Compliance only gets you so far, explained one senior official.
The Air Force is working to escape the patch cycle with a new cyber-resilience strategy that keeps the mission going even when under attack.
"Resilience is not about protecting [against] the data breaches," said Daniel Holtzman, cyber technical director for the Air Force Materiel Command's life cycle management center. "It's about executing the mission, where the security side of the house, in our view, looks at how you protect the information so I can't execute my mission."
"How do we build things to be more secure?" Holtzman asked during a Nov. 7 presentation at Defense IQ's ISR & C2 Battle Management conference. "And how do I address the systems that I've built over 30 years that weren't designed in this space, when we didn't know about this space and we don't have enough Band-Aids to apply?"
Holtzman outlined the Air Force's seven lines of action for its Cyber Resilience Office for Weapons Systems (CROWS), which became fully operational in October: cyber mission thread analysis; integrating system security engineering or cyber resilience into security engineering; cyber workforce development (education and training); developing weapons systems agility and adaptability; creating a common security environment; assessing and protecting fielded fleet; and using intelligence to enhance communication.
CROWS is a small team of five or six, Holtzman said, with connectivity across the enterprise. Despite having no funding, the group recently stood up a cyber incidence response cell that can address threats, and has a safety mechanism that allows for the team to scrutinize the event and its cause.
So far, specific action items are in process of being developed but Holtzman hopes to have 70 by the end of the year. All of those will feed into the Air Force's overall cybersecurity campaign plan. Additionally, Holtzman plans on having a roundtable discussion with industry by February to get input on identifying other challenges, such as being able to explicitly map out activity for system operators in a way similar to aircraft control.
"Those are the kinds of things we don't appreciate when we're talking about what does cyber mean. Everything is connected to everything," Holtzman said. And determining how much security is "good enough" is what the Air Force, and government writ large, is struggling with.
But it all comes back to education, which Holtzman said was a top priority for service members.
"There's nothing we didn't know. Every instance [of a cyber threat handled by the cyber incidence response cell] so far is of someone not doing something they know they should have done, so engineering is not the solution," he said. "It's about understanding where the trends are so we know how to attack…and educate folks along the way."
The Air Force already has begun efforts to widen cyber education throughout the service and to members' families.
"We've grown up in a, culturally, compliance environment. Just do [now 900] controls and you're safe," Holtzman said. "So to believe you can do just 900 steps and you have security is the kind of challenge that we face."