Cyber security, an Air Force punchline?

Many U.S. generals will openly admit to knowing little about one of the threats they all agree is one that is most dangerous to U.S. national security — cyber security. Yet those same generals have often used their lack of knowledge on the subject as a punchline.

Air Force Chief of Staff Gen. Mark Welsh stood up at the Air Force Association’s annual conference Sept. 18 and admitted he didn’t know what an IP address was. The comment drew plenty of laughter from the crowd of airmen and defense industry officials.

The Air Force’s top officer said he twitches when he says the word “cyber.” He explained that “we have a lot of people in this discussion who don’t really know what they’re talking about” when it comes to cyber issues.

“I know because they’re all like me,” Welsh said to more laughter from the crowd.

He didn’t question whether the Air Force needed to take cyber security seriously. He sees it as a priority. Welsh called it the future — “no doubt in my mind.”

“Everything we do can be affected either by or through [cyber],” Welsh said. “In either a good or a bad way.”

However, the Defense Department already receives about 10 million cyber attacks every day. Cyber analysts suspect potential enemies are already establishing cyber war plans in case of a military engagement with the U.S.

Welsh pleaded with cyber experts to dumb down the way they explain threats to Air Force leaders.

“When you come to educate us, don’t come in using cyber talk,” Welsh said.

The Air Force four-star said he worried the investments made in cyber could be disappearing into a “black hole.” Welsh will wait until he understands the cyber topic better, he said.

“So you just need to know I’m going to be going a little slow on the operational side of cyber until I really understand what we’re doing,” he said. “I’ll be the one you’re dragging, Willy. I’ll warn you now.”

An Air Force officer, who asked not to be named, said as he walked out of the speech that he was surprised to hear the Air Force chief of staff plead ignorance.

“Can you imagine if he said something like that about aircraft or weapons or nuclear weapons?” the Air Force major said. “It would never happen. They’d run him out of the Pentagon.”

Welsh told the crowd the Air Force might have to wait awhile before they have the leaders in place with the appropriate cyber background to make decisions on the subject.

“In 30 years you’ll have experts making these decisions,” Welsh said. “Right now you’ve got idiots helping make these decisions. So common sense, plain English will really help us.”

About the Author

Michael Hoffman
Michael Hoffman is the executive editor at Tandem NSI and a contributor to He can be reached at
  • blight_

    Isn’t this the same crap that occurred when the Army divided itself between the up and comers who were talking mechanized warfare and the old timers who weren’t?

    Or the pro-battleship vs pro-carrier?

    A good amount of what happens in warfare is predicated on seeing what technology can deliver the warfighter or what new fields of combat are opened, then use those skills accordingly.

    • Carbon43

      Furthermore, I think that while what he’s saying certainly isn’t politically correct, or the best thing to be saying in a public speech, it is refreshingly honest. It acknowledges that he comes from a different time period, and needs things explained to him in a simple and straightforward way. (This is speaking as a technophile) I’d rather he admit that and give me a starting point than ignore the conversation or pretend to understand stuff he has no clue about.

      • blight_

        If the Air Force was born by splitting off of the Army, it won’t be long before we develop either a civilian or military analogue.

        Nobody expects the air force to understand how amphibious landings work, so why are we putting them in charge of military cyberwarfare and nation-state cyberdefense?

        Additionally, the AAC leveraged talented civilians and the nascent aviation industry to become better. It seems that the military has forgotten that it takes early pioneers in the system to communicate and build ideas with the civilian community to make something grow.

        • tmb2

          Considering each service has its own cyber personnel in almost fully developed career paths, it should be a joint command billet if it isn’t already. Depending on how much authority the commander of Cyber Command is given, there will be non-geek Generals (and members of Congress) making decisions affecting cyber defense/attack.

          • blight_

            The services will continue to need personnel for their own cyberdefense needs; either crosstraining with any future civilian/military cyber branch or seconded from a central branch.

            The thing about cyberwarfare is that it requires a different skillset than the one required to drop a bomb on an enemy or to clear a house. However, one could argue that any nation-state arm involved in direct, recognized attack on another, be it by planes, Marines, soldiers or tanks, is a military branch. Thus, a cyber attack by a nation-state player that does not hide its identity would be a military branch.

            Perhaps SOCOM might be a model for a cyberwarfare branch. Personnel seconded from a variety of services…but in terms of IT, most of your experts and best hackers will be civilians, and will want little or nothing to do with the military, let alone the government. Any cyber branch is likely to have its fair share of civilian CS guys, and can you imagine any staff college including courses on privilege escalation to install malicious code?

