JOINT BASE SAN ANTONIO-LACKLAND, Texas -- Sixteenth Air Force (Air Forces Cyber) leaders recently launched an initiative to streamline its cyber weapon systems tools.
“12N12,” which launched July 1, aims to replace, reduce and consolidate the tools, systems and applications operators and analysts employ within the cyberspace security and defense mission area to approximately 12 by July 1, 2020.
“The goal is to reduce the number of applications in our cyber weapon systems, which in some cases are as many as 70, to about a dozen, and do so in 12 months or less,” said Col. Sean Kern, 26th Cyberspace Operations Group commander.
“But this is absolutely not just a technology initiative,” Kern continued. “It is about our Airmen and our ability to produce a highly trained and ready cyber force that possesses the appropriate tactics, techniques, procedures and tools, to gain and maintain operational access for core missions, and generate desired effects in and through cyberspace.”
According to Steve Barker, Sixteenth Air Force (Air Forces Cyber) director of requirements, “12N12” aligns with strategic initiatives focused on simplifying and improving full-spectrum weapon systems using agile methodologies to best prepare for future peer-adversary threats.
“‘12N12’ will reduce the complexity of our systems, allowing Airmen to gain deeper expertise in the tools they use as well as posture our enterprise for future change,” he said.
The end state calls for replacing aged, single-purpose tools with newer, multi-purpose ones.
One antiquated tool among many is the Security Information and Event Management tool.
“The SIEM scrubs through all the data we receive and presents it to the operator in a way that is easier to view,” said Staff Sgt. Trevor Daher, 33rd Network Warfare Squadron cyber operator. “It only allows us to manage the stream of information, and it was put in place in 1999. Of course it has been updated, but it is still a 20-year-old product.”
Some newer tools both manage information and respond to alerts.
“There is a tool called a SOAR, a Security Orchestration and Automated Response tool,” said Daher. “This tool reviews data and can be programmed to respond or react to individual alerts in different ways. You tell it what to do – it sees an alert and executes a checklist for you.”
For the aviation enthusiast, an aircraft analogy may help to better understand an operator’s current workspace.
“Think of this from a pilot perspective,” said Chief Master Sgt. Michael Clutz, 26th COG superintendent. “If I had to press 40 different buttons to fire a missile, nobody would think that was ok. Our cyber Airmen currently have to carry that burden. We are trying to make life better for them through this initiative while taking it to the adversary. The number of applications a weapon system employs is the number of things the operators must be familiar with.”
The prospect of having to master fewer weapon systems tools is an encouraging future for Daher.
“Replacing our old tools with new ones would be amazing,” he said. “These tools have capabilities we don’t currently have. Many of them can automate a decent portion of what we do, allowing us to spend more time investigating more malicious activities.”
Within the cybersecurity arena, time is one factor that separates winners from losers.
“In 18 minutes, 49 seconds a foreign nation-state actor can gain initial access into a victim’s computer before moving laterally throughout its network,” said Kern. “That is our operational urgency, and if we don’t get cybersecurity and defense right, we will lose.”
Some operators process upwards of eight million alerts per day using common computer programs, when newer, automated applications are available.
“We look at an insane amount of data from across the Air Force to determine if something is malicious or not,” said Daher. “We have seen what cyber attacks can do, and the goal is to stop those types of things from happening. To do that, we have to monitor our entire network. These new tools could change everything. Being able to better see data enables other Air Force missions to do what they need to do without cyber interruption.”
To keep pace with the goal date, a project team meets weekly to share updates and discuss obstacles and how to mitigate them. Additionally, Air Combat Command has adopted a new approach to cyber weapon systems development.
“The status quo will not work,” said Kern. “Air Combat Command’s efforts to implement agile methods will be critical to achieving our desired July 1, 2020 end state. “By next year, you can expect to see an Airman sitting at a single console, conducting cybersecurity and defense, and not having to move from system to system to do their job,” said Kern.