Spotlight On General Shelton @ The 2013 AFCEA Symposium
Air Force Space Command and its role in the cyberspace business
This transcript of General Sheltons remarks are courtesy of the Armed Forces Communications Electronics Association (AFCEA) and were presented at the 2013 AFCEA Symposium. General Shelton is the Commander, Air Force Space Command
Thanks for the kind introduction. Ive been looking forward to speaking with this group again this yearand if any of you have some influence in Washington, can you please get this budget thing fixed?
I think, as you know, there are a lot of pressures on all of us to try to make some really tough decisions without a whole lot of good information. I have no idea what this fiscal year is going to look like for the rest of this year, much less what FY14, 15 and beyond are going to look like. How in the world do we execute modernization and sustainment of our national security assets in an environment like this? I know its just as irritating to all of you as it is to me.
Lewis Carroll wrote in Alice in Wonderland, If you dont know where you are going, any road will take you there. These days, I feel like were in Wonderland. Were on a lot of different roads right now. Frankly, were trying to prudently cover all our bets because we dont know what the environments going to be. But you didnt invite me here to talk about the sorry state of affairs in our budget situation. Rather, Id rather talk about Air Force Space Command and our role in the cyberspace business.
Lets first, cover a few givens. I think most people today understand that cyber clearly underpins the full spectrum of military operations, including planning, employment, monitoring, and assessment capabilities. I cant think of a single military operation that is not enabled by cyber. Every major military weapon system, command and control system, communications path, intelligence sensor, processing and dissemination functionsthey all have critical cyber components.
Now, as immature as we are in our work in cyber, already its clear that its a critical enabler for all military operations. It is deeply embedded in the other Air Force domains of air and space, and it provides an integrating connection between domains and missions. And, as such, the Air Force recognizes we had better get our arms around this domainand soon.
To that end, the Secretary and the Chief have charged me with being the single commander responsible not only for operation, maintenance, sustainment and defense of the Air Force Networks, but also with developing, fielding, and employing operationally relevant cyber capabilities and effects. Bottom line: The buck starts and stops with me and my Command.
Now, you might remember, last year at this time, I gave myself an F as the lead for cyber in the Air Force. Since then, weve made what I consider to be some impressive progressthats the good news, which Ill describe soon.
The real challenge is, though, theres so much more work to be done. Back in 2009 when we began the concentrated cyber effort within the Air Force we didnt get it right the first time. Thats why we are aggressively re-evaluating our roles, and authorities as we speak. Were taking a microscopic view on exactly how and why were doing all things cyber.
Were reviewing every piece and part of cyber to assess its proper home; what piece is operational versus what part is considered infrastructure, and where do those responsibilities properly fit in the current Air Force organizational structure.
Were reviewing the operational impacts and costs of merging with DoD programs like the Joint Information Environment and DISAs Defense Enterprise Email. And were thinking about whether we should outsource entire capabilities to industry where exceptional, secure capabilities already exist.
Priority And Guiding Principle
Our overarching priority, of course, and therefore our guiding principle, must be on providing the best support to the warfightercognizant of operational effect, cyber security, and costs. Were taking these challenges head-on and as a Command, were moving out.
But full disclosure here, not everything is moving as fast as Id like. For example, we thought wed be done at the end of this fiscal year with our AFNet migration project, driving toward a single, centrally-managed, homogeneous and defensible enterprise. Hiccups occurred, we needed more money, and the schedule lengthened; certainly not the path wed projected. We now anticipate completing the migration midway through FY14.
Weve learned from the mistakes that led to the fits and starts, and weve begun to change a cultural mindset from one of, it must be invented here, to one of innovation based on partnerships.
We understand our AF networks like never before; were better able to implement new capabilities across the entire spectrum of operational cyber. And its our considerable task to take those lessons and implement new cyber capabilities on operationally relevant timelines. Those must be, in fact, lessons learned and not just lessons observedits doubtful well have the luxury of making the same mistakes twice in the future.
So, even though the AFNet project is late, there are some things to brag about. But, before I cover those successes, Id like to provide an overview of some key next steps that Ive recently discussed with the Air Force senior leadership. Well focus on some technologies, organizations, structure and policy, financial, and related keys to formulating the next wave of successes.
Translating A Vision
Were working hard to translate our vision for Air Force cyber operations into reality. Our first responsibility has been to develop an Air Force vision that is based in realism in the cyber domaina domain that is incredibly dynamic, evolving at speeds and in ways that we couldnt imagine just a few short years ago. For a technology-based Service like the Air Force, which is so dependent on cyber, its only logical that we commit ourselves to maintaining the edge over potential adversaries. And we should be comfortable with speedy evolution, and technological innovation; after all, that has been our birthright in the Air Force since our beginnings in air and space and it has to be the way we act in cyberspace as well.