            Maybe TheHackerNews should be required daily reading for the people at the top…

          • tmb2

            We already have a fair number of DA civilian or contractor personnel in our cyber offices, especially on the network defense side of the house. Automations and networking is done by plenty of soldiers, but you’re right that it gets ridiculously specialized when you’re talking about actual cyber warfare.

      • Doctor Prosoco

        I’m glad his comments are not politically correct or a best thing for a public speech. At least he’s honest and that’s what you need.

        • blight_

          Points for honesty, but it means they should’ve looked carefully for a younger officer to put in charge. Fast-tracking someone to general’s stars has been done before to fill in a skillset deficiency up top..

          • tmb2

            The guy in the article is the Air Force Chief of Staff. He’s not the head of AFCyber.

    • Matt

      At least they’re acknowledging that it’s a dominant force of the future. That’s a lot better than the people in the 1930s who saw trench warfare as the definitive war of the future or those in the 1860s who still favored head on charges against dug in enemies.

  • Zed

    Everyone knows China would do the US what the US and Israel does to Iran, should the need arise. They have the added advantage of many of the parts made in China.

  • Big-Dean

    Too damn funny, I thought the air force were masters of the air, space and cyber space-according to their own mission statements-apparently not!

    • Doctor Poroacoa

      Defeating your own ignorance and acknowledging it is the first step.

  • torquewrench

    “Air Force Chief of Staff Gen. Mark Welsh stood up at the Air Force Association’s annual conference Sept. 18 and admitted he didn’t know what an IP address was.”

    You can be sure that Welsh’s Chinese counterpart knows.

    According to the _Wall Street Journal_, China’s cyberspies have stolen “terabytes” worth of design and test data on the F-35. You’d be surprised at how much key information fits into even just one single terabyte.

    Here’s my own version of Elementary Information Security For Dummies With Stars On Their Uniform. Please feel free to add to it.

    (1) Comb all areas for wireless routers. If you find one, smash it with a hammer and instantly fire the turkey who installed it on sensitive premises. Make it clear the next person who installs one will get hit with the hammer themselves and THEN be instantly fired.

    (2) Air gaps are your friend. Things that can move across air gaps are not your friend. Remove CD/DVD optical drives and especially burners. (This would have thwarted the massive Bradley Manning leak.) Confiscate and ban thumb drives. Crush all that removed and confiscated stuff with the same hammer you used in (1). Plug USB and Firewire ports with epoxy.

    (3) Microsoft Windows delenda est. I always laugh to hear the media talk about “computer viruses”, when the absolutely overwhelming preponderance of those viruses are not generic to computers in general, but highly specific to Windows, the leakiest and buggiest major operating system ever offered up. Of course, the geniuses at the five-sided loony bin on the Potomac have standardized on… Windows. Awesome.

    (4) Impose strict liability upon outside contractors for the security of government defense information entrusted to their systems. If that information is later found to have been compromised while in their possession, clawback of contract proceeds will ensue. (Yeah, like THIS will ever happen in the world of the military-industrial-Congressional complex.)

    • blight_

      Everyone goes for windows because everyone’s on windows.

      Though something with Unix underpinnings (Macs have FreeBSD, Linux has Unix…) might be safer?

      • tiger

        Confirmed non Winblows user.

        • blight_

          When you give admin/root/sudo privileges to a process you don’t fully understand, you’ve already lost.

    • Matt

      Honestly, a Chinese general born and raised in a similar era as Gen. Welsh probably wouldn’t know much better.
      Remember, this man is not single-handedly responsible for the USAF’s cyber security. America has plenty of young airmen who grew up with computers and actually understand them.

      • blight_

        Depends. If they’re smart they will fast-track the careers of young officers…and if they can’t find it in the military culture, then they will stand up hacker capability in their intelligence services.

        I don’t think they care so much if they wear uniforms or not, just if they can strike and strike hard.

    • Blue 1

      #2 is a great idea, until the share drive takes a dump. Ever try to share information with a co-worker only you have no electronic medium to transfer data with? The ‘Old Man’ ain’t waiting for the share drive, a 1300 Meeting is still a 1300 Meeting unless the building is on fire. There are operations which are time sensitive in nature; given that, I’ll be ripping epoxy out to install an external drive.

