Spotlight On General Shelton @ The 2013 AFCEA Symposium
Air Force Space Command and its role in the cyberspace business

This transcript of General Shelton’s remarks is courtesy of the Armed Forces Communications Electronics Association (AFCEA); the remarks were presented at the 2013 AFCEA Symposium. General Shelton is the Commander, Air Force Space Command.

Thanks for the kind introduction. I’ve been looking forward to speaking with this group again this year—and if any of you have some influence in Washington, can you please get this budget thing fixed?

I think, as you know, there are a lot of pressures on all of us to try to make some really tough decisions without a whole lot of good information. I have no idea what this fiscal year is going to look like for the rest of this year, much less what FY14, ‘15 and beyond are going to look like. How in the world do we execute modernization and sustainment of our national security assets in an environment like this? I know it’s just as irritating to all of you as it is to me.

Lewis Carroll wrote in Alice in Wonderland, “If you don’t know where you are going, any road will take you there.” These days, I feel like we’re in Wonderland. We’re on a lot of different roads right now. Frankly, we’re trying to prudently cover all our bets because we don’t know what the environment’s going to be. But you didn’t invite me here to talk about the sorry state of affairs in our budget situation. Rather, I’d rather talk about Air Force Space Command and our role in the cyberspace business.

Let’s first cover a few ‘givens.’ I think most people today understand that cyber clearly underpins the full spectrum of military operations, including planning, employment, monitoring, and assessment capabilities. I can’t think of a single military operation that is not enabled by cyber. Every major military weapon system, command and control system, communications path, intelligence sensor, processing and dissemination functions—they all have critical cyber components.

Now, as immature as we are in our work in cyber, already it’s clear that it’s a critical enabler for all military operations. It is deeply embedded in the other Air Force domains of air and space, and it provides an integrating connection between domains and missions. And, as such, the Air Force recognizes we had better get our arms around this domain—and soon.

To that end, the Secretary and the Chief have charged me with being the single commander responsible not only for operation, maintenance, sustainment and defense of the Air Force Networks, but also with developing, fielding, and employing operationally relevant cyber capabilities and effects. Bottom line: The buck starts and stops with me and my Command.

Now, you might remember, last year at this time, I gave myself an “F” as the lead for cyber in the Air Force. Since then, we’ve made what I consider to be some impressive progress—that’s the good news, which I’ll describe soon.

The real challenge is, though, there’s so much more work to be done. Back in 2009 when we began the concentrated cyber effort within the Air Force we didn’t get it right the first time. That’s why we are aggressively re-evaluating our roles and authorities as we speak. We’re taking a microscopic view on exactly how and why we’re doing ‘all things cyber.’

We’re reviewing every piece and part of cyber to assess its proper home; what piece is operational versus what part is considered infrastructure, and where do those responsibilities properly fit in the current Air Force organizational structure.

We’re reviewing the operational impacts and costs of merging with DoD programs like the Joint Information Environment and DISA’s Defense Enterprise Email. And we’re thinking about whether we should outsource entire capabilities to industry where exceptional, secure capabilities already exist.

Priority And Guiding Principle
Our overarching priority, of course, and therefore our guiding principle, must be on providing the best support to the warfighter—cognizant of operational effect, cyber security, and costs. We’re taking these challenges head-on and as a Command, we’re moving out.

But full disclosure here, not everything is moving as fast as I’d like. For example, we thought we’d be done at the end of this fiscal year with our AFNet migration project, driving toward a single, centrally-managed, homogeneous and defensible enterprise. Hiccups occurred, we needed more money, and the schedule lengthened; certainly not the path we’d projected. We now anticipate completing the migration midway through FY14.

We’ve learned from the mistakes that led to the fits and starts, and we’ve begun to change a cultural mindset from one of, “it must be invented here,” to one of innovation based on partnerships.

