Cyber security, an Air Force punchline?

Many U.S. generals will openly admit to knowing little about one of the threats they all agree is one that is most dangerous to U.S. national security — cyber security. Yet those same generals have often used their lack of knowledge on the subject as a punchline.

Air Force Chief of Staff Gen. Mark Welsh stood up at the Air Force Association’s annual conference Sept. 18 and admitted he didn’t know what an IP address was. The comment drew plenty of laughter from the crowd of airmen and defense industry officials.

The Air Force’s top officer said he twitches when he says the word “cyber.” He explained that “we have a lot of people in this discussion who don’t really know what they’re talking about” when it comes to cyber issues.

“I know because they’re all like me,” Welsh said to more laughter from the crowd.

He didn’t question whether the Air Force needed to take cyber security seriously. He sees it as a priority. Welsh called it the future — “no doubt in my mind.”

“Everything we do can be affected either by or through [cyber],” Welsh said. “In either a good or a bad way.”

However, the Defense Department already receives about 10 million cyber attacks every day. Cyber analysts suspect potential enemies are already establishing cyber war plans in case of a military engagement with the U.S.

Welsh pleaded with cyber experts to dumb down the way they explain threats to Air Force leaders.

“When you come to educate us, don’t come in using cyber talk,” Welsh said.

The Air Force four-star said he worried the investments made in cyber could be disappearing into a “black hole.” Welsh will wait until he understands the cyber topic better, he said.

“So you just need to know I’m going to be going a little slow on the operational side of cyber until I really understand what we’re doing,” he said. “I’ll be the one you’re dragging, Willy. I’ll warn you now.”

An Air Force officer, who asked not to be named, said as he walked out of the speech that he was surprised to hear the Air Force chief of staff plead ignorance.

“Can you imagine if he said something like that about aircraft or weapons or nuclear weapons?” the Air Force major said. “It would never happen. They’d run him out of the Pentagon.”

Welsh told the crowd the Air Force might have to wait a while before it has the leaders in place with the appropriate cyber background to make decisions on the subject.

“In 30 years you’ll have experts making these decisions,” Welsh said. “Right now you’ve got idiots helping make these decisions. So common sense, plain English will really help us.”

About the Author

Michael Hoffman
Michael Hoffman is the executive editor at Tandem NSI and a contributor to Military.com. He can be reached at mhoffman@tandemnsi.com.
  • blight_

    Isn’t this the same crap that occurred when the Army divided itself between the up and comers who were talking mechanized warfare and the old timers who weren’t?

    Or the pro-battleship vs pro-carrier?

    A good amount of what happens in warfare is predicated on seeing what technology can deliver the warfighter or what new fields of combat are opened, then use those skills accordingly.

    • Carbon43

      Furthermore, I think that while what he’s saying certainly isn’t politically correct, or the best thing to be saying in a public speech, it is refreshingly honest. It acknowledges that he comes from a different time period, and needs things explained to him in a simple and straightforward way. (This is speaking as a technophile) I’d rather he admit that and give me a starting point than ignore the conversation or pretend to understand stuff he has no clue about.

      • blight_

        If the Air Force was born by splitting off of the Army, it won’t be long before we develop either a civilian or military analogue.

        Nobody expects the air force to understand how amphibious landings work, so why are we putting them in charge of military cyberwarfare and nation-state cyberdefense?

        Additionally, the AAC leveraged talented civilians and the nascent aviation industry to become better. It seems that the military has forgotten that it takes early pioneers in the system to communicate and build ideas with the civilian community to make something grow.

        • tmb2

          Considering each service has its own cyber personnel in almost fully developed career paths, it should be a joint command billet if it isn’t already. Depending on how much authority the commander of Cyber Command is given, there will be non-geek Generals (and members of Congress) making decisions affecting cyber defense/attack.

      • Doctor Prosoco

        I’m glad his comments are not politically correct or a best thing for a public speech. At least he’s honest and that’s what you need.

        • blight_

          Points for honesty, but it means they should’ve looked carefully for a younger officer to put in charge. Fast-tracking someone to general’s stars has been done before to fill in a skillset deficiency up top.

          • tmb2

            The guy in the article is the Air Force Chief of Staff. He’s not the head of AFCyber.

    • Matt

      At least they’re acknowledging that it’s a dominant force of the future. That’s a lot better than the people in the 1930s who saw trench warfare as the definitive war of the future or those in the 1860s who still favored head-on charges against dug-in enemies.

  • Zed

    Everyone knows China would do to the US what the US and Israel do to Iran, should the need arise. They have the added advantage of many of the parts made in China.

