Cyber skills honed at Red Flag

NELLIS AIR FORCE BASE, Nev. -- While traditional weapons systems like adversary aircraft and air defenses still exist, enemies have a new tool in their repertoire to use against America: cyber weaponry.

The Air Force recognizes the challenges from this new domain in warfare, and is defending against cyber threats. Part of that defense is Red Flag 12-3.

Red Flag, an annual Air Force Warfare Center exercise involving the air forces of the United States and its allies, is coordinated at Nellis Air Force Base, Nev., and conducted on the vast bombing and gunnery ranges of the Nevada Test and Training Range.

This year, cyber operations are playing a larger role in the exercise, with operators from Nellis and Lackland AFB, Texas, participating.

"Last year was the first time we had network defense play in Red Flag, although to a limited extent," said Lt. Col. Travis Hawker, 318th Information Operations Group Detachment 2 commander. "This year we've significantly expanded our participation."

That expansion resulted from one year's worth of planning by Hawker's detachment.

"We started preparing for Red Flag 12-3 right after Red Flag 11-3," he said. "The time was necessary to prepare range network configurations, work through scheduling conflicts, negotiate security issues and build an increasingly realistic network from the ground up."

The exercise, which ran from Feb. 27 to March 16, consisted of three weeks of increasing levels of difficulty, said 2nd Lt. Robert Winchester III, Det. 2 officer in charge of cyber integration.

"We use a 'walk, run, sprint' model for our operations," Winchester said. "The adversaries increase their capabilities each week, challenging the participants more and more as the exercise goes on."

Network defenders, known as the Blue Team, exercise every day with one goal: defending the combined air operations center from cyber infiltration. They start with an in-brief updating the situation with mission-critical data, followed by a five-hour vulnerability period where they actively defend the network.

Red Team aggressors and White Team referees constantly place hurdles in their way. After each day's activities are complete, each team debriefs their operations, offering feedback to increase the Blue Team's capabilities and training effectiveness.

"The Blue Team goes from having a completely clean network with few vulnerabilities to an increasingly contested, degraded and operations-limited environment," said Maj. John Picklesimer, 92nd Information Operations Squadron director of operations. "This is done to force the Blue Team into fighting through the attack and ensuring they are exposed to a wide range of training scenarios during their three weeks."

The Blue Team has plenty of resources at their disposal to keep operations running.

"From a network defense perspective, we brought more forces this year and organized them more efficiently," Picklesimer explained. "One of the biggest advantages they have is that we've delegated defense of the CAOC to a new position, the Defensive Counter Cyber Tactical Coordinator."

The new position allows the Blue Team to make quicker, more responsive decisions and take swifter action to defend their networks.

"The DCCTC coordinates network defense fires between five units located on the CAOC floor, including two Australian cyber operators, and personnel at Lackland to provide defensive counter cyber effects and mission assurance for the CAOC's command and control mission," Picklesimer said.

Beyond the improved organizational structure, the network used by Red Flag is another innovation that has paid dividends.

"Rather than operating off the military's established network infrastructure, a realistic and self-contained network has been developed for Red Flag," said Mark Cowden, Joint IO Range coordinator.

The secure JIOR environment is used for a variety of exercises, experiments and tests, Cowden said.

This year's Red Flag is the largest exercise ever, incorporating 16 of the range's 72 sites to connect locations as geographically separated as Nellis, Lackland AFB, Tex., and Scott AFB, Ill. Since this network is completely self-contained, the cyber teams can introduce debilitating actions that have significant effects on operations without harming actual Air Force missions.

"The ability to introduce those effects is at the crux of cyber participation in the exercise," said Winchester. "This Red Flag is all about using an integrated approach to meet Combined Force Air Component commander objectives."

In real-world conflicts, cyber warfare plays an ever-expanding role in operations alongside traditional air and space assets, Hawker said.

Red Flag allows cyber operators to work alongside operational capabilities to accomplish the mission. This allows the entire warfighting community to test their integrated skills and develop tactics, techniques and procedures for future use. Plus, it helps break the mindset of cyber as a purely support function.

"Exercises like Red Flag push us to operationalize our mindset as we evolve from standard communications functions," Hawker said. "And it helps socialize the other operations communities to cyber as a viable option in the fight."