The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

Mission Defense Team Training Gap Analysis

Wild Blue Yonder --

With the rapid advancement of technology, Air Force missions are becoming increasingly dependent on cyberspace. These dependencies on networks and computers open up new attack vectors that adversaries can exploit to put our missions at risk. Aware of this threat, US Cyber Command created defensive teams under the Cyber Mission Force (CMF) construct to protect missions and defeat adversaries in cyberspace. Cyberspace protection teams (CPTs) stood up under CMF with the purpose of augmenting our traditional defensive measures and defending priority networks against priority threats.1 However, CPTs have a limitation. They are not permanently assigned to any one mission set and often walk in blind to new networks as their tasking process dictates. CPTs, while adept at techniques for tracking down adversaries, have a big challenge in becoming familiar with a new environment, making it very difficult to baseline “normal” operations of a network. To help address this limitation, the Cyber Squadron Initiative (CS-I) was created by the Air Force and then implemented by a Program Action Directive.2 This initiative formalized the decision to “execute wing-level mission assurance capabilities” with a new team type: mission defense teams (MDT).3 Wing commanders would now be able to transform their communications squadrons, with a focus on availability and the functioning of a network, into a cyber squadron that also provides persistent mission assurance through MDTs. By staying within the wing, MDTs can now focus their efforts on the Wing Commander’s priorities and spend as much time as needed to create an effective baseline—something a CPT cannot do. MDTs, as a new team, need a training pipeline. Air Combat Command (ACC) is responsible for training, planning, programming, budgeting, and execution requirements.4 One might think of an MDT as a CPT that stays in place and naturally leverage the existing CPT training pipeline. This argument, alongside the associated cost savings, might seem like a good idea but requires the proper implementation to be completely effective. MDTs face many unique training and integration issues that CPT training cannot account for.

How Does CPT Training Translate to MDTs?

It is helpful to start with the MDT training memorandum signed in 2019 by Brigadier General Kennedy, Director of Cyberspace Strategy in Policy, with the subject of “Mission Defense Team Training Requirements.”5 This letter has an attachment of the initial skills training (IST) and initial qualification training (IQT) course list for MDTs in anticipation of the transition to the CS-I initiative of cyber squadrons. Notably, these training requirements are to be completed before MDT personnel can attend the cyber vulnerability assessment & hunter (CVA/H) course. CVA/H is the weapon system that a CPT member uses, and it was decided that MDTs would use it as well. However, CVA/H is not a one-size-fits-all solution. CVA/H can currently only interact with networks using TCP/IP, the suite of protocols most commonly used on the internet. If an MDT is dealing with a mission set that utilizes something other than TCP/IP—e.g., serial communication—then CVA/H will not help.

Using CVA/H also brings in many training requirements as outlined in ACCMAN 17-2v1 signed 19 January 2021. In addition to IST and IQT, the ACCMAN states that anyone certified on CVA/H will need to remain current with continuation training (CT). ACC publishes a ready cybercrew program tasking memorandum (RTM) that lists annual tasks, broken out by CVA/H crew position, to meet CT requirements. There are two things to be careful with in relation to MDTs and CT. First, defining top-level RTM tasks at the ACC may be difficult for MDTs due to the variance in the core missions that they are assuring. While all CPTs generally do the same missions using the same techniques, this will not be true for MDTs. Creating tasks for MDTs runs the risk of being too vague or imposing requirements on MDTs who gain no training value from the task. Second, when not feasible on a mission, CPTs conduct CT on a shared training simulator using CVA/H operator/contractor-developed training scenarios. This has been a massive financial/man-hour hurdle for CPTs and the 67th CW to overcome. The good news is that training created by one CPT is relevant to all. However, MDTs face a dilemma in that if they want their simulator training to provide the most value, it will need to be unique and catered to their mission. This can become very expensive as the scenarios will not be easily shared among other MDTs and will be reliant on the number of personnel available in the new Cyber Squadrons to develop training. Otherwise, an MDT would need to package their training requirements for development by an entity outside of the unit with funding needing to come from somewhere. The severity of these impacts will be dependent on how the RTM is written for MDTs.

Is the CPT Training Model Adequate for MDTs?

By adding up the number of total hours required for an individual to go through MDT training, we end up with roughly 13 weeks of training. Five of those weeks consist of virtual/non-residence training. A CPT operator starting on their journey to get qualified on CVA/H will need to complete 23 weeks of training for IST alone. Then, another five weeks of training is required for the CVA/H course. Following CVA/H, the Host Analyst course will be five and a half weeks and the Network Analyst course will need another three weeks depending on crew position. With at least 28 weeks of CPT training compared to MDT’s 13 weeks of training, MDT personnel will not have enough training to be comparable to a CPT member’s raw technical skills. However, this skill shortfall is not the only consideration showing that MDT training based on a shortened version of CPT training is not adequate.

There is no offset that exists in CPT training to teach MDTs their specific wing mission. To address this gap, MDT training will need to cover the wing mission in its Mission Qualification Training (MQT). MQT is training developed by the local unit that teaches incoming members how to utilize what they learned in IST/IQT and apply it to the unique mission set faced by that unit. In order to develop MQT, MDT members will need to know how to interface with Airmen from various career fields and be able to understand how the mission they are assuring works. For example, if an MDT is protecting the E-3 AWACS mission, they should have some idea of how this mission functions and knowledge of basic air operations. CPT members can get away without knowing because there would not be enough time in the world to learn every mission set; they hunt and respond based on intel (targeted searches not requiring whole system knowledge). Therefore, it is no surprise that no CPT training exists for understanding other mission sets. However, MDTs will live in the mission they are supporting. They will know something is wrong because they know what their network “neighborhood” looks like. MDTs are missing training in IQT that will help them learn the processes and supported mission “language” that will set them up for success in MQT.

