Air Force Cyberspace Report

This week I attended Victory in Cyberspace, an event held at the National Press Club. It centered on the release of a report written by Dr. Rebecca Grant for the Air Force Association's Eaker Institute. The report is titled Victory in Cyberspace (.pdf). The panel (pictured at left) included Lt. Gen. Robert J. Elder, Lt Gen. (ret) John R. Baker, and Gen. (ret) John P. Jumper. Dr. Grant is seated at the far right.

As far as the event went, I found it interesting. If you are exceptionally motivated you can download the entire 90 min briefing in .wmv format here. I'd like to share a few thoughts.

First, I was impressed by all the speakers. Lt. Gen. Baker led AIA when I was a Captain there. At the same time Gen. Jumper led Air Combat Command, before becoming Chief of Staff. I learned Lt. Gen. Elder has a PhD in engineering.

Lt. Gen. Elder commented that cyberspace is a domain similar to the ocean, and he specifically drew parallels with the Navy. (This made me wonder why the Navy isn't taking the lead on defending cyberspace.) In order to use the ocean for commercial purposes, the domain must be controlled so ships are protected from harm. Cyberspace is similar, except that in addition to requiring control of the domain in order to use it, the domain must first be created. (No one needs to create an ocean.)

Control, however, does not mean "ownership." Elder specifically stated the Air Force does not plan to "own cyberspace;" cyberspace is more of a "strategic commons" like the ocean. Cyberspace is also not confined only to the Internet. A presentation by Dr. Lani Kass titled Cyberspace: A Warfighting Domain cites the classified National Military Strategy for Cyberspace Operations to define cyberspace as:

a domain characterized by the use of electronics and the electromagnetic spectrum store, modify and exchange data via networked systems and associated physical infrastructures.

(Speaking of the NMSCO, I read a Joint document is en route, according to Joint Staff readies cyber operations plan.)

Elder's presentation featured plenty of military jargon, like the great "OODA loop" (observe, orient, decide, act) and a new "effects chain" (find, fix, target, engage). (That sounds like the OODA loop, doesn't it?)

One of Elder's major points, reflected in the report, is the Air Force's recognition that cyberspace (broadly meaning communications, I believe) is the foundation for all Air Force operations. I would argue that all of the services are equally dependent on cyberspace. That reminds me of the role of United States Transportation Command. It makes sense to me that cyberspace activities are currently part of United States Strategic Command.

USSTRATCOM accomplishes its cyber mission through the Joint Task Force - Global Network Operations (JTF-GNO, led by the commander of Defense Information Systems Agency), Joint Functional Component Command - Network Warfare (JFCC-NW, led by the director of National Security Agency), and Joint Information Operations Warfare Command (JIOWC, led by the commander of Air Force Intelligence, Surveillance, and Reconnaissance Agency).

If cyberspace is truly a warfighting domain (alongside land, sea, aerospace), I don't see who can argue against an independent Cyber Force. (I don't argue for a separate Space Force because I think the Air Force will eventually be the Aerospace Force.) Elder rejects the idea of an individual Cyber Force in Dr. Grant's report, but the Army had the same feeling about the Air Corps before 1947. We can separate the world into physical and virtual, or as the military likes to say, "kinetic" and "non-kinetic." I find it hard to believe that a cyber operator who reads and manipulates hex is going to find much in common with someone who kills people by exploding ordnance.

Elder mentioned some of the tasks the Air Force expects to perform to better secure its networks. These included a "cyber standardization and evaluation team," application assurance testing, software tamper detection via signatures and hashes, clusters of systems voting on proper outcomes, "cyber sidearms" in the form of tools on individual laptops, and a specific cyber Air Force Specialty Code (AFSC). If this had happened 10 years ago my career would have been very different and probably much longer!

Elder finished his talk describing how the US Code affects Air Force activities. For example, Title 10 (Armed Forces) restricts the work of the active duty military. Similar restrictions affect the intelligence community through Title 50 (War and Defense). However, because the Air National Guard operates under Title 32 (National Guard), it has more room to help the commercial sector and local governments with network defense. Elder said he would like to see Guard cyber units in every state, from the size of a squadron up to a wing. I thought this was a fairly exciting concept, since the Guard is likely to contain people with industry experience.

Lt. Gen. Baker and Gen. Jumper only spoke for a few minutes each. Jumper really hammered the acquisition community for providing the "block 40 upgrade to the block 30 capability" and thinking that helps the warfighter. He recommended writing Concepts of Operations before deciding what to buy. (Wow, sounds just like the commercial world; don't let vendors drive your security program!) Jumper said we need a "PhD-quality Weapons School," aggressor forces, and policy and doctrine modeled on offensive and defensive counter-air operations.

In the question phase, when asked why the bad guys are "so much better" than the good guys, Jumper replied "Bad guys don't have policy constraints." I believe Baker stated that the biggest problem he sees in industry is the feeling that "we don't think it [breaches] can happen to us,", he said, "but it's happening every day."

As far as the report itself, I realized the author did not have any experience in the topic of computer network defense, exploitation, or warfare. Having just watched two shows on Army and Marine snipers, it made me think how it must sound to a sniper for a non-sniper to write a report on sniper craft. Disappointingly, the Estonia "cyberwar" was presented as the galvanizing action that should stir everyone's pot. In describing the event, the report author wrote:

The attackers also used illicitly linked computers around the globe to mount an enhanced onslaught. These attacks were conducted by networks of "bots" -- a bot being an automated program that accesses web sites and traverses the site by following links on its pages.

