AOG USAFA ALUMNI MAGAZINE | DECEMBER 2016
A FALSE SENSE OF SECURITY
Cyber takes center stage as Air Force’s newest warfighting domain
By Jeff Holmquist

The Air Force is in the midst of a yearlong “Cyber Secure” awareness campaign to emphasize the role that every airman plays in keeping computer networks, weapons systems and mission-critical utilities safe from enemy attack.

Not too many years ago, cyber and cybersecurity were viewed as a support function best left to nerdy IT personnel stuck in a back room somewhere. Today, cyber is a critical operational domain that must be constantly monitored and addressed to ensure that cyber threats and intrusions don’t cripple Air Force systems and networks.

“We must position cyber at the forefront of our thinking, planning and operations,” says Lt. Gen. Bill Bender, the Air Force’s chief information officer. “Cybersecurity depends on every airman, regardless of rank or job description. Every time you log onto a system, click on a link, download a file, or plug one device into another, we risk exposing our systems to exploitation.”

Bender takes advantage of every opportunity to urge airmen, civilian employees and contractors to start viewing cybersecurity as a part of their regular routine. By elevating the level of each person’s cyber awareness, everyone can be part of the solution.

The United States Air Force Academy, in conjunction with the overall Air Force, has been ramping up its cyber efforts in recent months and now is leading the way in developing innovative approaches to solving emerging and ongoing threats and intrusions.

In this issue of Checkpoints, we explore some of the cyber challenges facing the Air Force and how military, industry and governmental leaders are coming together to tackle common challenges that impact everyone in the nation.
USAFA HELPS LEAD THE WAY
CyberWorx brings cadets, cyber professionals together to battle common enemies
By Jeff Holmquist

When you step inside room 2N300 in the Fairchild Annex, you would never guess this is the epicenter of a cyberspace project that will eventually send ripple effects throughout the Air Force and the entire nation.

Inside this classroom, cadets are allowed — even encouraged — to write on desks and windows. They frequently scribble words and phrases on dozens of Post-It notes and organize them along the walls. Class participants often draw stick figures and diagrams on nearby whiteboards to illustrate an idea. Down the hall, collaboration rooms provide a quiet space for innovators to narrow their focus surrounding the questions at hand.

During regular class sessions, which occur every other day, cadets meet here with local industry employees to brainstorm, organize their thoughts and create solutions to cyber security problems that impact businesses, governmental units and the Air Force alike.

This is CyberWorx, the new cyber innovation center at the United States Air Force Academy. The center, which was officially launched earlier this year, is in its infancy but expectations are running high for its future impact and success.

“CyberWorx is the right name for it,” reports Col. Jeff Collins, the first-ever director of the center. “The verb that we’re doing is working. We are not here to articulate problems. We are here to deliver capability for the Air Force.”

Ultimately, the vision of CyberWorx is to create resiliency for Air Force missions and systems, Collins explains.

“The metaphor we use now is you can’t build walls high enough any more,” he says. “Our systems have to have resiliency enough to allow us to continue to do the mission despite a cyberattack. We will fight through just like we fight through in the other domains (air and space).”
PLANTING THE SEED

A couple years ago, Lt. Col. Mike Chiaramonte ’01 (now CyberWorx director of operations) and Lt. Col. David Caswell (now 690 NSS commander) hatched the idea for the Academy’s new cyber center.

“As we were building up the cyber program here at the Air Force Academy, we were looking at ways to make it more relevant to the Air Force,” he says.

Chiaramonte, an Academy computer science professor on loan to CyberWorx, was convinced a center dedicated to cyber innovation — utilizing cadets, cyber experts and industry leaders — could reap rapid rewards for everyone involved.

[Photo: C1C Kellen Hall (left) and C1C Ren Herbert work through the ideation process during a CyberWorx class session.]

“Ninety-five percent of the problems the Air Force has, industry has as well,” he comments. “We’re all dealing with the same challenges.”

The Air Force Academy seemed the perfect location for CyberWorx, Collins claims, because “we have 100-plus PhDs here” and “we’ve got 4,000-plus bright, young, digital-native cadets.”

“So, in terms of partnering with industry, we’re able to do that in a way that’s not possible anywhere else in the Air Force,” he says.

While attending the 2014 CORONA meeting at the Academy, Chiaramonte approached Gen. John Hyten, then commander of Air Force Space Command at Peterson Air Force Base, and other senior Air Force leaders about the creation of a possible cyber center.

“It took off from there,” he recalls.

Today, CyberWorx is operating out of a temporary 2,000-square-foot space. Collins and Chiaramonte are the two active duty officers assigned to the project. The center also is currently supported by seven Air Force Reserve personnel and one civilian contractor.

By next spring, the cyber center will move into newly renovated space on the fourth and fifth floor of USAFA’s McDermott Library (where the Center for Character and Leadership Development was previously housed). The 8,000 to 10,000 square feet of space will accommodate the 28 full-time staff members who are expected to be hired as CyberWorx ramps up to full operational capacity.
The first cadet class offered under the CyberWorx umbrella is Management 495B, which began meeting in August. One of the primary goals of the initial course is to teach cadets and tech industry volunteers a new approach to brainstorming and addressing complex cyber-related questions.

