
Air Force Cyber Mission Defense Teams 2.0: An Evolving Concept

The service is considering how to protect its most vital assets in the face of great power competition.

As the U.S. Air Force evolves to operate in a near-peer environment, with adversaries such as China, and more broadly, Russia, North Korea and Iran, leaders are considering the role of cyber defenders. For the last year or so, the Department of the Air Force, or DAF, has been examining how to best position its mission defense teams (MDTs) for the future. 

The MDT program, established in 2015, is ready for its next evolution, leaders say. Over the last eight years, the service’s Air Combat Command (ACC) put in place the defensive cyber teams to protect Air Force weapon systems, offering a more targeted approach to persistent cyber defense than before, protecting the service’s most important warfighting components, such as an F-22 or an F-35, or key infrastructure like an air operations center, distributed common ground system or weather data. 

The service also implemented a common weapon system and command-and-control structure for MDT operations. It added formal training at two bases, Little Rock and McGhee Tyson, supported by total force partners from the Air Force Reserve and Air National Guard. A cloud-based structure also gave the MDTs access to agile code that could be tailored for particular weapons systems. The effort also pulled the MDT cybersecurity professionals, weapons systems maintainers and operators together as they built protections.

To meet the challenges of operating in distributed, contested environments against near-peer adversaries, however, the Air Force must redevelop the setup of the MDTs. One concept that the DAF is considering is more of a “tiered” MDT construct, said Maj. Gen. David Snoddy, USAF, the assistant deputy chief of staff for Cyber Effects Operations (AF A2/6), who is responsible for the development of more than 36,000 cyber warriors and integrating the service’s air and cyber effects. This means a more complex structure than protecting the Air Force Network (AFNET) and other infrastructure, Gen. Snoddy said, speaking December 14 at the AFCEA Northern Virginia Chapter’s annual Air Force Information Technology day held in Crystal City, Virginia.

“We are not quite there yet, but the vision is to reach the point where we can do some tiered defense,” he said. “We will have an enterprise view, but we should also be able to have more localized views. We will require a broader structure.”

For Gen. Snoddy, who has spent his career in cyber defense, the shift requires resources and an integrated structure that can protect the complex operations of the service. “[When] you have an installation that has an F-35 assigned to it, how effective is that one installation going to be at defending the F-35 mission?” he considered. “Especially when the actual thing that ties the F-35 together is Atlas, which is a network system that exists in multiple Air Force installations, but all consolidates in one Air Force installation and then connects to a contractor. And [what about] all that data then flows to that? It is a very complex [environment] and having one mission defense team scattered across several bases cannot fully defend that architecture. So, the evolving version of that concept is, ‘Let's put people out there, let's get the resources to put subject matter experts at these installations that will help us analyze that mission relevant terrain in cyberspace to map out where we need a sensor.’ And what should we be looking for, frankly? What should we be protecting? And then that data from those [cybersecurity] sensors as we place them over time, will aggregate up.” 

That type of integrated cybersecurity sensor environment would also mean relying on modern-day data platforms to a greater extent, such as the 16th Air Force's (AFCYBER) ELIXIR big data environment.

“Across the service’s six big data platforms obviously there's been many successes, but the one closest to my heart is ELIXIR,” Gen. Snoddy said. “That is 16th Air Force’s cybersecurity big data platform and is how we maintain enterprise level data. We can actually query against that data as enterprise to look for adversarial [cyber] activity. We have big data scientists, whether they be from the industry or inside the department or otherwise, that have helped develop ways to query against that data. We look for anomalous activity that can clue us in to adversary activity that we frankly could never see on an installation-by-installation basis before.”

Leaders are working with Wanda T. Jones-Heath, the DAF’s principal cyber advisor for the U.S. Air Force and U.S. Space Force, and other leaders to delve into the considerations of the MDT construct, Gen. Snoddy indicated. Jones-Heath is responsible for overseeing cyberspace recruitment, for the resourcing and training of cyber mission forces, related acquisition, cybersecurity supply chain risk management and the security of information systems and weapon systems. 

“With the help of Dr. Jones-Heath and the [Secretary of the Air Force] team, and the Air Combat Command and our own staff and others, there's been an evolving concept for how the Air Force is going to do cybersecurity and defense, that is, frankly, more built on things like the ELIXIR Big Data platform for the cyber community,” he noted.

Lastly, Gen. Snoddy acknowledged that the MDT concept fit past needs and that it would take time to change what was put in place. “The 16th Air Force, Air Force Cyber, defends the Air Force's portion of the DODIN [Department of Defense Information Network],” he said. “[When that began] not that many years ago, that was a very difficult challenge. It was done on an installation-by-installation standpoint. ... With the mission defense teams, the MDTs, that is a path we started going down a number of years ago. We have advanced since then, but we still have room to grow. That mission defense team construct was an answer to [the challenges from] a number of years ago.”