      Contrary to popular belief, you can not thwart events and people like Bradley Manning except with involved Leaders and Supervisors. The simple fact that the information and the person are in the same room is enough for a leak of catastrophic size.

      • blight_

        You could always open up the computer, disconnect the epoxied PCB with USB ports from the mobo and grab another one…or plug in a SATA hard drive then connect it to a SATA to USB enclosure.

        • UAVGeek

          There’s a saying in IT that if you have physical access, it’s already over.

    • elmondohummus

      Whoa, whoa, whoa… while you’ve got some kernels of truth in your post, you’ve also put some serious overreaction and misunderstanding in it.

      1. Are you talking about unauthorized, user installed wireless routers? If so, then yes, you’re right: An organization must be vigilant about non-organizationally blessed extensions of the network specifically for security. But if you’re talking about wireless networking period, then that’s an overreaction: 802.1x & WPA2-Enterprise can give an organization sufficient wireless security. And if you’re smashing access points but not implementing controls on your network (for example: Physical control of what goes into data jacks, traffic control and security i.e. implementing IPSec traffic between endpoints with sensitive data, IPS/IDS implementation, equipment auditing, etc.), then you’re just as wide open to infiltration or attack as you would be with an open wireless router. You’re just not going to see anyone attack it wirelessly, that’s all.

      • The_Hand

        Just to nitpick, WPA2 isn’t secure enough by itself. You have to assume it’s being eavesdropped on and you can get through the AES encryption in a day or two. You have to encrypt at the endpoints, for example using IPSec as you suggest, in order for that traffic to be considered secure. And you still have to reestablish the tunnels periodically to make sure eavesdroppers haven’t gotten through that.

        Wireless is also trivially easy to jam/DOS.

        • UAVGeek

          Actually it’s not trivially easy. You can degrade the performance of it quite a bit, but it’s quite difficult to blanket entirely, esp. if you have your network set up the right way. You can also go a long way towards better security by employing 802.1x and WPA2 Enterprise.

    • elmondohummus

      3. It is incorrect to imply that there’s not a way to implement a secure MS Windows environment, and you also ignore the fact that with an organization as large as the military, you NEED centralized control and standardization of platform. Windows in conjunction with technologies like Active Directory, SCCM (Microsoft System Center Configuration Manager), WSUS/Secunia/Shavlik patch management, etc. gives incredible and important centralized control, and that’s not trivial when you’re talking something the size of the military.

      • elmondohummus

        What’s all too often missing in critiques of Windows is the fact that Microsoft has one of the best management tools for “enterprise” organizations (aka places that manage thousands of computers across dozens to thousands of different geographic locations). You can definitely secure the hell out of a Linux system (I love Tripwire for *nix, but hate the versions adapted for Windows), but deploying that across 200,000+ computers across 2,500 miles is a whole other adventure. Sure, there’s ZENworks for Linux desktops, but Active Directory stuff is embedded in Windows, and Windows/AD are designed to work together. Secure deployment, on the fly organizational configuration change, and patch management is a whole hell of a lot less adventurous for a place that’s got XP, Vista, and Win7 computers than it is one that’s got to account for Ubuntu, SuSE, RHEL/Fedora, Mac OS (that’s Mach/BSD based, so it fits under the “Unix” rubric), etc.

        • elmondohummus

          I unreservedly grant that Windows is the top compromise target, and also that it’s frustrating to have to deal with the boatload of compromise issues that occur on a regular basis. There’s no denying that. But like I said above: What’s missing is the fact that for a large organization Windows system compromises can be configured against, responded to, and mitigated centrally because of the Microsoft tools that are available. And that’s far from being trivial or irrelevant. If I were a Pentagon based administrator and I was aware of an impending compromise in the wild, I could simply write a “Group Policy Object” that mitigates it and deploy that at once across the local networks as well as the internet to all the regional locations I’m responsible for from my office. That task is more difficult – as well as more painful – with other operating systems.

          As an individual workstation, Windows has severe, maddening security flaws. Hell, half of my own job is sucked up by those. But in aggregate, networks composed of centrally managed Windows machines along with the management technologies Microsoft provides can more effectively respond en masse to threats than other setups.

    • UAVGeek

      Uhh comb the area for wireless routers? This ain’t 2002. It is possible to set up air monitoring in wireless networks with automated rogue AP smashing. In a corporate environment this may not be appropriate but in a secured military one it may be. There are off the shelf solutions that you can buy that will identify, locate and functionally disable any wireless AP plugged into your network that is not authorized. The brute force methods you suggest are not only unnecessary but a waste of time and manpower.

