Air Force lays foundation for strong cyber defense
24th moves quickly to build a well-trained cadre of professionals
It's been a year since the Air Force established the 24th Air Force, the Air Force Space Command subordinate unit in command of all Air Force networks and cyber operations. Based at Lackland Air Force Base in San Antonio, Texas, the cyber numbered air force is the operational arm of Air Force Space Command's network operations and cyber warfare mission.
The 24th has ramped up rapidly to an initial operating capability. But Maj. Gen. Richard Webber, its commander, still sees a long, difficult road ahead for the 24th and for the Air Force's enterprise networks. In an interview with Defense Systems contributing editor Sean Gallagher, he highlighted the work that's been done to build a true cyber capability in the Air Force, the concept of operations that guides the 24th and the work left to do to achieve the Air Force's cyber goals.
DS: How has the establishment of the 24th changed the network command and control picture for the Air Force?
Webber: The ops center that the Air Force had, I would categorize as a communications and IT-centric operation. It basically monitored the circuits and pushed the patches. That's what we had at Barksdale Air Force Base, La. What we now have here at Lackland Air Force Base, Texas, is an operations center in the true terminology of an Air Force operations center, like an air operations center. We do strategy to task, we have a strategy division, combat plans, combat ops; we push operational orders, we push tasking orders, maintenance orders. So it's a complete change from a monitoring function to a war fighting organization.
Historically, each major command — Air Combat Command, Air Mobility Command. Air Force Space Command — had their own network, which they designed and provisioned the way that they wanted to. They were individual stovepipes. We are now embarking on a very difficult journey to a single Air Force network that will be homogeneous, that will have single standards. We've already established me as commander of Air Force network operations. So now if there's an emergency going on, I have instantaneous tactical control all the way down to a network control center in any base around the world that's on the Air Force enterprise. The challenge going forward is how to operationalize and normalize the command and control across those networks.
DS: How far are you in terms of the documentation for the concept of operations you need to achieve that level of command and control?
Webber: There's a process within the Air Force that builds the foundation for all these things. The first level is called the enabling concept, developed by Air Force Space Command, which has been designated by the chief, [Gen. Norton Schwartz], and the secretary as the lead major command for the organizing, training and equipping activities required for cyber for the whole Air Force. That enabling concept was signed in April. The document that builds on that is what's called a functional [concept of operations]. That is in coordination right now — that's also being built by Space Command headquarters, and obviously, we participated in that.
Then from that, we will build the operating concept here at 24th Air Force with our A3 shop, which is the operations directorate, and our 624th Ops Center folks. So, obviously we were major players in the building of the two higher level documents, so it has the foundations that we need to get down to our level.
DS: You've mentioned how command and control of the Air Force's network is changing. How have you changed how you do network defense? What sort of approach is the Air Force taking that's different from how you used to protect networks?
Webber: Prior to the time we embarked on this journey, looking at how networks were built, I would say that they were much like the Maginot Line prior to World War II. And basically, they would build the walls higher and higher and the moats deeper and deeper, but it was an attempt, I think mistakenly, to try and defend everywhere. And if you try to defend everywhere, you defend nowhere.
What I think you see in industry: They focus on what is mission critical; what are their crown jewels? So we've coined a term: mission assurance. Our focus is to ensure the warfighter's mission. Our mission is not to assure the network. And if we ever forget it, our warfighters remind us very, very quickly.
So we went to each of the component air forces — such as the air component commander for Pacific Command at 13th Air Force in Hawaii and the 7th Air Force in Korea at Osan Air Base. We asked them — and worked with them, because this is new to them also — to build what we call in air operations center terms their “defended asset list.” It's nothing more than mapping their cyber dependencies: What ops center do you need? What hardware do you need? What software, what sensors, what circuits, what data at rest, what data in motion — what are the mission critical things that you need to have from the cyber domain? And then we help them build a defense in depth to focus on the really important things.
