore.
[Paul] (12:31)
Yes, and we’ve seen recent attacks in the open source space like the XZutils hack where someone going by the name Jia Tan, no one seems to know who he is even now, spent something like one to two years earning trust with archiving compression tools so that he was trusted to work with these projects, but his ultimate goal was to hack into the version of open SSH which was used specifically in the Debian flavour of Linux and you just think wow there’s such time and money available to whoever the attackers were. These are challenges that even when you think you can trust your source you may not be able to and you have to be nimble enough to deal with the fact that you might be wrong.
[Dave] (13:20)
Yeah, mean, combating a foe that is willing to spend years building that kind of a cover story is just a very big task. Alongside all the other challenges we have from the exploitation of vulnerabilities that were done not on purpose. Writing code is not easy. And despite best practices, the best coders, when they’re dealing with embedded system languages like CC++, end up with vulnerabilities in their code.
And then the attackers, I know, and develop exploits against them. As you were saying, Paul, in the military, in the defense world, they’re much more disciplined. They don’t launch an attack just to show off. Yes. There’s a concept of war reserve mode. You can develop your attacks. You can test them. can validate them, but you are not going to expose them to the enemy until there’s an actual conflict. In Jaguar Land Rover, right now, today, as we’re recording this, there are global plants are still shut down. They’re shut down for two weeks now. And some people are saying they’re going to be shut down until November.
[Paul] (14:26)
Boy. I noticed when that first happened I didn’t realise it was becoming such a long-running saga. If I’m not wrong, the current suspicion is that this was simply that person A phoned up person B and said, Hey, will you let me in? And they said, Yeah, okay, since you asked so nicely, here you go.
[Dave] (14:44)
Getting out of my swim lane, dealing in that IT enterprise, you can’t call up ⁓ a jet fighter per se. But again, when we’re seeing these attacks in the domain of IT, and we know the vulnerabilities exist in the DOD weapons systems, and we know that non-kinetic attacks are very much a part of the craft of war,
[Paul] (15:08)
That’s part of what’s referred to as the grey zone, isn’t it? You’re almost attacking, but you’re stopping just short of anyone being able to point a finger at you and do anything about it. As much as there are many moving parts in the bits you need to defend, there are a lot of moving parts in every cyber attack, aren’t there?
[Dave] (15:13)
Yes, as you’ve seen, there’s that gray zone, that preparation of the battlefield. Some of that preparation of the battlefield goes beyond weapon systems, right, into just public critical infrastructure. When you have these complex weapon systems in operation, executing missions that are critical, of course they’re going to be under attack. My sophisticated adversary is, to me, there’s a big gap, and I believe it begins with the cultural approach of right now,
[Paul] (15:42)
Yes.
[Dave] (16:01)
Adopting enterprise IT cyber defense to weapon cyber defense, not recognizing that weapon cyber defense is so different. And then the second result of that is this focus on known vulnerabilities. You’ve got to focus on the unknown because these systems are in the field and don’t get patches except on one or two year cycles.
It’s just naive to think that our adversaries aren’t developing cyber attacks for weapons systems. It’s naive to think that these weapons systems can’t be exploited. So the right answer is that cultural change that brings unknown vulnerabilities into the requirement set, that brings proactive cyber into the requirement set.
[Paul] (16:45)
So Dave, you want to say something about, since we’re talking about culture more than technology, when it comes specifically to weapons security rather than automotive or power grid or mobile phones for that matter, what does that shift look like in practice, say for people in different parts of the organisation, for say engineers, for program management and for defence leaders?
[Dave] (17:12)
me a close relative of cultural as organization. lot of my background before RunSafe was in the electronic warfare domain. The interesting dynamic in electronic warfare is the people working on electronic warfare attack work shoulder to shoulder with the people working on electronic warfare defense. The attackers turn around to their defender colleagues and say, hey, I just developed this attack for this enemy adversary weapon system, by the way, would work on our.,
[Paul] (17:44)
dear.
