This is part four of a series exploring the differences between military cyber forces, capabilities, mission sets and needs. For previous installments, see part one, part two and part three.
In addition to being the direct service link for U.S. Cyber Command, 24th Air Force, or AFCYBER, holds a mission set in cyberspace that is much more expansive than just the man, train and equip cyber mission force Cyber Command contribution.
Maj. Gen. Chris Weggeman, commander of AFCYBER, noted in written congressional testimony recently that AFCYBER is designated as the cybersecurity service provider for the Air Force in addition to executing assigned cyberspace operations missions through six avenues; building, operating, securing and defending the Air Force networks.
Additionally, organic capabilities specific to the Air Force revolve around their five core mission sets: assurance of aerial refueling, assigning crews to planes and ensuring planes take off on time and complete their mission. In this vein, the Air Force has created a director of cyber forces, or DIRCYBERFOR, with 39 billets across all air operations centers with the intention of integrating cyber into the theater of the service’s multi-domain operations, officials from AFCYBER told C4ISRNET.
One of the Air Force-specific efforts their 17D cyber warriors perform is defense of specific installations. This initiative, which has undergone a series of moniker alterations, is now known as the cyber squadron initiative directed by the Air Force’s CIO office.
Weggeman outlined this effort as one of three major efforts his command is undertaking.
In broad and simple terms, this mission set performed by 24th Air Force personnel was described in a recent C4ISRNET interview with Maj. Gen. Patrick Higby, director of Air Force cyber strategy and policy, as focused more on doing the active defense of the mission vice just making sure that all of the servers and networks are up and running.
[Air Force ‘chronically undermanned’ in cyber]
The genesis of this effort dates back two decades, Higby noted, saying that if something happened like a circuit went out or a server crashed or a radio net went down, if that comm squadron commander went to their wing commander and said they just lost circuit x, y or z, the wing commander is going to ask what does that mean for the mission?
“So even 20 years ago, we were training our officers to think about not just is the circuit up or down and what am I doing to keep the circuit up or get it up if it goes down, but what are the implications to the mission I’m supporting,” he said.
Currently, this initiative seeks to ensure the individual squadron level can fight through cyber incidents — whether from adversaries or insiders — to make sure the wing commander can complete their mission even if it’s in a degraded state. This effort is separate from the CMF and is being manned with mission defense teams, or MDT. On the surface, Higby equated MDTs to looking similar to cyber protection teams, which are part of the CMF even though cyber protection teams are much larger.
He envisions MDTs as “beat cops,” meaning cyber protection teams are the SWAT teams, an analogy that has been made by other commanders.
[Cyber ’beat cop’ needed to add context to for SWAT teams]
MDT’s defend installations and certain weapon systems. If overwhelmed, service retained CPTs can assist. One such example is space weapon systems as outlined in a recent request for information issued by the Air Force that asked for contractor support for cyber defense of space weapon systems.
[Air Force wants contractors to defend space systems from cyberattacks]
“AFCYBER is not prioritized, nor resourced to perform day-to-day defensive missions outside of Air Force NIPRNET and SIPRNET,” a spokesman from Air Force Space Command told C4ISRNET. “Because of this, Headquarters Air Force leaders have allowed localized Communications Squadrons to request [mission defense teams] to focus solely on their own installation. Many of which are performed by contracted mission partners.”
The beat cop patrols the network on a regular basis, knows what normal might be and can deal with certain threats. However, if the problem is too big to handle, the cop will call in the cyber SWAT team; in real life this would be the service retained cyber protection team (see part I).
The Air Force also has cyberspace intelligence components, one being the 35th Intelligence Squadron Cyberspace Threat Intelligence Center. According to an Air Force spokesperson, these teams “provide the Air Force with trained and equipped cyber forces at the Wing level, focused on delivering cyber-based mission assurance for their units/Commander’s mission(s). They are a key component of how we scale cyber security and defense of mission and data systems across the totality of AF missions and key cyber terrain.”
Moreover, this will be staffed by personnel who are not CMF billeted from AFCYBER.
“The 35th Intelligence Squadron has an existing and historic mission to provide intelligence support to Air Force units tasked with defense of Air Force networks, unrelated to Cyber Mission Force. The Cyberspace Threat Intelligence Center (CTIC) is tasked by 24th Air Force’s 624th Operations Center to provide such intelligence. The newly established CTIC Operations floor modernizes the Squadron’s ability to accomplish this mission,” a spokeswoman from 25th Air Force provided to C4ISRNET. “The Cyber Squadron Initiative (CSI) organizations will expand their scope and footprint to provide additional protection to bases and their resident cyber systems as required.”
On the weapon systems front, the Air Force stood up an office specifically dedicated to cyber resiliency for weapons systems. The Cyber Resiliency Office for Weapons Systems, or CROWS, which reached IOC in December, will work to integrate activities across the Air Force ensuring weapon systems maintain mission-effectiveness capabilities in the face of adversaries.
Weggeman, in his written testimony, explained this office was “developed to address last year’s NDAA Section 1647 weapon system cyber security mandate. These three major endeavors, deliver a coherent approach to cyber security, cyber defense, weapon system resiliency, and the ever critical ‘every Airmen a sentry’ cyber hygiene culture across our Air Force.”
The series continues at Navy applies a layered defense approach in cyberspace.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.