Cyber security, an Air Force punchline?

Many U.S. generals will openly admit to knowing little about one of the threats they all agree is one that is most dangerous to U.S. national security — cyber security. Yet, those same generals have used their lack of knowledge on the subject often as a punchline.

Air Force Chief of Staff Gen. Mark Welsh stood up at the Air Force Association’s annual conference Sept. 18 and admitted he didn’t know what an IP address was. The comment drew plenty of laughter form the crowd of airmen and defense industry officials.

The Air Force’s top officer said he twitches when he says the word “cyber.” He explained that “we have a lot of people in this discussion who don’t really know what they’re talking about” when it comes to cyber issues.

“I know because they’re all like me,” Welsh said to more laughter from the crowd.

He didn’t question whether the Air Force needed to take cyber security seriously. He sees it as a priority. Welsh called it the future — “no doubt in my mind.”

“Everything we do can be affected either by or through [cyber],” Welsh said. “In either a good or a bad way.”

However, the Defense Department already receives about 10 million cyber attacks everyday. Cyber analysts suspect potential enemies are already establishing cyber war plans in case of a military engagement with the U.S.

Welsh pleaded with cyber experts to dumb down the way they explain threats to Air Force leaders.

“When you come to educate us, don’t come in using cyber talk,” Welsh said.

The Air Force four-star said he worried the investments made in cyber could be disappearing into a “black hole.” Welsh will wait until he understands the cyber topic better, he said.

“So you just need to know I’m going to be going a little slow on the operational side of cyber until I really understand what we’re doing,” he said. “I’ll be the one you’re dragging, Willy. I’ll warn you now.”

An Air Force officer, who asked not to be named, said as he walked out of the speech that he was surprised to hear the Air Force chief of staff plead ignorance.

“Can you imagine if he said something like that about aircraft or weapons or nuclear weapons?” the Air Force major said. “It would never happen. They’d run him out of the Pentagon.”

Welsh told the crowd the Air Force might have to wait awhile before they have the leaders in place with the appropriate cyber background to make decisions on the subject.

“In 30 years you’ll have experts making these decisions,” Welsh said. “Right now you’ve got idiots helping make these decisions. So common sense, plain English will really help us.”

About the Author

Michael Hoffman
Michael Hoffman is the executive editor at Tandem NSI and a contributor to He can be reached at
  • blight_

    Isn’t this the same crap that occurred when the Army divided itself between the up and comers who were talking mechanized warfare and the old timers who weren’t?

    Or the pro-battleship vs pro-carrier?

    A good amount of what happens in warfare is predicated on seeing what technology can deliver the warfighter or what new fields of combat are opened, then use those skills accordingly.

    • Carbon43

      Furthermore, I think that while what he’s saying certainly isn’t politically correct, or the best thing to be saying in a public speech, it is refreshingly honest. It acknowledges that he comes from a different time period, and needs things explained to him in a simple and straightforward way. (This is speaking as a technophile) I’d rather he admit that and give me a starting point than ignore the conversation or pretend to understand stuff he has no clue about.

    • Matt

      At least they’re acknowledging that it’s a dominate force of the future. That’s alot better than the people in the 1930s who saw trench warfare as the definitive war of the future or the those in the 1860s who still favored head on charges against dug in enemies.

  • Zed

    Everyone knows China would do the US what the US and Israel does to Iran, should the need arise. They have the added advantage of many of the parts made in China.

  • Big-Dean

    Too damn funny, I thought the air force were masters of the air, space and cyber space-according to their own mission statements-apparently not!

  • torquewrench

    “Air Force Chief of Staff Gen. Mark Welsh stood up at the Air Force Association’s annual conference Sept. 18 and admitted he didn’t know what an IP address was.”

    You can be sure that Welsh’s Chinese counterpart knows.

    According to the _Wall Street Journal_, China’s cyberspies have stolen “terabytes” worth of design and test data on the F-35. You’d be surprised at how much key information fits into even just one single terabyte.

    Here’s my own version of Elementary Information Security For Dummies With Stars On Their Uniform. Please feel free to add to it.

    (1) Comb all areas for wireless routers. If you find one, smash it with a hammer and instantly fire the turkey who installed it on sensitive premises. Make it clear the next person who installs one will get hit with the hammer themselves and THEN be instantly fired.

    (2) Air gaps are your friend. Things that can move across air gaps are not your friend. Remove CD/DVD optical drives and especially burners. (This would have thwarted the massive Bradley Manning leak.) Confiscate and ban thumb drives. Crush all that removed and confiscated stuff with the same hammer you used in (1). Plug USB and Firewire ports with epoxy.

    (3) Microsoft Windows delenda est. I always laugh to hear the media talk about “computer viruses”, when the absolutely overwhelming preponderance of those virii are not generic to computers in general, but highly specific to Windows, the leakiest and buggiest major operating system ever offered up. Of course, the geniuses at the five-sided loony bin on the Potomac have standardized on… Windows. Awesome.

    (4) Impose strict liability upon outside contractors for the security of government defense information entrusted to their systems. If that information is later found to have been compromised while in their possession, clawback of contract proceeds will ensue. (Yeah, like THIS will ever happen in the world of the military-industrial-Congressional complex.)

    • blight_

      Everyone goes for windows because everyone’s on windows.

      Though something with Unix underpinnings (Macs have FreeBSD, Linux has Unix…) might be safer?

      • tiger

        Confirmed non Winblows user.

        • blight_

          When you give admin/root/sudo privileges to a process you don’t fully understand, you’ve already lost.

