The Air Force thinks it’s done a good job of making sure its IT systems are defended from cyber threats. But those networks only account for about 20 percent of the cyber problem the service faces. So a new task force will try to take an enterprise approach to protecting the other 80 percent of Air Force systems the service sees as vulnerable, including weapons systems and critical base infrastructure.
The project, dubbed Task Force Cyber Secure, borrows heavily from the concepts the Navy used when it launched its Task Force Cyber Awakening last year. Both services say they need to make clear to all of their service members that cybersecurity isn’t just an issue for IT personnel, and that they need new institutional processes to protect systems that haven’t traditionally been thought of as part of cyberspace.
Gen. Mark Welsh, the Air Force chief of staff, authorized the task force in a memo late last month. He said part of its charter will be to draw clear divisions of labor among the service’s headquarters organizations.
“We have to make sure we have all responsibilities right so that we don’t have Air Force Space Command and our CIO beating each other over who’s the right voice for the right issue,” Welsh told an Air Force Association breakfast Thursday. “We’re also going to make sure we understand the impact of good and bad cyber behavior on the capabilities of the Air Force, what our real vulnerabilities are, including in our mission systems: our airborne platforms, our space-based platforms, our analytical databases. Their objective is to take a step back and take an objective look at the ability of the Air Force to do its job, how the cyber domain allows us to do it better or prevents us from doing it well, and then get after the problems they identify.”
Specifically, the task force is charged with diagnosing how cyber vulnerabilities might impact each of the Air Force’s five core mission areas and developing a strategy that attempts not just to fix problems one by one, but also takes as a given that cyber is going to be an element of virtually all aspects of future warfare and, since funds are limited, that the military needs take an informed and risk-based approach to hardening its systems.
Lt. Gen. Bill Bender, the Air Force’s chief for information dominance and CIO, said they’ll start by examining all systems that lie outside of traditional IT networks, including weapons systems and maintenance depots.
“It’s not that this work hasn’t been done, it’s that it hasn’t been done in any kind of coherent way,” Bender said Thursday at AFCEA’s Washington, D.C. chapter’s cybersecurity summit in Washington. “We need to connect the dots and do a better job of information sharing. I think that will happen naturally as a result of getting people with common concerns in the same room, whether that’s in-person or virtual.”
The Air Force also sees the task force as a venue for prioritizing its cyber investments and letting leaders deliberate on where it makes sense to pump more money into cyber protections and where it’s willing to accept more risk.
Pete Kim, the Air Force’s acting director for cyberspace operations and warfighting integration, said various sectors of the service have spent plenty of time thinking about how to bake security into their programs and how to fund those efforts. But those efforts have been highly disjointed until now.
“Before the task force was stood up, I could go into any functional area of the Air Force and somebody was doing something to secure their information or do cybersecurity, whether they’re working on intelligence or logistics or space, and I could go on and on,” said Kim, who will lead the task force’s day-to-day operations.
“But one of the things that kind of convinced folks to do this was when I plopped down two huge binders on the table full of all of the cyber assessments, studies and quick looks that were going on across the Air Force. None of it was synthesized, everybody thought they had their own solution, and all of them were coming into the E-ring of the Pentagon and asking for money to implement it.”
The Air Force expects the task force’s work to last at least a year.
During that time, it will be looking for ways to identify to senior leaders exactly what needs to be done to secure the service’s systems and infrastructure, and if more cybersecurity spending is necessary in any given area, to make a cogent case to its senior leadership.
“We need to be able to go to the chief of staff and say, ‘The Long Range Strike Bomber is good. The maintenance systems are secure. The people on the ground know what to do and the cyber operations guys are patrolling the right space. We’ve got an integrated approach. It’s been designed as securely as possible, but we still think we need to spend $5 million more for cybersecurity.’ Who in the Air Force has that kind of big corporate look to pull all of that together? Currently, no one does,” Kim said. “The program office wants to spend some money, the intel guys are asking what we need to focus on, and meanwhile everybody and their brother at Cyber Command is sending orders to patch, patch, patch, report, report, report. At some point, we need to just say, ‘Stop. OK, what are we really doing here?'”
Focus on new areas
Kim said part of the task force’s job will be to search out what’s already being done in the cybersecurity space, not just within the Air Force but across the Defense Department, and to prevent a duplication of effort in what are likely to be very similar challenges across the military.
He said the group has already seen some success in coordinating those efforts and has served as a sort of matchmaker between people with cybersecurity problems and people who are already working on solutions.
“The information sharing and connecting the dots is part of the goodness here,” Kim said. “We’re going to be able to put some focus on things we haven’t been able to in the past. People are already coming to me and saying, ‘We need this funded, this is very important.’ Our next challenge is to get the corporate board structure to say, ‘Yep, that’s important. We’re going to fund that.'”