The Failing of Air Force Cyber
The U.S. Air Force cyber community is failing for a single fundamental reason: the community does not exist. In 2010, the communications community began to be identified as the cyber community. An operational cyberspace badge was created, and those who previously had been communications professionals now were seen as cyberwarriors. This change did not effectively take into account that cyber and communications are two distinct fields and should be entirely separate communities.
When attempting to identify cyber operators, it is impossible to look at the cyber Air Force specialty codes (AFSCs) as an indicator. In the officer ranks, only a small fraction ever takes part in on-keyboard or operational missions where the effects of cyber are leveraged for exploitation, attack or defense. Yet, all of the personnel wear the badge and identify themselves, some cynically so, as part of the cybercommunity.
This faux community creates problems when trying to identify the personnel needed for a mission. It is a distinct way of thinking and set of skills that enables an operator to target adversary networks or take an active role in defense. As an example, many people consider themselves computer network defense operators and are consulted as such. Yet, often they participate in more of a communications or maintenance role. They establish, maintain and oversee networks. This is a very important role—maybe even more important than a defense operator’s role when done correctly—but it is different. Applying vendor-issued software patches is not defense; it is maintenance.
Cyberdefense uses a variety of different sources and methodologies to mitigate active threats using fields such as incident response, malware analysis, digital forensics or even intelligence-driven defense. Instead of having clear separation between communications and cyber roles, the term cyber is applied to anything that can be remotely justified. The field is plagued with those who want to use the term and community to try to advance their own causes and careers. It is important to remember that even with the best intentions, members who have not participated in cyber operations will have a limited perspective of what is required. Some of the best leaders are not those who take command and usher in new change but instead those who stand out of the way.
Instead of having well-trained analysts who can be identified by their AFSC, the Air Force now has a number of personnel who are called cyber operators but are not. Most do not understand the domain or how to operate within it. By quickly creating this blended community and renaming everything cyber, the Air Force appears to be taking action to defend national security. However, the actual result is difficulty in supplying core training and education useful to the field; finding the people actually wanted as operators; and assigning operators to the right missions. The combination of these three aspects is the most common denominator among cyber operators who are leaving the Air Force. These operators want to have mission satisfaction while being challenged and developed, but because of the lack of a cybercommunity they are more likely to find what they are looking for in civilian jobs.
One of the most important aspects for mission success is properly training and educating the force. When the communications community was directed to transform into the cybercommunity, the mission of the communications field remained. In addition, the majority of communication professionals would never take part in cyber operations or have an on-keyboard mission. So, the education and training developed for the new “cybercommunity” had too much on which to focus. Another byproduct is that this training could not be so technical that communications professionals could not complete it.
A perfect example of this blended communications and cybertraining can be found in the Undergraduate Cyberspace Training (UCT) schoolhouse that all incoming 17D cyberspace officers must complete. The six-month UCT course spends part of its time introducing 17Ds to tactical communications, communications ethos and legality, and other traditional communications training. The rest of the time is spent trying to educate the students on cyber operations and the different skillsets. The instructors who were directed to stand up the course did an amazing job with what they had, but they were asked to complete an impossible task. Out of each class of about 15 students, only two will be selected for an operational cybermission. With only about 15 percent of the students going on to be cyber operators, the material had to be passable and understandable by everyone so the majority of students who go on to communications missions could succeed.
This is not a feasible strategy for providing core technical training to an operational cyberforce. If two distinct communities existed, the communications personnel could take material that is most relevant to their profession. This would allow the cyberpersonnel to spend their entire training time focusing on skills the nation needs. Additionally, cybertraining could be extended to cover more core skills that give hands-on experience to more technically challenging and advanced skillsets. Instead, cyber operators that come out of training are expected to do extensive on-the-job training to gain skills they should have been taught. Proper discussions on what type of education and training is needed after the core training cannot be held, because the core training does not provide the skills it should. From this flaw all other training programs for cyber operators are affected.
After training, cyberspace officers are given operational cyberspace badges. These badges, or cyberwings, can be earned through the six-month course or a transition course. The considerably shorter online transition course allows personnel of different AFSCs to wear the badge if they are in a cyberspace-related job, but in reality most of those jobs are communications missions. The course gives only the most basic understanding of terminology and does not develop, train or test cyber-related skills. Not only is the AFSC not a good identifier of a cyber operator, but neither is the cyberspace badge. With this in mind, leaders have discussed ideas for giving special experience identifiers (SEIs) to personnel with specialized cyberskills. But, because of the flaws in identifying personnel with relation to their AFSC or badge, the SEI then becomes a detractor. An SEI is not a proper method for identifying an entire community. The SEI further separates out personnel and makes it harder for talented analysts to end up in jobs for which they do not have the SEI but may have the passion and aptitude to excel.
In readying mission tasking and filling cybermission needs from organizations such as the combatant commands and the intelligence community, the Air Force cannot succeed. The teams that are established to deal with national level problems cannot gain access to properly trained and easily identifiable personnel. This results in a personality-driven team that gets its start because a commander knows someone he or she believes could do the job. Using name requests for personnel to operate and lead all cybermissions is not sustainable on a large scale and over time. When leaders who are chosen for command look to staff their teams, they do not know where to begin because the mission tasking was designed for a community that already should be trained and identified.
National cyberteams, especially at combatant commands, are stood up with the expectation that the military services have accomplished their main function with regards to the troops: organize, train and equip. In this regard the Air Force has not met mission success. Other organizations such as the U.S. Cyber Command can attempt to provide additional training, but it is ineffective when built off the core training currently available. The Air Force’s role in these national cyberteams will fail from the lack of a cybercommunity.
The personnel in charge who are making decisions to try to fix these issues are neither complacent nor incompetent. Men and women at every rank are trying to help the Air Force understand and succeed in cyberspace. However, no good ideas can be generated and implemented to ensure the securing of the cyberspace domain when all the ideas are created from a fundamentally flawed origin. Yet, there is an ability to change this flawed start.
If the Air Force is willing to split the communications and cyber communities, then the men and women in each who serve honorably will be able to establish ways forward. Cyber cannot be a buzzword that is used to obtain larger portions of the budget or secure contracts. Cyber must be a term that belongs to a specific community that is truly operational. Cyber must be its own community and have its own leaders. Those who say cyberpersonnel are too technical to lead their own are only trying to find a way to stay relevant in a domain they do not understand. Leaders will rise through the ranks as they always have; it is not a quality of any specific career field but of the professionalism of the armed forces.
Many men and women in the U.S. Air Force are ready to answer their nation’s call, to readily advance their skills, and to secure the cyberspace domain. It is only by accepting the need for a different approach that the communications community can return to its roots and the cybercommunity can begin to grow in its own right. A true cybercommunity and culture will see the development of leaders, innovators, educators, operators and the type of passionate people required to respond to the nation’s adversaries. The Air Force stands in a prime position to allow this cyberculture to develop and lead the way forward. Otherwise, with the passage of time, the Air Force very well may be known not for its mastery and securing of the aerial domain but instead for its failure in the cyber realm.
1st Lt. Robert M. Lee, USAF, is a flight commander and national-level cyberteam lead at an intelligence squadron in Germany working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency. The views expressed by him in this article do not constitute an endorsement by, or opinion of, the U.S. Air Force or the U.S. Department of Defense.