  • Clarence

    Isn’t the NSA and the CIA the USCC right now? Don’t they handle the cyber warfare right now? Correct me if I’m wrong.

  • Zach

    “Smash it with a hammer”, “fill it with epoxy” that’s precisely the difference the military doesn’t get. You don’t need and it can be counter productive to apply physical force to what is really a software issue. I can disable your usb ports, cdrom drive, microphone, camera in software. If you can’t get that right the rest of your security probably sucks. If you can just plug a wifi router into your network and get access then you’ve got some network security issues. Making policies and punishing people who don’t know any better is not going to protect you from a sophisticated adversary.

    • Blue 1

      I do like the hammer idea, nothin’ says Friday afternoon better than smashing/damaging military purchased equipment (of course there is an associated statement of charges and 15-6). It’s almost as good as making 20x 30 page copies of a briefing, then shredding 19 of them because they only needed them to follow the slides…

  • Big-Dean

    The air force is the only branch who states the ‘cyber’ space is a part of their core mission-

    “The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of America and its global interests — to fly and fight in Air, Space, and Cyberspace. ”

    Here’s the Navy

    “The mission of the Navy is to maintain, train and equip combat-ready Naval forces capable of winning wars, deterring aggression and maintaining freedom of the seas.”


    “shall, at any time, be liable to do duty in the forts and garrisons of the United States, on the seacoast, or any other duty on shore, as the President, at his discretion, shall direct.”


    The Army exists to serve the American people, to defend the Nation, to protect vital national interests, and to fulfill national military responsibilities. Our mission is enduring: to provide necessary forces and capabilities to the Combatant Commanders in support of the National Security and Defense Strategies.

    But the only cyber thing the air force protects is the air force’s! They do not protect the cyber assets of the other branches or of the DOD as a whole. And I find it amusing that they make a big deal about it.

    On the other hand, US Cyber Command is a joint command that coordinates all DOD cyber activities, including the air force’s. It can be commanded by a member from any branch of the services.

    • JMLaser1

      Who do you think oversees the Cyber Command? The Secretary of the Air Force. So indeed the Air Force is responsible for the entire DOD Cyber Security.

  • elmondohummus

    I think it’s being oversensitive for the general to worry about flag rank cyber expertise. Non-military government agencies as well as non-governmental organizations (I’m thinking businesses, educational organizations i.e. college systems, area school systems, etc.) face that exact same problem – A non-IT experienced individual being the business administrator for the IT divisions within the organizations – and they’re able to deal with it just fine. As the general noted: The key is to be able to communicate clearly what the issues are and what recommendations logically flow from that. It doesn’t have to be “cyberspeak”, and in truth, at the C-exec level of business (the closest thing I can think of that compares to flag rank in the military), it isn’t that any longer.

    I don’t have to explain what a port is in networking and operating system terms in order to explain what firewalling does. I can simply create an analogy to radio transmission channels, which is something any flag ranked officer should understand. Or even doors in a building, if I must (which would make explaining NAT – “Network Address Translation” – an adventure, but I digress…). (Cont’d…)

    • elmondohummus

      … cont’d:

      I don’t necessarily have to explain what buffer overflows, command injections, use-after-free errors, cross-site scripting, yadda yadda are in order to get across that many vulnerabilities take advantage of unpredicted ways operating systems react to commands. I can simply abstract things with the explanation that malicious programmers (i.e. “hackers”, although 1950’s era MIT computer geeks would loudly object to that application of the term) can find weaknesses in operating systems and force commands through, then go on to explain why aggressive patch management, “principle of least privilege”, etc. is utterly important in an organization. (Cont’d…)

      • elmondohummus

        … cont’d:
        I understand that the general feels a bit sensitive about not having the technological understanding he feels is necessary to handle the job being thrust upon military leadership in the modern, internet era. But it’s the same challenge that every C-level exec and large organization administrator faces. The honestly important thing is to make sure that the IT staff that actually executes the IT plans understand things and can explain them clearly to “upper management”. And the other half of that is to have a C-level – or in the military, a flag rank – staff who are good at listening to and learning from those experts. If you have that, you can do okay. (Cont’d…)