But thats the easy partthe commitment. The how is the hard part.
Machiavelli wrote: There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of new things.
From that quote, we can assume he was an observer of the real world, and we have been working diligently to introduce this new order of things within the Air Force very deliberately and very methodically. Now, dont confuse being deliberate and methodical with being slow. We have several initiatives underway that leverage new technologies and challenge the traditional ways we acquire and operate in this domain.
Now, as I look at this new order, we face some additional challenges in a clearly decreasing budget environment:
The availability and retention of qualified and proficient cyber professionals;
Organizing staff functions to provide adequate oversight,
Management of roles and responsibilities; mundane, yes, but critical to an Enterprise, game-changing approach to a game-changing domain,
Establishing responsive acquisition activities that produce capabilities on much shorter timelines; and finally,
Overcoming cultural challenges accompanying the faulty assumption by many that all data and information is trustworthy and actionable.
And, these needs and challenges come together in an age where precision engagement and battlefield success in all Air Force core functions requires larger amounts of higher quality information in shorter periods of time. We must assure access to required information and freedom of action to create desired cyber effects at a time and place of our choosing to meet the Combatant Commanders requirements anywhere, anytime, while denying the same abilities to our adversaries.
The Air Force currently operates 21 Air Force networks; we have 840,000 users. There are 1.9 million computing devices and we spend about $40 million annually to clean up cyber-related attacks on our information infrastructure. This may not make us the most complex enterprise in the world, but its got to be up there among the most.
Therefore, weve embraced the idea that Enterprise means providing a consistent template upon which to maximize effectiveness while inherently providing efficiencies of scale, cost, and use.
We certainly dont have all the answers yet, but were clearly leading the effort to make these overarching concepts military realities. To ensure progress toward our objectives, we are aggressively managing our oversight roles and responsibilities to provide focus to Air Force cyber efforts.
So, in that vein, let me talk about standardization a bit. Its imperative that we not continue one-off implementations. How many times over the years have individual units used what we would call county options to purchase technology, then not optimize what is installed, or even worse, not use it at all?
You all know what Im talking about... and this practice has just got to stop.
Well work on standard architectures and standard operational processes, but well all need to be vigilant against that Ive got a great idea implementation mentality at Base X or Command Y... and thats the least we can do for our Air Force and our taxpayers to maximize available economies of scale. To that end, all of our efforts are based on that Enterprise approach... thats the way we view our AFNet and thats the way we will present our capabilities as a Service to the Joint arena.
Since the Air Force and the DoD started down the path of establishing cyberspace, weve been challenged to clearly articulate whats cyber, whats IT, and what are communications and information. Definitions in DoD, Joint and even Air Force policy can be interpreted in multiple ways leading to confusion, duplication, and unnecessary work. With the pace of change, the ops tempo, the threats associated with cyber, and our constrained resources, we must have clear definitions which will then allow us to define whos doing what in cyber and IT to make sure we are all pulling together and working toward the same end-state.
I have my staff doing a thorough review starting with what does law, like Clinger Cohen, say about IT and cyber? From there we are going to come up with definitions that clearly articulate....well, this is cyber because it falls within the realm of warfighting weapon systems...this is IT because it is a business system application...this is communications because it is a telephone or postal service.
Definition Of My Role For The Air force
This also will help us better define whats in my role as the Cyberspace Superiority Core Function Lead Integrator for the Air Force vs. what belongs in my role as the Lead Major Command within the Air Force for cyberspace.
Closely coupled with this effort is a lanes-in-the-road dialog, both internal to my staff and with external organizations like the Air Force A3/5 and A8 staffs, as well as Lieutenant General Mike Baslas SAF A6/CIO organization. And, were not forgetting that a significant part of the role of Core Function Lead Integrator will be to facilitate partnering with industry, academia, other services, allies and friends to ensure a robust, defensible network enterprise.
Very recently, I published an AFNET Commanders Intent. While normally commanders intents are focused on purpose, desired end state, and key activities required to achieve that end state, I went further to also define the AFNET. I have to admit there is not unanimous consent to this definition, but for the sake of progress, this is how were going to refer to the AFNET from this point forward. The definition is also the foundational building block that will drive decisions across all communities, systems, and functional areas. Our next steps will be to provide an additional level of detail to inform our architecture work from the As-is to the To-be to the Should-be.
My A5 is leading the AFNET As-is Architecture work and we will have that complete by the end of this month. In concert with our programming efforts, well be developing the To-be Architecture, which will be done by the end of the month also. Together, these architectures will help us understand where the gaps in capabilities and resources lie. Were also developing standard, expected levels of service. We owe it to the Common Computing Environments, missions, and business systems what levels of service they should expect.