  • Big-Dean

    Too damn funny, I thought the air force were masters of the air, space and cyber space-according to their own mission statements-apparently not!

    • Doctor Poroacoa

      Defeating your own ignorance and acknowledging it is the first step.

  • torquewrench

    “Air Force Chief of Staff Gen. Mark Welsh stood up at the Air Force Association’s annual conference Sept. 18 and admitted he didn’t know what an IP address was.”

    You can be sure that Welsh’s Chinese counterpart knows.

    According to the _Wall Street Journal_, China’s cyberspies have stolen “terabytes” worth of design and test data on the F-35. You’d be surprised at how much key information fits into even just one single terabyte.

    Here’s my own version of Elementary Information Security For Dummies With Stars On Their Uniform. Please feel free to add to it.

    (1) Comb all areas for wireless routers. If you find one, smash it with a hammer and instantly fire the turkey who installed it on sensitive premises. Make it clear the next person who installs one will get hit with the hammer themselves and THEN be instantly fired.

    (2) Air gaps are your friend. Things that can move across air gaps are not your friend. Remove CD/DVD optical drives and especially burners. (This would have thwarted the massive Bradley Manning leak.) Confiscate and ban thumb drives. Crush all that removed and confiscated stuff with the same hammer you used in (1). Plug USB and Firewire ports with epoxy.

    (3) Microsoft Windows delenda est. I always laugh to hear the media talk about “computer viruses”, when the absolutely overwhelming preponderance of those virii are not generic to computers in general, but highly specific to Windows, the leakiest and buggiest major operating system ever offered up. Of course, the geniuses at the five-sided loony bin on the Potomac have standardized on… Windows. Awesome.

    (4) Impose strict liability upon outside contractors for the security of government defense information entrusted to their systems. If that information is later found to have been compromised while in their possession, clawback of contract proceeds will ensue. (Yeah, like THIS will ever happen in the world of the military-industrial-Congressional complex.)

  • Clarence

    Isn’t the NSA and the CIA the USCC right now? Don’t they handle the cyber warfare right now? Correct me if I’m wrong.

  • Zach

    “Smash it with a hammer”, “fill it with epoxy”: that’s precisely the difference the military doesn’t get. You don’t need, and it can be counterproductive, to apply physical force to what is really a software issue. I can disable your USB ports, CD-ROM drive, microphone, camera in software. If you can’t get that right the rest of your security probably sucks. If you can just plug a wifi router into your network and get access then you’ve got some network security issues. Making policies and punishing people who don’t know any better is not going to protect you from a sophisticated adversary.

    • Blue 1

      I do like the hammer idea, nothin’ says Friday afternoon better than smashing/damaging military purchased equipment (of course there is an associated statement of charges and 15-6). It’s almost as good as making 20x 30 page copies of a briefing, then shredding 19 of them because they only needed them to follow the slides…

  • Big-Dean

    The air force is the only branch who states the ‘cyber’ space is a part of their core mission-

    “The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of America and its global interests — to fly and fight in Air, Space, and Cyberspace. ”

    Here’s the Navy

    “The mission of the Navy is to maintain, train and equip combat-ready Naval forces capable of winning wars, deterring aggression and maintaining freedom of the seas.”

    Marines

    “shall, at any time, be liable to do duty in the forts and garrisons of the United States, on the seacoast, or any other duty on shore, as the President, at his discretion, shall direct.”

    Army

    The Army exists to serve the American people, to defend the Nation, to protect vital national interests, and to fulfill national military responsibilities. Our mission is enduring: to provide necessary forces and capabilities to the Combatant Commanders in support of the National Security and Defense Strategies.

    But the only cyber thing the air force protects is the air force’s! They do not protect the cyber assets of the other branches or of the DOD as a whole. And I find it amusing that they make a big deal about it.

    On the other hand, US Cyber Command is a joint command that coordinates all DOD cyber activities, including the air force’s. It can be commanded by a member from any branch of the services.

    • JMLaser1

      Who do you think oversees the Cyber Command? The Secretary of the Air Force. So indeed the Air Force is responsible for the entire DOD Cyber Security.

  • elmondohummus

    I think it’s being oversensitive for the general to worry about flag rank cyber expertise. Non-military government agencies as well as non-governmental organizations (I’m thinking businesses, educational organizations i.e. college systems, area school systems, etc.) face that exact same problem – A non-IT experienced individual being the business administrator for the IT divisions within the organizations – and they’re able to deal with it just fine. As the general noted: The key is to be able to communicate clearly what the issues are and what recommendations logically flow from that. It doesn’t have to be “cyberspeak”, and in truth, at the C-exec level of business (the closest thing I can think of that compares to flag rank in the military), it isn’t that any longer.

