The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

Mission Defense Team Training Gap Analysis

  • By Captain Philipp M. Wittmaack

With the rapid advancement of technology, Air Force missions are becoming increasingly dependent on cyberspace. These dependencies on networks and computers open up new attack vectors that adversaries can exploit to put our missions at risk. Aware of this threat, US Cyber Command created defensive teams under the Cyber Mission Force (CMF) construct to protect missions and defeat adversaries in cyberspace. Cyberspace protection teams (CPTs) stood up under CMF with the purpose of augmenting our traditional defensive measures and defending priority networks against priority threats.1 However, CPTs have a limitation. They are not permanently assigned to any one mission set and often walk in blind to new networks as their tasking process dictates. CPTs, while adept at techniques for tracking down adversaries, have a big challenge in becoming familiar with a new environment, making it very difficult to baseline “normal” operations of a network. To help address this limitation, the Cyber Squadron Initiative (CS-I) was created by the Air Force and then implemented by a Program Action Directive.2 This initiative formalized the decision to “execute wing-level mission assurance capabilities” with a new team type: mission defense teams (MDTs).3 Wing commanders would now be able to transform their communications squadrons, with a focus on availability and the functioning of a network, into a cyber squadron that also provides persistent mission assurance through MDTs. By staying within the wing, MDTs can now focus their efforts on the Wing Commander’s priorities and spend as much time as needed to create an effective baseline—something a CPT cannot do.

MDTs, as a new team, need a training pipeline. Air Combat Command (ACC) is responsible for training, planning, programming, budgeting, and execution requirements.4 One might think of an MDT as a CPT that stays in place and naturally leverage the existing CPT training pipeline. This argument, alongside the associated cost savings, might seem like a good idea but requires the proper implementation to be completely effective. MDTs face many unique training and integration issues that CPT training cannot account for.

How Does CPT Training Translate to MDTs?

It is helpful to start with the MDT training memorandum signed in 2019 by Brigadier General Kennedy, Director of Cyberspace Strategy in Policy, with the subject of “Mission Defense Team Training Requirements.”5 This letter has an attachment of the initial skills training (IST) and initial qualification training (IQT) course list for MDTs in anticipation of the transition to the CS-I initiative of cyber squadrons. Notably, these training requirements are to be completed before MDT personnel can attend the cyber vulnerability assessment & hunter (CVA/H) course. CVA/H is the weapon system that a CPT member uses, and it was decided that MDTs would use it as well. However, CVA/H is not a one-size-fits-all solution. CVA/H can currently only interact with networks using TCP/IP, the suite of protocols most commonly used on the internet. If an MDT is dealing with a mission set that utilizes something other than TCP/IP—e.g., serial communication—then CVA/H will not help.

Using CVA/H also brings in many training requirements as outlined in ACCMAN 17-2v1 signed 19 January 2021. In addition to IST and IQT, the ACCMAN states that anyone certified on CVA/H will need to remain current with continuation training (CT). ACC publishes a ready cybercrew program tasking memorandum (RTM) that lists annual tasks, broken out by CVA/H crew position, to meet CT requirements. There are two things to be careful with in relation to MDTs and CT. First, defining top-level RTM tasks at the ACC may be difficult for MDTs due to the variance in the core missions that they are assuring. While all CPTs generally do the same missions using the same techniques, this will not be true for MDTs. Creating tasks for MDTs runs the risk of being too vague or imposing requirements on MDTs who gain no training value from the task. Second, when not feasible on a mission, CPTs conduct CT on a shared training simulator using CVA/H operator/contractor-developed training scenarios. This has been a massive financial/man-hour hurdle for CPTs and the 67th CW to overcome. The good news is that training created by one CPT is relevant to all. However, MDTs face a dilemma in that if they want their simulator training to provide the most value, it will need to be unique and catered to their mission. This can become very expensive as the scenarios will not be easily shared among other MDTs and will be reliant on the number of personnel available in the new Cyber Squadrons to develop training. Otherwise, an MDT would need to package their training requirements for development by an entity outside of the unit with funding needing to come from somewhere. The severity of these impacts will be dependent on how the RTM is written for MDTs.

Is the CPT Training Model Adequate for MDTs?

By adding up the number of total hours required for an individual to go through MDT training, we end up with roughly 13 weeks of training. Five of those weeks consist of virtual/non-residence training. A CPT operator starting on their journey to get qualified on CVA/H will need to complete 23 weeks of training for IST alone. Then, another five weeks of training is required for the CVA/H course. Following CVA/H, the Host Analyst course will be five and a half weeks and the Network Analyst course will need another three weeks depending on crew position. With at least 28 weeks of CPT training compared to MDT’s 13 weeks of training, MDT personnel will not have enough training to be comparable to a CPT member’s raw technical skills. However, this skill shortfall is not the only consideration showing that MDT training based on a shortened version of CPT training is not adequate.

There is no offset that exists in CPT training to teach MDTs their specific wing mission. To address this gap, MDT training will need to cover the wing mission in its Mission Qualification Training (MQT). MQT is training developed by the local unit that teaches incoming members how to utilize what they learned in IST/IQT and apply it to the unique mission set faced by that unit. In order to develop MQT, MDT members will need to know how to interface with Airmen from various career fields and be able to understand how the mission they are assuring works. For example, if an MDT is protecting the E-3 AWACS mission, they should have some idea of how this mission functions and knowledge of basic air operations. CPT members can get away without knowing because there would not be enough time in the world to learn every mission set; they hunt and respond based on intel (targeted searches not requiring whole system knowledge). Therefore, it is no surprise that no CPT training exists for understanding other mission sets. However, MDTs will live in the mission they are supporting. They will know something is wrong because they know what their network “neighborhood” looks like. MDTs are missing training in IQT that will help them learn the processes and supported mission “language” that will set them up for success in MQT.