“In a traditional classroom, you have cadets working on projects for industry and they’re in a mentor/mentee relationship,” Chiaramonte explains. “Here, they’re peers working together on a team.”

When a solution, fix or product is finally developed at the end of the semester, Chiaramonte says both the Air Force and private industry will benefit from the new innovation. The goal is to transfer the technology to partners so the U.S. economy, governmental units, other academic institutions and businesses all benefit.

“What are our partners getting out of it?” he asks. “That’s important to us.”
DESIGN THINKING

Human-centered design thinking — which came out of such elite design schools as Stanford University and Carnegie Mellon University — has helped spawn such technological advances as the iPhone. The design process suggests that right-brained creative types, working together with left-brained management and number-cruncher types, can effectively bounce ideas off each other to innovate and solve human problems.

Academy faculty members were introduced to human-centered design concepts while going through a project with a private company, Frog Design, several years ago. The innovation strategy was appealing to the Academy and the Air Force, Chiaramonte says, because it often uncovers the best solutions in a minimal amount of time. That’s important in the technology and cyber realm, where state-of-the-art products and software solutions can be outdated within months or a couple years.

“If you acquire technology on a five-, 10- or 20-year cycle — like our current acquisition system requires — that means you’re two, three or five generations behind,” he explains.

Collins says senior leaders recognized the need to move faster in the cyber realm and have supported new approaches to attack the emerging challenges.

“This is the digital age,” Collins says. “We know we aren’t moving fast enough. The acquisition system spends so much time trying to get the requirements exactly right … that by the time people are able to meet them, at least in the cyber world, we’ve moved on and they’re not really relevant any more.”

One of the key components in human-centered design thinking, Collins notes, is the acceptance of failure as teams brainstorm.

“The goal is to make the officer corps less risk averse and more willing to fail fast in order to succeed quickly,” he says.

Early in the design thinking process, teams begin to identify the right cyber solutions for the right problem. As the first class kicked off this fall, cadets and industry partners traveled to Air Force bases to help identify the challenges commanders and airmen face in communicating cyber risks.

Eventually, team members returned to the classroom where they gathered their thoughts and debated how to proceed. Later, they were encouraged to construct low-cost “prototypes” to help visualize potential solutions.

“We want to see what’s possible. You don’t really get a sense of that until you physically see it and you touch it,” Chiaramonte explains.

In the initial stages, prototypes often are made of cardboard, paper or other inexpensive materials. Chiaramonte says if there isn’t much invested in one particular prototype, it’s easy to discard it and move on if it doesn’t work out.

“The goal is to prototype as cheaply as you can to understand as much as you need to,” Chiaramonte explains. “But then, at some point, you have to progress past cardboard.”

As teams zero in on a final solution, the prototypes become more elaborate. If the process works as it should, the most effective human-centered solution eventually rises to the top.
THE IDEATORS

The current management class includes 16 cadets from six different majors, bringing a multi-discipline perspective that is important to a successful human-centered design process. Several times a week, six industry professionals, along with several military leaders, join the cadets to brainstorm and generate possible solutions to one central question.

This semester the group is using human-centric design thinking to develop new ways to communicate the implications of cybersecurity and cyber threats that face commanders, airmen and civilian employees on a daily basis.

Collins and Chiaramonte think the process has gone well so far.

“The cadets seem to be really enjoying it,” Chiaramonte reports. “They’re learning a lot, and industry is really engaged. Everybody seems to be having fun learning as they go.”
“Our objective is not to create more cyber officers,” Collins adds. “Our objective is to accelerate the Air Force’s understanding of how to use this warfighting domain and do it well.”

C2C Benson Anderson, an economics major at the Academy, says the class and the CyberWorx process have helped him think more creatively.

“So far I’ve loved every minute of the class,” he comments. “I’ve noticed that I’ve gotten a lot better with putting my thoughts into words. I’ve gotten a lot better interacting with other individuals. And I’ve gotten better with critiquing both my own and other people’s ideas.”

As an economics major, Anderson says he’s used to working with numbers, theories and “hard facts.” But his fellow CyberWorx classmates challenge him to think in different ways.

“It’s really neat to see how our different perspectives actually mesh a lot better than you would think,” he says. “And our trains of thought, while they are different, usually lead us to quite similar conclusions.”

For that reason, Anderson says he’s learned to openly listen to all points of view.

“I’ve learned that no idea is a bad idea,” he explains. “Even if someone comes up with a suggestion that may seem crazy, you can usually derive something from that thought that will be useful in the future.”

Anderson says he’s excited to be among the first cadets involved in the CyberWorx effort.

“I know that what I’m working on right now is going to have future implications for the Air Force,” he says.

C1C Austin McWhirter, a computer science major, has similar praise for the class and the CyberWorx concept.

“Instead of developing a program that solves a problem, I’m coming up with ideas and innovating with other people from different majors with different perspectives,” he says. “It gives me a more operational or more realistic view into what I will be doing after graduation.”