In parallel, were going to identify what we expect of these programs and systems. To connect to the AFNET, users will comply with these standards and waivers will be the exception, not the rule. While there are many more activities outlined in the Commanders Intent, in the interest of time, Ill ask you to read the document for yourselves and partner with us toward that desired end state. Over the next few months, we will be releasing more foundational guidance documents to ensure all of us are on the same page and these will range across the spectrum of capabilities, networks and classifications.
Ive set up a Cyber Working Group to identify, monitor, and execute these key steps. While Im normally not a fan of management by committee, the breadth and depth of our work demands a broad approach, and they are updating me weekly with their progress.
Good Reports From Cyber Acquisitions
Let me now shift to some outstanding work going on in cyber acquisitions. Weve set up a Cyber Solutions Cell with the Air Force Life Cycle Management Center and the 688th Information Operations Wing folks at Lackland AFB. These are our 9-1-1 agencies to rapidly acquire cyber capabilities in response to warfighter needs. We have a really good mix of operators and engineers working together to identify and close gaps in the cyber domainsometimes within hours.
These operations and acquisition teams are dedicated to making sure the operational needs generated by the move-countermove nature of the contested cyber environment are developed, tested, and fielded in a timely fashion.
Across the Air Force were seeing increased awareness of the need for new cyber-related capabilities and operational concepts which will materially improve the ability to employ forces across the range of military options. And, as Lead MAJCOM for cyber, were chartered to make those tough decisions as to which great idea or solution is the best for the mission. Developing an enterprise architecture with adaptable, controllable, and defensible attributes requires an achievable and enforced set of standards, clarity in organization, and well-defined authority, roles, responsibilities, and accountability.
Within the Air Force, and within the DoD as a whole, we will require that the capabilities and effects are developed, tested, fielded, and employed by proficient acquirers, developers, and operators. We will make sure they are proficient in those skills. Functional systems and Program Management Offices will conform to the standards as outlined in law and in our guidance documents. Wondering how to get a waiver to avoid conforming shouldnt be a managers first impulse. Some may consider this a bit draconian, but its how we will ensure security and efficiency of AFNET for its operations.
Well develop a requirements framework in which cyber capabilities and effects can be integrated into other core functions, services, and agencies. To that end, were developing roadmaps for Offensive Cyber Operations, Defensive Cyber Operations, and Defense Information Network Operations mission areas. These roadmaps will provide a template from which to examine the various cyber capabilities as they are associated with mission area requirements, the related programmatics and corresponding sustainment or modernization of those capabilities.
Were doing this with an eye toward making investment and divestment recommendations while providing transparency to major stakeholders such as the other Major Commands across the Air Force. Over time, as policies and procedures evolve, we foresee cyber-related capabilities and effects integrated wholly with kinetic capabilities to maximize success during employment.
Giving Our Airmen More Operational Guidance
Until very recently, some of our 24th Air Force Airmen were a little bit confused about what was expected of them because we had not provided them with the operational guidance needed to accomplish their missions. Weve moved aggressively to address that shortfall by publishing four guidance memorandums within the last year - for Combat Comm Employment, one for Operations and Training, and one for Standardization/Evaluation. And now our IG is inspecting our units against those standards.
Another measure weve taken to address standardization is the establishment of cyber weapon system teams. This will operationalize and normalize our capabilities similar to Air Force weapon systems in the other domains. These weapon system teams are addressing equipment baselines, sustainment, training, follow-on development, funding, and fielding. All of these initiatives provide the structure and discipline we must have to enhance our combat capability and integrate cyber effects across all warfighting domains.
As we consider current technology, I think we can do a better job of making our Airmen more productive by furthering the use of Commercial Mobile Technologies. The DoD has explored using expanded mobile technology for a number of years. Its time to move out on this, and we havein a coordinated effort throughout the federal government, with the Defense Information Systems Agency, and with the National Security Agency. Were taking advantage of the fast-moving commercial market, in concert with the added security and functionality needed for Air Force users.
In fact, we are going operational with AF capabilities to extend mobile solutions, to Air Mobility Command, Global Strike Command, Air Education and Training Command, Air Combat Command, Air Force Special Operations Command, and of course, Air Force Space Command. A great example of this is our direct support to the Mobility Air Forces and their Electronic Flight Bagtrue innovation to decrease operating costs while providing much more up-to-date information in the cockpit.
Hand-in-hand with mobility is getting away from our traditional way of presenting IT by being connected to jacks and wall outlets and being bound to desks. Our Group at Tinker AFB is piloting a wireless-only capability that we expect to roll out in the future, aimed at extending the network reach of our Airmen to edges of the flight line, or to the inside of a security police patrol car. So as you can see, well become more efficient and more connected across the board.
