An absolute necessity in preparing for Cyber Security is the identification of critical AFP information functions, including the information, information services, and infrastructures upon which these functions depend.
There must now be a lead office tasked to protect the above-mentioned functions. The physical isolation of information, provisions for access control, and authentication of authorized personnel should be components of the desired protection. Moreover, the information infrastructure supporting critical functions should be designed for utility, resiliency, easy repair, and security. Of equal importance is verification, through independent assessments, that the design is being followed, that protective measures are being implemented where appropriate, and that the cyber security posture is accurate.
The indispensable requisites of tactical warning are monitoring, detection of incidents, and reporting of incidents. Monitoring and detection of infrastructure disruptions, intrusions, and attacks are integral parts of the cyber security process. Providing an effective monitoring and detection capability will necessitate some policy initiatives, legal definitions, and an ambitious research and development program, all of which must be addressed by a lead office. All intrusions and incidents should be collated so that patterns of activity can be established to aid in strategic indications and warning.
It is probable that the information infrastructure will be attacked, in one form or another. There must therefore be some capability to limit the damage that results and to fully restore the operation of the infrastructure. The office has to devote attention to the basic procedures necessary to contain damage, let alone to the tools that might provide some automated form of damage control. Restoration of the infrastructure assumes some capability to repair the damage and the availability of resources, such as personnel, stand-by service contracts, and the like.
Finally, cyber security should include some form of preparedness assessment to aid in determining the impact of an attack on critical functions and in determining the appropriate response to an attack.
A. Strategy
The strategy to achieve the capability for Cyber Security should be, as follows:
1. Aim for infrastructure, not just system or network, protection. While the design of systems and networks is generally based on efficiency considerations, infrastructure protection must be anchored on effectiveness considerations.
2. Effective management of risks. The cost of avoiding risk is incalculable. Protection must be based on both effectiveness and efficiency considerations.
3. The protection of information must be commensurate to its intended use. Under certain circumstances, unclassified but sensitive information (e.g., weather and terrain data) may have more tactical significance than classified information (e.g., outdated intelligence estimates).
4. Integrate policy, technical, operational, and personnel aspects. Each of these aspects is treated separately for the various communications, information, and security disciplines. They must be integrated for both efficiency and effectiveness.
5. Avail of the MDB/SEB and CCIB. Relevant activities must be reviewed to preclude reinventing the wheel.
6. Build on current programs and initiatives. Use the ongoing information security activities and programs and those of related security disciplines as the foundation for achieving a cyber security capability.
7. Emphasize solutions to the traditional weak link – the personnel. Nearly all espionage convictions are based on an inside threat. Cyber Security activities must therefore address this issue head on.
8. Harmonize activities – work toward a consistent approach and economy of scale in protecting these highly interconnected infrastructures.
9. Conduct vigorous interagency coordination. The rapidly evolving and highly complex computerization requires proactive measures to preclude duplication of effort and contradictory goals.
The AFP must tie several factors together, and it must start immediately. Although all the recommendations are important, the check marks [] indicate the priority actions where the author believes immediate response will jump-start the process of getting a handle on this challenge.
1. Designate an accountable Cyber Security focal point;
2. Organize for Cyber Security;
3. Increase awareness;
4. Define threat conditions and responses;
5. Assess Cyber Security readiness;
6. Hoist the shield;
7. Focus the Test and Evaluation;
8. Staff for success;
9. Resolve the legal issues;
10. Provide the resources; and
11. Finally, DO IT NOW!
B. Action Points:
1. Designate a Focal Point. Addressing the Cyber Security issue is the most important proposal from ADM ROBERT F WILLARD, Commander of USPACOM, during the recent MDB/SEB engagement. Multiple lead organizations without a clear principal staff assistant have led to confusion and slow progress. Committees, boards and councils are important for discussing issues, but they have not and cannot provide the needed focus. Although many of the tools used to carry out information security have been around for a long time, the nature of information-dominated societies and activities makes it appropriate to view cyber security as a new area, one that was unheard of ten years ago. Information security is not the responsibility of the field commanders, Major Service Commanders and the Area Commanders. Each of them is, however, responsible for a portion of this new area. The Chief-of-Staff, however, needs a single person and office to plan and coordinate this complex activity, as well as to serve as a single focal point charged to provide staff supervision of the complex activities and interrelationships involved. This includes oversight of cyber security planning, technology development, and resources. Given the interconnected nature of the information infrastructures, it is critical that the left hand knows what the right hand is doing, and that these complex activities are coordinated.
This single focal point should be required to report regularly on the state of the identified areas and to provide informed interaction to other interagency and intergovernmental activities, which activities are, to wit:
a. The elimination of confusion and slow progress to date where committees have not provided focus, precisely because Cyber Security is a new and uncharted area.
b. Staff supervision.
c. Promulgate integrated policy.
d. Ensure development of cyber security theory, doctrine and practice.
e. Assess and report regularly on:
– Policy and plans
– Preparedness
– Intelligence support
– Allocation of resources
f. Interface to interagency/intergovernmental activities.
This paper therefore strongly recommends that OJ6 create within its office a Cyberspace Division as the focal point. This is the most appropriate office in the AFP to handle the task.
2. Organize for Cyber Security. In discussing specific organizational structure, this section will also cover the capabilities necessary for cyber security. It addresses the need for intelligence indications and warnings, current intelligence, and threat assessment.
a. Intelligence. Establish a Center for Intelligence (Indications/Warning, Current, and Threat Assessments). Current intelligence resources and processes are not optimized to provide an understanding of threats and potential adversary capabilities to conduct Cyber Security; nor are they presently capable of providing either Indications and Warning or Attack Assessment. An understanding of the cyber security process and indications of an attack will most probably require an unusual amalgamation of otherwise seemingly unrelated sets of data. The lack of previously identified and validated indicators creates several additional difficult dimensions to the problem facing AFP units in understanding all aspects of Cyber Security.
b. Operations. It is a necessity to establish an operating arm for cyber security. It is unarguable that time is of the essence in dealing with an actual intrusion or attack. While not fully analogous, the Americans sometimes refer to these capabilities as 911 or emergency response capabilities. Remember that these operations capabilities must be distributed throughout the AFP.
The military operations center consists of two elements, namely:
(a) A small cell which is established in the AFPCC and will be staffed during normal duty hours and which, during crises, will enable the AFPCC to exercise specific authorities over the second element,
(b) The Major Service Tactical Operation Centers (TOC). All Operating Centers are staffed 7 days a week, 24 hours a day, and will serve as the interface to the cyber security organizations.
A virtual center is available under current technology. This virtual center may draw on support from geographically dispersed elements, the initial staffing of which should come from existing assets. Its operational capability must be distributed among components of the AFP and must link, for the most part, existing operations centers, emergency response teams and other similar units. AFPCC envisions links with other government centers.
Establishing the office will be relatively easy. However, developing and implementing the operational processes and procedures will be much more difficult.
c. Planning and coordination. The establishment of an office for cyber security Planning and Coordination should be geared toward preparedness activities. Its capabilities are referred to as “enhanced capabilities”. One of the more critical needs therefore is a continued capability to obtain an independent assessment of our cyber security posture. While these assessments may be carried out at any level, it is the consensus that there should be a capability established for which one may be held accountable. Moreover, the organization established to provide this capability should be staffed with people who are knowledgeable on all types of threats.
The role of the planning and coordination center, as shown below, will be to support the AFPCC in fulfilling its responsibilities as the focal point, and to facilitate the sharing of sensitive information within the AFP, among other offices and units, and with the national government.
1) Develop planning framework
2) Plans and policies
3) Preparedness
4) Intelligence support
5) Allocation of resources
6) Incident reports
7) Develop procedures and metrics for assessing infrastructure and information dependencies
8) Facilitate sharing of sensitive information (e.g. threats, vulnerabilities, fixes, tools, techniques) within AFP and among government agencies, the private sector service providers and professional associations.
9) Establish a Cyber Security planning and coordination center reporting to AFPCC with interfaces to the intelligence community, the Chief of Staff, the law enforcement community, and the police operations center
d. Office for System, Network and Infrastructure Design. It will also be an absolute necessity to establish an Office for System, Network and Infrastructure. The protection paradigm used by AFP is based upon the classification of information. However, most classified computer systems contain, and often rely on, unclassified information. This unclassified information often has little or no protection of the data integrity prior to entry into classified systems. An increasing number of AFP systems contain decision aids and other event-driven modules. These should be insulated from unclassified data whose integrity cannot be verified.
Effects from an information attack have not been observed and are not well understood. Further, good data are not available with which to conduct modeling and simulation. Data must be collected to support the modeling and simulation of the effects of specific information warfare attacks and defenses. Detailed data should be gathered by several means, such as, but not limited to:
1) Measure the specific local effects of a standard battery of attacks against common components such as operating systems, firewalls, routers, etc. Experiments should be conducted using various configurations and settings of the components and attack variations so as to arrive at as complete a picture as is humanly possible.
2) Measure the effects and possible consequences of a standard battery of attacks against many common configurations of generic networked systems. The technologies and configurations selected for these experiments should be common to a large percentage of infrastructures, including telecommunications, power, and control systems. Again, the simulated attacks should be carried out in multiple variations against multiple target system types and configurations, with various types of defenses, so as to obtain accurate data on the measurable effects of attacks under all circumstances.
3) Measure the effects and possible consequences for a battery of attacks that could include application-specific attacks on stereotypical defense systems. Measure the effects on mission effectiveness.
To achieve the goal of protecting information systems from possible attacks, a comprehensive, principled approach for architecture, design, and analysis of secure, survivable distributed information systems must be developed. These new principles and approaches should build upon, and be synthesized from, existing and emerging information system engineering principles based on work in fault-tolerant systems, trusted systems, and secure distributed systems. The principles must be promulgated as guidelines, so that they will be widely applied.
1) Develop and promulgate policies, architectures, standards
2) Design for utility, resiliency, repairability and security
3) No one event/attack should be able to do the system in
4) Classified systems vulnerable to attack from unclassified data sources
5) Back-up repositories of data must be implemented and regularly updated
6) Diversity should be a key aspect of design
7) Develop and implement configuration management process
8) Conduct independent verification of design and procurement specifications
9) Establish a joint security architecture/design office within AFPCC to design the infrastructure in accordance with the above principles to shape the design of the AFP information infrastructure
10) Establish a process to independently verify and enforce adherence to these design principles
e. Reaction Team. It refers to the Computer Emergency Response Team or CERT. It will also be desirable to establish a Reaction Team for Independent Assessments. Reaction Teaming is an essential component of the cyber security strategy and technology development process. It is recommended that the concept be extended to include vulnerability analyses as well as carefully planned attacks during experimental activities in controlled test beds and during training/planning exercises. The Reaction Team exercises should be conducted under proper rules of engagement to avoid unnecessary damage or disruption to information systems.
It bears repeating that developing new attack methodologies, in addition to reusing and applying current attacker techniques, is necessary. For example, simulated attacks should be designed which would exploit the system’s survivability features. A sophisticated attacker would probably know about these features. In formulating these attack strategies, models should first be developed for system vulnerability and its likely defenses, and these models should be exploited in the attack strategies. Vulnerability analyses and Reaction Team attacks should be conducted at the application and system level, as well as at the subsystem level, with the goal of uncovering how operations can be disturbed (e.g., the planning and execution of an air tasking order or the deployment of sensors and communication assets), and how supporting communication links, or specific computers and network nodes, can be compromised.
It is said that, “You can only expect what you inspect.” There is therefore a need for independent assessments. Many activities throughout the AFP are in the process of forming Reaction Teams for the purpose of conducting vulnerability analyses, training, readiness assessments, and so on.
The Reaction Team must be established to perform independent assessments. The new organization should be a stand-alone organization, although it may be housed in an existing organization. There is unanimity in the AFP that the Team will require significant management attention and will be, although reporting through AFPCC, also accountable to J6 for its activities. To establish a Reaction Team for Independent Assessments, it is necessary that the following functions be present:
1) Acquisition – assess vulnerabilities
a) Existing and planned AFP systems and networks
b) Include products and services provided to AFP by private sector
2) Operations – conduct attacks
a) Verify readiness posture and preparedness
b) Assess physical, cyber, and people aspects
3) Spectrum of attacks
a) Facilities, networks and systems, and people
b) Hardware, software, databases, systems, networks, communication.
c) Deception, corruption, exploitation, denial
Actions for AFPCC:
1) Establish a Reaction Team
2) Accountable to J6 independent of design, acquisition, operations
3) Important management considerations
4) Tight leash and significant management attention
5) Integrated product team
6) Develop procedures for employment of the Reaction Team
There is traditional resistance to self-assessment because of potential embarrassments, which may result therefrom. However, developing and maintaining an independent assessment capability is very important because it is essential that the AFP should have the capability to evaluate its cyber security preparedness and not wait to learn of any major shortfalls because of the actions of an adversary. This Reaction Team should have a small permanent cadre for management and technical continuity and should be staffed by civilian and military personnel on a rotating joint duty basis.
3. Increase Awareness. A vital and cost effective first line of cyber security is a user and operations community that is aware of potential threats and is well trained in protection, detection, and reaction tactics, techniques and procedures. A well-trained and educated cadre of security and automated information system professionals can provide an effective second line of defense. Current AFP modeling and simulation efforts do not adequately address issues that can be expected to arise in the event of an information warfare attack environment. For example, little or no consideration is given to the tactical impact of compromised or exploited computing and networking resources, beyond perhaps the classical effects of jamming or techniques as applied to the battlefield communications infrastructure.
The awareness campaign should be designed for several purposes. The internal campaign should make AFP personnel more aware of the threats, vulnerabilities, and remedial measures, in order to make the AFP a better-informed customer in the acquisition of systems, products, and services. The external program should make AFP suppliers better aware of AFP needs and should make the civil agencies and the general public understand AFP dependence on infrastructures and the role of the AFP in the information-age “common defense.”
Military doctrine does not adequately address Cyberspace vulnerabilities. There is a crying need to apprise senior-level government and industry executives of what is at stake. To accomplish this, it is necessary to:
a. Pursue all avenues (briefings, conferences, seminars, articles, etc.)
b. Establish an internal and external cyber security awareness campaign for the public, industry, Services and Agencies and Public Affairs.
c. Expand the cyber security Net Assessment to include assessing the vulnerabilities
d. Review joint doctrine for needed cyber security
e. Conduct large-scale cyber security demonstrations for the purpose of understanding cascading effects and collecting data for simulations.
f. Implement policy to include cyber security realism in exercises.
4. Define Threat Conditions and Responses. In the traditional operations community, the cyber security operations group at CEISSAFP requires an alerting mechanism to heighten awareness and preparedness as the threat increases. In addition, there should be some prescribed response by the cyber security operations community to increasing threat conditions, such as minimizing the traffic on the networks, restricting personnel access to operational facilities, disconnecting certain systems from networks which are likely targets, and possibly implementing wartime modes of operation. While the effort is urgently needed, it will be complicated by the extensive interconnectivity of systems and networks, and because some actions will be required of the private sector, in part because much of the Defense Information Infrastructure is embedded in the public switched and data networks.
a. Conditions and responses required for risk management:
1) Conditions analogous to Defense Conditions
2) Responses might include:
a) Minimize
b) Personnel actions
c) Disconnecting from the “net”
d) Use of Alert Mode protocols
b. Defense of the information infrastructure is complicated by:
1) Interconnectivity – heightened state of alert must extend to all connected systems and networks
2) Reliance on private sector – may require legislative or regulatory actions.
The chart below illustrates what a structured threat condition and response table might look like.
Condition I, Normal. Situation: normal threat (crime, incompetents); normal activities in all sectors. Required response: normal actions and requirements.
Condition II, Annoyance. Situation: 10% increase in incident reports, regionally or functionally based; 15% increase in all incidents. Required response: increase incident monitoring; look for patterns across a wide range of variables; alert all agencies to increase awareness activities; begin selective monitoring of critical elements.
Condition III, Heightened Defense Posture. Situation: 20% increase in all incident reports; Condition II with special contexts. Required response: disconnect all unnecessary connections; turn on real-time audit for critical systems; begin mandatory reporting to central control.
Condition IV, Serious. Situation: major regional or functional events that seriously undermine RP interests; Condition II/III with special contexts. Required response: implement alternate routing; limit connectivity to minimal states; begin “aggressive” forensic investigations.
Condition V, Brink of War. Situation: widespread incidents that undermine RP’s ability to function; Condition III/IV with special contexts. Required response: disconnect critical elements from public infrastructure; implement War Mode protocols; declare a state of emergency.
Chart 1: Sample Threat Condition and Response
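As an added illustration that is not part of the paper, the following Python encodes Chart 1's thresholds and responses as a classifier over constructed per-region incident counts. The region names, the two boolean flags standing in for the qualitative situations of Conditions IV and V, and the reading that each condition keeps the responses of the conditions below it ("Condition II with special contexts") are this example's own assumptions.

```python
"""Threat-condition classifier modelled on Chart 1 (added example, not from the paper)."""
from dataclasses import dataclass
from enum import IntEnum


class Condition(IntEnum):
    """The five conditions of Chart 1, ordered so that higher is more severe."""
    I = 1      # Normal
    II = 2     # Annoyance
    III = 3    # Heightened Defense Posture
    IV = 4     # Serious
    V = 5      # Brink of War


# Required responses per condition, taken from Chart 1.
RESPONSES = {
    Condition.I: ["Normal actions and requirements"],
    Condition.II: ["Increase incident monitoring",
                   "Look for patterns across a wide range of variables",
                   "Alert all agencies to increase awareness activities",
                   "Begin selective monitoring of critical elements"],
    Condition.III: ["Disconnect all unnecessary connections",
                    "Turn on real-time audit for critical systems",
                    "Begin mandatory reporting to central control"],
    Condition.IV: ["Implement alternate routing",
                   "Limit connectivity to minimal states",
                   "Begin aggressive forensic investigations"],
    Condition.V: ["Disconnect critical elements from public infrastructure",
                  "Implement War Mode protocols",
                  "Declare state of emergency"],
}


@dataclass
class IncidentStats:
    """Incident-report counts per region or functional area (constructed input).

    baseline: counts for the reference period; current: counts for the period
    being assessed. The two flags are assumptions standing in for the
    qualitative situations of Conditions IV and V, which no counter can derive.
    """
    baseline: dict
    current: dict
    major_event: bool = False   # major regional/functional event undermining RP interests
    widespread: bool = False    # widespread incidents undermining RP's ability to function


def pct_increase(base: int, cur: int) -> float:
    """Percentage increase of cur over base; a rise from a zero baseline is unbounded."""
    if base <= 0:
        return float("inf") if cur > 0 else 0.0
    return (cur - base) * 100.0 / base


def assess(stats: IncidentStats) -> Condition:
    """Map incident statistics to a Chart 1 condition; the most severe match wins.

    Quantitative thresholds from Chart 1: a 10% rise in any one region/function
    or a 15% rise overall gives II; a 20% rise overall gives III. IV and V come
    from the qualitative flags.
    """
    if stats.widespread:
        return Condition.V
    if stats.major_event:
        return Condition.IV
    overall = pct_increase(sum(stats.baseline.values()), sum(stats.current.values()))
    if overall >= 20.0:
        return Condition.III
    # A region present only in the current period counts as a rise from zero.
    keys = set(stats.baseline) | set(stats.current)
    worst_local = max(
        (pct_increase(stats.baseline.get(k, 0), stats.current.get(k, 0)) for k in keys),
        default=0.0,
    )
    if worst_local >= 10.0 or overall >= 15.0:
        return Condition.II
    return Condition.I


def required_responses(cond: Condition) -> list:
    """Cumulative response list: lower-condition measures stay in force at higher
    conditions (this example's reading of 'Condition II with special contexts')."""
    out = []
    for c in Condition:
        if Condition.I < c <= cond:
            out.extend(RESPONSES[c])
    return out or list(RESPONSES[Condition.I])


if __name__ == "__main__":
    # Constructed sample: a 12% rise in one region but only 6% overall -> Condition II.
    sample = IncidentStats(baseline={"Luzon": 100, "Visayas": 50, "Mindanao": 50},
                           current={"Luzon": 112, "Visayas": 50, "Mindanao": 50})
    cond = assess(sample)
    print(f"Condition {cond.name}:")
    for step in required_responses(cond):
        print("  -", step)
```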
5. Assess Cyber Security Readiness. Needless to say, information warfare defense should be viewed from an actual war-fighting perspective. Operational forces should be able to detect, differentiate among, warn of, respond to, and recover from disruptions of supporting information services. Recovery from disruptions resulting from failures or attacks might involve repair, reconstitution, or the employment of reserve assets. In some cases, network managers may have to isolate portions of the network, including users of the network, to preclude the spread of disruption. Given the speed with which disruptions can propagate through networks, these capabilities may need to be available in automated form within the network itself. Finally, there must be some means to manage and control these capabilities. At its heart, this is an operational readiness matter.
A standardized process to enable commanders to assess and report their operational readiness status as it relates to their specific dependency on information and information services is an essential element of operational readiness. A standard vocabulary will enable common description of risk scenarios and assessment methodologies. The use of a structured assessment and reporting process will help move information assurance from a global and unsolvable problem to the identification of discrete information and information service dependencies that illuminate quantifiable risk to specific information-dependent activities within a commander’s sphere of responsibility. A similar assessment and reporting process can be applied by supporting elements, and in the commercial sector.
Cyber security must be adapted to the mainstream as a readiness issue. A means must be developed for including cyber security issues in readiness reporting and a process must be developed to assess the cyber security readiness posture independently. The assessment scenarios differ from the threat conditions discussed earlier in that the assessment scenarios are used to assess readiness against a wide range of possible threats to specific units, missions, and functions, while the threat conditions are used to describe the existing threat condition to the broad interconnected population. The assessment scenarios are applied locally, while the threat conditions are applied globally. Standardized assessment scenarios could be used for planning considerations, in warning orders, and so forth.
a. A proposed standardized, graduated assessment regime
b. An unknown information assurance capability for a specified threat scenario.
c. Engineering estimate based on design parameters and recovery plans
d. Engineering estimate based on design, simulation exercises, and review of recovery plans, but no physical testing for a specified threat scenario
e. Internal assessment organization and live contingency plan exercise
f. Independent security assessment organization and live contingency plan exercise
g. Establishment of a standardized cyber security assessment system for use by AFP, Major Services, and Combat Support Agencies
h. A standard Cyber Security preparedness reporting system using assessment factors from previous exhibit;
i. The incorporation of cyber security preparedness assessments in Joint Reporting System and Joint Doctrine
j. The addition of CYBER SECURITY preparedness to overall unit readiness rating;
k. The addition of explicit review of Cyber Security to review of Operation/ Contingency Plans;
l. Addressing Cyber Security preparedness in new annual Planning, Programming and Budgeting (PPB) cycle;
m. The inclusion of Cyber Security, which should also apply to Military Camps;
n. The addition of Cyber Security posture to assessment factors;
o. The modification of present guidelines to include status reporting on major computing resources; and
p. The inclusion of military units and service mobilization and sustainment assets.
The AFP Chief-of-Staff should incorporate information warfare preparedness assessments into the Joint Reporting System and Joint Doctrine. The systems, reports and publications cited are only examples to illustrate how these assessments might be incorporated. Additional details will be provided in a written report as may be warranted.
6. Hoist The Shield With High-Payoff, Low-Cost Items. There are a number of things the AFP can acquire that are relatively low cost, but which will hoist the shield significantly for potential system and network intruders. Training and awareness have already been emphasized. There is an existing Executive Branch policy regarding this matter. The use of banners to alert users is a good way to increase awareness. Certification by users of banner understanding is another technique to emphasize its importance. The procedure used in some companies, on a periodic basis, is that users of the network are presented with a security awareness quiz. If the questions are not answered correctly after three tries, the user must have the systems administrator provide access to the system or network.
a. Training, awareness and improved security of the AFP’s unclassified computers:
1) Access control (get rid of default/fixed passwords!)
2) Identification and authentication
3) Much more effective than encryption in “raising the bar”
b. Promote use of government approved commercial security technologies
c. Recommended actions:
1) Direct the immediate use of approved products for access control
2) Examine the feasibility of using approved products for identification and authentication
3) Require use of biometrics and escrowed encryption for critical assets
4) Preclude a rogue employee from locking up systems and networks, databases, program libraries, applications, and transaction logs
One of the most important acts the AFP should undertake is to improve the security of its unclassified computers by instituting dynamic access control and authentication of users. Until this is done, the AFP has little assurance that it has any control over these systems, many of which are essential to critical support functions. The AFP should also promote the use of existing commercial and government security technologies.
7. Focus the Test & Evaluation. The AFP has no capacity for Research and Development (R&D); instead, it would dwell more on the Test and Evaluation (T&E) of finished products. New information security products, from biometric personnel identification devices to advanced firewalls, are being introduced every day in the commercial marketplace. Many of the products are either designed for protection against network-based intrusions or are attempting to enable some form of electronic commercial sales pitch. However, these products often do not work well in large distributed environments, are too expensive, and are too difficult to configure.
The AFP should monitor the progress in commercial information technology and take care not to duplicate or reinvent the progress being driven by market forces. As cost-affordable technologies are developed, they should be given early tests in the AFPCC. Respective users are aware of several of the ongoing information system security initiatives under way. However, AJ6 suggests a tighter and more integrated focus on support to defense activities.
The AFP should focus on aspects of information protection and assurance. The program must emphasize cost and operational realism. For example, it would be helpful if the primary design criteria included per-seat costs for installation, training, and support. Test and Evaluation is necessary for the following reasons:
a. Because current security products are not designed to protect large distributed environments, it must devote its attention to verifying security configuration of a rapidly assembled system for Joint Task Force or coalition environments; and AFP must carefully evaluate these emerging commercial technologies and products.
b. To focus evaluation efforts which also involve the academia, industry and government. However, this may be somewhat difficult due to certain factors, such as:
1) Few universities currently have related courses or research programs.
2) There are no established avenues for sharing experience and knowledge in resilient system design.
c. To focus the AFP’s evaluation program on the following areas:
1) Robust survivable system architectures
2) No one event/attack should lead to failure of a critical function
3) Design should provide for graceful degradation and rapid restoration of critical functions
4) Techniques and tools for modeling, monitoring and management of large-scale distributed/networked systems;
5) Tools and techniques for automated detection and analysis of localized or coordinated large-scale attacks;
6) Tools for synthesizing and projecting the anticipated performance of survivable distributed systems;
7) Tools and environments for Cyber Security oriented operational training;
8) Test beds and simulation-based mechanisms for evaluating emerging Cyber Security technology and tactics;
9) Work with the Department of Science and Technology (DOST) to develop new technologies; and
10) Research in U.S. computer science and computer engineering programs.
Educational programs for curriculum development at the undergraduate and graduate levels in resilient system design practices will also be desirable. The development of robust survivable systems resistant to information warfare attack, as well as to other types of failure, must involve major advances in technology and will require the efforts of a vigorous research community embracing academia, industry, and government. Earlier R&D efforts have focused on areas such as computer and network security, encryption technology, and single node failures. Little attention, if any, has been paid to surviving willful malicious attack, or to detecting and eliminating corrupt software.
The area of robust survivable systems offers an opportunity for a unifying theme to develop a broad-based research effort to overcome the current lack of significant new ideas and problem solutions. Particular emphasis should be given to the following areas:
a. Designing a system such that no one event/attack will lead to process failure
b. Designing methods for work processes and software that enable the monitoring of functional activities, provide for the graceful degradation of functional activities, and ease the rapid restoration of functions.
Specific attention should be paid to verifying the configuration of a rapidly assembled system for use in Joint Task Force or coalition environments. This should include positive identification of system components with passive identification of users, in both the static and mobile environments. Regarding test beds and simulation-based mechanisms, it will be important to:
a. Verify whatever security claims are made for a product
b. Understand and model cascading events from an information warfare event
c. Understand the impact (and psychology) of multiple carefully timed attacks.
In addition to the above, the R&D community should also consider establishing a focused effort on the theory, science and analysis of high assurance, massively distributed systems, which should include:
a. Developing rigorous mathematical approaches and principles for complex system analysis and synthesis.
b. Developing advanced modeling and analysis techniques extending existing formal method approaches.
c. Developing advanced formalized techniques for predicting, testing, and verifying complex system performance.
Finally, the AFP should work with, and possibly even provide seed money to, the National Science Foundation of DOST to establish research and education programs in resilient system design in the universities and colleges.
8. Staff for Success. Cyber Security vulnerability is often due to human error, insufficient training, lack of knowledge of procedures, failure to follow procedures, or failure to adhere to policy. This vulnerability represents a gap that cannot be closed by means of technology alone. Currently, the capabilities of system and network administrators and system managers vary widely. This is partially due to a lack of appropriate training, and partially due to the difficulty of using existing security products and of obtaining information on how to configure a system securely.
A cadre of high-quality, trained professionals with recognized career paths is an essential ingredient for defending present and future information systems. The author recommends that research be conducted toward the development of techniques, curricula, tools, and technology specifically for security-focused training for system and network administrators. Developing partnerships with universities, colleges, and vocational schools for the purpose of curriculum development will be an essential ingredient of this process. It will also be important to capitalize on emerging distributed interactive simulation technology to provide a realistic, dynamic, operations center-like training environment indicative of a real-world Cyber Security combat setting.
This study likewise strongly recommends the establishment of a skill specialty for military personnel to enable the formation of a cadre of knowledgeable and experienced defensive information warfare specialists. The skill specialty is recommended instead of a career path to ensure that operational experience is reflected in the performance of the cyber security duties, and to preclude the possible formation of a closed community of experts.
a. Systems/network administrators are the first line of defense, and they should:
1) Form a professional cadre – not “other duties as assigned”
2) Keep the defenses in good order
3) Serve as the “picket line” to sound the warning
b. Need Cyber Security skills and awareness in all functional areas
c. Actions necessary in order to create the professional cadre are:
1) The establishment of a career path, and to mandate training and certification of systems and network administrators
2) The establishment of a skill specialty for Cyber Security
3) The development of specific Cyber Security awareness courses with strong focus on operational preparedness.
9. Resolve The Legal Issues. Legal issues can be a distraction from, and sometimes an obstacle to, moving on with what can be done. During the course of this study, the author found some confusion among the AFP’s representatives regarding the scope of their authority to conduct security surveys and inspections of systems and networks. As discussed earlier, the advent of distributed computing has blurred, and will continue to blur, the boundaries of the systems and networks that the AFP uses. Confusion also stems from uncertainty over when or whether a wiretap approval is needed. All AFP system and network administrators should assume that any intrusion is a hostile intrusion, and should therefore also assume that they have the legal authority to take action to minimize the effects of the intrusion and to report the intrusion for purposes of tactical warning and to obtain necessary protective support, including law enforcement.
a. Issues which need to be clarified are:
1) Defending AFP systems – needed authority; rules must be clarified;
2) Defending other government and civil systems – Need government-wide guidance (perhaps legislation);
3) Areas to examine include:
a) AFP assistance to the private sector (e.g. Computer Security Act)
b) Attacker of unknown nationality (intelligence versus persons)
c) Tracking attackers through multiple systems
d) Obtaining/requiring reports from the private sector owners and operators of critical infrastructures
e) Rules of engagement for self-protection (including active response) and civil infrastructure support.
f) The authority to conduct “hot pursuit” of intruders, and the ability to obtain reports from the operators of critical elements of the civil infrastructure.
To lessen, if not eliminate, the confusion, the CSAFP should direct his J6 to explore this matter and issue rules of engagement regarding the appropriate defensive actions that may be taken upon detection of intrusions into and attacks against AFP systems and networks.
10. Provide the Resources. Resources must be provided if a viable defensive information warfare capability is to be achieved. This need has been recognized in part, since an EDP/MIS budget addressing this particular need has been submitted. The AFP must make a detailed estimate.
OJ6 must develop a detailed plan of action to implement the recommendations and a detailed estimate of the resources required.