In the domain of warfare known as cyberspace, the Air Force’s cyber warriors naturally play a lot of defense, but they do it with the help of cyber weapons designed to add an important layer to the protection of the service’s operations and data. One example is the Air Force Cyberspace Defense (ACD) weapon system, a custom-built, $543 million suite that automates monitoring and analysis of activity on the Air Force Network (AFNET).
ACD, comprising hardware devices and software programs, provides continuous monitoring of classified and unclassified networks, focusing on four basic areas of cyber defense: incident prevention, detection, response, and computer forensics.
The system is hosted at Joint Base San Antonio Lackland, Texas, where the 33d Network Warfare Squadron (NWS)–one of seven of the Air Force’s cyber weapons systems teams–monitors 600,000 to 700,000 endpoints that feed into AFNET’s 16 gateways.
“The gateways are very complex architecture that support massive amounts of traffic and data flowing through them,” Lt. Col. Samuel Snoddy, commander of the 33rd NWS, told Air Force Magazine. “[There are] probably hundreds of devices and programs that make up each one of these gateways across the Air Force.”
Essentially, ACD forms the networks’ outer defenses. “It’s the border wall,” Snoddy said. “If we see something we don’t like, we stop it at the gate.” The system categorizes incidents on a scale of one to nine, with Category One being the most serious; that categorization helps the operations team decide whether to open an investigation, which happens more than 1,000 times in an average year.
ACD is the biggest piece in an array of automated cybersecurity weapons the Air Force runs. Because of cyberspace’s increasing importance to military operations, and the escalating threats to the Defense Department’s networks and communications systems, DOD officially classified cyberspace as a domain of warfare in 2011. Two years later, the Air Force classified six of its cyber capabilities as weapons systems. Along with ACD, the others are:
- Automated Remediation Asset Discovery (ARAD), a modification of the original Cyber Security and Control System (CSCS), which monitors network activity, filters traffic going in and out of Air Force base domains and blocks suspicious software.
- Air Force Intranet Control (AFNIC), the primary Internet interface for each base, providing defense-in-depth, proactive defense, network standardization, and situational awareness.
- Cyberspace Defense Analysis (CDA), which works in concert with the other cyber weapons systems, monitors Internet and email traffic, unclassified telephone networks, radio frequency communications, cyberspace operational risk assessment, and Web risk assessment. It also provides unintentional and intentional insider threat monitoring.
- Cyberspace Vulnerability Assessment/Hunter (CVA/Hunter), which provides vulnerability assessments, and performs penetration testing and other white hat hacker operations to identify vulnerabilities.
- Cyber Command and Control Mission System (C3MS), which acts as the quarterback for the other cyber weapons systems, synchronizing their operations in support of combatant commands around the world.
The Air Force’s systems are primarily defensive, focusing on prevention, detection, and response, but they reflect DoD’s growing emphasis on cyber weapons of all kinds–offensive as well as defensive–in an escalating environment of cyber conflict. The department has put forth plans for streamlining acquisition of cyber weapons and ensuring their resiliency.
NATO has also recently added a cyber weapons capability, saying that in some cases (particularly mentioning Russia) a cyber response could be more appropriate than conventional military action. As with conventional weapons, NATO would integrate the cyber capabilities of member states, though each nation involved would still own them.