Air Force getting a grip on its cyber weapons

The Air Force’s approach to cyberspace as a domain of warfare is continuing to take shape at Hanscom Air Force Base, Mass., the hub of the service’s cyber weapons systems operation.

The Pentagon in 2011 declared cyberspace a warfare domain, in the same sense as land, sea, air and space. In April 2013, the Air Force followed up by classifying six of its cyber capabilities as weapons systems, a designation that underscored the importance of IT systems and security to military operations.

Declaring something a domain and classified systems as weapons in one thing, of course. Managing those systems, even if they already existed, is another. For the Air Force, like any military service, it involves a global approach to cyber defense, applying the same systems, standards and practices to all bases and the Air Force Information Network infrastructure.

The center for this approach is Hanscom, where all six of the cyber weapons systems are  managed by the Command, Control, Communications, Intelligence and Networks Directorate, although three of the program offices are located at Joint Base San Antonio-Lackland, Texas. Personnel involved with the systems are scattered at bases around the globe.

"As the life cycle manager, we are responsible for providing effective and affordable upgrades to fielded systems," Col. John Bedingfield, C3I Infrastructure Division senior materiel leader, said in a release. "And we do so by acquiring and integrating new capabilities in response to an ever-evolving cyber threat environment."

In the January 2014 issue of MilsatMagazine, Brig. Gen. Robert Skinner, then deputy commander of Air Forces Cyber and now chief of staff for the Defense Information Systems Agency, wrote about the reason for classifying these systems as weapons and offered a few details on what the systems do.

The Air Force Cyberspace Defense weapons system. ACD provides continuous monitoring of classified and unclassified networks, with an emphasis on prevention and detection of cyberattacks, response and forensics to identify an attack’s source, means and impact. ACD is operated by Joint Base San Antonio-Lackland and the Air National Guard’s 102d NWS at Quonset, R.I.

The Cyber Security and Control System program, which provides continuous monitoring of network activity, with crews identifying and characterizing unusual activity and responding in real time. CSCS, which grew out of the consolidation of major command–specific networks into a centrally managed network, filters traffic entering and exiting Air Force base domains and will block suspicious software. It also provides network operations and management for classified and unclassified networks,

Air Force Intranet Control, which serves as the primary interface to the Internet for each base and the entry point to the Air Force Information Network, and provides the gateways for internal base traffic. AFINC, which consolidates and replaces disparate, regionally managed Air Force networks, covers four sub-disciplines: defense-in-depth, proactive defense, network standardization and situational awareness.

Cyberspace Defense Analysis, which monitors official Air Force information released via unclassified systems to determine if any of that information is sensitive or classified. CDA’s monitoring covers six areas: Internet capabilities; email traffic; unclassified telephone networks; radio frequency communications covering mobile phones, land mobile radios and wireless local area networks; cyberspace operational risk assessment; and Web risk assessment. The system will report compromises to field commanders and others, and can conduct information damage assessments from network intrusions. It also performs assessments of the service’s unclassified websites.

Cyberspace Vulnerability Assessment/Hunter Weapon System, which in addition to vulnerability assessments, performs white hat hacker-like operations—including penetration testing and hunter missions—on Air Force networks to find and eliminate vulnerabilities. CVA/Hunter, which focuses on advanced persistent threats, also can respond to attacks, performing defensive sorties around the world from either on-site or remote access. The system, which grew out of a strategy shift from trying to defend the entire network to ensuring mission performance, has been used in real-world operations since November 2010 and was given initial operational capability in June 2013.

Cyber Command and Control Mission System, the system that watches the other systems. C3MS provides operational command and control and situational awareness for cyber forces, networks and mission systems, synchronizing the other cyber weapon systems. In providing overarching C2 support for the service’s slice of the cyber domain, it’s intended to ensure reliable access, mission assurance and use of networks and information systems worldwide.