Protecting Operations in the Indo-Pacific
The U.S. Pacific Air Forces (PACAF) sees firsthand the actions of China in the Indo-Pacific region. To protect its dispersed operations across the vast region that includes 100 million square miles, PACAF is implementing a zero-trust architecture (ZTA) Pathfinder effort in May 2023, featuring cloud native access point, or CNAP, and other zero-trust capabilities as a way to replace its existing wide-area network.
The ZTA capabilities will allow PACAF to perform cybersecurity in “a fundamentally different way” than ever before, reported Col. Donald “Thunder” Cloud, USAF, deputy director, Cyberspace Operations and Warfighting Communications, Pacific Air Forces. The network-centric cybersecurity and defense capabilities PACAF has in place today “are insufficient” against China.
“The Hickam pilot we’re working on is basically a zero-trust gateway and an OCONUS [outside of the continental United States] cloud native access point,” Col. Cloud explained. “If all goes well, the intent is that these zero-trust gateways will replace our wide area network that we have in theater for all our main bases. They will enable us to connect our deployed forces at the edge on these islands and spokes out there to the broader enterprise. And [it will] allow us to do that where we can also continue to move data to the warfighters, getting them the information they need to fight. At the same time, we can prevent or interfere with or hinder China’s ability to get after that data as well.”
At first, the PACAF Zero Trust Pathfinder is centered on the Non-classified Internet Protocol Router Network, or NIPRNet, but since most of their fighting information is classified, PACAF will add the zero-trust gateway and CNAP capabilities onto the secret version, SIPRNet [Secure Internet Protocol Router Network]—with the NIPR Pathfinder “setting the conditions for the SIPR Pathfinders so we can go faster on that side,” the colonel said.
“The why behind all of this is China, China, China, and what are we doing for this in the theater so that we, PACAF and the United States Air Force can present a credible deterrent against China in competition,” Col. Cloud explained. “As you are aware, China has a lot of capabilities. They have modernized their navy, their army, their air force with fifth-gen [generation aircraft], and they have one of the most advanced cyberspace forces on the planet. ... We have to be prepared with capabilities to fight China, and zero trust becomes a foundational piece of this.”
Over the last two years, the Air Force has led the development of ZTA and concepts, with several early pilot programs, including at Patrick Space Force Base, Florida, for ZTA applied to the launch environment in support of eastern launch range activity at Kennedy Space Center and at Beale Air Force Base, California, for a base-wide enterprise application of ZTA. PACAF has unique ZTA needs compared to a CONUS base or launch range, the colonel stated.
“The biggest thing that makes us different is that we have to operate dispersed in a very wide swath of territory, and we have to do that in the face of China, which offers a very, very credible offensive cyber capability to try to steal our data and know what we’re doing and then hold at risk U.S. military assets and personnel and also hold at risk the missions for us to deter and/or defeat them,” he said.
The components of the CNAP/zero-trust gateway that PACAF is using include network infrastructure, a so-called application gateway—or app gate—and network microsegmentation.
“The app gate is a capability that allows us to connect our users who are going to use and access data,” the colonel noted. “[The microsegmentation piece] from Illumio—and I’m not favoring any particular vendors—allows us to segment our users and our networks, more than we do now, to a much more refined level. These three things will actually allow us to do something that we cannot do today. We will be able to bring more granularity to granting users access to the data they need from anywhere connected to the cloud, and we will be able to extend the cloud to the theater OCONUS to grant them access.”
The principal idea is to establish role-based access to Air Force data no matter where the information is located globally. The microsegmentation component will separate aspects of their networks “into smaller chunks,” granting access to data that lies in particular data centers.
“We will be able to tell if someone’s trying to steal that data, which is a hard thing for us to do today,” Col. Cloud said. “We’re almost like playing whack-a-mole right now and this will actually allow us to look at protecting our data like how the adversary looks at us when they’re trying to steal our data.”
So far, PACAF has installed some of the necessary equipment and applications for the ZTA Pathfinder pilot, and they expect to have the NIPR CNAP in a box at Hickam fully up and running by May. “We still have some work to do to get these things going,” the colonel said. “Yes, this is going slower than I would like. But we’re also learning a lot of lessons that will save time later because this isn’t just about the Hickam Pathfinder. This is about [testing] in field conditions. This capability will inform the entire Air Force what to do service-wide.”
Col. Cloud and his team have identified about 200 test users to “really flesh these capabilities out.” The testers are a mix of airmen from Hickam in roles involved in generating combat power forward, including command and control, logistics and munitions.
In addition to the zero-trust effort, PACAF is pursuing two other Pathfinder efforts: the Edge Connect Pathfinder and the Data Fabric Pathfinder. The Edge Connect effort will enable PACAF to conduct agile combat employment—moving, on short notice, combat air forces to many small locations across the vast theater.
“These are the three legs of a stool that are part of a cloud-based data enterprise that we’re trying to build in this theater that allows us to securely move data anywhere from the cloud back in the United States, all the way to the tactical edge,” Col. Cloud noted. “Think an island in the middle of the Pacific, 12 fighters [jets] and about 200 airmen, which is everybody from the pilots to the communicators to weapons to fuels and all that, who would then have to generate combat air power. These three pilot programs are critical to the foundation of what we’re building to set the theater so we can actually command and control this force going forward.”
Lastly, leaders at PACAF are watching China closely, especially with the threat of China invading Taiwan. “The bottom line is that we are refocusing to set our theater with capabilities that we need to be able to potentially fight the pacing threat of China,” the colonel emphasized.