Zero Trust Is Key Enabler of Air Force’s Agile Combat Employment
The service’s move to send groups of multicapable airmen in an agile, dispersed manner from main operating bases will be supported by the emerging cybersecurity measure.
Led by the Air Combat Command, the U.S. Air Force is pursuing zero-trust architecture on a level not seen before. One of the service’s first main use cases applies the cybersecurity measure to the agile combat employment (ACE). ACE operations provide a more lean, agile and lethal force that can generate airpower from multiple locations. ACE requires a different kind of command and control (C2) environment, as well as advanced planning concepts and logistical supply line support. Zero-trust architecture is the key underpinning for this ACE effort, leaders say.
“The objectives that we describe as we are implementing zero trust is that we are trying to achieve freedom of movement across our warfighters, giving them the flexibility to operate from anywhere and anytime, regardless of their conditions or network or their location,” said Stephen Haselhorst, chief technology officer at Air Combat Command’s (ACC’s) Directorate of Cyberspace and Information Dominance (A6), who is leading the Air Force’s pursuit of zero-trust architecture. “Agile combat employment is one of our main use cases that we absolutely have on the forefront to provide [zero-trust architecture] capabilities to.” Haselhorst is also dual hatted as the Air Force’s zero-trust task force lead.
“The Air Force defines zero trust as a data and application access strategy that assumes all resource requests originate from an untrusted source,” added Frank Hudson, Pacific Air Forces chief technology and data officer. “Access is granted for each request only after confidence, in both the user and device, is established through identity verification and connection context attributes. Zero trust addresses the limitations of traditional perimeter-based defenses while enabling broad, secure access of data outside of the perimeter. It gives airmen the freedom to operate and access data and resources from anywhere and anytime.”
To confront the threats of near-peer adversaries in a contested environment, the Air Force developed the ACE concept of shifting operational-level forces into smaller, tactical-level forces. In 2019, the service began looking at how to engage these small groups of multifunctional airmen to increase capabilities in the Indo-Pacific region, through the Pacific Air Forces, and then spread the concept to its European operations, led by Air Forces in Europe (USAFE). In 2020, the commanders of the two regions signed an ACE concept of operations, or CONOP, that they are implementing, with the goal of bringing it to the greater Air Force.
“PACAF and USAFE collaborate on developing ACE concepts on a weekly basis,” explained Lt. Col. Brant Reilly, USAF, Pacific Air Forces ACE team lead. “While COVID-19 has limited some in-person work, collaboration is ongoing this month during Pacific Iron where USAFE service members will observe ACC and PACAF forces conducting simulated combat-related dispersal operations to develop tactics, techniques and procedures for real-world operations.”
In order to support ACE, the Air Force has advanced multicapable airmen (MCA), trained in other areas besides their traditional billet duty, outside of their assigned Air Force specialty codes. Last year, the service initially tested ACE at various military exercises. This year, it has expanded its ACE training and operations in conjunction with U.S. Combatant Commands—such as Indo-Pacific Command—allies, and partners—such as Japan—at various U.S.-based or multinational exercises, including: Cope North 2021 in February, Arctic Gold 21-2 in April, Northern Edge 2021 in May in Alaska and Pacific Iron in July. Air Force wings around the Pacific theater also are conducting ACE events, according to the Pacific Air Forces.
“Pacific Iron is a dynamic force employment [exercise] to project forces into the U.S. Indo-Pacific Command area of responsibility, demonstrating ACE concepts such as deploying, operating, maneuvering, sustaining and generating forces from smaller and dispersed bases,” explained a Pacific Air Forces Public Affairs spokesperson. “Pacific Air Forces planned and exercised ACE elements during Northern Edge 2021 in Alaska, which was designed to provide high-end, realistic warfighter training, develop and improve joint interoperability, and enhance the combat readiness of participating forces.”
Improved cybersecurity measures are needed to support such agile operations, a role that zero-trust architecture is meant to fill, the leaders said. “Another objective is to impose costs on the adversaries,” Haselhorst shared. “Adversaries today have a lot of freedom of movement within our networks, whether that is Air Force networks or other commercial networks. The castle and moat perimeter model has failed and allows operator or adversaries to operate inside of our networks undetected. Through zero trust, we are changing that model radically.”
“Zero trust is the foundation to building a resilient responsive network architecture that can federate with joint forces, allies and partners, giving airmen the ability to maneuver quickly and connect to data sources seamlessly across the globe,” Hudson stated. “It is an enabler to the Air Force’s vision of agile combat employment.”
By implementing micro segmentation strategies, attribute-based access controls, validation of the health and status of systems connecting in any environment, and other zero trust architecture components, the cybersecurity measure will give airmen performing ACE operations peace of mind in conducting their dispersed missions.
“The way we achieve freedom of movement is because we don't trust any connection,” Haselhorst said. “We don't trust any device. That is the premise of zero trust. We're going to validate every single connection the same way, and continuously monitor and analyze that connection throughout the life of that connection. Because of that, it no longer matters if you're connecting from an on-premise network or off-premise. That means that I can now give you the same level of access whether you are local or remote, in an expeditionary environment and even a contended environment. We will be able to provide you the same level of access regardless of your location, and that's a big thing.”
Moreover, the cybersecurity measure will enable airmen conducting ACE the flexibility to use all sorts of communications, computing or networking equipment. “That identity and the health and status of the systems that are connecting—whether it is your government-furnished equipment, laptop, or other device—combined with other external factors, make up that trust core, and that's what allows us to give access to a resource, anywhere, at any time,” Haselhorst noted.
Looking forward to fiscal year 22, the Pacific Air Forces will continue to work with the ACC on the command’s “significant” pilot programs that are designed to validate the service’s zero-trust architecture, Hudson confirmed. “We will continue to experiment in order to institutionalize zero trust as quickly and effectively as possible,” he said. “Lastly, PACAF looks to advance together by learning from one another about what technologies work, what strategy works, and what architecture best fits a particular mission.”
This article is SIGNAL Magazine's second piece in a series about the U.S. Air Force's significant expansion into zero-trust architecture. The first article, Air Force Greatly Widens the Aperture on Zero Trust, examines ACC's 18-month plan to implement zero trust and its comprehensive view to employ the cybersecurity measure across its bases, weapon systems and missions.