When he signed up to be part of the first class, McWhirter admits he had no idea what he would be doing. But the CyberWorx concept and the innovative design effort appear to be a game-changer for the Air Force. He’s been impressed with the number of senior leaders who have stopped by to ask questions about what the group is accomplishing.

“We’re at the forefront of answering this question for the Air Force,” he notes. “A lot of people are looking at us for ideas going forward.”

Michael Garrity, systems engineer with Modern Technology Solutions, Inc., in Colorado Springs, is one of the industry partners who signed on to participate in the CyberWorx project. He says the “new way of approaching cyber” appears to make a lot of sense for the Air Force and its business partners.

[Photo: The ideation teams within CyberWorx collaborate to identify the real cyber problem that needs addressing, then whittle down the possible solutions to the one that will meet the needs of the end user.]

“It’s been great,” he explains. “We’re taking a little bit slower process, but in the end it will save so much more time both for us and for the customer. In the future years, it will help us build the correct prototype or the correct system.”

Garrity says he’s never had the opportunity to use the design thinking process, but he’s found it worthwhile.

“We hope to reach out to other cyber customers we work with — Air Force, Navy, Army and other agencies — and work with them to incorporate this process into their planning as well,” he notes.
GOING FORWARD

The long-term plan for the CyberWorx program is to increase the number of cyber projects the teams are working on at any given time. Eventually, Chiaramonte predicts, cadets and industry partners could tackle up to 10 cyber-related projects simultaneously.

CyberWorx also plans to host innovation teams that do not include cadets, but perhaps just industry and military leaders. Those groups will participate in “design sprints,” with the expectation that final solutions would be developed in a few short weeks versus over an entire semester.

The Academy also hopes to launch a cadet innovation club, which will employ the design thinking process to problem-solve but not function as a class with credits attached to it.

When CyberWorx reaches full staffing, the center will have the capability to continue its design thinking process, but also develop stronger partnerships with industry representatives and nearby academic institutions. The faculty also will have the chance to explore a wide range of cyber topics, including ethics, legal ramifications, cyber operations and more.

In the end, Collins says the Academy’s foray into design thinking and cyber innovation will help the institution attract more cadets interested in cyber-related professions and accomplished faculty members who are looking to be part of research projects that address real, complex problems.

As the center evolves, USAFA plans to raise funds and construct a standalone building to house CyberWorx and other cyber programs. Currently, the target for construction could be as soon as 2021.

The USAFA Endowment will assist CyberWorx in raising the capital necessary for its eventual new building. The Endowment is currently helping raise funds for the ongoing operation of CyberWorx.
WHY WE NEED INDUSTRY FOR CYBER AGILITY
By Col. Jeff Collins
Director of Air Force CyberWorx

I’m privileged to be back at AFA, this time directing Air Force CyberWorx. We are a new unit, stood up specifically to unleash rapid warfighting advantages from cyberspace across all warfighting domains. We are accomplishing that mission by educating our cadets and partnering in new ways with industry to solve tough problems facing our nation.

CyberWorx is using a method called “design thinking” to bring two immediate benefits to the Air Force:

1) CyberWorx increases the cognitive diversity of those engaged on tough problems, fostering new approaches and opening doors to some of our cadets, airmen and industry partners who have not yet been engaged in answering cyber questions facing our digital nation.

2) CyberWorx enhances our airmen’s innovative spirit by giving them and our cadets real opportunities to innovate rapidly toward solutions — this forms the intellectual property (IP) that truly matters to warfighting capability for the Air Force now and in the future.

Our relationship with cadets, active duty units, academia and industry forms a virtual circle, driving the Air Force’s multi-domain capabilities and agility higher. Industry is a key partner in this circle. The cyber industry, in particular, brings an unmatched diversity of ideas and the agility to implement those ideas at industry (rather than typical government) speeds.

The IP resulting from our CyberWorx design sprints is precious and is shared, according to our agreements, by those who participate in these events. We, therefore, need industry involvement with us to work toward these solutions. You won’t be surprised to learn that not all of the best ideas are contained within the government.

Industry also is a critical partner and supporter as we look to grow our capacity. We plan to grow from our current capacity to solve two simultaneous (unclassified) projects in a temporary design studio to a needed capacity to solve 10 simultaneous projects, including classified projects. We are designing the final studio to engulf participants (live and virtually) in the best possible collaborative environment for solving our nation’s toughest problems.

We have heard overwhelming support from all levels of the Air Force and our graduates. The speed and level of support we are receiving is outstanding. Industry partners who are already engaged with CyberWorx attest to the tremendous benefits experienced by their employees in getting to work with our great airmen and cadet innovators, working to overcome real cyber problems for our Air Force.

