I believe it is crucial for all of us to have dialogue about cybersecurity, both the threats, and the opportunities for all of our nations.
This is my first time in Colombia, and I am so excited to be here. If you are not familiar with the Inter American Air Forces Academy or IAAFA as we refer to it, I will touch on the importance of the Academy a little later in my comments.
INTRODUCTION
Over the last 15 years, I have served as an Air Force cyberspace officer focused on countering nation-state cyber activity both in the United States and overseas.
I have also spent a considerable amount of time as a staff officer working for the Chairmen of the Joint Chiefs of Staff focused on global cyberspace operations and operating within what we call the Information Environment.
While I have spent quite a bit of time operating at the tactical level, I have to admit as a Colonel, I might have lost my cutting edge technical cyber skills. However, as a Senior Leader, I have gained an understanding and an appreciation for bringing together very smart people and technology to address some of the hardest problems my nation faces … problems which I believe our nations share.
And it is this understanding that enabled me to successfully develop and implement a wide range of cyber and information warfare strategies and policies for the Joint Force and United States Cyber Command.
Much of this work focused on ensuring that United States policy supported and allowed for the growth of a strong cybersecurity and cyber defense ecosystem, but it also focused heavily on building and maintaining key relationships with a vast network of partners and allies.
Through this work it has become abundantly clear to me that the perspective that each one of you bring to the conversation is unique, very valuable, necessary and will be the key to generating excellent recommendations to our respective Senior Leaders and policy makers.
As one of the Department of Defense’s deepest thinking leaders, Secretary of Defense Mattis said, “Throughout history, we see nations with allies thrive and nations without allies wither.” Or as my 8-year-old son says when he asks if the entire neighborhood can spend the night, “Mom, you know, the more the merrier!” And he could not be anymore correct.
Today, I am serving as the Commander of the 37th Training Wing, the largest training wing in the United States Air Force. It is a Wing that has roots in Latin America that date back to 1939 when the 37th Pursuit Group was established at Albrook Air Force Station, Panama with the mission of protecting the Panama Canal from the Germans.
And it was here that the Wing’s moto “Defenders of the Crossroads” was born and the emblem is still on our current unit patches.
From 1943 to 1993 the Wing was based in various locations to include Vietnam, California, Nevada and eventually my current home, San Antonio, Texas. Though the mission and location of the Wing have changed over time, what has remained constant is our commitment to excellence.
Our Wing Priorities are Mission, People and Culture. Many times, the meaning of organizational priorities gets lost because the people don’t really understand the Commander’s motivation. So let me take a moment to explain why I believe these three priorities are supremely important to the success of not just my organization, but any organization.
First, mission is the foundation – it serves to align your people and your organization. Simply put, it your employees “Why”. Clearly articulating the mission enables the entire team to continue pursuing better tomorrows, to never give up and to always raise up the impossible problems.
Next, making investments in our extraordinary people remains our highest priority as leaders. Even as we take steps and act with urgency to accomplish the mission, accelerating our investment in our people must be one of our highest priorities. We must invest in building both technical and leadership abilities so that we can build the force we need to compete with our adversaries.
This is why institutions such as IAAFA and the Inter American Defense College are so important to building strategic partnerships by fostering broad thinking and encouraging curiosity while also instilling the rigor necessary to keep pace with the changing nature of warfare.
Caring for our extraordinary people is an objective we have in common with many countries throughout the Americas and we are truly honored to host so many of your officers and technicians across the United States Air Force. And I hope our relationships will continue to grow in future years … particularly in areas like cybersecurity and cyber defense.
And finally, the foundation to any winning team is a positive culture … built upon high levels of trust and a clarity of purpose and vision. It is the shared beliefs and values established by leaders that ensures the team will do the right thing when no one is watching – these are traits that are epitomized by the Non- Commissioned corps, which is why they are considered the backbone of our US Armed Forces.
A strong culture can fuel any team in a rough crisis, so I consistently challenge my team to build a strong rapport, build shared purposes, enable diverse perspectives and celebrate successes. We take these three priorities to heart in the 37th Training Wing.
As the 37th Training Wing Commander I have 4 distinct mission sets under two broad categories — Force Generation and Security Cooperation.
Under Force Generation, I have two main responsibilities. First, I oversee 100% of United States Air Force Basic Military Training. Each year a cadre of approximately 500 Military training Instructors transform 35,000 civilians into Basically training Airmen.
Second, I am responsible for then training approximately half of these Airmen in their Technical skill in 25 distinct Air Force Specialties. This includes Security Forces, Traffic Management, Vehicle Maintenance, Services, Enlisted Aviation and Aerospace Physiology to name a few.