So for example, don't [take this the wrong way], but I don't care about the base library at Kirkland Air Force Base, N.M., but I will fight to the death for the Tactical Air Control Center at Scott Air Force Base, Ill., that controls air mobility. And so we build a defense in depth…with separate enclaves, separate firewalls, separate sensors and much more in-depth two-factor authentication.
In addition, I have relationships with each of the numbered air forces. So if they are going to support an operation, I see their guidance…and I know what pieces of the enterprise I am responsible for. In any given day, and this won't get much better very quickly, but today I can monitor actively about 5 percent of my network with my sensors. But if it was a small operation, or a small [area of responsibility], I could do it all.
And we have the beginnings of hunter teams, which would actually get into the dynamic night-fight on the network, where if we see somebody bad coming in we're kicking them off just as they come in.
So that's where we need to go, from this Maginot Line to defending what's mission critical, building a defense in depth, dynamically defend it, and when the attack comes — and they will — have a way to fight through all the way through the attack. For example, if you for some reason were to shut down a system or a database, [we would] have it stored in the cloud, the last known good [version] that's only 10 minutes old. That's how you fight through an attack.
DS: What does the 24th Air Force do now in terms of supporting the bandwidth needs of unmanned aerial systems operations and other ongoing operations in Iraq and Afghanistan?
Webber: We are already doing network support for [unmanned aircraft systems] now for a big chunk of our operations that are being used in the [Central Command] AOR. So we have identified and mapped all of the circuits, and all of the command centers.
We're actually down to looking at the key routers and servers. We're monitoring these 24/7 in support of the warfighter over in CENTCOM. Again, the focus is mission assurance. So we help them design a redundant defense-in-depth system, and our initial steps are to monitor them to make sure that they're operating or that we have fallen back to the backup and we're ready to do some dynamic defense, if needed.
DS: What other sort of bandwidth challenges are you facing, and how are you dealing with them?
Webber: We just went through social networking, and we're opening that up to the force; and obviously, streaming video is a bandwidth hog. As we opened up to about 70 social networking sites, we've had some bases say, “We are bandwidth limited, and we'd like to delay until we can get bigger circuits,” or they've asked us if we can turn off a particular social networking site because it has streaming video. So we are managing bandwidth in a very real-time way.
DS: When do you see being able to dynamically manage bandwidth based on what missions require — and tweak application allowances for various networks so you can get more mission-critical traffic?
Webber: Certainly today, it's centrally monitored, centrally directed and I can turn sites off base-specifically. But in terms of controlling application bandwidth across the whole Air Force enterprise, that's a future capability. Other than the network slows down, or you turn things off, we don't have that kind of capability now. It's not until we start getting into the more modernized, homogeneous Air Force network that we'll have a significant ability to do that.
DS: What do you see as the challenges in securing the Air Force's networks overall in terms of getting a consistent implementation of information assurance systems, such as the Host Based Security System?
Webber: Without getting too technical, we have made tremendous progress on HBSS — it's one of those things that require other foundation parts to be in place before you can make good progress.
In order for us to really improve security, you need to focus on moving to this single homogeneous Air Force network. Because whether we like it or not, we're going to have to deal with adversaries or people breaking into our networks, and we're going to have to be able to get the mission done with systems that are highly dependent on networks in an increasingly contested environment.
We have to have a weapons system mindset about the network. This mindset change is absolutely critical. Every single airman needs to know that when they sit down in front of a terminal and log on to our network, that they are our strongest and our weakest link at the very same time. They all have to have the discipline and the rigor that you would insist on with any professional warrior flying any weapons system. I think that a lot of our folks don't view the network as being mission essential or realize that they are in fact the potential weak link in our defense when they try to do workarounds. You would never stick a thumb drive in an F-15. You would never walk out to the flight line and say, "Hey, let's just hang this on the wing and see how it works." But we routinely do that in the network. And you need to have a professional, weapons system mindset toward the network.