Just as the operational advantages available in and from the cyber domain are limited only by our imagination, there need be no limit to the contributions of this Academy to America’s warfighting capacity in cyberspace. CyberWorx is proud to lead this charge into the future. We look forward to working with you.
TECH TRANSFORMATION
Computer Science Department evolves to meet the changing needs of the Air Force and nation
By Jeff Holmquist

The birth of the Internet can be traced back to the early 1960s when the Department of Defense worked to interconnect the main computers at the Cheyenne Mountain Complex, Pentagon and Strategic Air Command. Military officials at the time were concerned that a Soviet attack could cripple the nation’s telephone system. Setting up an interconnected network, they felt, would allow government and military leaders to communicate even if a war occurred.

In the years that have followed, a long list of technological advancements emerged — email, ecommerce, social media, Internet banking, online education, remote monitoring/control systems and many more Internet-based systems.

“No one imagined the Internet would become the enabling vehicle for our modern society,” recalls Barry Fagin, professor of computer science and director of the Academy Center for Cyberspace Research.

Unfortunately, the underlying structure of the Internet remains virtually unchanged since its early years, Fagin explains, and its vulnerabilities are easily exploited by hackers and adversarial nation-states.

“The problem with the Internet, and why it’s so hard to protect, is because it was designed initially without security in mind,” Fagin notes. “We’re stuck back-patching this system that has all these holes in it because it was designed in the 1960s.”

The Academy, through its computer science department, is doing its part to innovate and change that dynamic. The department is producing between 30 and 40 graduates per year, many of whom will eventually be assigned to cyber operations units throughout the Air Force. In addition, the Academy established a new Computer and Network Security major and graduated its first three cadets from that program in June 2016. In 2017, the Academy expects 17 cadets to graduate with the new major.

“While we have lots of cyber challenges, I believe we are making a difference,” comments Col. David Gibson, professor and head of the Department of Computer Science. “Seeing our graduates out in the Air Force doing great things is encouraging. I can rest easy knowing that we have a strong cyber force.”
THE EARLY YEARS

Since the 1980s, the United States Air Force Academy has offered a Computer Science major to cadets.
When Gibson and Fagin joined the faculty in the early 1990s, they admit that much of the instruction in computer science revolved around keeping networks and systems operational. In 2010, the career field shifted toward a cyber operations and cyber warfare focus, Gibson notes. Many recent USAFA grads are now conducting defensive and offensive cyber missions for the Air Force and Department of Defense. “Back when I started, computer science primarily was a support career field,” Gibson recalls. “We were keeping the email up and running, as well as the data bases and the servers. And now, many of our graduates are conducting cyber operations against our adversaries and having a real impact in the defense of our nation, applying many of the things they’ve learned here.” Gibson says the Air Force is clamoring for cyber-proficient officers as it stands up a number of new cyber mission teams. The Academy stands ready to produce airmen who have a passion for identifying and solving cyberspace problems for the military and society in general, he assures.
THE RIGHT STUFF

Cyber operations aren’t for everyone, Fagin and Gibson admit. All cadets take a core introduction to computing class, which touches on topics ranging from programming to cyber operations and basic information technology.

“For a good number of students, they really get excited and want to sign up for one of the related majors,” Gibson notes. “We also see plenty of cadets who say that’s the last thing they want to do for an Air Force career. And that’s probably the right answer for them.”

Fagin explains that cadets best suited for the cyber mission are those who work hard, never give up and are detail oriented. They have to be comfortable in a rapidly changing field as well, he adds.

“It’s not something that everyone can do,” he admits. “To become what the Air Force needs you to become — to have the skills, the competence and the intuition that the Air Force needs its cyber officers to have — it’s challenging.”

Gibson suggests that cyber officers need to be “tenacious problem solvers” in order to be successful. Fagin agrees.

“The hackers on the other side are going to be very tenacious,” Fagin explains. “They’re going to be knocking at the door. They’re going to be trying this, they’re going to be trying that. They’ve got tenacity and patience, so we need that too.”
[Photo: Col. David Gibson (left), head of the USAFA Department of Computer Science, and Barry Fagin (right), director of the Academy Center for Cyberspace Research, both have witnessed their career field transform from a purely support function to a full-fledged warfighting domain. They envision many technological advances in the future that will continue to challenge cyber operators and senior leaders.]
ACCR

Just a decade ago, the Academy’s Computer Science Department fielded many questions from Air Force units and others struggling with computer and technology issues. But the department didn’t have the capacity to answer the questions nor the available funding to conduct research on emerging cyber issues.

About 10 years ago, the Academy launched its Center for Cyberspace Research to address that growing need for research in cyber technologies. Funding from various sources made the center possible.

Since then, faculty members and cadets have been involved in a myriad of successful research projects in the cyber realm. The research is conducted throughout the school year, as well as under the Cadet Summer Research Program.

“We have a lot of smart people on the faculty, and we have an awful lot of bright cadets who are interested in and capable of doing research,” Fagin reports. “So, over the past few years, we’ve been able to do some very good work. We’ve dealt with problems that are of interest to the Air Force, and I think are impactful, relevant and interesting to society as a whole.”

Past projects that Academy researchers have tackled include innovative malware detection programs and Internet software that has “provable security properties.”