We understand our AF networks like never before; we’re better able to implement new capabilities across the entire spectrum of operational cyber. And it’s our considerable task to take those lessons and implement new cyber capabilities on operationally relevant timelines. Those must be, in fact, “lessons learned” and not just lessons observed—it’s doubtful we’ll have the luxury of making the same mistakes twice in the future.

So, even though the AFNet project is late, there are some things to brag about. But, before I cover those successes, I’d like to provide an overview of some key next steps that I’ve recently discussed with the Air Force senior leadership. We’ll focus on some technologies, organizations, structure and policy, financial, and related keys to formulating the next wave of successes.

Translating A Vision
We’re working hard to translate our vision for Air Force cyber operations into reality. Our first responsibility has been to develop an Air Force vision that is based in realism in the cyber domain—a domain that is incredibly dynamic, evolving at speeds and in ways that we couldn’t imagine just a few short years ago. For a technology-based Service like the Air Force, which is so dependent on cyber, it’s only logical that we commit ourselves to maintaining the edge over potential adversaries. And we should be comfortable with speedy evolution, and technological innovation; after all, that has been our birthright in the Air Force since our beginnings in air and space and it has to be the way we act in cyberspace as well.

But that’s the easy part—the commitment. The “how” is the hard part.

Machiavelli wrote: “There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of new things.”

From that quote, we can assume he was an observer of the real world, and we have been working diligently to introduce this new order of things within the Air Force very deliberately and very methodically. Now, don’t confuse being deliberate and methodical with being slow. We have several initiatives underway that leverage new technologies and challenge the traditional ways we acquire and operate in this domain.

Now, as I look at this new order, we face some additional challenges in a clearly decreasing budget environment:

• The availability and retention of qualified and proficient cyber professionals;
• Organizing staff functions to provide adequate oversight,
• Management of roles and responsibilities; mundane, yes, but critical to an Enterprise, game-changing approach to a game-changing domain,
• Establishing responsive acquisition activities that produce capabilities on much shorter timelines; and finally,
• Overcoming cultural challenges accompanying the faulty assumption by many that all data and information is trustworthy and actionable.

And, these needs and challenges come together in an age where precision engagement and battlefield success in all Air Force core functions requires larger amounts of higher quality information in shorter periods of time. We must assure access to required information and freedom of action to create desired cyber effects at a time and place of our choosing to meet the Combatant Commander’s requirements anywhere, anytime, while denying the same abilities to our adversaries.

The Air Force currently operates 21 Air Force networks; we have 840,000 users. There are 1.9 million computing devices and we spend about $40 million annually to clean up cyber-related attacks on our information infrastructure. This may not make us the most complex enterprise in the world, but it’s got to be up there among the most.

Therefore, we’ve embraced the idea that “Enterprise” means providing a consistent template upon which to maximize effectiveness while inherently providing efficiencies of scale, cost, and use.

We certainly don’t have all the answers yet, but we’re clearly leading the effort to make these overarching concepts military realities. To ensure progress toward our objectives, we are aggressively managing our oversight roles and responsibilities to provide focus to Air Force cyber efforts.

So, in that vein, let me talk about standardization a bit. It’s imperative that we not continue “one-off” implementations. How many times over the years have individual units used what we would call “county options” to purchase technology, then not optimize what is installed, or even worse, not use it at all?

You all know what I’m talking about... and this practice has just got to stop.

We’ll work on standard architectures and standard operational processes, but we’ll all need to be vigilant against that “I’ve got a great idea” implementation mentality at Base X or Command Y... and that’s the least we can do for our Air Force and our taxpayers to maximize available economies of scale. To that end, all of our efforts are based on that “Enterprise” approach... that’s the way we view our AFNet and that’s the way we will present our capabilities as a Service to the Joint arena.

