The Air Force's cyber path

Defense Systems Editor Sean Gallagher recently sat down with Maj. Gen. John Maluda, director of cyberspace transformation and strategy at the Office of the Secretary of the Air Force, at the Pentagon to talk about the service’s developing cyber strategy.

Q: How would you describe what you do as Director of Cyberspace Transformation and Strategy day-to-day – what particular issues are you dealing with on a daily basis?

GEN. MALUDA: Lately, my job focuses on two items. One is to help [Major General] Bill Lord stand up a cyber organization, and part of that is working with our good friends on the operational side, such as Brigadier General Mark Schissler, who’s the AF/A3O-C [Director for Cyber Operations, Deputy Chief of Staff for Operations, Plans and Requirements]. Mark and I co-chair a general officer’s steering group looking at cyber issues. The other area of focus is cyber workforce development. Is the workforce just the traditional communications and information systems folks? Or do we bring the electronic warfare folks over, or the space and intel? And in my view, we should consider the unmanned aerial system folks along with the F-22 guys and gals from an operational standpoint.

So I spend a good bit of time helping Bill Lord stand up a cyber organization, working not only from a force development standpoint, but also looking at what capability we are going to bring to bear. Do you crawl, walk, run, or do you try to throw everything into cyberspace that we think it ought to be? I can assure you, in the days of the Wright Brothers, they didn’t throw in JDAM and Hellfire missiles and Sidewinders. It’s a gradual thing, and you have to be careful that you grow that and you don’t break something along the way. Just from a straight force development standpoint, I’ve already mentioned I’m working on the standup of the cyber workforce, but at the same time, I still have the comm and information career field that, until it transforms into the cyber career fields, I will continue working those issues. I chair what we call a force developmental team, and we meet periodically in Texas to review who we’re going to send off to our schools, who we’re going to make commanders, and who to send to other key jobs. In addition, we’ve been tasked to figure out how to bring our civilian workforce into the mix better than we do today. They’ve always been the steady folks, but in today’s environment they not only need to be steady, they need to be key leaders and they need to be mobile. As we develop the military side of the house, we will develop our civilian workforce as well for those critical duties and responsibilities.

Today, every airman that comes on active duty, whether it’s enlisted or officer, must go through a certain core technical training of sorts. We’re looking at doing some of the same things for the civilian side. In fact, for the first time this fall we’re sending some of our new civilians through the Officer Training School (OTS). We’re doing that to get that same experience. We currently send civilians through some of our technical schools, but it’s not a carte blanche thing and we need to do more of that.

Q: Are you putting together policy and doctrine for the new cyber organization?

GEN. MALUDA: We are working jointly with Bill Lord and his folks, who have the mission of figuring this stuff out. We’re also working with the team at the AF Doctrine Center at Maxwell AFB, helping to develop the doctrine for cyberspace operations. In other words, it’s great to be able to go out and strike a golf ball, but you need some policies in place about what constitutes par or a bogie or a birdie, what the course length should be, those types of things which you might consider doctrine for golfing. Until we establish some of that in the cyber realm, then it’s just a pick-up game. What we’re trying to do is to normalize that, professionalize that such that we can present those forces to the combatant commander for defense of the nation.

Q: From the perspective of having the people to execute that doctrine and help develop that doctrine, how do you go out – how do you develop the strategy for pulling people in to assist with that? I’ve seen recently some reports that there’s some consideration of bringing people in to the Air Force as reservists from industry to play a cyber role, leaving physical fitness requirements to get folks in the back door to be part-time cyber warriors or fulltime cyber warriors on an activation basis. You’re competing with industry to get people with expertise. You’re competing with a large – with private industry for people’s brains, as well as the technology industry itself. What do you – what is – what part of what you do is focused on figuring out how to get those people for General Lord and the other folks who are going to be fighting in the space?

GEN. MALUDA: Good question. First, I’m what we call the force development lead for the Comm and Information functional area. Remember, cyber is not just a comm and information area of expertise. Our vision, and General Lord’s vision as well, is to make cyberspace inclusive of not only traditional comm and information, which is where I grew up, but also to be inclusive of space personnel, electronic warfare personnel, the core intel folks, plus many other disciplines out there as we weave in that capability.

Q: Now, there’s been a problem over the last decade, I would say, with the decreasing number of U.S. citizens who are studying for higher-level engineering degrees. There’s an increasing shortage of U.S. citizens who have those degrees or are in those programs. The majority are from overseas, particularly Asia.

