An Airman's Guide to Cyber Power

50 Cyber Questions Every Airman Can Answer

1. What is the mission of the US Air Force?

The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of America and its global interests—to fly, fight, and win in air, space, and cyberspace.

2. What is cyberspace?

Author William Gibson coined the term by combining cybernetics and space into the term cyberspace in his 1982 story "Burning Chrome" and popularized it in his 1984 novel Neuromancer. Gibson described cyberspace as "a consensual hallucination experienced daily by billions. . . . A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the non-space of the mind, clusters and constellations of data."1

In the minds of many, cyberspace became synonymous with the Internet. In September 2006 the Joint Chiefs of Staff endorsed a definition of cyberspace as "a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures."2

We dissect this definition to derive the scientific basis of its intent. The word "domain" instead of "environment" carries legal implications under the laws of armed conflict. Electronics and the electromagnetic spectrum refer to the wave-particle duality of radiation that, when modulated with information, creates a signal. Data and networked systems refer to digital information and application programs and the computers and networks on which they exist, in other words, data and applications at rest and in motion. For warfare purposes, we derive a working definition of cyberspace as "a domain in which signals hold at risk intelligent systems."

This definition recognizes three components to cyberspace: (1) the "effectors" encompass a broad range of signal-borne threats, analog and digital; (2) the "medium" enables effectors to access the targets, wired and wireless, hardware and software; and (3) the "targets" include weapons and systems that use computers or networks.

This working definition of cyberspace effectors is consistent with Department of Defense Information Operations (IO) Security Classification Guidance that excludes from consideration as IO weapons those conventional weapons that produce IO effects.3

3. What are the differences among data, information, and intelligence?

Data refer to low-level digital signals that tend to be time sensitive but disorganized. Information derives from organizing data in a logical manner. Intelligence refers to information placed in a contextual framework.

4. How does cyberspace differ from traditional war-fighting domains?

Fundamental differences between cyberspace and the traditional war-fighting domains of land, sea, air, and space include:

  • Low cost of entry: anyone with a computer and an Internet connection can create malicious effects against global US interests;
  • Anonymity through unauthenticated protocols and anonymizers; and
  • Jurisdictional uncertainty by transcending international borders.

The above challenges create legal implications on the authorities governing cyber defense, including from United States Code Title 10 for military activities, Title 18 for criminal activities, Title 32 for National Guard and state defense, and Title 50 for foreign intelligence surveillance.

5. Why are cyberspace effects important to mission success?

The increased reliance on information systems to accomplish mission-critical tasks gives cyberspace effects an increasing influence on mission success. If a task or process requires information that can only be conveyed electronically, that task or process is potentially vulnerable to cyberspace effects. Additionally, if a platform or system interacts electronically with information, the operation of that platform or system depends potentially on the integrity of that information. There are myriad ways even subtle cyberspace effects can influence mission operations due to this class of dependencies.

6. Why does the Air Force require a separate cyber command?

Cyberspace is increasingly critical and inseparable from our national power and interests. Adversary denial of the domain to US military operations can take away battlespace awareness, command and control, and precision strike and leave our exquisite twenty-first-century capabilities paralyzed. We cannot afford to let this happen, so now is the time to focus on a consolidated effort to protect and defend the domain.

In 2003 the Department of Homeland Security published The National Strategy to Secure Cyberspace, a document that presented cyberspace security as a subset of homeland security and outlined a wide range of initiatives to "protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States."4

One of those initiatives calls for the government to "improve coordination for responding to cyber attacks within the U.S. national security community."5 The Air Force answered that call in December 2005 when it added cyberspace to its mission statement.

7. What are information operations?

Information operations refer to the integrated employment of electronic warfare, computer network operations, psychological operations, military deception, and operations security (OPSEC)—the five IO core capabilities—in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision making while protecting our own. Capabilities supporting IO include information assurance (IA), physical security, physical attack, counterintelligence, and combat camera. These are either directly or indirectly involved in the information environment and contribute to effective IO. Related IO capabilities consist of public affairs, civil-military operations, and defense support to public diplomacy.

8. What is the information environment?

The information environment consists of three conceptual dimensions: physical, informational, and cognitive. The physical dimension is the tangible, real world. It represents the devices, systems, computers, and networks that constitute weapon systems. The physical dimension also includes the stored computer programs and applications that impart utility to this dimension.

The information dimension is where information is created, manipulated, shared, and stored. This dimension links the real world of the physical dimension with the human consciousness of the cognitive dimension.

The cognitive dimension is where the individual processes the received information against norms, beliefs, and values. The cognitive dimension evaluates and processes information via an observe, orient, decide, act (OODA) loop and communicates decisions to the physical layer.

9. What is information power?

Information power refers to the ability to use information resources and forces to create discernible military and political effects. Together with airpower and space power, information power can help put friendly forces in a position of advantage. Information power is an inseparable part of the air and space power concept. Information power can be applied through kinetic (heat, blast, and fragmentation—bombs and bullets, basically) or nonkinetic means (through weapons or techniques that persuade, confuse, surprise, or contribute to the security of our forces). Further, information power can create lethal or nonlethal effects.

For Airmen, our information power capabilities contribute directly to the joint force campaign in several ways. First, these capabilities help prepare and shape the overall information environment for the joint force commander before, during, and after combat. Second, information power capabilities provide situational awareness to Air Force commanders about to employ air and space forces to achieve the objectives of the joint force commander. Third, information power can create real physical or psychological effects upon our adversaries. These effects may be discrete (individual) effects. More often, however, information effects enhance or support other physical or psychological effects created by other air and space forces. Finally, information power capabilities can support other airpower or space power missions.

10. What is a revolution in military affairs?

A revolution in military affairs (RMA) refers to a theory about future warfare linked to concepts, organization, and technological changes. In the context of cyber warfare, RMA refers to the dichotomy of military superiority enabled by net centricity and the commensurate vulnerability of kinetic-weapon dependency on cyberspace.

Famous RMAs in history include the English longbow that gave Henry V victory over the French army in the battle of Agincourt in 1415 and the rifled musket that decimated the Confederate army in Gettysburg in 1863. The success of the strategic bombardment RMA in World War II depended on a technology-enabled, industry-driven superiority. In contrast, the success of cyber warfare as an RMA depends on an education-enabled, technology-driven framework.

11. What is information assurance?

Joint Publication 3-13, Information Operations, defines IA as a set of measures that protect and defend information and information systems by ensuring their confidentiality, integrity, availability, authentication, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

IA is a supporting capability for IO. IO depends on IA to protect information and information systems, thereby assuring continuous capability. IA and IO have an operational relationship in which IO is concerned with the coordination of military activities in the information environment while IA protects the electronic and automated portions of the information environment. IO relies on IA to protect infrastructure to ensure its availability to position information for influence purposes and for the delivery of information to the adversary. IA relies on IO to provide operational protection with coordinated OPSEC, electronic protection, computer network defense, and counterintelligence against adversary IO or intelligence efforts directed against friendly electronic information or information systems.

12. What is confidentiality?

Confidentiality seeks to ensure that secrets remain secret. It deals with protecting data and programs from unauthorized access and display. Internet privacy concerns revolve around accidental and intentional disclosure of personal information and therefore a failure of confidentiality. Strong encryption often suffices to protect data and programs from unauthorized access, but encryption alone does not protect against malicious or negligent insider threat.

13. What is encryption?

Encryption refers to an arithmetic operation that uses a key to transform a message from plain text into cipher text. Cryptography is the study of encryption techniques, while cryptanalysis refers to the study of methods to break encryptions.

Private-key cryptography uses symmetrical encryption, where the encryption key is the same as the decryption key. The Data Encryption Standard is an example of private-key cryptography. Public-key cryptography uses asymmetric encryption, with different encryption and decryption keys. The Rivest-Shamir-Adleman algorithm is commonly used in public-key cryptography.

14. What is integrity?

Integrity refers to the protection of data and programs against unauthorized modification. Databases of enemy targets, Airmen medical records, supply purchase orders, and rendezvous coordinates for tankers and fighters are susceptible to data modification with potentially catastrophic consequences. Cyber-attack vectors recently have targeted computer applications and operating systems with a more advanced threat to system integrity.

15. What is availability?

System availability and data availability refer to at-will access to resources. As traditional war-fighting domains depend increasingly on cyber assets, the uninterrupted availability of hardware and software assets plays a vital role in mission accomplishment. Denial of service attacks undermine the availability of cyber assets.

16. What is a distributed denial-of-service disruption?

Distributed denial-of-service (DDoS) disruptions flood a network resource, like a web server, with huge amounts of data from many different machines and locations in an effort to bring the server down and deny its availability. DDoS disruptions deny users access to the information and services residing on the resource. The incidents can be launched from information systems across the Internet unified in their efforts or by compromised information systems controlled by servers that hide the true origin of the attack.

17. What is authentication?

Authentication refers to identifying digitally, and with certainty, the identity and need to know of an access request to a cyber resource. Digital signatures, trusted certificates, two-form factors, and biometrics provide various means of authentication with differing strengths. Although authentication verifies with high probabilistic certainty the identity of a user or process accessing a resource, authentication alone does not provide for attribution.

18. What are attribution and nonrepudiation?

Attribution refers to tracing back the origins of an authorized or an unauthorized access to a resource. Nonrepudiation refers to holding accountable a verified and authenticated access to a resource. Attribution and nonrepudiation are interchangeable for authorized accesses. Since the Internet operates on inherently unauthenticated protocols, attribution and nonrepudiation collide often with anonymity. Obfuscation techniques, source address spoofing, and anonymizers increase the difficulty of attribution.

19. What role does attribution play in deterrence?

Classic deterrence relies on threatening a potential adversary with an overwhelming use of force as a means to dissuade unfavorable action. In the cyber framework, attribution becomes an essential prerequisite to deterrence. Motivation and intent play a key role in classical deterrence. Assured mutual destruction provided nuclear deterrence during the Cold War. Assured mutual coexistence provides some form of deterrence in the space domain of today.

Strategic deterrence considers return on investment as the principal metric in dissuading hostile activity. Deterrence in a culture where the ultimate sacrifice is a normal part of life, and where attribution becomes inconsequential, necessitates reducing significantly the potential rewards. As investment approaches infinity, deterrence works best by reducing potential return to zero. Thus, strategic deterrence in cyberspace seeks to minimize or neutralize the potential gain from an attack as a means to deterring it.

20. What are network warfare operations?

Network warfare operations (NW Ops), a subset of cyber warfare operations, are the integration of the military capabilities of network attack, network defense, and network warfare support. The integrated planning and employment of NW Ops along with electronic warfare operations, influence operations, and other military capabilities are conducted to achieve desired effects across the information domain. NW Ops, when employed with other information operations, ensure our ability to operate in a contested information environment:

  • Network attack employs network-based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks.
  • Network defense employs network-based capabilities to defend friendly information resident in, or transiting through, networks against adversary efforts to destroy, disrupt, corrupt or usurp it.
  • Network Warfare Support is the collection and production of network-related data for immediate decisions involving NW Ops. Network warfare support is critical to network attack and network defense actions to find, fix, track, and assess both adversaries and friendly sources of access, as well as vulnerability for the purpose of immediate defense, threat prediction and recognition, targeting, access and technique development, planning, and execution in NW Ops.

21. What is the International Standards Organization Open System Interconnection reference model?

The International Standards Organization (ISO) Open System Interconnection (OSI) reference model consists of seven layers and seeks to standardize interfaces among network software and hardware manufacturers. The primary function of the physical layer is to provide an ordered bit pipe. The data-link layer provides a virtually error-free link by breaking the data stream into packets and implementing error detection and retransmission. The network layer allows routing among nodes and networks. The transport layer provides host-to-host transport that shields the underlying network infrastructure. The session layer enables session management through login and logout, authentication, and passwords. The presentation layer deals with data presentation, data compression, and encryption. The application layer interfaces the user to the network through special- and general-purpose applications.

The Institute of Electrical and Electronics Engineers specifications and the Internet protocol (IP) standards map loosely onto the ISO OSI reference model. The physical layer maps to components which reside in physical space. The medium access control layer maps to the lower half and the logical link control maps to the upper half of the data link layer. IP maps onto the network layer. Transmission control protocol maps onto the transport layer, and protocols like hypertext transfer protocol belong to the application layer.

22. How fast do electrons travel in cyberspace?

Contrary to general belief, electrons do not travel at the speed of light, even in cyberspace. Quantum theory defines the speed of light as the speed at which a photon travels in free space, at about 300 million meters per second. Weighing 9.11 x 10^-28 grams each, electrons are too heavy to accelerate to the speed of light. Since electrons are charged particles, their motion generates a fast-propagating electromagnetic field that can reach speeds of 200 million meters per second on an electrical cable, about two-thirds the speed of light in free space.

23. What is cyber warfare?

Cyber warfare refers to the use of information and signals to deliver effects against military systems. The access media in cyberspace include all forms of data storage and transmission—physical and virtual, static and dynamic, electronic and optical. Network warfare is a subset of cyber warfare that uses networks—particularly the Internet—as the access medium. Cyber warfare integrates the three capabilities of offense, defense, and warfare support.

24. What are the technical challenges in cyber offense?

Cyber offense deals with delivering precision effects against a range of adversary targets to affect the adversary's perceptions and will to fight. The fundamental cyber offense challenges facing the science and technology community consist of access, stealth, and effects.

25. What does access to adversary systems entail?

Access refers to the challenge of delivering and installing an intelligent agent on a target system. The agent consists of either hardware or software and provides a command, control, and communication architecture. Target systems of interest to cyber warriors include a wide range of intelligent systems from desktop computers to personal communication devices (cell phones), embedded command-and-control systems (flight avionics), and supervisory control and data acquisition systems.

Exercising an attack vector against system vulnerability provides a common technique for delivering an effect onto a target. Vulnerabilities occur at all network protocol layers. Attacks against the physical layer may take the form of physical modification of a system; attacks against the network layer may exploit IP vulnerabilities through malformed packets or stack overflow; attacks against the session layer may employ social engineering to obtain a user password; and attacks against the application layer may use e-mail to target an individual.

The ability to remotely access a vulnerable computer system connected to the Internet becomes harder with common information-assurance practices, and the level of difficulty escalates for closed systems isolated from the Internet. Proprietary systems pose additional access challenges, as do active avoidance and deception procedures.

26. What are stealth and persistence in cyberspace?

Successful access to a target system and the installation of an intelligent agent carry little value unless the agent can persist and survive normal operations. To a malicious agent, the host system presents a potentially hostile environment fraught with virus scanners, intrusion detectors, malware sanitizers, systems reinstallation, and hardware upgrades.

The survival of the agent and its persistence as a command-and-control platform for payload delivery depend on its ability to hide, morph, and masquerade.

Agent developers play a cat-and-mouse game with malware detectors in what shapes up as a long, drawn-out battle. On the surface, this battle favors the offense given the proliferation of hiding places in a computer. However, secure virtualization techniques and an engineered introduction of custom hardware for securing trust promise to level the playing field and increase the stakes.

27. What does it mean to deliver precision effects?

Delivering cyber effects refers to the "D" family: deter, deny, disrupt, deceive, dissuade, degrade, destroy, and defeat adversary systems through lethal and nonlethal means. The impact of these effects ranges from user annoyance, through system control, to affecting the will of a nation to follow a desired course of action.

Delivering precision effects became synonymous with low-collateral damage in some doctrinal circles. This narrow interpretation ignores meaningful historical lessons where high-collateral damage constituted a desired precision effect. The Doolittle Raid on Tokyo on 18 April 1942 delivered the precision effect of shaking the confidence of the Japanese military in its ability to protect the emperor, and the bombing of Hiroshima and Nagasaki delivered the precision effect of an unconditional Japanese surrender.

Understanding the full range of possible D effects permits cyber warriors to develop technologies and tactics to operate across a broad range of targets. In addition to providing the president or secretary of defense with true sovereign options in cyberspace, an unconstrained approach to cyber offense science and technology carries immediate dividends to cyber defense. By divorcing intent from technology when modeling the cyber threat and by recognizing the reality that some adversaries may not play by our rules, a defender expands his toolkit to provide much broader utility against irregular threats.

28. What are cyber threats?

The traditional method to examine threats is to classify them according to the motivation and intent of the actors:

  • "Hackers and crackers" seek notoriety.
  • Criminals seek financial benefit.
  • Terrorists seek ideological gain.
  • Nation-states seek political and military advantage.

A technological look at threat focuses on risk and vulnerabilities, regardless of motivation and intent. The National Institute of Standards defines the risk to information systems as a function of the likelihood of a given threat exercising a particular potential vulnerability. As the complexity of computer and network systems increased, the potential vulnerabilities increased correspondingly. Risk mitigation must therefore seek reductions in both threat and vulnerability.

29. What is digital radio frequency memory?

Digital radio frequency memory (DRFM) is a high-speed digital storage device that can operate at radio frequencies. Equipped with proper antennas, an analog-to-digital converter on the front end and a digital-to-analog converter on the back end, DRFM can store and replay very high frequency signals in the gigahertz range. This capability permits DRFM devices to mount replay attacks against a range of cyber systems, mimicking the exact properties of the original signal without the need to break its encryption.
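The defensive consequence of the replay point above, as an added example that is not part of the original article: a receiver that only checks that a frame is cryptographically valid accepts a recorded copy, while one that also enforces freshness rejects it. The frame layout, key, and class names are assumptions made for illustration, and HMAC-SHA256 stands in for whatever protection a real link uses.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: shared secret, constructed for this example
TAG_LEN = 32                   # HMAC-SHA256 output size


def make_frame(counter, command, key=KEY):
    """Sender: 8-byte big-endian counter | command | HMAC-SHA256 tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_frame(frame, key=KEY):
    """Return (counter, command) if the tag verifies, otherwise None."""
    if len(frame) < 8 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    (counter,) = struct.unpack(">Q", body[:8])
    return counter, body[8:]


class NaiveReceiver:
    """Checks that a frame is authentic but has no notion of freshness."""

    def accept(self, frame):
        return verify_frame(frame) is not None


class FreshnessReceiver:
    """Checks authenticity and requires a strictly increasing counter."""

    def __init__(self):
        self.last_counter = -1

    def accept(self, frame):
        parsed = verify_frame(frame)
        if parsed is None:
            return False           # forged or corrupted
        counter, _command = parsed
        if counter <= self.last_counter:
            return False           # valid tag, but already seen: a replay
        self.last_counter = counter
        return True


def demo():
    """Feed the same recorded frame to both receivers and report decisions."""
    recorded = make_frame(1, b"OPEN")   # constructed sample frame
    tampered = bytearray(recorded)
    tampered[8] ^= 0x01                 # flip one bit of the command
    naive, fresh = NaiveReceiver(), FreshnessReceiver()
    return {
        "naive_original": naive.accept(recorded),
        "naive_replay": naive.accept(recorded),    # byte-identical copy
        "fresh_original": fresh.accept(recorded),
        "fresh_replay": fresh.accept(recorded),
        "fresh_next": fresh.accept(make_frame(2, b"CLOSE")),
        "fresh_tampered": fresh.accept(bytes(tampered)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} {'accepted' if accepted else 'rejected'}")
```

The replayed frame passes every cryptographic check because it is the original; only state kept by the receiver (a counter here, a timestamp or challenge in other designs) distinguishes it.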

30. What is phishing?

Phishing refers to an application layer threat in which attackers combine technical deception with social engineering to steal personal information from Internet users. Phishing uses e-mails with spoofed sender addresses or contents to drive recipients to counterfeit websites that solicit private information or install malware on the target computer.

Spear phishing uses more advanced social engineering to target a spoofed e-mail to a specific individual, using detailed knowledge on the victim to customize the subject and content of the e-mail. Phishing remains a common technique to lure individuals into cyber traps.

31. What is the difference between a virus and a worm?

Both viruses and worms exploit vulnerabilities in the computer network stack to install and propagate malicious code. Viruses require typical user action to infect a machine and propagate to its next target. In contrast, worms propagate automatically from one vulnerable machine to another without user action. For example, the Melissa virus propagated when a user opened an infected attachment in an e-mail. This caused the virus to e-mail the infected document to the alias list found on the victim computers. By comparison, the Morris Internet worm propagated on its own among Unix computers without user assistance, exploiting any one of several possible operating system vulnerabilities.

32. What are the tenets of cyber defense?

Cyber defense seeks to anticipate and avoid threats, detect and defeat threats, and survive and recover from attacks. In an analogy to the OODA loop, cyber defense seeks to operate inside the OODA loop of the threat.

Cyber warfare affords the planners an alternative approach to risk assessment through assumptions. In a game-changing thought process, analogous to a shift away from stochastic poker playing toward deterministic chess analysis, the cyber defender possesses the luxury of considering the entire space of threat scenarios, at least a couple of moves deep, and instituting defenses against the most devastating threats, not simply the most likely ones.

33. How does cyber defense anticipate and avoid threats?

Anticipating and avoiding threats eliminate the need to fight them and save the concurrent cost to data and system integrity, making prevention an effective first line of defense against cyber threats. Anticipating a cyber threat includes setting up over-the-horizon early warning systems that detect anomalous activity, analyzing rapidly its forensic fingerprint to predict future behavior, and communicating through viable reach-back options to avoid the threat.

From a war-fighting perspective, the Internet traditionally favored the defense over the offense. This inherent advantage to the attacker resulted from the design of the Internet protocols for tolerance to failure rather than resilience to attack. Modifying the cyber domain to favor the defense may provide an effective method for attack avoidance.

Cyberspace domain modification can occur at any of the seven layers of the OSI reference model. Just as a carrier battle group sails the oceans rather than sitting still in one location, so can a network or system move around the IP address space for deception and attack avoidance. Polymorphic networks, thin clients, and secure virtualization offer potential risk reduction through lower vulnerability.

The tenets of antitamper protection technologies seek to reduce vulnerability by reducing the scope of protection and focusing on critical components—the "crown jewels" in a system—making them harder to access. This approach allows the defenders to impose high penalties on the attacker and deter the threat.

34. What is a firewall?

A firewall provides network perimeter defense in the form of a network-layer device that enforces the rules in an access control list on all packet traffic. A firewall typically allows or blocks packets based on protocol and port, permitting usually unrestricted outbound traffic but blocking unsolicited incoming traffic. In a layered defense posture, a firewall prevents external devices from connecting to machines inside the firewall perimeter.
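An added sketch of the behavior described above, not taken from the original article: an access control list evaluated first-match on direction, protocol, and port, with inbound packets admitted only when they answer a connection opened from inside. Connection tracking is the mechanism assumed here for telling solicited from unsolicited traffic; the rule set, addresses (documentation ranges), and class names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the perimeter, "in" = arriving from outside
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, p):
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class Firewall:
    def __init__(self, acl):
        self.acl = list(acl)
        self.flows = set()  # connections opened from inside the perimeter

    def decide(self, p):
        if p.direction == "in":
            # A reply mirrors the addresses and ports of a tracked outbound flow.
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return "allow"
        for rule in self.acl:  # first matching rule wins
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "block"  # default deny: nothing unsolicited gets in


# Constructed policy: outbound is unrestricted except telnet; no inbound rules.
ACL = [
    Rule("block", "out", "tcp", 23),
    Rule("allow", "out", "any", None),
]

# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 50000, "198.51.100.7", 443),  # inside opens HTTPS
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 50000),   # the server's reply
    Packet("in", "tcp", "203.0.113.9", 40000, "10.0.0.5", 3389),   # unsolicited
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 50001),   # same server, no such flow
    Packet("out", "tcp", "10.0.0.5", 50002, "198.51.100.7", 23),   # outbound telnet
    Packet("in", "tcp", "198.51.100.7", 23, "10.0.0.5", 50002),    # reply to a blocked flow
]


def run(traffic, acl=ACL):
    """Return the firewall's decision for each packet, in order."""
    fw = Firewall(acl)
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for pkt, verdict in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{verdict:5s} {pkt.direction:3s} {pkt.proto} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```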

35. What is public key infrastructure?

Public key infrastructure (PKI) enables users of an unsecure public network such as the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair obtained and shared through a trusted authority. PKI provides a digital certificate that can identify an individual or an organization and directory services that can store and revoke certificates.

The "key" element of the PKI refers to an asymmetric key pair comprised of a public key and a private key generated simultaneously using an irreversible mathematical process. The private key is given only to the key owner, and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is not shared or sent across the Internet. The key owner uses the private key to decrypt text encrypted with his public key by someone else. PKI enables assurances not previously available:

  • Confidentiality prevents unauthorized access to data,
  • Integrity alerts of unauthorized modification of data,
  • Authentication verifies user identity, and
  • Nonrepudiation provides attribution.

36. What is a common access card?

The common access card (CAC) is a US Department of Defense (DOD) smart card issued as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel. The CAC is used as a general identification card as well as for authentication to enable access to DOD computers, networks, and certain DOD facilities. It also serves as an identification card under the Geneva Convention. The CAC enables encrypting and signing e-mail, facilitates the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials. PKI credentials or certificates are encrypted in the integrated circuit chip located on the front of the CAC and protected by a personal identification number.

37. How does cyber defense detect and defeat threats?

Cyber threat detection often follows one of two methods: (1) classifying normal system behavior and looking for anomalies or (2) looking for a match in a precompiled catalog of known malicious activity. The first method suffers from high heuristic complexity and uncertain results, while the second method misses new malware for which no signature exists. System malfunctions, software bugs, and malicious or inadvertent insider threats further complicate threat detection. The ability to discriminate between accidental and malicious activity often requires advanced analysis that eludes automated systems.
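The trade-off between the two detection methods, as an added example that is not part of the original article: both detectors run over the same process-launch events and are scored against ground truth. All events, file names, and digests are constructed for illustration, and the anomaly model (how often a parent process has launched a given child) is one simple assumed choice among many.

```python
import hashlib
from collections import Counter


def digest(label):
    """Constructed stand-in for a file hash; no real sample is referenced."""
    return hashlib.sha256(label.encode()).hexdigest()


# Method 2: precompiled catalog of known malicious activity (constructed).
SIGNATURES = {digest("constructed-known-dropper")}

# Method 1 input: constructed history of normal parent -> child launches.
BASELINE = (
    [("explorer.exe", "winword.exe")] * 40
    + [("explorer.exe", "chrome.exe")] * 55
    + [("services.exe", "svchost.exe")] * 90
)

# Constructed events to classify; "malicious" is ground truth for scoring only.
EVENTS = [
    {"parent": "explorer.exe", "child": "winword.exe",
     "sha256": digest("office-suite"), "malicious": False},
    {"parent": "winword.exe", "child": "dropper.exe",
     "sha256": digest("constructed-known-dropper"), "malicious": True},
    {"parent": "winword.exe", "child": "update_helper.exe",
     "sha256": digest("constructed-new-variant"), "malicious": True},
    {"parent": "services.exe", "child": "backup_tool.exe",
     "sha256": digest("newly-installed-backup-agent"), "malicious": False},
]


def build_profile(history):
    """Count how often each (parent, child) launch pair appears in the baseline."""
    return Counter(history)


def signature_hit(event, catalog=SIGNATURES):
    """Exact match against the catalog; blind to anything not yet catalogued."""
    return event["sha256"] in catalog


def anomaly_hit(event, profile, min_support=5):
    """Flag launch pairs seen fewer than min_support times in the baseline."""
    return profile[(event["parent"], event["child"])] < min_support


def score(events, history=BASELINE):
    """Tally caught / missed / false_alarm for each method against ground truth."""
    profile = build_profile(history)
    tally = {m: {"caught": 0, "missed": 0, "false_alarm": 0}
             for m in ("signature", "anomaly")}
    for e in events:
        hits = {"signature": signature_hit(e), "anomaly": anomaly_hit(e, profile)}
        for method, hit in hits.items():
            if e["malicious"]:
                tally[method]["caught" if hit else "missed"] += 1
            elif hit:
                tally[method]["false_alarm"] += 1
    return tally


if __name__ == "__main__":
    for method, counts in score(EVENTS).items():
        print(method, counts)
```

The signature method misses the new variant because nothing in its catalog matches, while the anomaly method catches it but also flags the first run of a legitimate backup tool, which an analyst then has to triage.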

Threat defeat seeks to cancel out the adverse effects of threats. Defeat techniques aim to restore the threatened system to a prior known steady state. This restoration may include killing unauthorized processes, uninstalling malicious programs, deleting malicious files, and reconfiguring peripherals. However, some defeat techniques result in file deletion, program modification, and loss of settings, requiring extensive system recovery beyond basic threat defeat.

38. How do systems survive and recover from attacks?

The ability to fight through an attack and recover to fight another day characterizes a resilient system. In response to the threats of internal fires and external torpedoes, naval vessels feature double hulls that permit a ship to survive a direct hit and continue to fight through the battle. Similarly, cyber systems must continue to function properly, albeit with graceful degradation, in the face of an attack.6

At the system-of-systems level, hardware and software diversity increases the ability of a complex system to survive a discriminating attack against a specific class of systems. A zero-day exploit targeting an unpatched vulnerability inflicts more damage on a vulnerable homogeneous system than it does against a diverse heterogeneous system with a mix of machines.

A defense layered in depth makes allowance for successful attacks and sets in place procedures for postthreat recovery. Cyber attacks rarely result in permanent destruction of systems that necessitates hardware replacement. In either case, recovery necessitates pre-established systematic procedures to restore a system to a known stable state.

39. What is cyber craft?

Cyber craft provides the root of trust for an integrated cyber defense. It resides on friendly computers and weapon systems to provide persistent situational awareness of its environment; collaborates with other cyber craft to map the environment into a layered picture for a command-level view of cyberspace; establishes a trusted command, control, and communication architecture; provides a guarantee of self-protection that drives a formal description of its state; and thereby implements the intent of the commander by deploying payloads to defeat threats.

40. What is trust?

In his speech to the C4ISR Integration conference in Crystal City, Virginia, 2 November 2006, Secretary of the Air Force Michael Wynne asked,

"What new habits of thought do we need in order to create and develop technology, and to fight in the twenty-first century? The answer is to . . . think in terms of trust. Our operations in each of our Services all rely on trust. That is, the pilot can trust information that a target is the foe, not innocent inhabitants of a school building or hospital or embassy. The ground fighter with a communication device can trust that the device is not being tracked by a foe, potentially exposing the ground force unnecessarily. This new way of war is data-dependent. So we need to think in terms of trust and securing trust."7

We consider trust the single most important parameter in cyberspace. From a mathematical perspective, we do not measure trust in binary fashion—one or zero, true or false, present or absent—but rather on a continuum from little trust to a lot more trust. To a cyber defender, the trust in a defensive posture, such as cyber craft, provides a measure of the cost to the adversary of defeating this defense.

41. What technologies support cyber warfare?

Effective cyber offense and cyber defense require support functions to visualize the domain, quickly analyze events of interest, and derive timely situational awareness and actionable intelligence.

42. What is cyber intelligence?

Cyber intelligence (CYBINT), the newest addition to the "INT" family, refers to an automatic process of enumerating a cyber neighborhood, identifying assets, detecting vulnerabilities, and developing attack vectors. CYBINT seeks to transform raw network connectivity data into actionable information. In a changing topology due to attack or preventive polymorphism, CYBINT plays an equally important role in characterizing the blue assets of the defender as the red assets of an attacker.

CYBINT goes beyond the intelligence preparation of the battlespace. The former takes into consideration both players in a cyber conflict, while the intelligence preparation of the battlespace tends to focus on the target of an attack. In this context, CYBINT refers to the use of intelligence in support of cyber. Conversely, cyber exploitation can provide valuable intelligence information on adversary systems. System intrusion may yield valuable information to complete the intelligence picture of an unknown system. In this context, CYBINT refers to the use of cyber in support of intelligence.

43. How can rapid cyber forensics enable deterrence?

Cyber operations occur in the compressed time domain of milliseconds and seconds, the time it takes for packets to travel among network nodes and for programs to execute on computers. This pace of activity necessitates the automation of defensive steps of threat detection, classification, course-of-action selection, and defeat. These four steps correspond to the OODA loop.

The compressed timescale of cyber attacks necessitates automating the response OODA loop. In particular, the orient step necessitates rapid real-time forensics of the blue systems under attack for the purposes of attribution and course-of-action selection. Attribution serves a dual role of identifying the authority applicable to the threat (criminal versus military) and enabling deterrence through active defense. Cyber geolocation, the virtual GPS of the cyber world, increases attribution fidelity by locating the origin of a threat in cyberspace as well as geographically.

Accurate attribution may result in deterrence through the threat of precise retaliation. Deterrence works especially when the motivation for cyber attacks seeks modest return on investment. While a common criminal may seek a high return on a small investment, an activist may offer the ultimate investment to achieve ideological returns. Since attribution provides no deterrence to high-investment attackers, trivializing the potential return may produce the desired deterrence.

44. What brings situational awareness to cyberspace?

Unlike traditional domains characterized by geography and time, cyberspace transcends physical boundaries onto logical and virtual dimensions. The layered representation of links and nodes, domains and processes, and applications and organizations complicates the development of a common operating picture of mission impact and capabilities.

Situational awareness (SA) deals with complementary perspectives of cyberspace. At the micro level, SA provides a representation of the environment from the perspective of a node or an agent, where availability and reliability play important roles. At the macro level, SA provides the commander with a high-level view of cyberspace with mission functionality and capability. The mapping of mission-essential functions onto the underlying physical infrastructure and taking into account the fluidity of the intermediate protocol layers pose a fundamental challenge to cyber SA.

45. What is steganography?

Steganography is the art and science of hiding data. Unlike cryptography, which transforms plaintext into ciphertext, steganography hides data by embedding them into carrier files or vessels. The most common vessels include pictures, audio files, and video files; however, any computer file can hide data within its structure. Steganography uses mathematical techniques to maximize the hiding capacity of a vessel. Steganalysis, the science of detecting and recovering hidden data, relies heavily on signal-processing techniques. Oftentimes, cryptographic techniques encrypt the data prior to hiding to mask their properties and make detection even harder.

46. What is digital watermarking?

Digital watermarking uses strong steganography techniques to embed uniquely identifiable information inside data files. As its name implies, watermarking seeks to protect the integrity of a file, permits the detection of tampering, and allows tracking and attribution.
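The tamper-detection and attribution properties described above can be shown with a small fragile watermark. This is an added example, not part of the original article: it uses simple least-significant-bit embedding and an HMAC-SHA256 tag, both chosen here for brevity, and the vessel, key, and owner ID are constructed.

```python
import hashlib
import hmac

OWNER_LEN = 4                       # bytes of owner ID (assumed fixed width)
MARK_BITS = (OWNER_LEN + 32) * 8    # owner ID + HMAC-SHA256 tag, one bit per sample

def _protected(pixels: bytes) -> bytes:
    """Data covered by the tag: the vessel with watermark-carrying LSBs zeroed."""
    return bytes(p & 0xFE for p in pixels[:MARK_BITS]) + pixels[MARK_BITS:]

def embed(pixels: bytes, key: bytes, owner: bytes) -> bytes:
    """Hide the owner ID and a keyed tag in the LSBs of the first MARK_BITS samples."""
    if len(owner) != OWNER_LEN or len(pixels) < MARK_BITS:
        raise ValueError("owner ID must be OWNER_LEN bytes and vessel >= MARK_BITS")
    tag = hmac.new(key, owner + _protected(pixels), hashlib.sha256).digest()
    payload = owner + tag
    out = bytearray(pixels)
    for i in range(MARK_BITS):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def verify(pixels: bytes, key: bytes):
    """Return the embedded owner ID if the file is untampered, else None."""
    if len(pixels) < MARK_BITS:
        return None
    payload = bytearray(MARK_BITS // 8)
    for i in range(MARK_BITS):
        payload[i // 8] |= (pixels[i] & 1) << (7 - i % 8)
    owner, tag = bytes(payload[:OWNER_LEN]), bytes(payload[OWNER_LEN:])
    expected = hmac.new(key, owner + _protected(pixels), hashlib.sha256).digest()
    return owner if hmac.compare_digest(tag, expected) else None

# Constructed 1,024-sample grayscale buffer standing in for an image file.
VESSEL = bytes((i * 7) % 256 for i in range(1024))
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    marked = embed(VESSEL, KEY, b"AF01")
    print("intact:  ", verify(marked, KEY))
    tampered = bytearray(marked)
    tampered[500] ^= 0x10            # alter one sample after marking
    print("tampered:", verify(bytes(tampered), KEY))
```

Each sample changes by at most one intensity level, so the mark is not visible, yet any later modification of the protected data invalidates the tag.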

47. What is the difference between cyber career force and cyber career field?

Cyber career force refers to Airmen with diverse skills and backgrounds who receive specialized training on commercial network management tools. Cyber career field refers to Airmen educated in the science and technology of cyber warfare, covering the gamut of fundamentals from mathematics to physics, linear algebra to electromagnetism, computer software to hardware, and electronics to cryptography.

48. What is cyber training?

Cyber training is a myth, just like javelin catching at track meets.

49. What is the ACE?

The Advanced Course in Engineering (ACE) Cyber Security Boot Camp is an elite program to educate the next generation of Air Force officers to command the cyber revolution in military affairs. Created in 2003 in response to Pres. George W. Bush's National Strategy to Secure Cyberspace, the ACE accepts college seniors in computer engineering, electrical engineering, and computer science with a minimum GPA of 3.0 into a 10-week intense residential summer program of graduate education, problem solving, research internships, officer development, weekly 8-mile runs, 24x7 cyber warfare, and an all-out capstone winner-takes-all hackfest. ACE graduates commission into cyber warfare positions throughout the Air Force and form the core of officers in the cyber career field.

50. What question did we forget?

Please let us know so that we can start compiling the next update: "50 More Cyber Questions Every Airman Can Answer."


1. William Gibson, Neuromancer (New York: Ace Books, 1984), 51.

2. Gen Peter Pace, USMC, chairman of the Joint Chiefs of Staff, National Military Strategy for Cyberspace Operations, December 2008, ix, http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-023.pdf.

3. Department of Defense Instruction O-3600.02, Information Operations Security Classification Guidance, 28 November 2005, 2, http://www.dod.gov/pubs/foi/Reading_Room/Other/14-F-1161_DoD_Instruction_3600-02_Information_Operations_IO_Classification_Guidance.pdf.

4. Department of Homeland Security, The National Strategy to Secure Cyberspace (Washington, DC: Department of Homeland Security, February 2003), iii, https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.

5. Ibid., xii.

6. Graceful degradation is "the ability of a computer, machine, electronic system, or network to maintain limited functionality even when a large portion of it has been destroyed or rendered inoperative." Search Networking (website), accessed 19 October 2016, http://searchnetworking.techtarget.com/definition/graceful-degradation.

7. Secretary of the Air Force Michael Wynne (speech, C4ISR Integration conference, Crystal City, VA, 2 November 2006), http://www.af.mil/AboutUs/SpeechesArchive/Display/tabid/268/Article/143968/cyberspace-as-a-domain-in-which-the-air-force-flies-and-fights.aspx. C4ISR stands for command, control, communications, computers, intelligence, surveillance, and reconnaissance.

Dr. Kamal Jabbour is senior scientist, information assurance, Air Force Research Laboratory.

Originally published as "50 Cyber Questions Every Airman Can Answer" (Wright Patterson AFB, OH: Air Force Research Library, 7 May 2008).


