The Complex

It's the data stupid

The Air Force has realized that simply trying to wall off its networks from cyber threats, which become more sophisticated every day, will work about as well as the Maginot Line. So it is working on a two-pronged approach to protect its most valuable information and to ensure that it can transmit that information even while under attack. This effort reflects a shift from the Air Force's focus on defending networks to protecting what really matters: the data itself.

"Our adversary has found ways to get over, under, around, and through our defenses," said Air Force Maj. Gen. Earl Matthews, chief of cyber operations in the Air Force's Chief Information Officer's shop during a Sept. 18 speech at the Air Force Association's annual conference just outside of Washington. "We still need to protect the network, but we must also protect the reason for the network, the data and information that resides and flows through the network.... [That] must be our focus."

One of the biggest parts of the service's effort to protect its ability  -- and DoD's ability as a whole -- to move critical data is something called the Joint Aerial Layer Network, a plan to provide multiple means of communication for the military should it find its radio, cellular, computer, or even satellite communications networks jammed by the enemy.

"We need resiliency in our hardware and our applications...the ability to endure outside stresses from an event, multiple events and to be able to continue to function," said Matthews. "If our satellite communications capabilities were to be temporarily interrupted, how would we pass information to the aircrews and warfighters at the edge? We would need an alternate link, perhaps a radio."

The Joint Aerial Layer Network is meant to "link air, space, and cyber forces together, providing resilient capabilities in each of those domains," added Matthews. The network will consist of aircraft, manned and unmanned (drones can stay aloft much longer than manned aircraft), that provide a backup communications system allowing U.S. forces to pass data in real time should their radio, satellite, or Internet communications be taken out. These aircraft will contain a variety of transmission and relay devices known as "smart nodes," allowing U.S. forces to pass data to one another. An existing example of the type of system is the Battlefield Airborne Communications Node (BACN, yes it's pronounced, "bacon"). BACN is being used now in Afghanistan -- it is sometimes hoisted aloft by ancient WB-57 Canberras, one of the world's first jet bombers, designed just after World War II --  where it translates and passes data that troops, aircraft and command centers send from a variety of communications devices that weren't originally designed to communicate with one another.

All of this is part of the Pentagon's plan to fight an adversary that will try to blind the United States in a conflict -- removing the massive advantage provided by all the UAVs, satellites, guided munitions, and stealthy jets loaded with sensors that have given the U.S. an edge for decades.

"All command and control runs through cyber now," said Matthews. "We can't launch [the Air Force's newest fighter] aircraft, the F-22 or the F-35, without the network being established and operating and secure. . . . Not a single [UAV] mission would be possible without a functioning and secure cyber domain."

The obvious question is, just how many aircraft will be needed to do implement the aerial network and what happens when the enemy attacks it, either with missiles or cyber weapons?

When it comes to actually protecting data, the service is moving to encrypt as much sensitive data as it can. The Air Force recently ordered that all personal information -- data that can be used to glean an airman's identity -- be encrypted before it is transferred across the service's networks. That's right, the air service is just as concerned about protecting its members' personal information from hackers as online-privacy advocates are about protecting citizens' information from the government.

This is just the start.

"As we identify other information, critical to our Air Force operations, [Lt. Gen. Mike Basla, the Air Force's CIO] intends to establish similar criteria and policies focused on the protection of mission-essential information and data on our networks, especially information like deployment readiness or logistics data," said Matthews.

Deployment readiness and logistics data may sound boring, but it is hugely important, as Maj. Gen. Christopher Bodgan, deputy program manager for the F-35 Joint Strike Fighter pointed out this week when he revealed that the jet's computerized maintenance system called ALIS (Autonomic Logistics Information System) had to be tweaked to prevent spies from hacking it.  Gaining access to ALIS would let hackers see how many of the jets were able to fly versus how many were down for maintenance and other details that could be extremely useful when planning to fight U.S. air forces.

"You don't mission-plan without it, you don't maintenance debrief without it, you don't pull your training records without it, you don't make sure the airplane is ready to go without it -- so it's so crucial to maintaining this airplane. It's frightening, almost," said Bodgan during the same conference. "One of the big problems was security. You can imagine that a system that has all that information about an F-35 Joint Strike Fighter in it: what parts need to be fixed, what pilots are qualified, what maintainers are qualified, what mission planning is going on. You've got to protect that information.... We did some testing and found some vulnerabilities." 

U.S. Air Force

National Security

Broken record theme: We're moving too slowly on cyber defense

Deputy Defense Secretary Ashton Carter reiterated the Pentagon's gripe yesterday that Congress and the U.S. government as a whole are moving far too slowly in figuring out how to protect the networks of utility companies and banks from strategic cyber attacks.

"When it comes to dealing with these issues of safeguarding the nation as a whole from a cyber attack, we're working our way through all these issues, my own view is, way too slowly. We're still vulnerable, the pace is not adequate," said Carter. "We were hoping for some legislative relief this summer out of the Congress, and I hope this isn't going to be one of those situations where we won't do what we need to until we get slammed."

Carter's comments echo those made by senior Pentagon officials for several years on the risk of a massive cyber attack that could catch the United States flat-footed due to legislative inaction.

This summer's cyber legislation, dubbed the Cybersecurity Act of 2012, called for basic information-sharing between private companies that control critical infrastructure (finance, utilities, Internet service providers, defense contractors, etc.), and the government about cyber attacks; it also established minimum network security standards. Senate Republicans nixed the bill in August, citing concerns that even minimum security standards would be too restrictive on private businesses.

"Most of those networks are not owned or controlled by us, they're owned and controlled by private entities who typically fail to invest or under-invest in their own security," said Carter during a speech at the Air Force Association's annual confab just outside Washington. "When we offer to assist them, we run up against a lot of barriers that we're slowly trying to knock down and reason our way through."

In addition to Republican resistance to government security regulations, the government's ability to protect critical infrastructure is hampered by both privacy and antitrust concerns.

"When we provide information to Company A, do we have to provide the same information to Company B?" asked Carter. "Can Company A provide information to Company B, or does that violate antitrust laws? Can Company A provide information back to the United States, or is that providing personal information to the government? ... These are all tough problems."

DoD cyber officials insist that the government is not interested in collecting individuals' information, only basic digital information on specific cyber attacks. The bill that was defeated in August contained provisions that restricted the amount of personal information about network users that private companies could share with the government, a move that was lauded by civil liberties groups.

"If you've ever seen a signature, basically a string of numbers in hexadecimal format that's mostly unintelligible unless it's read by a machine or an antivirus program," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps during a Sept. 4 interview. "That type of information, technical information, is what's most valuable to information sharing, it's not the personally identifiable information that we're interested; it's the type of information that could help you stop an attack if you know what you're looking for." 

An earlier version of this post incorrectly referred to Carter as undersecretary of defense. Killer Apps regrets the mistake.

U.S. Department of Defense