While I wont belabor my previous comments on our economic situation, I would like to address a related topic on financing the costs of DoD IT Enterprise Services. A particular focus of mine over the next few months will be the utilization of commercial constructs and reduction of costs in areas such as long-haul communications. As we move to more enterprise services, we must address the speed, agility, and pricing that the scale of commercial services brings. The DoD is making progress with commercial cloud services, as an example, but its simply not fast enough.
Innovate To Save Financially
We need to do more and leverage the billions in R&D and security that the banks and credit card companies have made, especially for unclassified services. Also, the commercial IP capabilities across all communications is driving capability up and costs down. Meanwhile, our AF bills continue to rise. Weve got to address these trends, but we wont have the ability to spend to saveinstead, well have to innovate.
No cyber-related speech these days would be complete without some reference to JIE, the Joint Information Environment. Ill be the first to admit, I have some reservations on JIE. While I understand and agree with the overall objectives, the devils clearly in the details and we have significant work ahead to truly realize the JIE vision at affordable costs.
We are committed to providing the expertise of the Air Forces AFNet experts, our network defense operators, and our acquisition professionals. Weve already invested thousands of engineering man-hours to the effortthe best and brightest in our Air Force. They are deeply involved in the potential changes to how we will protect and defend our networks. We must do this right the first time and we must continue to emphasize mission assurance in our cyber defense posture.
Successess In Reduction Of Adversary Entry Points
I mentioned earlier that Id end on some successes... successes that make me particularly proud. By reducing the number of Internet gateways over the past two years, weve reduced the attack surfacethe number of potential adversary entry pointsfrom 144 entry points to just 16, along with gaining better focus, generating fewer holes, and achieving greater visibility into network operations.
The Command has leveraged expertise at three different squadrons in Major General Suzanne Vautrinots 24th Air Force to change and improve network defense tradecraft. Our operators are now using a more focused model of examining known threats instead of a scattergun defend against everything type of approach.
There is much improved integration between 24th Air Force defensive units and the Air Force ISR Agency cyber support which weve accomplished by collocating crews to achieve maximum communication and mutual support.
Network operators can now deny by default, closing ports and potential entry points into the network to IP addresses and locations that traditionally have either shown mischief or have shown no value to Air Force users.
Weve added interactive sensors and automated processing, so our analysts are freed up to work problems vice spending time finding problems, and this has led to a much greater increase in high-confidence forensics and heuristics analysis. That said, not every malicious actor is caught at the gateways. In fact, many are caught by defensive capabilities within the network, with rule sets that are created by proficient Airmen who now have greater freedom to do the analysis required.
As always, its our professional Airmen who rise to the occasion, and Im proud to say that some 60 percent of all rule sets created for DoD defensive tools are generated by innovative Airmen within the 24th Air Force. Those same Airmen, by the way, are leading efforts to create defensive schemes for the Joint Information Environment; truly, when it comes to defense of cyber networks in the military, when 24th AF Airmen speak, people are listening to them.
These improvements in our cyber defensive posture arent trivial, even though they dont have the cachet of offensive cyber capabilities, but they represent some of the best ways that automation, innovation, and partnership have led to a much more effective enterprise approach to protecting our information.
Were Not Done But were not done... there are some other things we must continue to get after such as providing cyber overwatch of our Air Forces global air, space, and cyber missions.
Just as an example, in 2012, our 24th Air Force operators provided support for more than 4,000 Remotely Piloted Aircraft sorties worldwide, executed 4,000+ computer network exploitation missions against 10,000+ national priority targets and supported 100 IED neutralization missions in Afghanistan. Thats truly direct support to the Joint team.
The challenges presented by the cyber domain are new and in many cases unique. However, much like nuclear deterrence, air superiority, and other airpower centers of gravity, the Air Force will be successful in developing, fielding, operating, and maintaining operational capabilities representing the cyber center of gravity.
Success requires clarity in organization, authority and accountability, and while were still ironing out some of the details, make no mistake that the center of gravity for this effort is Air Force Space Command in its role as lead Major Command for cyber.
Were adopting a building-block approach in which we will make some strategic decisions about which lines of business have priority. Well decide what our Airmen need to operate and manage, and what functions or capabilities would be better performed by industry in the private sector. So, as Ive highlighted today, weve made considerable progress over the last year. And, I also discussed areas where we clearly recognize we must improve this year.
Whats my assessment for our grade this year? Id give us a C, and Im much more confident were moving smartly toward achieving excellence in this domain. But Im impatientwe need to move faster, and our foundational work will enable a faster pace. I thank you for your attention, and thanks again to AFCEA for providing this forum for us.