Add new comment

Thanks for the feedback and you pose a great question. I think the root of the problem though is that there isn't one "community" but instead two entirely different communities that have been both impacted by being combined. Even if a certain level of numbers are needed for sustainability it is an issue that must be addressed and the answer cannot reasonably be to plus up those required numbers with people who do not need that training. In essence it's creating a training pipeline where the "pass rate" is around ~15% if the purpose is to identify the people with the skills for further development. The skills in the training are not up to speed with core cyber skills required and they are overkill for comm skills. It's insulting to the "B-Shreds" and can create a certain sense of animosity or unneeded division. Even being able to identify people as "B-Shreds" (which is common) as a community indicates an issue. We do not have a cyber community in the Air Force. We have a Cyber/Comm combined community that while attached bring both down. The traditional comm community, mindset, culture, mission, etc. is extremely rich in heritage and is critical to the AF's mission. This mindset that everyone needs to be an operator is something that is not beneficial to the overall AF mission.

Cyber personnel and cyber skills are not easy to develop and you cannot just create them regardless of what you name the job or AFSC. Unfortunately the approach we've taken is that traditional AF model that you've mentioned but it is not reasonable and ultimately creates a force where you do not know who is capable of what. You simply cannot look to the AFSC or Cyber Wings right now as an indication of who can perform a "cyber" mission. It's unacceptable and creates massive problems for the Air Force as well as Joint and National teams that try to staff their billets with the appropriate personnel. To be fair though one of the problems is that we as a force call everything cyber. It's become a joke to most civilian teams, conferences, and other services. There's a lot of money on the line so there's a huge incentive to label everything cyber and pretend we're all ops. Some people honestly believe they need "cyber troops" when all they want is network architecture and maintenance. Anti-Virus companies and other vendors have sold this concept of the "Advanced Persistent Threat" as an unstoppable force and that has been another reason for a quick reaction to try to operationalize "cyber" and defend our networks.

"Please do not blame us for not doing our job, it was the APT and we all know defense is REALLY hard!"

When you take a look at almost every single campaign the initial infection vector (and it's not an attack, it's an infection or exploitation attempt but that's another point entirely) is usually a phishing email or some other basic aspect of security. The non-sexy truth is that the basics of security are the most important thing. The advanced adversaries will get in eventually but right now as a community we do not even stop the easy intrusions; adversaries do not have to do anything fancy to win. We must raise the bar and we already know how. Network architecture and maintenance is NOT a defense function but it is the single most important component of defense. But that's hard to make sound great on a contract, EPR, or OPR so you can expect us to have "cyber defense" teams who have no hands-on-keyboard skills and "A-Shreds" who end up patching networks. We have a lot of great people in the Air Force with amazing skills who are getting out because instead of the Air Force realizing we only have a small number of cyber troops and we need to to develop more in a correct albeit slow manner, we've labeled everyone cyber and now the people with skills have a hard time getting into the right jobs. They can serve national defense more easily outside of the Air Force in many instances. That is a huge failure on the Air Force's part.

I'm deviating from your initial point/question but it's just to show that there are so many issues. And we won't really be able to figure them out or determine what is or is not possible because the community does not exist. It's not possible to try to solve any of these issues though without establishing an actual cyber community as well as a realistic way of identifying them. From there that community can figure out the way forward.