Organizing for Information Warfare
An Air Staff Perspective

Purpose
o Propose C2 Relationships for XXXXX
o Discuss IW Requirements Generation Process
o Formulate AF XO Positions

CSAF Initiative
o ELIGIBLE RECEIVER and SOLAR SUNRISE highlight IW C2 shortfalls
o JTF-CND Stood-up as interim solution
o CJCS approves UCP Change for permanent solution
  - JTF-IS for offense and defense Oct 00 assigned to USSPACE Oct 99
CSAF Wanted Answer to Who's in Charge for Air Force and DoD IW

JTF-CND Overview
o Coordinate and direct DoD defenses against computer network attack
o CSAF began to push JTF solution in Nov 97
Chart labels: SECDEF JTF-CND CINCs Other DoD Agencies AFFOR NAVFOR ARFOR Intel Community MARFOR DISA

CSAF Initiated UCP Change
Chart labels: CJCS Approved Jan 99 SECDEF CINCSPACE Oct 99 JTF-CND JTF-IS Oct 00 Defensive IW Only Both Defensive and Offensive IW

AFFOR-CND Established to Support JTF-CND
o AFFOR-CND established by AF XO to implement Air Force C2 for JTF-CND
o AFOSI and AFNOC assist but not part of AFFOR
o No existing or planned C2 links to Base NCC MAJCOM NOSC
Chart labels: JTF-CND AFFOR AFOSI AFCERT AFNOC

Embedding IW into AOCs
o CORONA decided to embed AIA IW flights into NAFs MAJCOMs
o 609 IWS to be disbanded
o ACC-developed CONOP to soon begin coordination
o FY99 7AF 9AF
o FY00 12AF 13AF USAFE
Chart labels: NAF CC A2 A3 5 IW Flight 1 Intel 14 A6 NOSC-D 16 IW Core 14 NOSC Planners 4 AIA UTC 37

The State of Current CND C2
Why We're Here
Chart labels: Strategic Level Operational Level SECDEF NAF CC JTF-CND A2 AFFOR AFOSI AFCERT A3 5 AFNOC IW Flight 1 Intel 14 IW Core 14 A6 NOSC-D 16 Tactical Level NOSC Planners 4 AFFOR NOSC NCC NCC NCC AIA UTC 37

Operations function is to engage the Enemy Using Air Space and Info Forces
Combat Operations Must Be Integrated -- NO Stovepipes

Option 1
Chart labels: CINCSPACE JTF-IS AFSPC Offense Defense AFCERT AFNOC AFFOR IO NAF AFFOR CC IW Wing AFFOR A3 6 Groups Sqdrns

Option 1 Support to Warfighting CINCs
Chart labels: CINCSPACE JFC OPCON Chop JTF-IS AFSPC IO NAF IW Wing Offense Defense Groups Sqdrns AFFOR CC
AFFOR A3 6 JFACC AOC IW Flight

Option 1 C2 of AF Enterprise CND
Chart labels: CINCSPACE JFC OPCON Chop JFACC JTF-IS AOC IW Flight AFSPC AF Enterprise IO NAF IW Wing Groups Offense Defense Sqdrns AFFOR CC AF Level AFFOR A3 6 MAJCOM NOSC 24 7 OPCON of CND Functions Base NCC

Option 2 Relationship w Flights
Chart labels: CINCSPACE JFC OPCON Chop JTF-IS AFSPC IO NAF IW Wing Offense Defense Groups Sqdrns AFFOR CC AFFOR A3 6 JFACC AOC IW Flight

Option 2 C2 of AF Enterprise CND
Chart labels: CINCSPACE JFC OPCON Chop JFACC JTF-IS AOC IW Flight AFSPC AF Enterprise IO NAF IW Wing Groups Offense Defense Sqdrns AFFOR CC AF Level AFFOR A3 6 MAJCOM NOSC OPCON of CND Functions at Higher INFOCONs Base NCC

Option 3 No Change from Current
AF Service IW Chain
Chart labels: AFSPC Air Force Lead AFMC AFSOC AMC ACC Spec Ops Lead MAF Lead CAF Lead CINC ANG AFRC AETC ORD AC2ISRC PACAF MAP USAFE

ORD and MAP Transition to AFSPC
Recommendations
o AMC finishes preliminary ORD forwards to XOR for coordination AC2IWRC completes FY00 MAP
  - AFSPC takes lead for both
o CND and IA doctrinal distinction codified in AFDD 2-5

Backups

CIO Responsibilities

CND More Than Net Management
o Ties Directly to Commander's Warfighting Objectives
o Scenario: Hacker attack threatens network providing F-117 imagery. Shutting down network could disable near-term air ops. Operational risk management decision required.
o Enemy Attacks Can Affect Us Across Info Systems, not just Networks
o Scenario: Iraq jams GPS, intelligence and comm satellites in conjunction with computer network attacks and physical attacks. Operations must coordinate all three reactions.
o Synergy of Computer Network Attack, Exploitation and Defense -- all connected functions engaging the enemy

Future IW Organization Must Cover Functions from Passive Defense to Offense
Chart labels: Info Assurance Active Defense Internal Active Defense External Offense

Future IW Organization Must Cover Functions from Passive Defense to Offense
Chart labels: IO NAF IW Group Network Operations AFNOC Incident Response AFCERT AFFOR A3 6 Active Defense No Existing
Organization Aggressor Sqdn NOSCs NCCs AFFOR CC Red Teams Offense Engineering Support AFWIC EA AFCA et al

CND Paradigm
Per Joint Staff Briefing to JCS Tank 23 Jul 98
Computer Network Defense is not IO and not IA
Chart labels: Information Operations Defensive IO Information Assurance Computer Network Defense

The IA - CND Relationship
Chart labels: Outward Focused Engages Enemy Active Requires Ops Expertise CND IA TASKS TASKS Connection Denial Trackback Attack I W Intel Net Management Sys Administration Maintenance Patches Inward Focused Doesn't Engage Enemy Passive Requires Net Mgmt Expertise

Info Assurance '00 to '03 POM Funding Summary

Program                       FY98   FY99   FY00   FY01   FY02   FY03   Total
Base Information Protection   58.0   40.0   24.8   61.8   37.0   21.8   243.4
PKI COMSEC                    59.7   62.4   61.3   62.9   65.8   66.9   379
AFIWC AFCERT                  38.6   47.8   48.5   49.2   54.0   55.4   293.5
IWS                            8.9    5.6    6.6    6.7    6.8    6.9    41.5
Research and Development       5.0    8.4    8.1    7.4    7.1    7.2    43.2
FYDP Total                   170.2  164.2  149.3  188.0  170.7  156.4

Explaining the Different Perspectives
o XO: CND is warfighting -- defenses to engage enemy in cyberspace, integrated with offensive action and other combat operations
  - Tied to a commander's warfighting objectives
  - Requires accurate assessments of defensive status and capabilities
  - Warfighters require mechanisms for operational control over attack detection, response and recovery
o SC: CND is part of network management -- should not be separated from info assurance
  - OPTN provides base network management capabilities
  - CITS BIP tools for base continue to be deployed

What's Missing from the SC's Picture
o Defending against an interacting enemy different than recovering from a natural disaster -- no enemy changing his attack in response, no deception, PSYOP, counterintel
o Other CND activities (intel, I W, attack) outside SC purview
o SC lacks operational perspective -- planning to outsource net management while insisting networks are weapon systems
o SC overselling current CND capabilities
  - Limited coverage provided by ASIMs and sustainment ends 1
Oct 99 with no plans for continuance
  - Implementation plans for Base Information Protection BIP Intrusion Detection System replacement flawed
  - Extensive presence of backdoors into AF networks behind ASIM coverage and firewalls

Recommendations
Air Staff MAJCOM AOC Base
o AF XOI assume responsibility for a new CND PE including funds currently programmed for AFIWC AFCERT IWS and MAJCOM base CND activities
o Move AFCIC SYNI technical and comms/computer expertise under AF XOI to enable an integrated operational focus to planning, programming and implementation of AF CND
o Consolidate MAJCOM CND functions in DO
o Air Operations Center CND activities be aligned under A-3 5 vice A-6
  Supported by ACC DO
o Move base Comm Squadrons from Support Group to Ops Group

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037. Phone 202 994-7000, Fax 202 994-7005, nsarchiv@gwu.edu