GEN. MALUDA: I would say two things about that. One, I would say that it is a stamp of approval of our higher education here in the United States that other countries view an education in the United States as a quality thing and they seek it. Two, I think it is also a condemnation of our education system that we have not pushed our youngsters into the hard sciences. It is much easier to earn a degree in something other than the hard sciences, such as math, physics, mechanical engineering, computer engineering, electrical engineering, etc. You pick the hard sciences where you have to do the analytical work – very, very difficult.

And, we’re a pretty easy society sometimes. We want instant gratification. It is very difficult working through the math and physics and engineering sequences to get instant gratification to include all the labs. So it’s a little bit tougher out there. And 10, 15 years ago, I’m not sure that the hard sciences were making that much money compared to some of the other degrees. I think that’s turned the corner. Right now all of our system engineers in hard-core sciences – Google, Microsoft, you pick your top vendors like that – they’re scarfing them up, and they’re making much, much more money in those jobs than what some of the other soft sciences are doing.

So, from a military standpoint, how do we ensure that we have our fair share? You’ve already mentioned the Reserve and the Guard. The total force – and that’s where you take our Air National Guard and our Air Force Reserve and weave them in. We’ve done it for years in the flying world. If you look at our tanker capability we have today, without the Air National Guard we couldn’t do it. From the comm and information standpoint, 98 percent of our combat comm, our expeditionary, capability resides in the Guard and Reserve, and they do a great job of that.

One of the things that we’re looking at doing is weaving the guard and reserve more into the cyber business as we stand up that capability. First and foremost, many of our folks that are part of the Guard and Reserve work in technical jobs today anyway, so you might have a Microsoft engineer, or an engineer at another firm whose day job is highly skilled. Bringing them on board to fill a role is perfect, so we’re doing more of that.

The other thing that we’re doing is developing our civilian workforce. The civilian workforce for many years has been the stability of the United States military. One of the things that we’re working on now, not only within the cyber C&I community but across the Air Force, is how to better develop our civilian workforce to fill in those particular places that they’ll go hand in glove of what the military is doing from that standpoint.

And then finally, regarding our commercial base, we’ve had several initiatives where we’re using commercial standards, commercial practices, and we have commercial companies that are helping us day in and day out. We partner with many vendors to take care of day-to-day requirements within the Department of Defense.

Q: In terms of developing the tools you need to fight in that space, in addition to the people – we’ve talked a bit about how automation is reducing your requirements for manning in the comm. and information area. What role is, say, Air Force Research Lab playing, DARPA playing, DISA playing in terms of providing you the tools you need to equip the people you do have and to take some of the fire off of the feet of some of the people you have to do the job? The ads say millions of attacks on DOD sites every day. Where are you turning to find the tools to turn those attacks away and project into cyberspace?

GEN. MALUDA: You’ve mentioned several places. The Air Force Research Lab, DARPA, MIT, Georgia Tech, I could go on with the partnerships that we have with our institutions of higher learning. We’re dependent upon that. And then we talk about the military and the attacks on the military, and whether it’s X number of attacks or where they’re coming from, but let me just have sidebar discussion here for a second on attacks.

Let’s take physical attacks. Most, if not all, military installations have a security fence or a perimeter around it, and you normally have a gate guard or security forces that man those gates. If Aunt Elma is out for a Sunday drive and she gets lost and drives up to the gate, is that an attack on the base? Probably not, just somebody lost. Your delivery truck of Dr. Pepper makes a wrong turn and comes up to the gate. Is that an attack on the base? I’d say not. However, you have a clandestine group that goes somewhere around the gate and tries to penetrate the base without being detected, or you have someone who went out on a Friday evening and had too much to drink and decided to blast through the gate. Is that an attack? It’s a physical attack, but was it meant to do harm? No. You have somebody else who’s trying to enter the facility with the purpose of taking military hardware, or software or anything else. That’s an attack. You see what I’m saying?

Q: Yes, sir.

GEN. MALUDA: The same thing in the cyber world. On a daily basis, you have people that are casual users of the Net and they will inadvertently hit the wrong sites. They may get a hit on our military system, which technically is not an attack but it is a hit. We’re not too concerned about that. What we’re concerned about are nation states and rogue actors that are physically trying to enter our systems with the intent of changing data, disrupting data, or taking the systems offline.

So how do we go about protecting our systems? We do it the same way, by the way, that the banking industry does. Our banking system today, by and large, doesn’t haul gold around on pickup trucks. The currency of today is ones and zeros. ATMs are all over the place. When was the last time you went to the bank and cashed a check to get money? You go to an ATM machine, and that’s how you get money today.

