The Failing of Air Force Cyber

November 1, 2013
By 1st Lt. Robert M. Lee, USAF


Organizational missteps have left the service ill-suited for the digital realm.

The U.S. Air Force cyber community is failing for a single fundamental reason: the community does not exist. In 2010, the communications community began to be identified as the cyber community. An operational cyberspace badge was created, and those who previously had been communications professionals now were seen as cyberwarriors. This change did not effectively take into account that cyber and communications are two distinct fields and should be entirely separate communities.

When attempting to identify cyber operators, it is impossible to look at the cyber Air Force specialty codes (AFSCs) as an indicator. In the officer ranks, only a small fraction ever takes part in on-keyboard or operational missions where the effects of cyber are leveraged for exploitation, attack or defense. Yet, all of the personnel wear the badge and identify themselves, some cynically so, as part of the cybercommunity.

This faux community creates problems when trying to identify the personnel needed for a mission. It is a distinct way of thinking and set of skills that enables an operator to target adversary networks or take an active role in defense. As an example, many people consider themselves computer network defense operators and are consulted as such. Yet, often they participate in more of a communications or maintenance role. They establish, maintain and oversee networks. This is a very important role—maybe even more important than a defense operator’s role when done correctly—but it is different. Applying vendor-issued software patches is not defense; it is maintenance.

Cyberdefense uses a variety of different sources and methodologies to mitigate active threats using fields such as incident response, malware analysis, digital forensics or even intelligence-driven defense. Instead of having clear separation between communications and cyber roles, the term cyber is applied to anything that can be remotely justified. The field is plagued with those who want to use the term and community to try to advance their own causes and careers. It is important to remember that even with the best intentions, members who have not participated in cyber operations will have a limited perspective of what is required. Some of the best leaders are not those who take command and usher in new change but instead those who stand out of the way.

Instead of having well-trained analysts who can be identified by their AFSC, the Air Force now has a number of personnel who are called cyber operators but are not. Most do not understand the domain or how to operate within it. By quickly creating this blended community and renaming everything cyber, the Air Force appears to be taking action to defend national security. However, the actual result is difficulty in supplying core training and education useful to the field; finding the people actually wanted as operators; and assigning operators to the right missions. The combination of these three aspects is the most common denominator among cyber operators who are leaving the Air Force. These operators want to have mission satisfaction while being challenged and developed, but because of the lack of a cybercommunity they are more likely to find what they are looking for in civilian jobs.

One of the most important aspects for mission success is properly training and educating the force. When the communications community was directed to transform into the cybercommunity, the mission of the communications field remained. In addition, the majority of communication professionals would never take part in cyber operations or have an on-keyboard mission. So, the education and training developed for the new “cybercommunity” had too much on which to focus. Another byproduct is that this training could not be so technical that communications professionals could not complete it.

A perfect example of this blended communications and cybertraining can be found in the Undergraduate Cyberspace Training (UCT) schoolhouse that all incoming 17D cyberspace officers must complete. The six-month UCT course spends part of its time introducing 17Ds to tactical communications, communications ethos and legality, and other traditional communications training. The rest of the time is spent trying to educate the students on cyber operations and the different skillsets. The instructors who were directed to stand up the course did an amazing job with what they had, but they were asked to complete an impossible task. Out of each class of about 15 students, only two will be selected for an operational cybermission. With only about 15 percent of the students going on to be cyber operators, the material had to be passable and understandable by everyone so the majority of students who go on to communications missions could succeed.

This is not a feasible strategy for providing core technical training to an operational cyberforce. If two distinct communities existed, the communications personnel could take material that is most relevant to their profession. This would allow the cyberpersonnel to spend their entire training time focusing on skills the nation needs. Additionally, cybertraining could be extended to cover more core skills that give hands-on experience to more technically challenging and advanced skillsets. Instead, cyber operators that come out of training are expected to do extensive on-the-job training to gain skills they should have been taught. Proper discussions on what type of education and training is needed after the core training cannot be held, because the core training does not provide the skills it should. From this flaw all other training programs for cyber operators are affected.