        • elmondohummus

          … cont’d:
          Now, of course, high ranking expertise is nothing to sneeze at. It got my attention that a 2009 study of hospitals noted that the best quality of care came from Medical Doctor administered facilities (Source: “Perspective: Educating Physicians to Lead Hospitals,” Academic Medicine, Gunderman, Richard MD, PhD; Kanter, Steven L. MD). It does ease communications to have relevant expertise at the top. But at the same time, we’re also all aware of the truism that it’s not always the best players that make the best coaches: College basketball’s Bob Knight was never an outstanding college player, and the NFL’s Bill Belichick never even played. And on the flipside, outstanding NBA player Isiah Thomas and all-time legend Michael Jordan are not exactly known for good management of the business side of basketball teams. My point behind all of that is to note that it is indeed nice to have relevant topic expertise in the top ranks, but it’s not essential. An organization can function quite well without it if need be.

          • FMJohnson

            Elmondohummus — you should edit all this together as an opinion piece and offer it to Defense Tech. It’s great.

          • blight_

            To spin it better, you could offer that Guderian was a communications specialist and Rommel’s background was infantry, yet both became known for mobile warfare.

  • Sgt. Bilko

    Military deception at its finest.

  • crazy

    Sad. Is it any wonder we’re plagued by unauthorized disclosures and persistent weapon system software delays and integration failures? Meanwhile let’s transform to unmanned systems…

  • Paul M. Albert, Jr.

    As a veteran Army Artillery Officer I proudly note that the Army Mission Statement starts by saying “The Army exists to serve the American people…”

  • bbb

    He has a point. The guys in charge now don’t know about computers, and all he wants is for the guys who report to him to use English that old men can understand.

    The fact that he’s using his lack of knowledge as a joke says to me that he at least has some basic knowledge. Otherwise he’d keep his mouth shut and use an internal memo instead of a speech.

    Compared to generals of yesteryear who stifled innovation with every decision they made, I’d call him progressive.

    The list of things generals have hated in spite of common sense is long enough to fill a few books.

  • Louis Ciufolo-Dickey

    If the Air Force, nay all the military leaders, wait 30 years to have educated leaders in place to make cyberspace decisions, we’ll be done for. I don’t think the general was serious about what he said. The dangers of coordinated attacks using conventional armies with coordinated cyberattacks could and would be I am sure the head of USCYBERCOM is well aware. I am surprised at his comments as the Air Force was one arm of the military that recognized the threat early on.

  • Gio

    Most of institutions are too big, but the headers need to know something about include if there are a specialized department that drive the cyber war. The chief could be go to the meeting with a member of the staff, but the chief need to know about www and systems. The war only will be used when a country is affected or is in dangerous situations. The army will be apart of economic matters. Army is to serve the nations and citizens, not to the corporative staff. But the cyber war is a reality in this time. This is the time when the information is the clue for all the nations and industries. Freedom, Peace and Honor is the goal of the Army. War only if is necessary

  • Bob

    I would suggest that Cyber is now part of the world battlefield and if you are going to be a leader in any branch of today’s military you need to educate yourself as part of your job responsibilities. If you are not qualified to make intelligent decisions on the expenditure of resources in order to maintain an adequate defensive and offensive posture then you are just not qualified to do the job. In the civilian sector people are replaced when they cannot do their job.
    That being said it also falls on the computer/network folks to do their best to communicate effectively however most of the people who do talk to the upper layer of general officers do not have a solid understanding of IT, and the threats and opportunities it provides.

  • guest

    There are some people in charge of Cyber Security who passed certifications, like the CISSP, but they are just managers and don’t really understand technology. They come from other fields and ended up as Managers in Cyber Security. So that to me is an even bigger problem.

  • Cyber Tyger

    “one of the threats they all agree is one that is most dangerous to U.S. national security — cyber security”

    I work in Cyber Security. I guess I’m a threat? Maybe the writer meant the lack of cyber security understanding is a threat. But actually that would be a vulnerability, not a threat.

  • ServedatMoodyAFBtoo

    According to the General’s official bio, in 1987 he received a Master of Science degree in computer resource management, Webster University, paid for courtesy of the U.S. taxpayers. I have no formal computer training, but I have known what an IP address is for many years. Maybe he should have studied a little harder in school?

    • JMLaser1

      Putting this into context, in 1987 computer resource management dealt with prioritizing access to the installation’s Main Frame. As late as 1992 over 90% of the PCs operated by the military were stand alone units which were allocated a few minutes each day to transfer data to the mainframe via modem. Having been on active duty in the Air Force during this period, the first time I saw real time network access was 1994.
