By Staff Sgt. C. Todd Lopez
WASHINGTON (Oct. 10, 2002) -- Air Force computer systems around the globe are kept safe from viruses and unauthorized users by a dedicated group of computer network defenders.
Because the Air Force computer network is a weapons system under constant attack from viruses and intrusion attempts by adversaries, defending that weapons system has become an ongoing war, said the director of operations for the 33rd Information Operations Squadron, home of the Air Force Computer Emergency Response Team at Lackland Air Force Base, Texas.
"We believe we are on the front lines of the cyber war every day," said Lt. Col. Rob Kaufman. "Our crews are well-trained, motivated and committed to stopping network intrusions and viruses."
AFCERT has strong allies in its fight to protect the global Air Force computer network, he said.
"In this fight, we are not alone," Kaufman said. "Fellow computer network defenders at major command network operations and security centers and base-level network control centers are in the fight with us. Together we are able to fight off malicious hackers that range from the nuisance 'script kiddies' to the professional hackers."
Kaufman and other cyber warriors use an arsenal of software and hardware to defend the Air Force computer network.
"We have a sensor out there at every single one of our bases and even some non-Air Force bases," Kaufman said. "That is our primary defensive mechanism."
Computer experts at Lackland's Air Force Information Warfare Center developed the current sensor platform, which has been acknowledged as a "one-of-a-kind" capability second to none. The sensors scan network traffic for virus signatures -- telltale strings of ones and zeros that indicate the presence of malicious logic. When they find such a string, AFCERT moves quickly to let everybody know about it.
"What we will do is put out advisories to the field so they will understand what an exploit or vulnerability can do to a computer and what mitigating steps they can take to protect themselves," Kaufman said. "If the threat is very bad and we think it is a system-wide type of threat, we will release a time compliance network order, which directs field units on what steps to take to protect themselves."
AFCERT monitors the network traffic for some 500,000 Air Force computers, he said. Those machines generate around 10 billion network events each year, including e-mail messages, Web page views, telnet sessions and other network traffic. That vantage point means AFCERT is often the first to come into contact with new viruses.
"We can actually get viruses 'in the wild,' tear them down and see what they do," Kaufman said. "We reverse engineer the viruses and, based on what we see in those viruses, we are able to build alert strings for our sensor so we can get an indication or warning when a new virus comes out. It also allows us to develop countermeasures for those viruses."
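The sensor mechanism described above, matching alert strings against network traffic, as an added example that is not code from the article or from AFCERT: a small Python sensor that carries a tail of the stream between packets so a signature split across a packet boundary is still caught, shown beside naive per-packet matching that misses it. The signatures, packets and offsets are constructed sample data, not real malware indicators.

```python
# Added example, not code from the article or from AFCERT: a minimal signature
# sensor matching "alert strings" against traffic. All data here is constructed.
# Constructed alert strings (name, byte pattern); not real malware signatures.
SIGNATURES = [
    ("sample-macro-worm", b"Private Sub Document_Open()"),
    ("sample-backdoor-banner", b"BACKDOOR-SHELL v1"),
]
TAIL = max(len(p) for _, p in SIGNATURES) - 1  # bytes to carry between packets

def per_packet_scan(packets):
    """Naive sensor: each packet alone, so a pattern split across packets is missed."""
    alerts, offset = [], 0
    for payload in packets:
        for name, pattern in SIGNATURES:
            idx = payload.find(pattern)
            if idx != -1:
                alerts.append((name, offset + idx))
        offset += len(payload)
    return alerts

class StreamSensor:
    """Matches against the stream rebuilt from packets, carrying the last TAIL
    bytes so a signature straddling a packet boundary is still seen."""
    def __init__(self):
        self.carry, self.offset = b"", 0  # retained tail and its stream offset

    def feed(self, payload):
        """Feed one packet payload; return new alerts as (name, stream_offset)."""
        window, alerts = self.carry + payload, []
        for name, pattern in SIGNATURES:
            start = 0
            while (idx := window.find(pattern, start)) != -1:
                # Report only matches that end in the new payload (no repeats from the tail).
                if idx + len(pattern) > len(self.carry):
                    alerts.append((name, self.offset + idx))
                start = idx + 1
        consumed = max(0, len(window) - TAIL)
        self.carry, self.offset = window[consumed:], self.offset + consumed
        return alerts

def stream_scan(packets):
    sensor = StreamSensor()
    return [a for p in packets for a in sensor.feed(p)]

# Constructed traffic: the macro signature straddles packets 1 and 2.
PACKETS = [
    b"GET /report.doc HTTP/1.0\r\n\r\nPrivate Sub Docu",
    b"ment_Open()\r\n",
    b"BACKDOOR-SHELL v1 ready\r\n",
]
```

Run `stream_scan(PACKETS)` and `per_packet_scan(PACKETS)` side by side: only the stream sensor reports the macro signature that was split across the first two packets.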
In addition, countermeasure engineers at the Air Force Information Warfare Center help develop more robust and long-term solutions against the emerging threats, he said.
Those countermeasures and alert strings are not just sent to local bases. Sometimes they are sent to commercial anti-virus software developers so they can be added to the global database of computer viruses. In this way, Kaufman said, results of AFCERT's work reach beyond the Air Force. "There is a community of interest out there that will feed information to commercial vendors, and we have specifically fed them information that they have not seen elsewhere," he said. "We have identified technical threats and have passed them off to commercial vendors so they can protect the nation."
Although more than 100 individuals at AFCERT work in conjunction with major command NOSCs, base-level NCC personnel, the Air Force Information Warfare Center, and the Air Force Office of Special Investigations to secure Air Force computer systems worldwide, Kaufman said the computer user is still the key to network defense.
"Air Force computer users can help by using strong passwords and by ensuring their anti-virus software is current on both their work machines and home machines," Kaufman said. "They should only open attachments they are expecting and ensure new systems are properly configured and patched to the latest revision levels."
AFCERT's efforts to defend the Air Force network are proving successful, he added.
"Three years ago, we had close to 10,000 Air Force computers that were compromised with viruses. That was about the time the Melissa virus came out. It was a very bad situation," Kaufman said. "In 2001, we had fewer than 700 Air Force computers compromised by viruses and the number is down even more in 2002."
Kaufman said he believes AFCERT is ready to handle future threats as well.
"Like fighting an air war, the cyber environment is extremely dynamic," he said. "It is changing constantly as technology improves and new vulnerabilities and tactics are discovered."
Air Force communications, intelligence and engineering professionals understand the dynamic nature of the network, and Kaufman said he believes they are equipped to deal with whatever comes along.
"We are trained to do the in-depth analysis, event correlation, incident response, and countermeasure development necessary to secure our networks," he said. "Every hour of every day, we Air Force network defenders are standing watch."