Forty years ago, the military was the leader in technology. Look at NASA. Many of the systems that we have today in the high-tech end came from research and development in NASA. They brought us more than Tang. Look at your commercial airline businesses today. Without the military application and military research and development and demand for flight, you wouldn’t have vendor X, Y, and Z out there. The air traffic control systems that the FAA runs today, without the forethought and what we put in place for the military, and your air-to-air and air-to-ground communications – the military put that in place and there was commercial application.

Look at your navigation system that many of us have in our cars today. GPS, a military system that was almost killed off because people didn’t see the application of it. And today can you imagine not having GPS? Living in Washington, D.C., I can’t think of traveling anywhere around the city without having a GPS tell me which street to turn down, and even then it gets pretty complicated.

Folks try to take cyber and they try to put it in a box. It’s not a box. Cyber is one of the five warfighting domains. You’ve got land, you’ve got sea, you’ve got space and air, and those are domains that we do warfighting in. And they say cyber is a warfighting domain that we fight in. Well, it is, but it’s more than that. It is the capacity that lets all the other warfighting domains operate.

Q: It’s also a domain that the rules of engagement are insanely complicated.

GEN. MALUDA: Oh, they are, because from the air if an adversary enters our airspace within the Continental United States, somebody knows that, and you can see the aircraft or missile, whatever it is, entering your airspace. If somebody enters from the sea, it’s a little more difficult but you know that you’re having a penetration of your physical space. From the land, same way. Look at all the discussion we have about our borders, and how we want to block that. But that’s a visible thing.

In cyber we break all the rules. They can enter the United States via country X, Y or Z, and it may go around the corner to get to us. Electrons have no physical presence per se like the other domains that I mentioned before. It’s very easy to physically see something in the air or space or land or sea. In cyber, it does not adhere to a physical presence in any particular country. That’s why the laws associated with cyberspace and the prosecution and the execution of our offensive and defensive capability gets complicated because if I’m going to do an attack against you located in Chicago, I may end up in Great Britain or I may end up in – you pick another country – and those electrons may flow many different ways prior to getting to you in Chicago. And that drives the lawyers crazy. But, again, the network was designed to be that way so you couldn’t take it down. That’s the beauty of cyberspace.

Q: It also, I would contend, is probably the most asymmetric warfare environment there is.

GEN. MALUDA: Oh, absolutely, without a doubt. But remember, we’ve been doing cyberspace many, many years. It’s just a matter of refining it. And I say good on the Air Force for stepping up and saying this is a significant warfighting capability. Even though we do not profess that we own cyberspace, we think it’s a core area that we need to focus in. In fact, it is in our mission statement, along with air and space. But of all the domains and all the capability that the military brings to bear, I can think of no capability that’s more joint than cyber, and in order for the United States to be successful militarily as well as domestically, we need to get a handle on that. It’s going to take the efforts of the Air Force, the Army, the Navy, the Marines, the Coast Guard, all of those, in conjunction with the commercial sector, with the Department of Homeland Security, and many others.

Q: So is there a specific slice you’re looking at for the Air Force as far as where you’re building your capabilities, because obviously it’s a joint effort overall...

GEN. MALUDA: You bet. And we have great relationships with both the Army and the Navy and the Marines as we work through this. In fact, operationally Lieutenant General Bob Elder, who is currently the 8th Air Force commander, as well as the AFNETOPS commander at Barksdale Air Force Base, runs the operational thread for what we’re doing in cyber day in and day out, and his folks work though JTF-GNO (Joint Task Force - Global Network Ops) back through USSTRATCOM to present those forces to the combatant commanders.

I will also tell you that we still need a little more refinement in what we’re trying to do. Remember that technology, the reduction of X number of folks and how technology was going to help us? We’re still pushing that envelope to get that technology in place, the tactics, techniques and procedures in place, but just as anything else, it will take time. Just like in football, when they first started playing many years ago, it was nothing more than a ground game. Then somebody said, hey, maybe we can kind of move over that ground, maybe a little air power, if you would, and they created the forward pass, and now they do all kinds of things.

So cyber is going to be the same way. We’ll continue to work through some of the angst out there and we’ll get better. We’ll have to get better because today, my personal and professional opinion, nobody can touch the United States of America militarily – muscle to muscle, mass to mass, whether you’re talking about our sea power with the United States Navy and the Marine Corps and the expeditionary nature they have. Nobody can touch the United States Army, and, quite frankly, I don’t think anybody compares to what we have in the United States Air Force. The F-22s are the best fighter aircraft the world has ever seen. Surveillance and reconnaissance, what we can do with our unmanned aerial systems, nobody comes close to that. And what ties all that together is cyberspace.

