User Center
My Training Class
Feedback
Research Questions
- What should Air Force official policy and strategy for addressing cybersecurity look like?
- How should the roles and responsibilities for cybersecurity risk assessment be managed in the Air Force?
- Should the provision of information technology network services and the cybersecurity of those networks be managed together or separately?
- How should preparatory and operational cybersecurity activities be apportioned?
- In what ways can leaders foster a culture in which all airmen, civilians, and contractors understand and play their roles in cybersecurity?
Current cyberspace threats are highly dynamic, complex, and ubiquitous in time and space. Activities to ensure resiliency to adversarial cyber operations throughout the Air Force have organically organized themselves to be somewhat fractionated, with blurred lines of authority and no overall coordinating mechanism to ensure that all related activities are identified, tasked, and implemented and act in concert to achieve enterprise objectives. The authors develop a foundation for better managing efforts to ensure resiliency to adversarial cyber operations at the enterprise level aimed at mission assurance in the Air Force. This structure includes guidance on the allocation of roles and responsibilities for tasks to ensure resiliency to adversarial cyber operations and mechanisms to create a cohesive initiative in which each individual and organization is working toward a common goal. The authors also stress the need for leaders to instill in airmen, civilians, and contractors an understanding that the conflict in cyberspace is ubiquitous in time and space; that operations in cyberspace might be decisive in warfare; that all airmen, civilians, and contractors play a role in ensuring resiliency to adversarial cyber operations; that nothing can be completely secure in cyberspace, which leads to a sense of responsibility to carry on mission(s) in the face of an attack through cyberspace; that connecting one system to another (or to a network) carries potential risks; and that personnel have an obligation to report anomalies in data, nonnominal procedures, and potential cyber incidents.
Key Findings
Enterprise management to ensure resiliency to adversarial cyber operations has gaps
- The DoD and the Air Force lack a clearly stated objective for cybersecurity and cyber resiliency that concisely articulates the objective for all airmen, civilians, and contractors.
- High-level policy in the Air Force does not comprehensively delineate tasks for resiliency to adversarial cyber operations and does not allocate the roles and responsibilities for these tasks to each organization.
- The culture for cybersecurity in the Air Force is immature and in need of shaping by leadership.
Recommendations
- The Air Force should issue a clearer objective and strategy for cybersecurity, embracing both cyber defensive measures and the ability to continue missions through adversary cyber operations holistically.
- This treatment of cybersecurity activities should employ a balance of cyber defensive measures and cyber resiliency measures (of systems and missions) and employ a balance of enterprise networks and cyber-physical systems.
- Activities that require quick decisions using detailed knowledge in a complex environment should be distinguished from those that do not.
- Leaders should institute cultural change, promoting recognition that there is conflict in cyberspace between the United States and others that is ubiquitous in time and space and that all individuals and organizations within the Air Force play a role in being resilient to adversarial cyber operations. Failure to perform that role effectively could be decisive.
Table of Contents
Chapter One
Framing the Problem
Chapter Two
Specifying the Objective, Strategy, and Tasks
Chapter Three
Issues for Apportioning and Coordinating the Labor
Chapter Four
Discussion of Apportioning and Coordinating the Labor
Chapter Five
Improving the Cyber Culture
Chapter Six
Conclusions and Recommendations
Research conducted by
This research was commissioned by the Air Force Chief Information Dominance and Chief Information Officer in the Office of the Secretary of the Air Force and conducted within the Resource Management Program of RAND Project AIR FORCE.
This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.
Report
Share
Comments
Something to say?
Log in or Sign up for free