Under Security Cooperation, I also command the Defense Language Institute’s English Language Center and IAAFA. Both academies are responsible for delivering world class technical training to students from over 108 countries, of all ranks and skill levels. Each year we graduate over 4500 international students and set the standard for executing global Defense Security Cooperation training.
More specifically, IAAFA focuses on partnerships through education and training that ultimately enhances our interoperability to make us collectively stronger. And I am excited to report that the IAAFA team has some phenomenal updates on the horizon when it comes to cyber.
The team is currently developing a new Cyber Defense course which focuses on the implementation of processes and frameworks necessary to conduct effective defensive cyber operations. The content will closely mirror the curriculum of courses we use to teach our U.S. defensive teams.
We did this based on your assessment and feedback of theater needs; this training will offer attendees the opportunity to learn advanced processes and techniques required to defend against malign actors seeking to threaten the stability of your communications systems and infrastructure.
We expect it to be ready in the fall of 2023 and we look forward to having all of our partners attend. I know Technical Sergeant Chavez, who traveled with me here to Colombia is excited to tell you all about the new Cyber Defense curriculum during one of the breaks.
With all of the exciting updates to our curriculum, I would like to take a moment to strongly encourage you to continue to work with us through IAAFA to further strengthen the partnerships and relationships between our respective countries. This connection will be one of the strategic advantages that ensures that losing is never an option.
Across the 4 missions that I just explained, my organization is constantly updating our curriculum because the environment and technology are constantly changing. Our focus on agility is critical to our ability to support the National Defense Strategy and to accelerate the change necessary to be successful in the future fight.
This is also something that is extremely important to General CQ Brown, the Chief of Staff of the United States Air Force. In his Accelerate Change or Lose call to action, he stated “The status quo is insufficient, and failure is not an option. This means that in order for us to remain competitive in today’s strategic environment we must think inside the “Gray Space” and encourage Airmen at all levels to innovate.
This also means current and future educational opportunities must focus on developing unique expertise. And training must include exposure to a broad range of diverse perspectives that encourage the advancement of strategic, critical, and creative thinking. This task is enormous, and I love it!
MAIN TOPICS
That brings me to the three topics that I would like to speak with you about today.
First, Cybersecurity and cyberdefense training;
Next, Operations to protect your infrastructure;
And, finally how we can strengthen through our partnerships.
Our adversaries are advancing their malign activities in the information environment at greater scope, scale, and sophistication than we have ever seen.
Recently when referring to the National Defense Strategy of the United States, President Biden stated that we are living in a “decisive decade,” one stamped by dramatic changes in geopolitics, technology, and economics, and that this environment will require using the cyber and space domains to gain operational, logistical, and information advantages.
When it comes to cyber actors, we generally classify our adversaries into two main groups.
First, Nation-state actors such as China and Russia and to a lesser degree Iran and North Korea. These nation-state actors are utilizing all their instruments of national power to warp international opinions and norms to their advantage.
They work extensively to create high end exploits and command and control structures. And spend significant amounts of resources to target the United States and a handful of other countries.
According to the National Defense Strategy, the PRC will remain the United States most consequential strategic competitor for the coming decades.
I also believe this conclusion based on China’s increasingly coercive actions to reshape the IndoPacific region and the international system to fit its authoritarian desires. And as President Biden’s National Security Strategy notes, the PRC is “the only country with both the intent to reshape the international order, and, increasingly, has the economic, diplomatic, military, and technological power to do so.”
The Peoples Liberation Army is rapidly advancing and integrating its space, counterspace, cyber, electronic, and informational warfare capabilities to support its holistic approach to joint warfare.
We can see this influence by taking a look at Chinese-backed cyber actors exploiting world-wide vulnerabilities in a Microsoft Exchange server—which millions of people use for email, scheduling, and collaboration, however these cyber actors compromised tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims.
An unprecedented group of allies and partners – including the European Union, the UK, and NATO – joined the United States in exposing and criticizing the PRC’s malicious cyber activities as threatening security and stability in cyberspace.
Or we can look at the NotPetya cyber-attack, conducted by Russian cyber actors targeting the Ukraine in 2017, in which the world became acquainted with the most destructive malware ever to be deployed.
I am certain many of you are familiar with this event. However, if you are not, due to irresponsible cyber operations, the Russian attack impacted not only Ukraine’s entire system, but also businesses around the world, resulting in a total cost of $10 billion dollars to date.
This is enormous when you take into account the real-world damage and disruption that occurred. But these sorts of attacks aren’t just about monetary loss—they can impact people like you and me.