[Dave] (17:47)
That’s one thing that I think really should start to happen more. The cyber attackers in the DOD should be informing the cyber defenders. Again, that mindset of moving away from this is an enterprise IT system to this is a weapon system. These are what real attacks on weapon systems look like. Hey, we should be preparing our weapon system for those type of attacks. And in fact, it is the dynamic that happens at RunSafe our technical leads are now in cyber defense, they started in cyber attack. That dynamic of using what you know from cyber attack to do really cutting edge cyber defense is, think, how we’re able to do some unique things in the market.
[Paul] (18:32)
Joe, you’ll remember a few weeks ago we did a podcast with Leslie Grandy who was talking about Prime Meditatio Malorum imagining what could possibly go wrong. She said you may decide in your organisation that you’re not interested in AI, you’re not going to use it, you don’t even need it. But you’d better try it out to see what answers people who do use it are going to get. Because if they find something you don’t like they are going to use it against you. And that applies everywhere in the chain, doesn’t it?
[Joe] (19:06)
It does apply everywhere in the chain. I think Dave’s point is, Hey, we’ve got to look at this from different perspectives. Interestingly enough in the U S we’re thinking about what is the U S cyber force and how much cyber offense is involved in all that. If that’s the case, we also need to be setting the stage for even more deterrence, but even more than deterrence, we should be looking at resilience and resilience of weapons programs. Because if the U S escalates its cyber offense, then I do think that its resilience and the need for resilience will have to also increase.
[Paul] (19:40)
These days there’s a lot more collaboration with all sorts of different private sector industries, aren’t there? And as Dave said, also those development teams to be more productive, more responsive are in turn opening up not just to commercial off-the-shelf software, but to open source software as well. So what form does that cultural collaboration take in this new era where everything’s a bit more open, but parts of it still have to be as closed as ever they were back in the day.
[Joe] (20:14)
Well, we have integrated supply chains and that creates a reason for collaboration in part. I would even look at outside aerospace and defense companies like General Motors are making a substantial investment into the software world. These are not just hardware companies anymore, like they were in yesterday. You look at organizations like Lockheed Martin, they have, I don’t know, thousands and thousands, tens of thousands of software developers and the solutions they offer are software driven that necessitates an understanding of what the software development lifecycle looks like, but also what the software supply chain looks like.
You have to start to open up and think about what are the ramifications if I’m taking software from a third party? What are the ramifications if I’m using open source? And what are the ramifications as I connect all these new software applications into some environment that’s communicating with another set of systems? And so all of this means that the attack surface from a cybersphere is increasing all the while while we’re being more open and transparent about the software tools that we’re using.
[Paul] (21:20)
So at the risk of sounding salesy, which I don’t mean to but I don’t see why I shouldn’t, let’s talk about the technology you can bring to bear on getting security right before you deliver rather than papering over the cracks afterwards. Dave, what are some of the products that people who want to make that shift to secure by design can make in the software components that they deliver?
[Dave] (21:43)
To back up a little bit from your question, to restate my wish list for cyber security of weapons systems, it’s sort of threefold. First is recognize weapons systems are not enterprise IT systems and that unknown vulnerabilities have to be part of the solution. would be number one. Number two, that organizational change of the cyber defenders in weapons systems should be more informed by the cyber attackers of weapons systems within the DoD organization.
And then the third thing on my wish list, and this is happening and this sort of gets to your direct answer, these weapons system programs, they’re always complex, they’re always under budget pressure, there’s always under schedule pressure. But RunSafe is starting to work with some of the first movers, the early adopters, and starting to bring that proactive defense to these systems without changing the functionality of these systems. And I’m really excited as these first mover systems start to tell their friends and family within the DoD that there are solutions that can be recognizing that weapon systems are different, that can be more tuned to embedded systems, but that can also be proactive and that can go after the unknown as well as the known vulnerabilities. And that it’s real in DoD speak. It’s TRL9, it’s undeployed systems.
These can be adopted not just by the first movers, but by more generally weapon systems.
[Paul] (23:15)
Learned a brand new acronym today, which I actually really love, from Joe Saunders and that is RASP. R-A-S-P. Tell me something about that.