    I don’t have to explain what a port is in networking and operating system terms in order to explain what firewalling does. I can simply create an analogy to radio transmission channels, which is something any flag ranked officer should understand. Or even doors in a building, if I must (which would make explaining NAT – “Network Address Translation” – an adventure, but I digress…). (Cont’d…)

    • elmondohummus

      … cont’d:

      I don’t necessarily have to explain what buffer overflows, command injections, use-after-free errors, cross-site scripting, yadda yadda are in order to get across that many vulnerabilities take advantage of unpredicted ways operating systems react to commands. I can simply abstract things with the explanation that malicious programmers (i.e. “hackers”, although 1950’s era MIT computer geeks would loudly object to that application of the term) can find weaknesses in operating systems and force commands through, then go on to explain why aggressive patch management, “principle of least privilege”, etc. is utterly important in an organization. (Cont’d…)

  • Sgt. Bilko

    Military deception at its finest.

  • crazy

    Sad. Is it any wonder we’re plagued by unauthorized disclosures and persistent weapon system software delays and integration failures? Meanwhile let’s transform to unmanned systems…

  • Paul M. Albert, Jr.

    As a veteran Army Artillery Officer I proudly note that the Army Mission Statement starts by saying “The Army exists to serve the American people…”

  • bbb

    He has a point. The guys in charge now don’t know about computers, and all he wants is for the guys who report to him to use English that old men can understand.

    The fact that he’s using his lack of knowledge as a joke says to me that he at least has some basic knowledge. Otherwise he’d keep his mouth shut and use an internal memo instead of a speech.

    Compared to generals of yesteryear who stifled innovation with every decision they made, I’d call him progressive.

    The list of things generals have hated in spite of common sense is long enough to fill a few books.

  • Louis Ciufolo-Dickey

    If the Air Force, nay all the military leaders, wait 30 years to have educated leaders in place to make cyberspace decisions, we’ll be done for. I don’t think the general was serious about what he said. The dangers of coordinated attacks using conventional armies with coordinated cyberattacks could and would be devastating, as I am sure the head of USCYBERCOM is well aware. I am surprised at his comments as the Air Force was one arm of the military that recognized the threat early on.

  • Gio

    Most of institutions are too big, but the headers need to know something about include if there are a specialized department that drive the cyber war. The chief could be go to the meeting with a member of the staff, but the chief need to know about www and systems. The war only will be used when a country is affected or is in dangerous situations. The army will be apart of economic matters. Army is to serve the nations and citizens, not to the corporative staff. But the cyber war is a reality in this time. This is the time when the information is the clue for all the nations and industries. Freedom, Peace and Honor is the goal of the Army. War only if is necessary.

  • Bob

    I would suggest that Cyber is now part of the world battlefield and if you are going to be a leader in any branch of today’s military you need to educate yourself as part of your job responsibilities. If you are not qualified to make intelligent decisions on the expenditure of resources in order to maintain an adequate defensive and offensive posture then you are just not qualified to do the job. In the civilian sector people are replaced when they cannot do their job.
    That being said it also falls on the computer/network folks to do their best to communicate effectively however most of the people who do talk to the upper layer of general officers do not have a solid understanding of IT, and the threats and opportunities it provides.

  • guest

    There are some people in charge of Cyber Security who passed certifications, like the CISSP, but they are just managers and don’t really understand technology. They come from other fields and ended up as Managers in Cyber Security. So that to me is an even bigger problem.

  • Cyber Tyger

    “one of the threats they all agree is one that is most dangerous to U.S. national security — cyber security”

    I work in Cyber Security. I guess I’m a threat? Maybe the writer meant the lack of cyber security understanding is a threat. But actually that would be a vulnerability, not a threat.

  • ServedatMoodyAFBtoo

    According to the General’s official bio, in 1987 he received a Master of Science degree in computer resource management, Webster University, paid for courtesy of the U.S. taxpayers. I have no formal computer training, but I have known what an IP address is for many years. Maybe he should have studied a little harder in school?

    • JMLaser1

      Putting this into context, in 1987 computer resource management dealt with prioritizing access to the installation’s Main Frame. As late as 1992 over 90% of the PCs operated by the military were stand-alone units which were allocated a few minutes each day to transfer data to the mainframe via modem. Having been on active duty in the Air Force during this period, the first time I saw real time network access was 1994.

  • 11

    hi
