The Air Force says it’s committed to operationalizing its approach to cyberspace and exercising control over the new warfighting domain as convincingly as it does in air and space. But the service is doing some serious soul searching as it tries to wrestle its definition of “cyber” into something that’s manageable and understandable.
The concern about murky definitions of cyberspace goes all the way to the top of the Air Force. Gen. Mark Welsh, the service’s new chief of staff, recently said he’s worried that the service’s understanding of cyber is so broad that it could turn into a “black hole” for programs and money. And when Lt. Gen. Mike Basla took over as Air Force chief information officer earlier this year, Michael Donley, the Air Force secretary, directed him to convene a summit of the Air Force’s most senior leaders to get everyone on the same page. Basla said he will host that summit in November.
“The truth of the matter is that if I asked our four-star generals, our chief and our secretary, ‘what is cyberspace, what is the Air Force role in cyberspace, what is our current capability in cyberspace?’ we would truly get 15 different answers,” Basla told an industry conference Thursday. “So we’re going to baseline it internally, get our heads around it and understand that joint warfighter requirement.”
Gen. William Shelton is one of those four-star leaders, and also happens to be the Air Force’s core function lead integrator for cyberspace as the commander of Air Force Space Command. He said it’s incumbent on the service to narrow down its understanding of cyber.
“Our actual working definition is still evolving as we gain operational experience and understanding, but I grow impatient as we watch evolution take its course,” Shelton told the annual Air Force IT Day hosted by the northern Virginia chapter of AFCEA. “In 2006, the Air Force published a forward-looking document on cyber, but I think we’d all agree now that we started out too big and too ambitious, so we had to narrow our definition. In those days, some wanted to define cyber as the entire electromagnetic spectrum. In hindsight, I think this breadth had the unintended consequence of confusing everyone, including ourselves.”
Shelton said the confusion has had operational consequences because of a lack of clarity about roles and missions within the Air Force.
“I know Mike Basla would back me up on this: I’ve personally observed confusion in roles, functions, lanes in the road, etcetera, due to the lack of precision in our operating definitions,” Shelton said. “We owe it to our people, from the most junior airman to the secretary and chief of staff, to narrowly define what we mean when we talk about cyber. And once we’ve arrived at that agreed upon working definition, we must clearly communicate that to the field.”
Shelton said the Air Force also owes that definition to the other military services, so decisions can be made about which parts of the military are responsible for which missions in a joint environment like U.S. Cyber Command and regional combatant commands, which draw their staff from each of the military services. First, though, he said the Air Force has to answer questions for itself about which capabilities it can offer.
“Certainly we have to operate and defend our networks. But what about exploitation and offensive operations? Is that Air Force business, or do we count on others to provide what I would call ‘high end’ services? How we answer these questions obviously has major implications for Title 10 and Title 50 authorities within the Air Force,” he said.
The Air Force is asking itself other big questions, like how it will acquire cyber capabilities before they’re obsolete, how to set realistic expectations for securing its corner of cyberspace, and exactly what composition its cyber workforce should take.
“Just as we spooked the herd with our DC-to-daylight definition of cyber, I believe we’ve correspondingly confused ourselves when we transitioned all of our legacy communications professionals into the cyber operations career field. Is everyone in the new cyber operations career field doing real cyber work? One could argue it depends on the cyber definition we choose,” Shelton said. “If our definition is narrow, it follows that our cyber force should be narrowly circumscribed as well. Do we need to recruit to high-end operations capability for the entire force? Or are we bound to create some haves and have nots in this career field?”
Shelton says the Air Force also needs a new paradigm for how it thinks about security. The current way of thinking, based on the objective of complete information assurance, is unrealistic given the huge spectrum of potential attackers facing the military. Instead, he said the Air Force should think about mission assurance.
“Sun Tzu said if you try to protect everything, you’ll succeed at defending nothing. We can’t defend in this domain everywhere all at once, so we have to identify the nodes and systems that are critical to mission assurance. And that list will change depending on what the mission of the day is,” Shelton said. “We’ve got to carefully prioritize what assets, what data, which data path, we will protect in extremis. We have to assure the availability and integrity of the information required to support ongoing joint operations. To do that, we may have to make the conscious decision that other parts of the network don’t receive as much attention.”
The new security structure, Shelton said, should assume that intrusions will happen, but rely on the idea of defense-in-depth and resilient, self-healing networks that can rapidly route traffic around trouble spots, isolate data from threats, and take other automated defensive measures. Building that resilient network will require an acquisition process that can keep up with the speed of technological change – something the Defense Department doesn’t have.
“Our industrial-age acquisition system — and I use that term advisedly — is designed to buy large hardware elements, like ships, airplanes and vehicles, places cumbersome and quite frankly, inappropriate requirements on our cyber acquisitions,” he said. “As this audience knows too well, cyber systems change on a timescale of days or even minutes. In the cyber arena, state-of-the-art hardware can become obsolete before the ink is dry on the check that paid for it.”
But that’s starting to change. Shelton said the Air Force is developing a “tiered” approach to cyber acquisition. Large, foundational capabilities like network infrastructure projects would still be procured through more traditional program offices over months or years. But a new cyber acquisition program based at Lackland Air Force Base would let the 24th Air Force deliver more urgent capabilities within weeks or months.
And he said the Air Force envisions a third, even faster track for extremely urgent needs.
“Our operators at 24th Air Force continue to develop processes to address gaps or needs that demand attention within hours or weeks,” Shelton said. “With the right mix of operators and engineers, we’ll develop a crew structure that will give us options for faster turn times, if necessary, at the operational and tactical levels of cyber warfare.”
To sustain funding and support for cyber programs, the Air Force has another idea. Shelton said the service is in the process of declaring several of its cyber capabilities as formal military “weapons systems.” That initial round of cyber weapons includes:
Cyberspace Defense Analysis
Cyberspace Vulnerability Assessment
Air Force Intranet Control
Cyber Security Control System
The Cyber Command and Control Mission System
Of the November conference, Shelton said no one should expect to see any grand pronouncements regarding the future direction of Air Force cyber operations. “I’ll be happy if I can just get everybody in the same canoe with me,” he said. “I think we need to elucidate the issues to the senior leadership of the Air Force. There’s some difficulty in the way ahead, not only in the definition, but also in the programmatic way ahead. If we can just get everybody rowing in the same direction, that would be fantastic.”
Basla agreed the summit is unlikely to result in any immediate cyber policy changes.
“We’re going to lay out where we are, what the requirements are, what the gaps are, which I believe will result in ‘go-do’ instructions to me and others,” he said. “We will then come out to industry and say, ‘this is what the Air Force way forward is and this is what we need from industry.’ I think it’s a two-step process.”