“Most Internet software unfortunately has security holes that you could drive a truck through,” Fagin explains. “But fortunately it’s possible to use mathematics and computer science research to improve that to the point where you can produce software for which these security flaws are provably absent.”

Fagin predicts that ACCR will remain busy for years to come, as new cyber threats and ongoing malware intrusions threaten the Air Force’s mission and the nation’s economic stability.

“Sadly, there’s an awful lot of security problems out there that need solving,” he adds. “We’ll always be able to contribute to that effort.”
THE FUTURE

Artificial intelligence and autonomous systems are the next technological advancements that will impact society and the Air Force in the days ahead, Gibson predicts. Steady progress also is being made on a new “Iron Man suit” for the military, which will include liquid armor to protect the individual and sensors that will allow for constant online monitoring of the person’s vital signs and comfort.

“Every piece of equipment in the military and the Air Force will eventually be wired and connected to the Internet,” Fagin predicts. “How do you secure that? With all this newer stuff, hopefully we’ll have a chance to get it right. We’ll use the power of computer science to get it right, so we won’t have quite as many problems as we’ve had with the existing Internet infrastructure.”

Whatever the future holds, Fagin and Gibson say they are excited to play a role in moving the Air Force forward.

“This is a really exciting field to work in, because there is always something new coming along,” Gibson says.

“I’ve been here for over 20 years,” Fagin adds. “It’s been a great run and I look forward to at least a few more, watching and seeing the amazing things that are coming up on the horizon. I think it will be very interesting to see how that all plays out.”
WELCOME TO CYBERCITY
Miniature community helps cadets visualize impact of cyber operations
By Jeff Holmquist

[Photo: A fully operational miniature city, dubbed CyberCity, dominates one classroom in Fairchild Hall. The tiny community is fully wired, allowing cadets to use offensive and defensive cyber effects to better understand how systems, utilities, computer networks and Internet services can be impacted by hackers and enemies.]
A computer hacker has attacked the community’s radar tower control system and the tower is no longer functioning. The hack is putting airline passengers at risk.

United States Air Force Academy cadets spring into action to uncover the reason for the tower malfunction and to restore its operation. The cyber investigators assigned to the task open up the command code for the tower control system and examine its contents. Several lines of software code appear out of place and are likely the culprit.

As the cadets disable the offending lines of code left by hackers, the tower springs back into action. The airport’s radar system is again operating as it should.

Welcome to CyberCity, a fully wired, miniature community that dominates one classroom inside Fairchild Hall at the Academy. At first glance, CyberCity appears to be nothing more than a fancy model train layout with the requisite tiny buildings, cars and streets.

“It’s much more than that,” assures Capt. Lucille McMinn, CyberCity director. “It really is a whole city.”

The miniaturized community features a remote-controlled electrical power distribution system, as well as a water system, traffic lights, airport, transit system, hospital, commercial businesses, bank and homes. The community also includes about 50,000 operating email addresses and numerous websites promoting all of the fake organizations and businesses within CyberCity.

The brains behind CyberCity are the embedded controls that are scattered throughout the miniature layout. They are patched in to a huge control panel in the back of the classroom and it’s all linked via the Internet. Like actual embedded controls in real cities, most of the systems and controls in CyberCity are vulnerable to cyber attacks. That’s where the learning occurs.

CyberCity, which was installed on campus in April, provides cadets and faculty members with a high-tech educational tool designed to mimic real-life cyber situations. Imagined and created by the SANS Institute, a nonprofit research and education organization, the Academy’s CyberCity is one of just two fully operational miniature cities in the world.

The fall semester was the first time CyberCity was used in a classroom setting. Students in a senior-level capstone class, Computer Science 438, tackle various pre-programmed, defensive and offensive cyber scenarios to hone their ability to counteract adversaries.

[Photo: CyberCity includes everything from an airport (above) to downtown businesses, public transportation systems and utilities (below) to give cadets a visual representation of the kinds of systems vulnerable to cyber intrusion.]

As they complete their cyber missions, which each take between six and eight hours to complete, the students can actually see how their efforts impact the city and its systems.

“It gives them positive feedback right away,” Capt. McMinn says. “We don’t teach at a theoretical level. We actually teach them how to do it. It’s more valuable than having them just staring at a screen.”

Capt. McMinn says the new educational tool has proven to be an effective way to teach cyber security and cyber operations to future leaders for the Air Force. It also has helped faculty members stay current with cyber threats and state-of-the-art cyber educational tools.

“The Air Force has been securing computer service for a long time,” Capt. McMinn notes. “But a lot of people haven’t broached securing embedded systems, which is really the most dangerous thing because it controls the physical realm.”

Capt. McMinn says most people don’t realize that systems with embedded controls are everywhere.

“These systems outnumber traditional systems, such as laptops or desktops, three to one,” she says. “And they are very insecure.”

Security systems, smart refrigerators and smart doorbells are just a few examples of embedded control systems that are vulnerable to hacking inside people’s homes. Traffic lights, airport runway lights, web cameras, utility systems and more are community assets that are at risk.

