Air Force activities to ensure resiliency to adversarial cyber operations are somewhat fractionated, with blurred lines of authority and no overall coordinating mechanisms to ensure that all related activities are identified, tasked, and implemented and act in concert to achieve enterprise objectives. The authors recommend better ways to manage, at the enterprise level, efforts to ensure resiliency of missions to adversarial cyber operations.
Managing for Mission Assurance in the Face of Advanced Cyber Threats
- What should Air Force official policy and strategy for addressing cybersecurity look like?
- How should the roles and responsibilities for cybersecurity risk assessment be managed in the Air Force?
- Should the provision of information technology network services and the cybersecurity of those networks be managed together or separately?
- How should preparatory and operational cybersecurity activities be apportioned?
- In what ways can leaders foster a culture in which all airmen, civilians, and contractors understand and play their roles in cybersecurity?
Current cyberspace threats are highly dynamic, complex, and ubiquitous in time and space. Activities to ensure resiliency to adversarial cyber operations throughout the Air Force have organically organized themselves to be somewhat fractionated, with blurred lines of authority and no overall coordinating mechanism to ensure that all related activities are identified, tasked, and implemented and act in concert to achieve enterprise objectives. The authors develop a foundation for better managing efforts to ensure resiliency to adversarial cyber operations at the enterprise level aimed at mission assurance in the Air Force. This structure includes guidance on the allocation of roles and responsibilities for tasks to ensure resiliency to adversarial cyber operations and mechanisms to create a cohesive initiative in which each individual and organization is working toward a common goal. The authors also stress the need for leaders to instill in airmen, civilians, and contractors an understanding that the conflict in cyberspace is ubiquitous in time and space; that operations in cyberspace might be decisive in warfare; that all airmen, civilians, and contractors play a role in ensuring resiliency to adversarial cyber operations; that nothing can be completely secure in cyberspace, which leads to a sense of responsibility to carry on mission(s) in the face of an attack through cyberspace; that connecting one system to another (or to a network) carries potential risks; and that personnel have an obligation to report anomalies in data, nonnominal procedures, and potential cyber incidents.
Enterprise management to ensure resiliency to adversarial cyber operations has gaps
- The DoD and the Air Force lack a clearly stated objective for cybersecurity and cyber resiliency that concisely articulates the objective for all airmen, civilians, and contractors.
- High-level policy in the Air Force does not comprehensively delineate tasks for resiliency to adversarial cyber operations and does not allocate the roles and responsibilities for these tasks to each organization.
- The culture for cybersecurity in the Air Force is immature and in need of shaping by leadership.
- The Air Force should issue a clearer objective and strategy for cybersecurity, embracing both cyber defensive measures and the ability to continue missions through adversary cyber operations holistically.
- This treatment of cybersecurity activities should employ a balance of cyber defensive measures and cyber resiliency measures (of systems and missions) and employ a balance of enterprise networks and cyber-physical systems.
- Activities that require quick decisions using detailed knowledge in a complex environment should be distinguished from those that do not.
- Leaders should institute cultural change, promoting recognition that there is conflict in cyberspace between the United States and others that is ubiquitous in time and space and that all individuals and organizations within the Air Force play a role in being resilient to adversarial cyber operations. Failure to perform that role effectively could be decisive.
Table of Contents
Framing the Problem
Specifying the Objective, Strategy, and Tasks
Issues for Apportioning and Coordinating the Labor
Discussion of Apportioning and Coordinating the Labor
Improving the Cyber Culture
Conclusions and Recommendations