Another important training gap exists for wing commanders. With the CS-I putting wing commanders in charge of their mission assurance capabilities, they will need to know how MDTs work and how to effectively use them. During this transition period from communications squadrons to cyber squadrons, those squadron commanders might have a difficult time balancing the sometimes-conflicting priorities of the functioning and availability of the network and doing what is needed to practice good cyber security to assure the mission. With a well-informed wing commander, these tradeoffs will become clear and distinct and should create a collaborative environment within the wing. The wing commander will then also be able to create and foster meaningful relationships within the wing and truly integrate cyber into the bigger picture. This will require a recalibration of the old comm squadron’s success metrics. Moving from availability and “is my email working?” metrics to briefing the wing commander at staff meetings on open and significant cyber findings will be imperative to integration. What’s missing is some type of MDT familiarization course for leadership.

Recommendations

Before funding gets allocated in conjunction with the Program Action Directive being signed, now is the perfect time to assess the training needs for MDTs. I recommend starting at IQT. Currently, the only shared training among MDTs is based on CPT training. This misses what makes MDTs unique; they have a persistent mission of defending a wing’s weapon systems. For this reason, they stand to gain great benefit from a common understanding of how the operational Air Force works to utilize, maintain, and upgrade weapon systems. A course developed to discuss Program Management Office processes, Weapon System lifecycle and change management, resourcing considerations, how a wing organizationally functions, and other operational and weapon system considerations would give MDT members the core understanding needed to assure their Wing’s mission when they arrive on station. Additionally, as an MDT better understands their operating environment, they may see opportunities to improve the cyber security posture of their wing based on process analysis and network engineering concepts that require unique training beyond identification of, and response to, cyber malfeasance.

An entirely new training class for wing commanders would be beneficial as well. With the majority of wing commanders not having been in comm themselves, they might not use their new cyber squadrons effectively or efficiently. MDTs provide persistent defensive measures for a wing’s mission-relevant terrain-cyber (MRT-C). Knowing how to interface with their MDTs and provide that MRT-C will be foundational to the prioritized work that an MDT performs. There will not be enough members on an MDT to prioritize an entire network and the wing commander will need to prioritize for them based on their provided analysis. This training makes sense to develop at ACC’s level to give it credibility, weight, and standardization.

Conclusion

Using CPT training as a baseline for MDTs will not produce the most effective teams. CVA/H weapon system requirements, watered-down technical training, and a lack of MDT core IQT make for a team not technical enough to be a CPT, burdened with ill-fitting requirements, and not educated enough to integrate with an existing mission. MDTs, with ACC’s help, will need to forge their own path with training and ensure that IST and IQT are as effective and relevant as possible so that they are not stuck holding the bag when it comes time to develop unit MQT. An MDT-focused training pipeline, combined with effective leadership training, will allow for successful integration and ultimately lead to effective operations for the Air Force.

Capt. Philipp M. Wittmaack
Capt. Philipp M. Wittmaack is the Recruiting Officer (RO) for Air Force Reserve Officer Training Corps (ROTC) Detachment 520 at Cornell University, Ithaca, N.Y. He concurrently serves as an instructor for aerospace science classes. He recruits, trains, motivates, and mentors young men and women aspiring to be Air Force and Space Force officers.

Capt. Wittmaack was commissioned through ROTC at Det 538, Rochester Institute of Technology, Rochester, N.Y., in 2014. He graduated from Undergraduate Cyberspace Training in the summer of 2015 and, having been selected to pursue a 17S assignment, went on to Hurlburt Field, Fla., to attend the Cyberspace Vulnerability Assessment/Hunter (CVA/H) course. He operated the CVA/H Weapon System at his first assignment defending Air Force key cyber terrain.

Prior to his current position, the captain was the Branch Chief, Current Operations for 16th Air Force, Joint Base San Antonio (JBSA), Texas. He led the daily orders management process for operational cyberspace teams in accordance with Air Forces Cyber, Joint Forces Headquarters-Cyber (Air Force), and United States Cyber Command priorities and objectives. Prior to that, Capt. Wittmaack served as the 67th Cyberspace Wing Chief of Training at JBSA, Texas. There he oversaw the training programs for three Air Force Cyberspace Weapon Systems executing both defensive and offensive cyberspace operations. During this time, he had a pivotal role in the development of 17-2 training volumes as well as representing the Air Force at United States Cyber Command requirement symposiums. This research was conducted as part of the SOS Air University Advanced Research (AUAR) elective.

Notes



1 Joe W. Kirschbaum, DOD TRAINING - U.S. Cyber Command and Services Should Take Actions to Maintain a Trained Cyber Mission Force (Washington, D.C.: United States Government Accountability Office, 2019).
2 Headquarters United States Air Force (HQ USAF), IMPLEMENTATION OF DEPARTMENT OF THE AIR FORCE CYBER SQUADRONS D15-03 (Washington, D.C.: Headquarters of the United States Air Force, 2020).
3 Air Combat Command, Air Force Mission Defense Team (MDT) Operating Concept, 2020.
4 HQ USAF, IMPLEMENTATION OF DEPARTMENT OF THE AIR FORCE CYBER SQUADRONS D15-03.
5 K. B. Kennedy, Mission Defense Team Training Requirements (Washington, D.C.: SAF/CIO A6S, 2019).