So cyberspace isn’t competing with air power or sea power or land power, or space power. Cyberspace is an enabler. It’s a force multiplier that allows that to happen. What makes our ability to do surveillance and reconnaissance so powerful is the ability to take an unmanned system, whether it be a Global Hawk or a Predator and have it in the CENTCOM AOR, thousands of miles away, and be controlled by an individual sitting at Creech Air Force Station out near Las Vegas, Nevada.

Q: So, are unmanned aerial vehicles part of the cyber domain, as you see it?

GEN. MALUDA: When you say part of the cyber domain, I would say the operation or getting the critical information and controlling of those sorties falls underneath the umbrella of cyber, because in order for us to operate that unmanned aerial system in the CENTCOM AOR, or wherever it happens to be, takes electrons and it takes spectrum.

Remember I said before, cyber is kind of that underpinning where we can operate the other domains in and through. That’s what cyberspace brings to bear. And that’s why it’s so important that we get this right. Otherwise you have a big hunk of metal flying around in the sky. Look what we did during World War II. You go back to the lineage of 8th Air Force, the Bomber Command, and the hundreds upon hundreds of bomber sorties that we flew during World War II – great heritage. I can also tell you stories where they sent hundreds of bombers to take out one bridge or one factory. Today, instead of having squadrons of bombers taking out one target, we now have one bomber taking out numerous targets. And that’s what technology has provided for us. That’s what GPS has provided for us. That’s what commercial industry, working with the military, has provided for us, and it’s a great partnership.

Q: So how do you – what projects are you turning – what programs are you turning to for the tools to secure that data path. I mean, are there any key procurement programs right now, any key development programs?

GEN. MALUDA: We’re working with our partners in DISA. DISA runs the Global Information Grid, so we work hand in glove with them because they have the biggest portion of our underlying infrastructure that all this stuff rides on.

We’re also working with our industrial partners to create the tools. Two months ago I went out to a vendor who has a global operation, and they’re looking after a similar network infrastructure that we have in the United States military. They had a huge facility, which was designed probably for 400 to 600 folks to sit behind a computer device to tell what the networks were doing and whether or not they were under attack. The day that I went to visit that facility they had a half dozen people in it, and those half dozen folks were monitoring a couple of screens and the rest of that workload was being done machine to machine.

So you had different layers of defense taking place that 5 - 10 years ago required a human interface. Today it’s done automatically, machine to machine, and it’s not until there’s an issue that it kicks out by default and goes to a human to intervene. We’re working with industry now in our research labs to do some of the same types of things. Just as that physical perimeter around that installation, and just as football first started with a ground game and then somebody found out that I can take care of that with an air game, we’re always looking for ways to better do our job and better defend against a particular attack, because if we don’t do that, then an adversary will have an advantage over us.

Entry into the cyber world doesn’t require an F-22 or an Aegis cruiser or the latest main battle tank. What it takes is a laptop or some computing device, and that’s the scary part of it. In other words, you take our most sophisticated weapons systems out there; given the right skill sets, given the right scripts, codes, and the tactic, techniques and procedure, we need to be mindful of that. Technology is a wonderful thing, but I can take your vehicle and I can drop a JDAM on it, or I can take some TNT and I can blow it up. Or I can zap it, take out your electronic ignition, and then you get frustrated and I can go and put another chip in there and drive it away, much the way we do precision bombing today. In the old days we’d go in and just crater a runway. Today we do strategic bombing such that it’s much easier once we’ve defeated you we can go back in and we can repair those small spots and then have the use of the runway.

Q: So, there is now a – there has been an initiative up at the DOD undersecretary level – Undersecretary England is pushing this Lean Six Sigma process management – continuous process improvement of the Lean Six Sigma, and I understood it originated to some degree on the AT&L side. How do you see that sort of methodology being applied to how you develop your force and develop doctrine within the cyber domain?

GEN. MALUDA: Well, cyber, by its very nature, can be very efficient, and we’ve embarked on a program called AFSO 21, which stands for Air Force Smart Operations, 21st Century. These are initiatives that the United States Air Force is doing, in line with the Six Sigma. I attended an executive course at the University of Tennessee, and we visited a manufacturing firm that was using the Six Sigma construct as well as the construct of value stream analysis, much of what you mentioned earlier. We are taking those initiatives over in our maintenance area. They’ve been working hard on that. In the IT realm, the cyber realm we’re working hard on that. Some of the technological items that I mentioned before, which will reduce our personnel workload, as well as make things more secure –you can be very efficient, but if you’re not effective, then you’ve wasted your effort.