Like more recently, when the Colonial Pipeline was ransomed, the Department of Defense partnered with the Federal Bureau of Investigation and the Department of Homeland Security, two domestic partners to resolve it … which did result in imposed costs against the malicious cyber actor.
However, the impacts to the American populace were unprecedented. When the pipeline shut down it affected regular Americans along the entire East Coast, and it was a scary reminder of the power of one password in the hand of a hacker focused on a network with a single factor login system.
Fortunately, for many of you in the room, you don’t regularly find yourself as a target of these high-end actors, however equally disruptive is the second group of actors, cyber criminals … which often times are either supported or tolerated by the nation-state actors that I just mentioned. And as the cyber landscape increases so does the threat landscape.
McAfee stated that in 2020 cyber crime caused nearly $1 Trillion US dollars in damage a number that will only increase as a greater number of people work remotely as a result of COVID.
The recently published, 2022 Crowd Strike Global Threat Report paints a picture that shows enterprise network risk is coalescing around three critical areas: endpoints and cloud workloads, identity and data.
Threat actors are continuing to exploit vulnerabilities across endpoints and cloud environments and ramping up innovation on how they can use identities and stolen credentials to bypass legacy defenses — all in effort to reach their goal, which is YOUR data.
However, it is important to point out that cyber security threats are the result of both external malicious actors and internal vulnerabilities.
Many of you know the threat and have been working hard to address it in your respective organizations. So, my guess is your question is focused on the latter, internal vulnerabilities and how can we address this invisible enemy, and more importantly, how do we prevent future attacks on our networks.
First, decision makers at every level have to remember that every connected device provides attackers with an entry point. And the interdependency of devices means that the point of intrusion is not necessarily the ultimate target.
So as countries increase their use of IT, they simultaneously increase the size of their cyber-attack surface and their vulnerability to nation states and cyber criminals which requires ever increasing cyber defense and security.
Cloud- based technologies and API-based architecture enlarges this attack surface even wider. And the problem is even further exacerbated by the growing volume, variety, and velocity of data, which increases vulnerability by again … both widening the attack surface and presenting more opportunities for cyberattacks. So by now you are probably asking well how do we combat this growing threat?
I will admit, this is not an easy task, even for many of the leading experts in cybersecurity and cyber defense.
My first recommendation is that using Top 10 lists published by various organizations such as Datamation or the National Security Agency is a great place to focus efforts.
For example, on the Datamation site the recommendation that caught my attention was Enterprise Security Tool Sprawl. How many times in your respective organizations did you adopt a new tool to fix a challenge only to find that 10 additional tools were needed to “connect” key systems.
The U.S. Air Force recently experienced this when two security tools were conflicting with one another and severely impacted network performance. In addition to diminished network performance, tool sprawl also diminishes threat detection and delays threat response, which only serves to make the network more vulnerable.
Therefore, it would make sense to choose carefully a few tools sets and then expand on them only when absolutely necessary or where it makes operational sense to do so.
The second, recommendation that caught my eye was Misconfigured Security applications at scale, specifically the statement that it is near-impossible to secure Microsoft Active Directory manually and that the largest recent security incidents SolarWinds, Microsoft Exchange, the Zerologon, and ProxyLogon vulnerabilities all have one common denominator: Active Directory.
According to Derek Melber, chief technology and security strategist at Tenable, a cybersecurity platform provider, “Active Directory has proven to be a popular attack vector for threat actors who leverage it to gain entry into corporate networks, move laterally, and escalate privileges, eventually owning and wreaking havoc on an organization’s entire IT infrastructure.”
Since 90% of Fortunate 1000 companies use Active Directory to authenticate — it means network owners must build automated tools to check for misconfigurations or to detect actors that are creating or using existing misconfigurations. It also requires network owners to build a series of queries that utilizes machine learning to look for intrusions or known TTPs of malicious cyber actors.
This is where tools such as the MITRE Adversarial Tactics, Techniques, and Common Knowledge Framework also known as The MITRE ATT&CK framework becomes extremely helpful to any organization.
If you are unfamiliar with this framework, it is a knowledge base for cyber adversary behavior that reflect the various phases of an adversary’s attack lifecycle and the platforms they are known to target. And it is an open-source tool that is available to everyone.
The framework was created in 2013 as a result of MITRE’s Fort Meade Experiment where researchers emulated both adversary and defender behavior in an effort to improve post-compromise detection of threats through telemetry sensing and behavioral analysis. There are three primary ATT&CK Matrices, each addressing distinct environments: Enterprise, Mobile, and Industrial Control Systems.
