As many mainstream people in government and industry continue struggling to get a basic grasp of cyber-security and cyber-war, the Air Force’s top cyber chief is already trying to think 20 years out.
Space Command boss Gen. William Shelton acknowledged Thursday in his whirlwind tour around town that he has trouble even seeing 20 months out, given how quickly the cyber-world changes. But as the military-industrial-congressional complex accepts that cyber is here to stay and growing in importance, it has to start applying the same kind of big-picture approaches it has long used in planning and acting in the real world.
For example, the Air Force must start thinking now about the cyber dimensions of plugging advanced aircraft — such as the F-35 Lightning II and the much-anticipated new bomber — into the larger information grid.
“The blending of cyber and air domains must be transparent,” Shelton said. “As we get to advanced tactical data links … the seams between ground air and space layers could start to show. These systems will plug directly into the [Global Information Grid], and we’ll have analogous defense responsibilities all the way to the platforms. In cyberspace, a risk accepted by one is a risk shared by all. Adversaries are probing every possible entry point into the network looking for that vulnerable weak spot – if we don’t do this right, those new data links could become one of those spots.”
Old-fashioned cyber-defense also will remain critical. Shelton said he wants networks riddled with sensors and redundancies to spot intrusions and irregularities, as well as redundancies and layers to keep the bad guy out — “walls within walls,” he said. Although he said the Air Force today is “very good” at cyber-defense, he said it must get a “predictive capability,” because it can’t monitor and defend everywhere.
“We have to identify the assets we protect and then protect the essential ones,” he said. “We have to make conscious decisions that other parts of network don’t receive as much attention, so as you can see shifting from ‘traditional’ cyber defense to a strategy of resilience and layers” — what he called “the walls and moats” developed by the 24th Air Force.
Shelton wants a network that can “disable diseased applications, switch to a different [operating system] on backup hardware and a combination of myriad other defensive actions.” Not only must the Air Force and other services handle these kinds of defense for its nonclassified network, it also has to improve the classified high side, he said. Shelton expects an analysis of alternative on how to improve the Air Force’s SIPRNET this month or next — don’t look for much coverage of it in the press.
Here’s something else he touched on that will mostly play out behind the scenes: Shelton described a “debate” inside the family about how DoD is going to continue to mainstream cyber into its organization and operations.
“As we think about how we’re going to operate in cyber there are still many, many questions,” he said. “Is there really, in the future, a big DoD network that’s centrally managed and controlled? Or do each of the services have their independent capabilities to come together in the standard model?”
There’s even an argument about whether DoD and the services need separate cyber-commands — though Shelton did not characterize it that way. He did ask, rhetorically, “Who employs those capabilities? In cyber, you could be anywhere to employ capability. Does that mean CyberCom has no role, or the CoComs have no role, or we somehow parcel capabilities out to the CoComs with reach-back to CyberCom? I am answering with questions because we don’t know the answers to those questions just yet. It’s a very active debate — very heady stuff for those of us in the Department of Defense right now.”
DoDBuzz asked Shelton after his speech to expand on this discussion, and he set up this parallel: Today the combatant commanders ask the Air Force for a certain number of airplanes to conduct a certain mission within their battlespace. A number of B-1B Lancers flies over to … ahem … “Southwest Asia,” and then begin flying sorties to support the campaign. But does Central Command need airmen to physically be in Qatar, or Kabul, to defend (and attack) computer networks? Or can they be in Fort Meade or down in Tampa? And do those airmen “belong” to CyberCom, or CentCom?
“That’s kind of the dilemma,” Shelton said. “Physical presence and command authority.”
He did not answer any of the questions he raised, but you can imagine the pros and cons of each side. At very least, if you can keep troops safely out of harm’s way in a command center in Florida, that’s less risk at your headquarters downrange and less cost to transport, feed, clothe and sustain them forward. But the services obviously prize the value of tactical operations centers and forward headquarters, where everyone on the team can see and hear and smell their colleagues, enabling them to work closer together. If you’re the commander and your cyber-soldier is just as important as your intel guy or your logistics guy, there’s a strong argument for all of them to be downrange.
Then there’s the money issue — the services’ cyber-divisions are only a few years old, and they, like every new box in the org chart, have survival as their first priority.
Whatever happens, Shelton said the cyber-threat is only increasing. DoD’s networks are probed more than 10 million times a day, he said, and they’re getting more sophisticated all the time.