Michael Peterson | Taking command in cyberspace

What is the status of Cyber Command? We have made some significant strides in the past year. The whole vision was announced in 2005 [by] our current secretary, Michael Wynne, and our chief of staff, Gen. Michael Mosely, [who] directed that we stand up a separate major command.So in 2005 to 2006, the planning work began, and [in 2007], we had a notion of what we wanted to do. In December 2007, Secretary Wynne signed the program management directive to stand up the Air Force Cyber Command and what it looked like. So by Oct. 1, 2008, we will have the initial operational capacity.Many of the things in the Air Force Network Operations and Information Operations will be in Cyber Command, but our definition of cyberspace is much broader than that [and] includes electronic warfare. It includes directed energy so you will also see electronic warfare systems and the management and operations of the radio-frequency spectrum. It's a pretty big portfolio that will unfold.Lots of work is left to do so we have a provisional command in place right now to do the staff work, write the directives [and select a location] for the wings associated with Cyber Command's headquarters. We need a provisional command to lead [the selection process], but it will be advised by or informed by all of the environmental laws and by our engineering teams. Before we put it anywhere, there has to be an environmental assessment, so doing it properly takes months. The military is starting to reconcile its traditional emphasis on data security with a more open posture on data sharing. Do you believe the military's stringent security requirements are compatible with the trend of increased data sharing? They are not incompatible. In fact, I met recently with John Grimes [the Defense Department's chief information officer], Dave Wennergren [DOD deputy CIO] and Lt. Gen. Charles Croom [director of the Defense Information Systems Agency], and a large part of our discussion was the topic of sharing and securing information.If you look at industry, you can see what they've done in information security. Look at how Amazon runs its networks or its public-facing Web capability. They do it through a technique called demilitarized zones, or DMZs, which are simply buffers.You place the data you want exposed in an environment where everyone can see it, use it and manipulate it, but you don't expose your internal databases to the public.We're working through what a joint architecture will look like right now. [The Air Force] had gone down a path that didn't look like it was going to be compatible in the end with the joint environment, so we have pulled that effort back, and we will fall in with the [architectural] work DISA is doing. DISA's work is not complete so how we can move to DMZs was a large part of the meeting. Have you seen more malicious traffic on the Air Force's networks recently, and would you characterize any of the hostile activities as organized or state-sponsored cyberattacks? We see cyberattacks continuously, minute by minute throughout the day, and they're much more sophisticated than before.Early on, we saw denial-of-service efforts that looked for ways to shut down DOD networks. Now, more and more, they're using techniques to try to exfiltrate data from our networks.That's a big deal because when we fight, much of the support and preparation is done across the Internet or the military form of the Internet.That's certainly true for the private sector that we have to do business with ' for example, all of our logistic partners and suppliers, the transportation community and certainly the medical community.A simple example is doing business [on the Internet] with the blood bank system that's a civil or commercial [enterprise] around the world. So we are tightly linked with the Internet,, and we will remain tightly linked with the Internet.We have exposed ourselves to attacks because of that, and the attacks are becoming more sophisticated and are less of an attempt to shut us down and more of an attempt to get information from our networks.But at the same time, we've become much more sophisticated in our response through the leadership of U.S. Strategic Command, first under [Marine] Gen. James Cartwright and now under [Air Force] Gen. Kevin Chilton, who were responsible for the Global Information Grid, which is the U.S. military's Internet. Is there a technology or combination of technologies that DOD can deploy across all of its networks that will help the military share data with greater transparency without compromising data security? Most of us understand service- oriented architecture, and the beauty of that is that it was designed with sharing in mind.One of the hurdles today is that we build systems that are enclosed or encapsulated by the security environment, and it's very hard to get information out. It's physically difficult because you have to have a very specific password and user name or a security token to get into the system to extract information.In a SOA environment, you expose the data that you want to share upfront, and you can expose it broadly or more narrowly depending on the line of business or mission area that you're supporting.So going down the path of SOA lets us create an environment for sharing information when we start building any new capability. And identifying people and devices on the network through publickey infrastructure-compatible security tokens also lets us protect information.Today, if there is a defined mission thread, you can get to any information that you need ' for instance, on the Air Force Distributed Common Grounds System, which is how we analyze surveillance products.The tools in that system were built to meet Air Force requirements, but you can access that capability if you need to get to its targeting service ' for example, if you're [a non-Air Force user] at a joint headquarters or you're an Army [noncommissioned officer]. We simply have to give you a user name and password to get you through a portal to get to the capability. But we can't authorize that user on the fly as easily if we haven't defined a mission thread.So we want an environment where I can easily and immediately give you access to the service or information you need if I know who you are without [needing] an engineering team or having to pay for changes to a system.