Since the Air Force and the DoD started down the path of establishing cyberspace, we’ve been challenged to clearly articulate what’s cyber, what’s IT, and what are communications and information. Definitions in DoD, Joint and even Air Force policy can be interpreted in multiple ways leading to confusion, duplication, and unnecessary work. With the pace of change, the ops tempo, the threats associated with cyber, and our constrained resources, we must have clear definitions which will then allow us to define who’s doing what in cyber and IT to make sure we are all pulling together and working toward the same end-state.

I have my staff doing a thorough review starting with what does law, like Clinger Cohen, say about IT and cyber? From there we are going to come up with definitions that clearly articulate... well, this is cyber because it falls within the realm of warfighting weapon systems... this is IT because it is a business system application... this is communications because it is a telephone or postal service.

Definition Of My Role For The Air Force
This also will help us better define what’s in my role as the Cyberspace Superiority Core Function Lead Integrator for the Air Force vs. what belongs in my role as the Lead Major Command within the Air Force for cyberspace.

Closely coupled with this effort is a lanes-in-the-road dialog, both internal to my staff and with external organizations like the Air Force A3/5 and A8 staffs, as well as Lieutenant General Mike Basla’s SAF A6/CIO organization. And, we’re not forgetting that a significant part of the role of Core Function Lead Integrator will be to facilitate partnering with industry, academia, other services, allies and friends to ensure a robust, defensible network enterprise.

Very recently, I published an AFNET Commander’s Intent. While normally commander’s intents are focused on purpose, desired end state, and key activities required to achieve that end state, I went further to also define the AFNET. I have to admit there is not unanimous consent to this definition, but for the sake of progress, this is how we’re going to refer to the AFNET from this point forward. The definition is also the foundational building block that will drive decisions across all communities, systems, and functional areas. Our next steps will be to provide an additional level of detail to inform our architecture work from the “As-is” to the “To-be” to the “Should-be.”

My A5 is leading the AFNET “As-is” Architecture work and we will have that complete by the end of this month. In concert with our programming efforts, we’ll be developing the “To-be” Architecture, which will be done by the end of the month also. Together, these architectures will help us understand where the gaps in capabilities and resources lie. We’re also developing standard, expected levels of service. We owe it to the Common Computing Environments, missions, and business systems what levels of service they should expect.

In parallel, we’re going to identify what we expect of these programs and systems. To connect to the AFNET, users will comply with these standards and waivers will be the exception, not the rule. While there are many more activities outlined in the Commander’s Intent, in the interest of time, I’ll ask you to read the document for yourselves and partner with us toward that desired end state. Over the next few months, we will be releasing more foundational guidance documents to ensure all of us are on the same page and these will range across the spectrum of capabilities, networks and classifications.

I’ve set up a Cyber Working Group to identify, monitor, and execute these key steps. While I’m normally not a fan of management by committee, the breadth and depth of our work demands a broad approach, and they are updating me weekly with their progress.

Good Reports From Cyber Acquisitions
Let me now shift to some outstanding work going on in cyber acquisitions. We’ve set up a Cyber Solutions Cell with the Air Force Life Cycle Management Center and the 688th Information Operations Wing folks at Lackland AFB. These are our 9-1-1 agencies to rapidly acquire cyber capabilities in response to warfighter needs. We have a really good mix of operators and engineers working together to identify and close gaps in the cyber domain—sometimes within hours.

These operations and acquisition teams are dedicated to making sure the operational needs generated by the move-countermove nature of the contested cyber environment are developed, tested, and fielded in a timely fashion.

Across the Air Force we’re seeing increased awareness of the need for new cyber-related capabilities and operational concepts which will materially improve the ability to employ forces across the range of military options. And, as Lead MAJCOM for cyber, we’re chartered to make those tough decisions as to which great idea or solution is the best for the mission. Developing an enterprise architecture with adaptable, controllable, and defensible attributes requires an achievable and enforced set of standards, clarity in organization, and well-defined authority, roles, responsibilities, and accountability.