Another important training gap exists for wing commanders. With the CS-I putting wing commanders in charge of their mission assurance capabilities, they will need to know how MDTs work and how to effectively use them. During this transition period from communications squadrons to cyber squadrons, those squadron commanders might have a difficult time balancing the sometimes-conflicting priorities of the functioning and availability of the network and doing what is needed to practice good cyber security to assure the mission. With a well-informed wing commander, these tradeoffs will become clear and distinct and should create a collaborative environment within the wing. The wing commander will then also be able to create and foster meaningful relationships within the wing and truly integrate cyber into the bigger picture. This will require a recalibration of the old comm squadron’s success metrics. Moving from availability and “is my email working?” metrics to briefing the wing commander at staff meetings on open and significant cyber findings will be imperative to integration. What’s missing is some type of MDT familiarization course for leadership.

Recommendations

Before funding gets allocated in conjunction with the Program Action Directive being signed, now is the perfect time to assess the training needs for MDTs. I recommend starting at IQT. Currently, the only shared training among MDTs is based on CPT training. This misses what makes MDTs unique; they have a persistent mission of defending a wing’s weapon systems. For this reason, they stand to gain great benefit from a common understanding of how the operational Air Force works to utilize, maintain, and upgrade weapon systems. A course developed to discuss Program Management Office processes, Weapon System lifecycle and change management, resourcing considerations, how a wing organizationally functions, and other operational and weapon system considerations would give MDT members the core understanding needed to assure their Wing’s mission when they arrive on station. Additionally, as an MDT better understands their operating environment, they may see opportunities to improve the cyber security posture of their wing based on process analysis and network engineering concepts that require unique training beyond identification of, and response to, cyber malfeasance.

An entirely new training class for wing commanders would be beneficial as well. With the majority of wing commanders not having been in comm themselves, they might not use their new cyber squadrons effectively or efficiently. MDTs provide persistent defensive measures for a wing’s mission-relevant terrain-cyber (MRT-C). Knowing how to interface with their MDTs and provide that MRT-C will be foundational to the prioritized work that an MDT performs. There will not be enough members on an MDT to prioritize an entire network and the wing commander will need to prioritize for them based on their provided analysis. This training makes sense to develop at ACC’s level to give it credibility, weight, and standardization.

Conclusion

Using CPT training as a baseline for MDTs will not produce the most effective teams. CVA/H weapon system requirements, watered-down technical training, and a lack of MDT core IQT make for a team not technical enough to be a CPT, burdened with ill-fitting requirements, and not educated enough to integrate with an existing mission. MDTs, with ACC’s help, will need to forge their own path with training and ensure that IST and IQT are as effective and relevant as possible so that they are not stuck holding the bag when it comes time to develop unit MQT. An MDT-focused training pipeline, combined with effective leadership training, will allow for successful integration and ultimately lead to effective operations for the Air Force.

Capt. Philipp M. Wittmaack
Capt. Philipp M. Wittmaack is the Recruiting Officer (RO) for Air Force Reserve Officer Training Corps (ROTC) Detachment 520 at Cornell University, Ithaca, N.Y. He concurrently serves as an instructor for aerospace science classes. He recruits, trains, motivates, and mentors young men and women aspiring to be Air Force and Space Force officers.

Capt Wittmaack was commissioned through ROTC at Det 538, Rochester Institute of Technology, Rochester, N.Y. in 2014. He graduated from Undergraduate Cyberspace Training in the summer of 2015 and having been selected to pursue a 17S assignment, he went on to Hurlburt Field, Fla. to attend the Cyberspace Vulnerability Assessment/Hunter (CVA/H) course. He operated the CVA/H Weapon System at his first assignment defending Air Force key cyber terrain.

Prior to his current position, the captain was the Branch Chief, Current Operations for 16th Air Force, Joint Base San Antonio (JBSA), Texas. He led the daily orders management process for operational cyberspace teams in accordance with Air Forces Cyber, Joint Forces Headquarters-Cyber (Air Force), and United States Cyber Command priorities and objectives. Prior to that, Capt. Wittmaack served as the 67th Cyberspace Wing Chief of Training at JBSA, Texas. There he oversaw the training programs for three Air Force Cyberspace Weapon Systems executing both defensive and offensive cyberspace operations. During this time, he had a pivotal role in the development of 17-2 training volumes as well as representing the Air Force at United States Cyber Command requirement symposiums. This research was conducted as part of the SOS Air University Advanced Research (AUAR) elective.

Notes



1 Joe W. Kirschbaum, DOD TRAINING - U.S. Cyber Command and Services Should Take Actions to Maintain a Trained Cyber Mission Force (Washington, D.C.: United States Government Accountability Office, 2019).
2 Headquarters United States Air Force (HQ USAF), IMPLEMENTATION OF DEPARTMENT OF THE AIR FORCE CYBER SQUADRONS D15-03 (Washington, D.C.: Headquarters of the United States Air Force, 2020).
3 Air Combat Command, Air Force Mission Defense Team (MDT) Operating Concept, 2020.
4 HQ USAF, IMPLEMENTATION OF DEPARTMENT OF THE AIR FORCE CYBER SQUADRONS D15-03.
5 K. B. Kennedy, Mission Defense Team Training Requirements (Washington, D.C.: SAF/CIO A6S, 2019).