Recently retired Lt. Gen. William Bender, the Air Force’s former chief information officer, has offered his thoughts on how the service must change to fight and win in the increasingly complex information age.
In “The Cyber Edge: Posturing the US Air Force for the Information Age,” published by the Mitchell Institute for Aerospace Studies, Bender notes that airmen must “think and act differently about how they will face adversaries in 21st century warfare.”
“To manage the risks associated with emerging ‘cyber-contested environments’ the U.S. will face in the future, we must radically transform a litany of decades-old policies, processes and business practices to respond to this completely different world,” he wrote. “Perhaps more importantly, we need to fully embrace cyberspace as an operational domain, and undertake the necessary cultural shift this will entail.”
The nature of the information world — which is heavily reliant on connected networks underpinned by hardware and software — creates unique and inherent vulnerabilities. “While a P-51 [Mustang] would have been impossible to stop through cyber attack, a vastly more capable F-35 is so dependent upon software and IT-enabled support equipment that it could prove less effective in certain scenarios than the Mustang,” Bender wrote, citing the World War II- and Korean War-era fighter plane.
Bender offered four areas in which the service should start to meet these challenges: increase focus on mission assurance; build a future cyberspace force; manage data as a strategic asset; and take measured steps to manage IT services and investments at an enterprise level.
Cybersecurity under the guise of mission assurance was a main talking point of Bender during his previous role as Air Force CIO, a position from which he retired earlier this year. It starts with leadership and extends to every service member, translating to smart cyber hygiene given the interconnectedness of all networks.
Bender noted the Air Force has grouped systems into three categories to help best understand mission assurance:
- IT — cyber and physical systems meant to store and transmit data;
- Operational Technology — cyber and physical systems that control or monitor something in the physical world, such as thermostats or power plants;
- Platforms — aircraft, made up of both IT and OT.
Moreover, under this guise, Bender wrote that not all vulnerabilities are created equal and they must be prioritized based on severity and relationship to the mission. For example, a vulnerability in a command-and-control node is more significant than the same one in a library computer. However,, Bender writes, the service counts vulnerabilities across the organization with little analysis of their impact on mission.
To build a future cyberspace force, the second focus area Bender cites, he mentions the Cyber Squadron Initiative, a program aimed at developing organic cyber defense teams for the Air Force — separate from the cyber mission force the service is building and feeding to Cyber Command — to defend installations.
“The Cyber Squadron Initiative (CS-I) pathfinder effort is changing the culture, mission, operations and organizational structure for cyberspace superiority by providing freedom of maneuver in, thru and from cyberspace,” he writes.
The CS-I will also involve the eventual maturation and employment of offensive cyber capabilities. “It should be noted that another part of CS-I is the cyberspace operations flight — where advancements in OT&E for offensive cyberspace operations generation will occur,” he writes. “The integration of adversary cyberspace activity and threat vulnerabilities will sync up with the air tasking order in wing operation support squadrons.”
However, offensive cyber employment is still governed at the highest levels of government executed and orchestrated through Cyber Command.
Third, Bender said the force must manage data as a strategic asset. “In today’s high-paced and rapidly evolving information environment, having the right information at the right place and time is critical to derive strategic advantages in a competitive, interconnected world,” he wrote. “In short, data is a strategic asset and we need to treat it as such.”
Bender wrote that the Air Force, with no current data management strategy, cannot claim to have the right information at the right place, which has led to data being spread across the force in separate enclaves, making it difficult to manage and leverage. What the Air Force needs, he said, is a data capability that can identify and collect visible data fit for purpose and structure it in a way that makes information accessible. Registering and cataloging data and information will help produce informed decisions, he added.
Bender wrote that one of the best ways to accomplish these tasks is to designate a chief data officer, who would lean an organization capable of managing data for the Air Force at the enterprise level.
This was something Bender pursued. Peter Kim, the Air Force’s CISO, told reporters back in June that Bender, as he was leaving the Air Force, got concurrence from high levels of the Air Force to start moving out on this.
Lastly, Bender notes the Air Force must manage IT services and investments at an enterprise level. “[I]f the Air Force is to transform its cyberspace approach, concerns the need to manage IT at the enterprise level under centralized CIO-led governance,” he wrote. “Private industry considers enterprise IT a business enabler, not a cost to be minimized. When enterprise IT is managed properly it can increase the speed of capability delivery, reduce total costs, improve C2, and enhance security of key mission capabilities. Huge efficiencies are also ready to be realized.”
Given how different the operating environment of cyberspace is to the physical world, the service’s IT needs and acquisition need to reflect those differences.
“Single-purpose ‘stove-piped’ programs, for example, that focus solely on cost, schedule and performance can no longer disregard the contextual attributes of speed, agility and cybersecurity,” Bender said. “A vulnerable system can be the access point needed by an enemy to get to more critical and better-defended systems. Strong cybersecurity requires managing overall risk at the enterprise level.”