After training, cyberspace officers are given operational cyberspace badges. These badges, or cyberwings, can be earned through the six-month course or a transition course. The considerably shorter online transition course allows personnel of different AFSCs to wear the badge if they are in a cyberspace-related job, but in reality most of those jobs are communications missions. The course gives only the most basic understanding of terminology and does not develop, train or test cyber-related skills. Not only is the AFSC not a good identifier of a cyber operator, but neither is the cyberspace badge. With this in mind, leaders have discussed ideas for giving special experience identifiers (SEIs) to personnel with specialized cyberskills. But, because of the flaws in identifying personnel with relation to their AFSC or badge, the SEI then becomes a detractor. An SEI is not a proper method for identifying an entire community. The SEI further separates out personnel and makes it harder for talented analysts to end up in jobs for which they do not have the SEI but may have the passion and aptitude to excel.

In readying mission tasking and filling cybermission needs from organizations such as the combatant commands and the intelligence community, the Air Force cannot succeed. The teams that are established to deal with national level problems cannot gain access to properly trained and easily identifiable personnel. This results in a personality-driven team that gets its start because a commander knows someone he or she believes could do the job. Using name requests for personnel to operate and lead all cybermissions is not sustainable on a large scale and over time. When leaders who are chosen for command look to staff their teams, they do not know where to begin because the mission tasking was designed for a community that already should be trained and identified.

National cyberteams, especially at combatant commands, are stood up with the expectation that the military services have accomplished their main function with regards to the troops: organize, train and equip. In this regard the Air Force has not met mission success. Other organizations such as the U.S. Cyber Command can attempt to provide additional training, but it is ineffective when built off the core training currently available. The Air Force’s role in these national cyberteams will fail from the lack of a cybercommunity.

The personnel in charge who are making decisions to try to fix these issues are neither complacent nor incompetent. Men and women at every rank are trying to help the Air Force understand and succeed in cyberspace. However, no good ideas can be generated and implemented to ensure the securing of the cyberspace domain when all the ideas are created from a fundamentally flawed origin. Yet, there is an ability to change this flawed start.

If the Air Force is willing to split the communications and cyber communities, then the men and women in each who serve honorably will be able to establish ways forward. Cyber cannot be a buzzword that is used to obtain larger portions of the budget or secure contracts. Cyber must be a term that belongs to a specific community that is truly operational. Cyber must be its own community and have its own leaders. Those who say cyberpersonnel are too technical to lead their own are only trying to find a way to stay relevant in a domain they do not understand. Leaders will rise through the ranks as they always have; it is not a quality of any specific career field but of the professionalism of the armed forces.

Many men and women in the U.S. Air Force are ready to answer their nation’s call, to readily advance their skills, and to secure the cyberspace domain. It is only by accepting the need for a different approach that the communications community can return to its roots and the cybercommunity can begin to grow in its own right. A true cybercommunity and culture will see the development of leaders, innovators, educators, operators and the type of passionate people required to respond to the nation’s adversaries. The Air Force stands in a prime position to allow this cyberculture to develop and lead the way forward. Otherwise, with the passage of time, the Air Force very well may be known not for its mastery and securing of the aerial domain but instead for its failure in the cyber realm.

1st Lt. Robert M. Lee, USAF, is a flight commander and national-level cyberteam lead at an intelligence squadron in Germany working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency. The views expressed by him in this article do not constitute an endorsement by, or opinion of, the U.S. Air Force or the U.S. Department of Defense.

 


Comments

While I agree with some of the author's points regarding the difficulty of identifying those individuals who have the aptitude to excel in this challenging field, I don't believe the plan to develop these folks at UCT is sustainable. The numbers just aren't there. The mission of the school house is to provide entry level training for the entire community and then identify those with the possible skills that require further development. This "AF" model works because the numbers are there. The only other way to pull this off would be to develop a Joint entry level program. That opens up a whole other can of worms that are too numerous to get into here.