Defending the country and having military might isn’t about being efficient; it’s about being effective. I’m not saying we’re not interested in being efficient. We are very much interested in that because that gives us more money or allows us to keep more money to work on those other systems that are going to make us operationally effective.

So AFSO 21 is the program that we’ve put in place to work at that. Some of the things we’re working on now is looking at having a service-oriented architecture. That particular approach in itself is going to allow us to get at data. The problem we have is that if I don’t have confidence and trust in our data, it is nearly the same thing as taking the system down. Your bank account, for instance –you can go online and check the status of your bank account. If you see that you have $50,000 in your bank account, you go, hmm, that’s pretty good. Then tomorrow you check and find out you have got $500 in your bank account, and the next day you have $500,000 in your bank account and you’re not exactly sure why.

You’ve lost faith and confidence in what you have in your account so you don’t know whether to go out and buy that new Hummer or to go out and buy a bicycle. You’ve lost confidence in the data that’s being presented to you. In the military we can’t lose confidence in the data. I need to know how many carrier battle groups, or I need to know how many F-22s or tankers or B-1s or B-52s that I have available to launch in a particular area. So disrupting my data or me losing confidence in that is complicated.

Under the same token, I need to have authoritative data such that I have a database over here that not only I and the United States Air Force can go into, but somebody from the joint staff could go into. And we have confidence that that data is good and I only have to input data once. And today we have multiple entries of the same data and we need to get away from that.

The Web’s a wonderful thing, and technology is a wonderful thing. That’s why it’s so important that we’re developing an Air Force organization for cyber and our cyberspace capabilities to ensure that we have the utilization of that, not only from an Air Force standpoint but from a joint standpoint as well. From the South I’d say we all were drinking from the same aquifer and we all have different wells. Some of the water is a little sweeter than others, but at the end of the day if somebody taints it, then it’s tainted for all of us.

Q: Are you looking at any sort of ways of expanding how you bring civilians into the mix to fill that role beyond the traditional senior executive force – a traditional civilian employee?

GEN. MALUDA: We’ve had a pretty good recruiting pool of folks just as the total force. Our guard and reserve, many of them come from prior service folks, people who either enlisted in the Air Force or had a commission, spent four years or 10 years, or 15, whatever it was, decided to get out, and then they joined the guard or reserve. Many of our civilians are coming from the same ranks, but we also have a lot of youngsters that we recruit out of college and we bring them in as interns. We’re going out to the universities, in certain cases from the technical side, trying to bring those folks in, and once we get them, we have a training program that we’re putting in place, to move them along. For those who are interested in not only a technical path but also a leadership path, we’re developing that program. At issue is how do I grow the technical expertise in the civilian workforce as well as the military workforce, but then also look at the leadership path that they might have to become part of the Senior Executive Services corps.

Now, does that mean that if you’re on the technical track you can’t be an SES? Absolutely not. I think, in fact, it’s much easier with our civilian employees than it is for the military employees. And so we’re trying to develop the paths to go about doing that. And I’ll tell you, we cannot continue, especially in the cyber world, to expand cyber and do all the things necessary in cyber without the civilian workforce, as well as our industrial partners, because we get a lot of our key capability and expertise from them. We want to bring those smart industry folks into the Air Force and drain them and then ship them back and get a new crop. And we’re doing that with something called the Chief Technical Officer Program. The CTO program that we’re developing will do exactly that, bring in highly skilled folks, for anywhere from two to five years because they’re current, utilize them and then ship them back out to industry and bring some more folks in. I think there’s something to be said for that. It’s kind of like bringing somebody from the New England Patriots down to your high school team, and it would certainly be good having a Tom Brady, right?

Also, for the first time, we’ve identified two United States Air Force Academy graduates to enter the first cyber program at AFIT, the Air Force Institute of Technology. So rather than going to pilot training or anywhere else, we’ve taken those two individuals and we’re shipping them to AFIT at Wright-Patterson AFB and they’ll start work immediately on a cyber career path.

In addition, we’re enhancing the cyber program at AFIT, and this past year, our youngsters – I say youngsters – our young men and women in the cyber department competed in the Defense Computer Crime Center annual cyber cook-off, and took first place, the United States Air Force did! They competed against a bunch of other people for the right of being the best defenders and attackers in the cyber world, in an academic environment.