The framework is one of many used worldwide that is vastly improving cyber security and defenses globally, however threat matrices are only as good as the support they receive from across the global enterprise. Highlighting and sharing Indicators of Compromise and analysis of toolset is an opportunity to highlight adversarial network maneuver and a phenomenal opportunity to out the technologies that our adversaries use.
Recently, Maj Gen Hartman, the Commander of the Cyber National Mission Force under United States Cyber Command stated “it is more and more clear to us every day that the same actors threatening the U.S. military, and its homeland, are threatening so many others around the world. We’ve learned it is better to work together than alone, when these shared threats we face are global… they are in our computers, our systems, and our networks.”
He went on to say, “partnerships are powerful, because cybersecurity is a team sport, and what harms one can harm all.”
Empowering cyber leaders through education, partnerships, and innovative research is absolutely necessary to maintain a work force that can think critically and holistically about cyber, military operations and national security. This also requires each of us to foster a culture that values cyber hygiene and continually creates mitigation strategies focused on cyber criminals using commonly available exploits and tools.
The GOAL is to not just develop digital people, but to seize the moment and capitalize on the opportunity to bake cyber hygiene into the fabric and culture of the next generation digital citizen.
WOMEN, PEACE AND SECURITY
Which leads me to my final point … As this cyber threat continues to increase, we can no longer afford to leave good talent behind. In the United States and worldwide we have seen that women are also extremely capable of participating in cyber security and cyber defense.
In addition to education and technical solutions to combat the evolving cyber threats to our nations, it is as equally important to ensure we are promoting gender equality among our ranks … this focus will only serve to maximize the innovation, creativity, and strategic thinking in of our current and future cyber leaders.
Women, Peace and Security programs and integration is not just a women’s issue, it is an everyone’s issue. It is about valuing the entire spectrum of our human capital. Integrating gender considerations requires routinely assessing gender-based differences of women and men as reflected in their social roles, the distribution of power, and access to resources throughout all mission activities, including policies, training, doctrine and personnel practices.
One of the many things that I have found to be wonderful about Colombia is that it was one of a few countries recognized for offering digital entrepreneurship training programs to enable women to sell their products online during the COVID-19 pandemic.
And I am extremely proud of the numerous notable female senior leaders in the Colombian Armed Forces such as Command Sgt Major Consuelo Diaz Alvarez, the first female Senior Enlisted member of the Colombian Army. And Navy Captains, Beatriz Helena Garcia Restrepo and Carolina Gomez de Castillo who were both selected to attend the prestigious General Staff Officer course.
Implementing robust Women, Peace and Security programs isn’t just the right thing to do; it is the smart thing to do. And the good news about being more inclusive of women in cyber, technical fields, and in leadership roles is that the United Nations finds that societies that promote gender equality also increase peace and security.
And together, we are uniquely positioned to reinforce global leadership against our adversaries in continuing to promote women, peace, and security objectives in our shared exercises, during professional development courses and through continued academic engagement.
The full participation of all people, including women, is essential to the health and security of our nations and the world, thus ensuring our respective countries are more successful and more productive, which is something that I think we all can agree is important and desirable.
CLOSING
In closing, I would like to highlight that now more than ever we are a connected society. We have a huge attack surface, and we have skilled and dedicated nation state adversaries, cybercriminals, hacktivists, lone wolves, and others who threaten us all on a daily basis.
The threat is real… and it is growing every day. But we must, and we can, act – knowing that we all have a part to play. It is events like this conference, Cyber Wings, that allows us to strengthen our collective stability through dialogue about our adversaries, creating more robust communications that enable all of us to be effective in competition and if necessary, conflict.
I know we are stronger together— more resilient and therefore, safer because we are building lasting relationships that will posture us for success by cementing the joint capacity needed to address our collective challenges.
I am confident that the United States, along with our partners and our Allies around the world, are well positioned to meet these challenges of this decisive decade. It’s a journey we’ll make together as friends, as partners, and as allies.
Thank you again for hosting me, it has been my distinct pleasure to talk with you today.
*U.S. Colonel Lauren Courchaine, 37th Training Wing commander, speech at the Cyber Wings 2022 in Bogotá, Colombia, Nov. 25, 2022. The conference focused on cyber defense and cyber security issues, and brought together professionals from Argentina, Brazil, Chile, Colombia, Dominican Republic, Ecuador, Mexico, Panama, and the United States.
Disclaimer: The views and opinions expressed in this article are those of the author. They do not necessarily reflect the official policy or position of any agency of the U.S. government, Diálogo magazine, or its members.