By Marlon Coerbell

Thanks for the feedback and you pose a great question. I think the root of the problem though is that there isn't one "community" but instead two entirely different communities that have been both impacted by being combined. Even if a certain level of numbers are needed for sustainability it is an issue that must be addressed and the answer cannot reasonably be to plus up those required numbers with people who do not need that training. In essence it's creating a training pipeline where the "pass rate" is around ~15% if the purpose is to identify the people with the skills for further development. The skills in the training are not up to speed with core cyber skills required and they are overkill for comm skills. It's insulting to the "B-Shreds" and can create a certain sense of animosity or unneeded division. Even being able to identify people as "B-Shreds" (which is common) as a community indicates an issue. We do not have a cyber community in the Air Force. We have a Cyber/Comm combined community that while attached bring both down. The traditional comm community, mindset, culture, mission, etc. is extremely rich in heritage and is critical to the AF's mission. This mindset that everyone needs to be an operator is something that is not beneficial to the overall AF mission.

Cyber personnel and cyber skills are not easy to develop and you cannot just create them regardless of what you name the job or AFSC. Unfortunately the approach we've taken is that traditional AF model that you've mentioned but it is not reasonable and ultimately creates a force where you do not know who is capable of what. You simply cannot look to the AFSC or Cyber Wings right now as an indication of who can perform a "cyber" mission. It's unacceptable and creates massive problems for the Air Force as well as Joint and National teams that try to staff their billets with the appropriate personnel. To be fair though one of the problems is that we as a force call everything cyber. It's become a joke to most civilian teams, conferences, and other services. There's a lot of money on the line so there's a huge incentive to label everything cyber and pretend we're all ops. Some people honestly believe they need "cyber troops" when all they want is network architecture and maintenance. Anti-Virus companies and other vendors have sold this concept of the "Advanced Persistent Threat" as an unstoppable force and that has been another reason for a quick reaction to try to operationalize "cyber" and defend our networks.

"Please do not blame us for not doing our job, it was the APT and we all know defense is REALLY hard!"

When you take a look at almost every single campaign the initial infection vector (and it's not an attack, it's an infection or exploitation attempt but that's another point entirely) is usually a phishing email or some other basic aspect of security. The non-sexy truth is that the basics of security are the most important thing. The advanced adversaries will get in eventually but right now as a community we do not even stop the easy intrusions; adversaries do not have to do anything fancy to win. We must raise the bar and we already know how. Network architecture and maintenance is NOT a defense function but it is the single most important component of defense. But that's hard to make sound great on a contract, EPR, or OPR so you can expect us to have "cyber defense" teams who have no hands-on-keyboard skills and "A-Shreds" who end up patching networks. We have a lot of great people in the Air Force with amazing skills who are getting out because instead of the Air Force realizing we only have a small number of cyber troops and we need to develop more in a correct albeit slow manner, we've labeled everyone cyber and now the people with skills have a hard time getting into the right jobs. They can serve national defense more easily outside of the Air Force in many instances. That is a huge failure on the Air Force's part.

I'm deviating from your initial point/question but it's just to show that there are so many issues. And we won't really be able to figure them out or determine what is or is not possible because the community does not exist. It's not possible to try to solve any of these issues though without establishing an actual cyber community as well as a realistic way of identifying them. From there that community can figure out the way forward.

By Robert Lee

You make some good points and your thinking mirrors that of a significant number of folks within the 17D community. However, I’m not convinced that simply splitting career fields addresses the long-term requirements for resourcing cyberspace professionals. "Organizational missteps" are strong words because, as you state, a lot of good people with the best of intentions, have tried to advance the ball down the field under some challenging circumstances and I would submit that given the constraints and surrounding issues, we're fortunate to be where we are. I'd also submit that we're only a few years toward a desired end state and that while we may not be postured most efficiently, right now, we have built a career force development construct that, admittedly with some tweaks, will allow us the flexibility to meet future needs.