DS: What do you see as the key personnel challenges ahead in getting the talent and manpower in place to help you bring the 24th to its full potential?
Webber: There are a lot of pieces for that. If you look at how the Air Force builds a culture of Air and a culture of Space, we're going to use those same approaches to build a culture of cyber. For example, [look] at what it takes to create a fighter aircraft pilot. For about 12 months, they go to undergraduate fighter training. Then they're going to get trained in their warfighting platform. So now I've got 18 months of training. Then they arrive at the unit…as a wingman and start an apprenticeship – an on-the-job training process that will grow them into a shift leader and a mission package commander. But you're talking 18 to 24 months of intense training before you have that top-of-the-line warfighter.
We need to build that very same process within the training capabilities of the Air Force for cyber. Our undergraduate cyber training — it's shorter, obviously, but it's our equivalent of the undergraduate pilot training – was started up on June 22. And we're still building the mission qualification training – the individual weapons system training programs. The mission qualification training is done largely by the 39th Information Operations squadron at Hurlburt Air Force Base [Fla.]. And we need to expand that out into all of our weapons systems – right now it's just a handful. We're following the same model that the Air Force has used for space – they call it the space professional, or space pro. We're going to create a cyber pro program.
Gen. [Robert] Kehler is the overall functional authority for the cyber domain, and he is charged with creating a combat capability within cyber. That capability takes operators, communications and intelligence; it takes acquisition, and it takes engineers. We're going to go to every single job in the domain, in the enterprise, and we're going to identify what kind of education you need to have at the beginning of it – do you need a B.S. or an engineering degree. We're going to identify what kind of training must you go through, what kind of experience do we want you to have had before you're a squadron commander or group commander or wing commander, and what kind of certification training and professional military education training do we want you to have. So it will be a full package. All of those bits and pieces are in some various stages of progress, with the undergraduate classes and the early mission qualification classes already going.
Now, once you have done those two pieces – once you've got your cyber pro, and you've analyzed every one of those jobs, obviously if it takes somebody 18 to 24 months and two to three schools to get up to the full-up round, you can't lose them two years later. So what we're trying to do for payback is set up a construct where if we give you two years of training, we give you a total of six years of enlistment or obligation for the officers. And we'd also like to have back to back tours. So if you did something with the 67th Net Warfare Wing, let's say you were at one of the [Integrated Network Operations and Security Centers] at Langley Air Force Base, Va., or Peterson Air Force Base, Colo. Your follow-up job might be to the 624th Ops Center. So you'd have two back-to-back assignments within the same domain. That's how we're designing how we train folks and develop the cyber professionals of the future.
DS: How much of a role do civilian and contractor professionals play in filling out your capabilities, and are they currently filling roles that would conceivably be filled by Air Force personnel in the future?
Webber: If you look throughout our entire enterprise, you will see a total force team. You're going to see officers, enlisted, active duty, reserve, guard; you're going to see civilians and contractors all shoulder to shoulder. Obviously, there are certain things that only a Title 10 blue suit warfighter can do, but in this business, we're using the whole mix in current ops today, and quite frankly I don't see that changing. I don't think you want to change that. So once you go through the 18 to 24 months to train a cyber warrior and they want to hang up the blue suit and put on a contractor suit or become a civilian in the enterprise, we are going to have some very attractive jobs for those folks at several locations.
Let me add that one thing you should also do in planning the total force and that we have already done – because the people who went ahead of me were very smart about this – you also want to be smart about where you locate your guard and your reserve units. So if you locate them in close proximity to San Antonio, Texas, Fort Meade, Md., Spokane, Wash., I could go on and on…if you locate them correctly, then if we do lose folks to the civilian world or to other government agencies, you're sitting there with a reserve opportunity or an Air National Guard opportunity, and they can step across the street and do some of the exciting stuff that we do, getting into some of the more dynamic defense activities that we do that you couldn't do as a civilian. I think that's also part of how you build this force.