So, it appears we should pin the blame on Web crawlers. Sigh.

I also read about "Windows 1.0" being released in August 1995 and "Windows 2.0" in November 1995.

Apparently no one did a technical edit of this report. It's clear it took a lot of work to write this report, however. There's plenty of history, references and interviews. I would not have wanted to undertake this task, since I would have required a few years to get the history right.

I found this one item immensely interesting, so I'll close with it:

[One] difficulty is estimating the scope of the mission. "We are well past the $5 billion per year mark, and I don't know where the top end is," commented one STRATCOM official. "The $5 billion is mostly on defense. We buy huge amounts of software and people to run that, but it's totally ineffective against Tier III" cyber [advanced persistent] threats, this official noted. (emphasis added)

Comments

CG said…
interesting post, i'm going to talk out my butt a bit because i didnt read the report (yet) but i dont think it will matter too much for my comments.

this:
"when asked why the bad guys are "so much better" than the good guys, Jumper replied "Bad guys don't have policy constraints."

is total garbage. the bad guys are better because 1) we dont have the specialties (MOS) to counter the threat, for the most part contractors and GS do the defending (i cant speak to the attacking) and 2) senior and even mid-junior leadership really dont understand the real threat that is out there and how bad the "bad guys" want access to our networks and data and 3) most IT staff are so busy trying to keep the network up and email running that security is an afterthought at best when it should be a forethought

the policies, tool, requirements that DISA and others have worked at and implemented are actually very sound, the USER is currently the weak link in our armor. fixing the user is a tough problem, most people dont want to be bothered with security at all, as long as internet and email works they dont want to be bothered with it.

on another note, i'd definitely like to hear how ANY service plans to train (and keep) application assurance testers and the cyber standardization and evaluation team members. training and keeping those caliber of people for what services pay people is definitely going to be a challenge.
Anonymous said…
Generally speaking, pay is less of a problem for the services than Information Systems senior officers like to pretend. The Algomated Life Insurance Co will never provide the kind of job satisfaction inherent in the military mission. Unfortunately, that job satisfaction is fully and completely spiked by a leadership who understand s telephones but not computers. Good computer people get out, leaving the rest who become senior leaders, who provide through their superior management skills fully ungrounded in a complete lack of understanding of what they are doing a good reason for quality junior people to leave.
Solve that and the Cyber Command will be able to mop the floor with the Peoples Liberation Army. Until then we will be doing well just to find out that we are the mop-head.
Anonymous said…
I agree that pay is less of a problem than the leadership, program direction, and support these information assurance military types require. As with Richard, my personal military career may have been different and longer had there been a comprehensive program in place. However, abysmal leadership decisions at even the most senior levels, poor program direction (I’m still not convinced there even ever was any, despite what “they” claim), and almost no support for information assurance led me to exit as soon as possible and seek out a job where my work would actually matter to someone. The higher pay helped make my decision easier, but was not the reason I left.

How many uber-techs do you know that take positions where the work is; money is simply not that important to them. Yes, there is always going to be a case where money motivates people, and those people will be the ones to leave the program. However, if the military were to become serious about creating a prestigious, interesting, and cutting edge information assurance program, I think the younger generation of highly skilled professionals would be quick to join. I don’t have the article handy at the moment, but I believe it stated something to the effect of 80% of Indian computer programmers would rather work on short-term (six months or less) cutting edge projects, constantly switching to newer and more interesting projects, than longer term projects with better job security.
Anonymous said…
Having worked as an IA Eng for DoD over in the Middle East for over three years, I see a huge leadership gap as the big culprit. We've got the talent and the tech. Ive worked with very sharp enlisted folks only to have it shewwed away as an anoyance by the officers...No offence Richard!

DoD needs to be more agile and flexible.
Anonymous said…
The Air Force has seized initiative as they grasp for a new defining mission. Always looking for the next "strategic bombing" concept, the Air Force has always been adept at applying emerging technology to the strategic threat of the times. Unfortunately, the Air Force is using its push to "cyberwar" as a budget wedge as the relative value of traditional airpower wanes. By leveraging the anticipated reluctance to engage in large deployments after Iraq, the Air Force is using the ability to "virtually" engage as a selling point to score budget points on the Hill. And the Hill is listening.

The Army has missed the boat on this one. They seem to feel the cyberfight doesn't extend past the brigade boundary. This myopia effectively cedes operations in cyberspace to the Air Force much like Space was ceded to the AF in the 1980's.

We'll see what happens, but don't be fooled that this isn't a budget event.
Anonymous said…
Agree with all your comments. Just a viewpoint, but it seems like everyone would like to fight these 'wars' from a NOC with a big screen, a'la' star trek, with a whole crew, and a capt chair, giving 'orders' and such.

It's not that kind of a war.

Not in the aggregate, and not on the individual OP level. Enemy isn't on a 'map', unless your op is to take down a physical country's infrastructure, which is how these guys see it. Still as a physical war.

The mental baggage that these actors bring to the engagement is based upon what they started out believing as how the world works. I say that from the perspective of having been Ivy League, having been military, having been 'underground', having been 'fringe' and 'academic'. Strategy is bad enough, but the tactics are not completely adaptable to the mindset they would like to apply, since the medium does not have the same pedigree (original intent).

Should be interesting. At least profitable and intellectually stimulating. But it is a different 'plain of existence' [intentional]. Not the fulda gap plain they grew up on.

But it is the next battleground.

Best, HAL

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics