Cyber Operations: Assuring our Shared Missions Published April 19, 2012 By Col. Rob Lyman 88th Communications Group WRIGHT-PATTERSON AFB, Ohio -- In 2005, the Air Force added cyberspace to our mission statement as one of the warfighting domains where we fly, fight, and win. In 2009, 24th Air Force (24 AF) stood up as the Air Force's operational arm in the cyber domain. Then in 2010, United States Cyber Command (USCYBERCOM) stood up at Fort Meade, MD and was charged with unifying cyber operations DoD-wide. Each of these events acknowledges the importance of operating freely in cyberspace and normalizing cyber operations as an element of combat power. Many overlook that cyberspace is a highly contested domain where we are constantly exposed to new threats and vulnerabilities. That has implications far beyond the Air Force network (AFNET), but with several new instances of malicious software discovered every day, we must be ever vigilant in shoring up and adapting our defenses. Vigilance can not end with our cyber operators in 24 AF or base communications units. Every network user, when conducting day-to-day activities, is part of our cyber defense-in-depth strategy. In recent years, our ability to counteract cyber threats has matured, both in technology and in thinking, but we are still evolving. We have seen new defensive hardware and software implemented Air Force- and DoD-wide, and new policies enacted as a result of cyber security incidents. One of the most noteworthy incidents occurred in 2008 when military networks were infected by a worm that is believed to have been introduced by an infected USB flash drive. To combat it, the DoD launched Operation Buckshot Yankee and immediately suspended the use of USB flash drives on all military information systems. Another game-changing incident occurred in 2009-2010 when an American soldier allegedly copied and leaked thousands of classified documents and videos to a public Web site. Soon after the leak was discovered, USCYBERCOM banned the use of writeable removable media on classified networks and implemented a regimented waiver process to reintroduce removable media. These are both examples where policy was used to mitigate an operational risk. Those examples are just the tip of the iceberg with respect to the threats that exist on the AFNET. Infected flash media and the insider threat join other cyber threat vectors such as social engineering, spear phishing emails, and software vulnerabilities. Using common sense about the personal information you share on social networks and elsewhere can make AFNET users much less susceptible to targeted spear phishing emails, designed specifically to get you to allow malware to download to your system. With so many fronts to defend, it is critical that we immediately comply with the various cyber security-related orders. 24 AF typically disseminates Time Compliance Network Orders (TCNO), which must be acknowledged and complied with by all affected organizations. Though TCNOs may impose actions that are inconvenient, there is always a purpose behind them, even if it is not immediately evident to the average computer network user. Failure to comply in a timely manner leaves our networks, our information, and our missions vulnerable. When the Air Force changed the mission statement to include cyberspace, there were accompanying cultural changes that have been even more impactful. Communications units at all levels no longer just run new communications lines, answer help desk phones, and install new IT capabilities. While communications units still maintain the traditional role of a supporting organization, they now have an equally important operational role as a supported organization. Communications units still retain the legacy mission support role they have always had, but they now also have a responsibility to ensure their portion of the AFNET is secure, compliant with Air Force and DoD cyber policy and directives, and assure our shared missions. Simplistically, "BaseX.af.mil" is their cyber operations area. Keeping it secure cannot be accomplished without support from everyone who has access to military information systems and networks. Making operational risk decisions balancing security with mission requirements now is a very real consideration. So as users decide whether to open that e-mail attachment, click the link to a hilarious video, or plug in a shiny new MP3 player, they should take a moment, remember their Information Assurance training, and make a security-conscious decision. With everyone's help, we will continue to fly, fight, and win in cyberspace.