Capt. McMinn claims CyberCity has increased the awareness among cadets that embedded systems, not just computer networks and servers, deserve monitoring and protection.
The Academy hopes to expand CyberCity in the future, adding more cyber attack scenarios and building more community assets (such as a nuclear power plant and others). Even though it’s relatively new, CyberCity is already generating a lot of attention for the Academy and its cyber operations efforts. McMinn says industry and government partners now understand that USAFA is training fully
capable cyber warriors who can make a difference for the Air Force and for society as a whole. “I don’t want cadets to solve problems that I come up with; I want them to solve a problem that the world has or that industry has,” she says. “CyberCity gives us that foot in the door.”
FIGHTING THROUGH ‘They’re going to hit us where we are at our weakest’ By Jeff Holmquist
Lt. Gen. Bill Bender, chief information officer for the Air Force, attended the September CORONA meeting at the Air Force Academy, where cyber was a key topic of conversation among the Air Force’s four-star generals.
The United States Air Force has always prided itself on being better, faster and smarter than the enemy. Today, however, it doesn’t enjoy such an advantage over foes in the cyber realm, according to Lt. Gen. Bill Bender, Air Force chief of information dominance and chief information officer. In fact, in some instances, our country has fallen behind in its ability to defend against hostile cyberattacks or execute offensive missions in cyberspace. “There are literally thousands of Chinese, both in and out of military, focused on this effort every day,” Bender explains. “They are trying to disadvantage us.” He says many of our nation’s enemies have no desire to engage in traditional warfare with the U.S., but they are eager to wage battle in the cyber realm. “They’re going to hit us where we are at our weakest,” Bender warns. That’s why the Air Force is stepping up efforts to become more cyber secure and resilient. Only a few years ago, cyber topics were a footnote at CORONA meetings involving the Air Force’s four-star generals. At the September CORONA gathering at the Air Force Academy, cyber was a primary discussion item. “The chief, the secretary and all the generals are super concerned and super interested in making sure we have a coherent strategy across the Air Force,” Bender reports.
“We’re going to be just as good or better than any would-be adversary in the future.” Information technology is critical to every aspect of the Air Force’s mission, Bender says, so it’s important that threats and intrusions are minimized as quickly as possible. Bender applauds the Academy’s new CyberWorx program, as well as the Department of Defense initiatives such as the Defense Innovation Unit Experimental (DIUx) and Defense Digital Service (DDS), which are speeding up cyber solutions and using unconventional methods to accomplish the task. “I can’t stress enough the importance of the work that’s being done,” he notes. “We have to be willing to fight and win in this new domain, and we’ve done an awful lot to move the ball forward.” Most U.S. citizens and Air Force personnel would be shocked to discover how prevalent cyberattacks against the nation’s military and commercial networks have become, Bender continues. That new reality requires that the Air Force, with its partner industries and academic institutions, focus more attention on cyberspace. “We’re still the strongest Air Force and have great advantages over any would-be adversary,” he says. “But now we’re in this new cyber-contested environment. The Air Force finds itself probably years behind where we would like to be. We have some work to do.”
The Air Force has done a remarkable job of protecting its networks thus far, Bender says, but weapons platforms and a myriad of mission applications and other linked systems remain vulnerable. “All of that is the wild, wild west at this point,” he suggests. “The more we learn, the more we realize that we should have been doing this five or 10 years ago.” To help expand the awareness of cyber issues throughout the Air Force, Bender says a yearlong campaign is underway. “We’re not going to make an Einstein out of every commander,” Bender explains. “But what they have to have is an operational mindset and an understanding of the critical vulnerabilities that can impact their mission. It’s the responsibility of commanders and airmen, officers, enlisted, civilians and our contracting force to really get serious about cyber security. It’s a whole of Air Force effort.”
*** Lt. Gen. J. Kevin McLaughlin ’83 is on the front lines of the cyber fight, serving as the deputy commander for U.S. Cyber Command. It’s a fight he never envisioned being a part of. After graduating from the Academy, Lt. Gen. McLaughlin went on to enjoy a long career in space operations. But while serving as the director of space operations for the Air Staff in 2013, Lt. Gen. McLaughlin received an unexpected phone call — he was being tapped to become the new Air Forces Cyber commander with the 24th Air Force. Not having “grown up as a cyber guy,” Lt. Gen. McLaughlin was surprised by the assignment. He’s come to appreciate the role that cyber plays in the Air Force mission, he admits, but he had never actually led in that area. Like many of his previous unexpected assignments, Lt. Gen. McLaughlin says Air Force leaders knew better than him that it was a perfect fit. After a year in that role, Lt. Gen. McLaughlin was promoted to his current USCYBERCOM position. “It’s been the most fascinating couple of assignments and the most challenging I’ve had, and yet I wouldn’t have picked it,” he admits. “It’s fascinating because I love being part of new things. In the cyber area, everything we’re doing is just about brand new.” In its sixth year of operation, USCYBERCOM has been ramping up 133 Cyber Mission Force teams to perform offensive and defensive cyber missions. About a third of the teams (39 to be exact) are under the 24th Air Force/Air Forces Cyber Command umbrella. Lt. Gen. McLaughlin reports that all the teams attained their initial operating capability on Oct. 21, 2016, and are conducting offensive and defensive cyber missions on a daily basis. He notes that approximately 5,000 personnel are part
of the Cyber Mission Force with hopes to grow to 6,200 personnel. The majority of the team members are assigned to Fort Meade, Maryland; Fort Gordon, Georgia; San Antonio, Texas; and Hawaii. The rest are scattered around the globe. “The nice thing about cyberspace … you can be anywhere in the world and generate a cyber effect,” he notes.