Within the Air Force, and within the DoD as a whole, we will require that the capabilities and effects are developed, tested, fielded, and employed by proficient acquirers, developers, and operators. We will make sure they are proficient in those skills. Functional systems and Program Management Offices will conform to the standards as outlined in law and in our guidance documents. Wondering how to get a waiver to avoid conforming shouldn’t be a manager’s first impulse. Some may consider this a bit “draconian,” but it’s how we will ensure security and efficiency of AFNET for its operations.

We’ll develop a requirements framework in which cyber capabilities and effects can be integrated into other core functions, services, and agencies. To that end, we’re developing roadmaps for Offensive Cyber Operations, Defensive Cyber Operations, and Defense Information Network Operations mission areas. These roadmaps will provide a template from which to examine the various cyber capabilities as they are associated with mission area requirements, the related programmatics and corresponding sustainment or modernization of those capabilities.

We’re doing this with an eye toward making investment and divestment recommendations while providing transparency to major stakeholders such as the other Major Commands across the Air Force. Over time, as policies and procedures evolve, we foresee cyber-related capabilities and effects integrated wholly with kinetic capabilities to maximize success during employment.

Giving Our Airmen More Operational Guidance
Until very recently, some of our 24th Air Force Airmen were a little bit confused about what was expected of them because we had not provided them with the operational guidance needed to accomplish their missions. We’ve moved aggressively to address that shortfall by publishing four guidance memorandums within the last year - for Combat Comm Employment, one for Operations and Training, and one for Standardization/Evaluation. And now our IG is inspecting our units against those standards.

Another measure we’ve taken to address standardization is the establishment of cyber weapon system teams. This will operationalize and normalize our capabilities similar to Air Force weapon systems in the other domains. These weapon system teams are addressing equipment baselines, sustainment, training, follow-on development, funding, and fielding. All of these initiatives provide the structure and discipline we must have to enhance our combat capability and integrate cyber effects across all warfighting domains.

As we consider current technology, I think we can do a better job of making our Airmen more productive by furthering the use of Commercial Mobile Technologies. The DoD has explored using expanded mobile technology for a number of years. It’s time to move out on this, and we have—in a coordinated effort throughout the federal government, with the Defense Information Systems Agency, and with the National Security Agency. We’re taking advantage of the fast-moving commercial market, in concert with the added security and functionality needed for Air Force users.

In fact, we are going operational with AF capabilities to extend mobile solutions to Air Mobility Command, Global Strike Command, Air Education and Training Command, Air Combat Command, Air Force Special Operations Command, and of course, Air Force Space Command. A great example of this is our direct support to the Mobility Air Forces and their Electronic Flight Bag—true innovation to decrease operating costs while providing much more up-to-date information in the cockpit.

Hand-in-hand with mobility is getting away from our traditional way of presenting IT by being connected to jacks and wall outlets and being bound to desks. Our Group at Tinker AFB is piloting a wireless-only capability that we expect to roll out in the future, aimed at extending the network reach of our Airmen to edges of the flight line, or to the inside of a security police patrol car. So as you can see, we’ll become more efficient and more connected across the board.

While I won’t belabor my previous comments on our economic situation, I would like to address a related topic on financing the costs of DoD IT Enterprise Services. A particular focus of mine over the next few months will be the utilization of commercial constructs and reduction of costs in areas such as long-haul communications. As we move to more enterprise services, we must address the speed, agility, and pricing that the scale of commercial services brings. The DoD is making progress with commercial cloud services, as an example, but it’s simply not fast enough.

Innovate To Save Financially
We need to do more and leverage the billions in R&D and security that the banks and credit card companies have made, especially for unclassified services. Also, the commercial IP capabilities across all communications are driving capability up and costs down. Meanwhile, our AF bills continue to rise. We’ve got to address these trends, but we won’t have the ability to spend to save—instead, we’ll have to innovate.