Some perspective, the AF started the move toward a cyberspace career field in the early 2000's and the leadership was well aware that we were building for the long term. The old conundrum comes to mind, "How do you build a good general? Start with a Lt and get back to me in 25 years." The point being that if you want to grow a career force, you only have two options, start from zero or transition a number of folks that are already out there into the new force. Unfortunately, we didn't and don't have the luxury of time to grow a career force from scratch, hence the decision to transition the entire 33S. Additionally, establishing a career force involves much more than just cultivating technical aptitude and experience.

Keep in mind the core purpose of the service component, "Organize, train and equip." The training pipeline and support functions had to be established to get the career force moving and that involved skillsets that had more to do with management and leadership than just cyberspace (i.e. I need more than just a cyberspace professional to stand up a course at a schoolhouse, I need folks experienced in instructional systems design, I need folks that understand contracting, budgeting, etc.). Also some thought had to be and was given as to how the career force would be utilized and professionally developed; however, these decisions had to be made before US Cyber Command even existed, before the Cyber C2 CONOPs existed, before the combatant command even knew or stated what their requirements would be for forces, and certainly before the Cyber Force Model had been given any thought. However, we knew we had to start somewhere and it's important to keep in mind that we had an established model for grooming cyber professionals because we'd already been supporting NSA for years. So basically, we scaled up what we already had in the absence of solid requirements but with the anticipation that it had to be flexible enough to get very large, very fast.

Another factor to consider is that the Air Force personnel management and professional development processes add another challenge to growing the career force, particularly because it doesn't offer a clean construct for growing and tracking expertise that can be assigned where needed consistently. That's not a bug, that's a feature that at a minimum ensures you have a large enough pool of talent to choose from and that every technician has some baseline level of training and experience (it also levels the playing field for opportunity).

So while I don't disagree with your arguments, I think it's worth viewing them through the lens of the larger challenge...how do you provision a force (which you believe may not be right-sized currently, but that may have to surge in 2-3 FYDPs in the future), using the existing personnel system (which works pretty well for 90% of existing AFSCs), to ensure we can produce the capacity for a force that may easily outnumber other operational career fields within 10-20 years?

By Lt Col Paul Whi...

I came upon this article when reading the Nov 2013 Signal Magazine. Catching up on some professional reading. I went through the Lt's article and these are the very same things we discussed at AFIT in 2005/2006, and on the AF CIO staff from 2006 - 2009 when the foundation for the cyber career field was being developed and the AFNetOps construct was being planned and stood up. Two things: 1) BL: we still need to fully define Cyber before we press forward with professional development concepts. You can gain a lot of insight into this if you study the early 2000 Space arena studies and stand up of their professional development program; and 2) we saw the issues in designating all former 33S officers as 17D officers and the future lack of focus on the core 33S functions to maintain MAJCOM and base-level communications proficiencies. And, with the lack of Cyber understanding and the AFIT Cyber Training in its infancy at that time...we thought putting all "the eggs in one basket" was a poor idea. However, the hollowing of the 33S force through PBD 720 cuts, functional FOA realignment, and the AFNetOps 33S re-alignment did not afford us any favors in fully grasping the magnitude of transitioning all 33S officers to the 17D officer career field. You might be able to glean some insight into my thoughts circa 2006 from my AFIT Communications Officer Professional Development Research Project on a potential way forward on concentrating on KSAs and key alignment to mission requirements like Cyber and Communications. -- Brian Jenrette

By Brian Jenrette

I went through UCT / INWT last year and identified similar issues - UCT should have been taught as two courses, one for B-shreds and a follow-on for A-shreds. A combat communications LT doesn't need much of what is an A-shred centric course.

What should be done is UCT pared down to a three month B-shred course and all the A-shred material pushed into INWT / PIQT. WARNING: AETC ricebowls will be threatened.

Nice work, Robert, and I applaud your courage to tell the truth. In times of universal deceit, speaking the truth is a subversive act. Billy Mitchell would have approved.

By Major Mike