Lt. Gen. J. Kevin McLaughlin ’83 is among the nation’s leaders in the cyber fight.
USCYBERCOM’s three key missions are to operate, defend and secure the Department of Defense information network; provide full cyber capabilities to the Joint Force Combatant Commands; and defend against cyberattacks of significant consequence to the nation, when directed. As deputy commander of U.S. Cyber Command, Lt. Gen. McLaughlin assists Commander Admiral Michael Rogers with the day-to-day operation of the Joint Force cyber fight. Lt. Gen. McLaughlin says the cyber fight has come a long way in the past few years. “We’re conducting routine, dynamic offensive and defensive missions across the Joint Force today,” he reports. “And we’ve got a robust command and control structure, and a planning and execution structure, all things from a warfighter perspective that did not exist just a few years ago. So we really are energizing a new domain of warfare.” But there are plenty of challenges ahead as the nation deals with securing existing systems and controls, while also building and securing new technologies and platforms, Lt. Gen. McLaughlin says. And the future prospects for making a huge difference are exciting, he adds. Lt. Gen. McLaughlin encourages current cadets — the future leaders in the Air Force — to be open to emerging and challenging opportunities like he was, whether it’s in the cyber realm or not. “There really isn’t a recipe … in order to be successful,” he says. “The Air Force has surprised me with amazing opportunities, and often they weren’t what I was thinking. I think our young folks just ought to trust the Air Force to send them to those assignments. Give your opinion when you’re asked — but for the most part bloom where you’re planted and I think you’ll always be surprised at how much fun it will be.”
CYBER CENTRAL Colorado Springs area learns the power of collaboration By Paul Henry ’67
Colorado Springs is becoming a hub of cybersecurity activity. This vision is not a pipe dream. It is very real, thanks to a far-reaching collaboration of state and local officials, military organizations, educational institutions and businesses. Arguably, cybersecurity is one of the dominating issues of our time. Instances of hacking information systems, denial of Internet service, and compromise of personal data make headlines virtually every day. Our modern computer-driven environment, so critical to the basic functioning of society, is ironically the very vulnerability that the bad guys exploit and that cybersecurity measures seek to protect. In a recent interview with Checkpoints, Andy Merritt, chief defense industry officer with the Colorado Springs Regional Business Alliance, points out some aspects of the problem. “Information vulnerabilities and infrastructural vulnerabilities touch everybody,” he says. “Exposure is higher for modern sophisticated societies. Almost every aspect of people’s day-to-day work and personal lives is computerized.” Statistics also indicate that people spend up to seven hours a day on mobile devices, Merritt says, and by next year 70 percent of the world’s population will have access to such devices. “These represent a whole new area where unique solutions have to address a rapidly evolving cyber threat. Cybersecurity cannot be an ‘add-on.’ It has to be a part of all we do,” Merritt explains. The key ingredient to the ultimate success of the city’s national role in meeting these and other cybersecurity challenges is the synergy of elements already present here in the Springs. More than a year and a half ago, Martin Wood, senior vice chancellor at the University of Colorado-Colorado Springs (UCCS), headed a multi-discipline team of government, military, education, industry and technical experts in researching cyber assets in the community.
At the team’s request, the Regional Business Alliance conducted an asset mapping exercise to help answer the question. The results proved most impressive.
Core units at all local major military installations include cybersecurity as a key mission space, and locally based commands are specifically responsible for leading the cybersecurity effort and liaising with their service-specific chief information officers at the Pentagon and beyond. There also is an extensive local network of educational institutions with cyber expertise. Four of these have been conferred National Security Agency certification as cyber centers of excellence. A fifth school is in the process of certification. Additionally, cyber-related industries are expanding and starting up throughout the community. At the time of the original asset survey, there were more than 80 cyber-specific businesses and organizations in Colorado Springs — a historically aerospace-centric town. These businesses include some of the nation’s acknowledged cybersecurity innovators. Since the survey, as Colorado Springs Mayor John Suthers pointed out during a community cyber update, additional business expansion has brought the number of local cyber companies and organizations to 105. Anyone who has ever marshaled an innovative concept from notion to reality knows that the right ingredients have to be available as a precursor to success. But the vision of Colorado Springs as a cyber hub may have remained only a vision without sustaining support from key state and local leaders and organizations. Here too, the “right stuff” has come together at a fortuitous intersection of preparation and opportunity. Colorado Gov. John Hickenlooper, having heard about the impressive concentration of cybersecurity capabilities in Colorado Springs, came to Mayor Suthers’ office and was briefed by the study team. One of its recommendations — that a National Cybersecurity Center be fielded here — resonated with Gov. Hickenlooper, who was fresh from a visit to just such a center in Israel. 