No cyber-related speech these days would be complete without some reference to JIE, the Joint Information Environment. I’ll be the first to admit, I have some reservations on JIE. While I understand and agree with the overall objectives, the devil’s clearly in the details and we have significant work ahead to truly realize the JIE vision at affordable costs.

We are committed to providing the expertise of the Air Force’s AFNet experts, our network defense operators, and our acquisition professionals. We’ve already invested thousands of engineering man-hours to the effort—the best and brightest in our Air Force. They are deeply involved in the potential changes to how we will protect and defend our networks. We must do this right the first time and we must continue to emphasize mission assurance in our cyber defense posture.

Successes In Reduction Of Adversary Entry Points
I mentioned earlier that I’d end on some successes... successes that make me particularly proud. By reducing the number of Internet gateways over the past two years, we’ve reduced the attack surface—the number of potential adversary entry points—from 144 entry points to just 16, along with gaining better focus, generating fewer holes, and achieving greater visibility into network operations.

The Command has leveraged expertise at three different squadrons in Major General Suzanne Vautrinot’s 24th Air Force to change and improve network defense tradecraft. Our operators are now using a more focused model of examining known threats instead of a scattergun “defend against everything” type of approach.

There is much improved integration between 24th Air Force defensive units and the Air Force ISR Agency cyber support which we’ve accomplished by collocating crews to achieve maximum communication and mutual support.

Network operators can now “deny by default,” closing ports and potential entry points into the network to IP addresses and locations that traditionally have either shown mischief or have shown no value to Air Force users.

We’ve added interactive sensors and automated processing, so our analysts are freed up to work problems vice spending time finding problems, and this has led to a much greater increase in high-confidence forensics and heuristics analysis. That said, not every malicious actor is caught at the gateways. In fact, many are caught by defensive capabilities within the network, with rule sets that are created by proficient Airmen who now have greater freedom to do the analysis required.

As always, it’s our professional Airmen who rise to the occasion, and I’m proud to say that some 60 percent of all rule sets created for DoD defensive tools are generated by innovative Airmen within the 24th Air Force. Those same Airmen, by the way, are leading efforts to create defensive schemes for the Joint Information Environment; truly, when it comes to defense of cyber networks in the military, when 24th AF Airmen speak, people are listening to them.

These improvements in our cyber defensive posture aren’t trivial, even though they don’t have the cachet of offensive cyber capabilities, but they represent some of the best ways that automation, innovation, and partnership have led to a much more effective enterprise approach to protecting our information.

We’re Not Done
But we’re not done... there are some other things we must continue to get after such as providing cyber overwatch of our Air Force’s global air, space, and cyber missions.

Just as an example, in 2012, our 24th Air Force operators provided support for more than 4,000 Remotely Piloted Aircraft sorties worldwide, executed 4,000+ computer network exploitation missions against 10,000+ national priority targets and supported 100 IED neutralization missions in Afghanistan. That’s truly direct support to the Joint team.

The challenges presented by the cyber domain are new and in many cases unique. However, much like nuclear deterrence, air superiority, and other airpower “centers of gravity,” the Air Force will be successful in developing, fielding, operating, and maintaining operational capabilities representing the cyber “center of gravity.”

Success requires clarity in organization, authority and accountability, and while we’re still ironing out some of the details, make no mistake that the center of gravity for this effort is Air Force Space Command in its role as lead Major Command for cyber.

We’re adopting a building-block approach in which we will make some strategic decisions about which lines of business have priority. We’ll decide what our Airmen need to operate and manage, and what functions or capabilities would be better performed by industry in the private sector. So, as I’ve highlighted today, we’ve made considerable progress over the last year. And, I also discussed areas where we clearly recognize we must improve this year.

What’s my assessment for our grade this year? I’d give us a “C,” and I’m much more confident we’re moving smartly toward achieving excellence in this domain. But I’m impatient—we need to move faster, and our foundational work will enable a faster pace. I thank you for your attention, and thanks again to AFCEA for providing this forum for us.