Air Force Planning Future Cyber Security Investments

The Air Force has taken lessons learned from cyber attacks like the Office of Personnel Management breach in June — that compromised 23 million government employees — and is applying them to its cyber strategy, a service official said Oct. 29.

"The cost [of the attack] for the Air Force, man hours aside — and we've spent a lot of man hours in … damage control mode — the cost to the Air Force was about $37 million," said Brig. Gen. Patrick Higby, director of cyberspace strategy and policy in the Air Force's Office of Information Dominance and Chief Information Officer. "What could we have done before the hack, before the breach, for a tenth of that?" he asked during an Air Force Association breakfast.

He suggested that for $3 million the service could have better secured its networks, put in additional safeguards or implemented a more active defense regime that might have protected it from the attack.

A fitting analogy is how service members viewed aircraft safety protocols in the 1980s and 1990s, which were sometimes seen as placing a drag on the mission, he said.

"But when you realize once you crash an F-16 and what are the impacts to the mission and the time it has consumed by senior leaders having to look at that, instead of focusing on executing the mission, you're better off spending a little bit to keep that F-16 from crashing than you are not," Higby reasoned.

Cyber attacks result in "gargantuan" bills, he continued. "I think everybody now realizes from the Secretary of the Air Force down, let's take a little bit of that and invest it somewhere to prevent the big, bad thing from happening" that drives a bill that's even bigger than the Air Force can afford.

To be more proactive the service established its Task Force Cyber Secure in March. The task force was charged with indentifying platform IT and weapon system cyber security safety concerns and vulnerabilities. The unit's efforts will inform Air Force strategic planning and programming for fiscal year 2017 and beyond.

Higby said the task force is currently drafting a report that will list the top 10 security threats facing the service, which will be delivered to the secretary of the Air Force next year. The list will inform service leaders where to invest dollars and manpower, including upfront funding to prevent breaches.

The task force is expected to end its work in April 2016 but there are ongoing discussions about keeping it in operation past that date, Higby said. "We're trying to figure ouet what is the enduring framework once that task force does sunset to take over some of those initiatives that need to be addressed."

One of the biggest concerns for the Air Force and most other departments are insider threats, he noted. That could end up as the problem that the task force identifies as its number one priority, Higby said. However, he is worried that it might not get the attention it requires because most departments already have insider threat countermeasures in place, the Air Force included. "Now we're asking ourselves, 'Okay, if we give the secretary a top 10 list and number one on there is … insider threat, and that's really not news, will that get any traction?'"

The insider threat group that the Air Force currently has in place is working to generate solutions, Higby said. "Is it a personnel security question, is it an operational security question, is it putting things on devices, is it a combination?" he asked. "That's what that group is trying to sift through."

Topics: Cyber, Cybersecurity