It also helped that promoting Colorado Springs as a cyber hub was a good fit for the governor’s commitment to what he characterized in a recent Bloomberg interview as a “fully
diversified state economy” that goes beyond traditional gas, oil and real estate development. Putting real “oomph” behind the cyber hub effort, the governor announced in his 2016 State of the State address a commitment to creating a Springs-based National Cybersecurity Center to be “the country’s foremost authority on cybersecurity research and development, training and education.” The center, Hickenlooper says, would “provide real time response capability … to detect, prevent, remediate and recover from threats and hacks.” House Bill 16-1453 was approved a short time later, providing nearly $8 million in funding for the project. The legislation was signed by the governor in May of this year. A number of state and local organizations have lent their expertise and support to the Colorado Springs cyber hub initiative. The Denver-based Colorado Technology Association helped identify and assemble a cybersecurity leadership team. They also are committed to influencing development of a talent pipeline that helps meet the demand for qualified workers in technology-focused businesses, including cybersecurity. Here in Colorado Springs, participants in the collaborative working spaces of Catalyst Campus are focused in part on advancing “technology from industry partners, the military, the government and/or other advanced industries through state-of-the-art cyber and space and operations center.” Dedicated to a wide range of economic development initiatives, the campus seeks to facilitate partnerships between government, industry and education entities in the area, and has made cybersecurity a primary focus of that effort. According to its managing director, Erin Miller, the nonprofit Center for Technology, Research and Commercialization (the technology transfer arm of Catalyst Campus) has gathered field specialists and researchers in a range of disciplines together with a number of industry partners and the U.S. 
Air Force Academy’s CyberWorx lab to develop a 21st century cyber training module for the Air Force. That collaboration (whose product is currently undergoing review by the Secretary of the Air Force) will continue across at least four more projects next year. Looking toward the future, Miller indicates that C-TAC’s planned course deliverables in these programs will facilitate a broadening cybersecurity partnership among Catalyst Campus, local cyber educational institutions and the National Cybersecurity Center (NCC). Another Catalyst Campus-based nonprofit is also playing a key role in the cyber transformation of the region. The Southern Colorado Technology Alliance has brought large companies and small together, providing access to the extensive infrastructure and resources of the campus. Half of the alliance’s members are cybersecurity focused. Don Kidd is SCTA’s executive director. “From a cyber standpoint,” he says, “we are trying to bring together a community to solve big problems. All of us — businesses, schools, and the NCC — are contributing to make the Colorado Springs cyber hub real.”
To help address today’s labor shortfall in the cyber marketplace, SCTA is also embarking on a major effort to define priority training needs and articulate potential solutions. The Colorado Springs Regional Business Alliance is fostering the prerequisite atmosphere of collaboration (as opposed to competition) across local business entities and nonprofits in evolving cyber solutions that benefit the community at large. Additionally, the RBA is cultivating growth of the available Colorado Springs cyber workforce (already the fifth largest in the country) to meet the projected rising labor demand for this rapidly expanding industry. The National Cybersecurity Center is no doubt the lynchpin of Colorado Springs’ journey to cyber hub status. And here, too, a lot of progress has been made over a short time. During a recent RBA-sponsored Cybersecurity Center update, interim NCC CEO Ed Anderson reviewed the fundamental structure of this groundbreaking public-private partnership, and walked his audience through the key milestones in its march to initial operating capability, formally declared on Nov. 1, 2016. Over a six-month span beginning last March, NCC advocates conducted extensive outreach to hundreds of federal, state and local constituents of the center to help identify cybersecurity gaps and needs, and to secure NCC sponsorships. Also, a Board of Directors was established in July. Anderson describes how the NCC and its three component centers — the Cyber Institute, the Cyber Research, Education, and Training Center, and the Rapid Response Center — will be deployed in a UCCS-owned 135,000-square-foot building adjacent to the campus. Previously a TRW aerospace manufacturing facility, the site is ideal for accommodating sensitive cybersecurity work.
A contractor has been secured to accomplish building renovations and infrastructure updates, while the small but expanding NCC staff operates from a temporary suite of offices provided by UCCS. Following a national search, the NCC Board in October appointed a highly experienced cybersecurity executive, Ed Rios, the permanent CEO. “The NCC is a true start-up,” Rios asserts. “It is also a neutral and objective organization, a neutral nonprofit spreading cybersecurity knowledge. It is the ‘Aspen Institute’ of cyber.” As with any start-up, he says, the key challenges are “expectation management, identification of resources, development of the business and funding plans, and oversight of facility renovations.” He is committed to making the NCC inclusive in meeting the needs of the broadest possible constituency. Not that there aren’t challenges to be met, but this kind of upbeat confidence will help bolster Colorado Springs’ cyber central status. And the extraordinary collaboration of regional policy makers and leaders in government, education and business is strengthening that image.