[Dave] (23:25)
To spell it out, runtime application self-protection. That is at the heart of RunSafe’s protection approach. And it has to do with giving that weapon system, that embedded system, that defense automatically. Really it’s manifested as a moving target defense. Memory locations are unknowable by the attacker. And in that sense, their attacks, they can still launch them, but they will fail. So the attack fails, that’s goodness.
And in addition, the DOD context, a failed attack is really good information for the person being attacked. It’s revealing of your enemy’s capabilities, of your enemy’s strategies.
[Paul] (24:08)
Even more so perhaps than any other sector. The idea that hey, well, we’ll just rewrite all our code in some fancy new language that gives us protections that never existed when C and C++ were invented, e.g. Rust, in the weapon systems environment, that’s essentially undoable.
[Dave] (24:30)
Rust is a good language, but for example, you cannot use rust if you have a safety of flight system. There’s a whole raft of weapons that even if you had the money and even if you had the time, they’re never gonna get approved for safety of flight concerns. It’s too new a language. People aren’t comfortable in that safety of flight domain. I think for all weapons systems and for plenty of commercial systems, the expense and the time of moving all the legacy code to Rust is just a non-starter. You need something that can be proactive, that can deal with the unknown, that can deal with those long patching cycles to the legacy systems. And that’s where RunSafe fits so well, and it’s super exciting.
[Paul] (25:12)
So to finish up, I’ll just throw a question out to both of you and either or both of you can answer it. Do you think that aerospace and defence can stay ahead of the cyber threat? If so, what should we start doing immediately that we maybe haven’t quite done yet?
[Dave] (25:30)
So there’s no question the aerospace and defense market can get it right. mean, the amount of creativity and really, really amazing ideas and thinkers is there.
[Paul] (25:43)
Yes, I’ll agree with that. If you have the kind of scientists and engineers, the kind of minds that can send a probe to a tiny asteroid, break up its surface and bring the stuff back to Earth so we can analyse it, we’ve certainly got the cleverness. Yes. And we’ve probably got the will. The question is how to make it so.
[Dave] (26:04)
I don’t know that we have the will. Really? And that’s where I get a little pessimistic. I don’t think that my assessment of the gap in weapons system cybersecurity is universal.
[Paul] (26:19)
I think I’m mixing up, Dave, the word will and desire that are actually not synonyms, I’ve just realised.
[Dave] (26:29)
There are so many priorities that people are dealing with and so many distractions that people are dealing with. While they have the cleverness, it may not get the priority it deserves until, unfortunately, in my opinion, there might be a horrible event due to successful attack to change the culture.
[Paul] (26:47)
Joe, how can we avoid doing it that way round? How can we have the defence ahead of the attack, if you know what I mean, which has always been an issue in cyber security, a vital issue, but I guess in aerospace and defence you can put that to the power of itself almost.
[Joe] (27:04)
Yeah, I think part of the goal is to drive innovation as fast as possible. Yes. And as we drive innovation, we have to take into consideration resilience, which means that software development practices need to find a way to continue to accelerate. And we need to find ways to build in security so that that runtime defense is made available even when a patch is not available. I think Dave said the set the context right.
We can’t just easily update these systems. So when we build them, we have to be very careful to anticipate both the known potential vulnerabilities that exist and what could lead to and result from unknown vulnerabilities when we build systems. Accelerate innovation, increase resilience, ensure weapon survivability in all contested environments, including the cyber domain.
[Paul] (27:56)
Wow Joe, think that’s a fantastic way to finish. Very, very strong words, but it’s clear that having the desire to do something is not the same as having the will to do it. And even having the will to do it is not the same as actually doing it. So for those people who haven’t yet taken their first step in whatever sector towards secure by design, now more than ever is a good time to do it. That’s a wrap for this episode of Exploited the Cyber Truth.
If you find this podcast insightful, please subscribe so you know when every new episode drops. Please like and share us on social media. Please recommend us to your entire team so that they can hear Joe and Dave’s words of wisdom as well. Thanks to everybody who tuned in and listened. And remember, stay ahead of the threat. See you next time.