    • Matt

      Honestly, a Chinese general born and raised in a similar era as Gen. Welsh probably wouldn’t know much better.
      Remember, this man is not single handedly resposibly for the USAF’s cyber security. America has plenty of young airmen who grew up with computers and actually understand them.

    • Blue 1

      #2 is a great idea, until the share drive takes a dump. Ever try to share information with a co-worker only you have no electronic medium to transfer data with? The ‘Old Man’ ain’t waiting for the share drive, a 1300 Meeting is still a 1300 Meeting unless the building is fire. There are operations which are time sensitive in nature; given that, I’ll be ripping epoxy out to install an external drive.

      Contrary to popular belief, you can not thwart events and people like Bradley Manning except with involved Leaders and Supervisors. The simple fact that the information and the person are in the same room is enough for a leak of catastrophic size.

    • elmondohummus

      Whoa, whoa, whoa… while you’ve got some kernels of truth in your post, you’ve also put some serious overreaction and misunderstanding in it.

      1. Are you talking about unauthorized, user installed wireless routers? If so, then yes, you’re right: An organization must be vigilant about non-organizationally blessed extensions of the network specifically for security. But if you’re talking about wireless networking period, then that’s an overreaction: 802.1x & WPA2-Enterprise can give an organization sufficient wireless security. And if you’re smashing access points but not implementing controls on your network (for example: Physical control of what goes into data jacks, traffic control and security i.e. implementing IPSec traffic between endpoints with sensitive data, IPS/IDS implementation, equipment auditing, etc.), then you’re just as wide open to infiltration or attack as you would be with an open wireless router. You’re just not going to see anyone attack it wirelessly, that’s all.

    • elmondohummus

      3. It is incorrect to imply that there’s not a way to implement a secure MS Windows environment, and you also ignore the fact that with an organization as large as the military, you NEED centralized control and standardization of platform. Windows in conjunction with technologies like Active Directory, SCCM (Microsoft System Center Configuration Manager), WSUS/Secunia/Shavlik patch management, etc. gives incredible and important centralized control, and that’s not trivial when you’re talking something the size of the military.

      • elmondohummus

        What’s all too often missing in critiques of Windows is the fact that Microsoft has one of the best management tools for “enterprise” organizations (aka places that manage thousands of computers across dozens to thousands of different geographic locations). You can definitely secure the hell out of a Linux system (I love Tripwire for *nix, but hate the versions adapted for Windows), but deploying that across 200,000+ computers across 2,500 miles is a whole other adventure. Sure, there’s ZENworks for Linux desktops, but Active Directory stuff is embedded in Windows, and Windows/AD are designed to work together. Secure deployment, on the fly organizational configuration change, and patch management is a whole hell of a lot less adventurous for a place that’s got XP, Vista, and Win7 computers than it is one that’s got to account for Ubuntu, SuSE, RHEL/Fedora, Mac OS (that’s Mach/BSD based, so it fits under the “Unix” rubric), etc.

    • UAVGeek

      Uhh comb the area for wireless routers? This ain’t 2002. It is possible to set up air monitoring in wireless networks with automated rouge AP smashing. In a corporate environment this may not be appropriate but in a secured military one it may be. There are off the shelf solutions that you can buy that will identify, locate and functionally disable any wireless AP plugged into your network that is not authorized. The brute force methods you suggest are not only unnecessary but a waste of time and manpower.

  • Clarence

    Isn’t the NSA and the CIA the USCC right now.Don’t they handle the cyber warfare right now. Correct me if I’m wrong.

  • Zach

    “Smash it with a hammer”, “fill it with epoxy” that’s precisely the difference the military doesn’t get. You don’t need and it can be counter productive to apply physical force to what is really a software issue. I can disable your usb ports, cdrom drive, microphone, camera in software. If you can’t get that right the rest of your security probably sucks. If you can just plug a wifi router into your network and get access then you’ve got some network security issues. Making policies and punishing people who don’t know any better is not going to protect you from a sophisticated adversary.

  • Big-Dean

    The air force is the only branch who states the ‘cyber’ space is a part of their core mission-

    “The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of America and its global interests — to fly and fight in Air, Space, and Cyberspace. ”

    Here’s the Navy

    “The mission of the Navy is to maintain, train and equip combat-ready Naval forces capable of winning wars, deterring aggression and maintaining freedom of the seas.”


    “shall, at any time, be liable to do duty in the forts and garrisons of the United States, on the seacoast, or any other duty on shore, as the President, at his discretion, shall direct.”


    The Army exists to serve the American people, to defend the Nation, to protect vital national interests, and to fulfill national military responsibilities. Our mission is enduring: to provide necessary forces and capabilities to the Combatant Commanders in support of the National Security and Defense Strategies.

    But the only cyber thing the air force protects is the air force’s! They do not protect the cyber assets of the other branches or of the DOD as a whole. And I find it amusing that they make a big deal about it.

    On the other hand, US Cyber Command is a joint command that coordinates all DOD cyber activities, including the air forces’. It can be commanded a member from any branch of the services

  • elmondohummus

    I think it’s being oversensitive for the general to worry about flag rank cyber expertise. Non-military government agencies as well as non-governmental ogranizations (I’m thinking businesses, educational organizations i.e. college systems, area school systems, etc.) face that exact same problem – A non-IT experienced individual being the business administrator for the IT divisions within the organizations – and they’re able to deal with it just fine. As the general noted: The key is to be able to communicate clearly what the issues are and what recommendations logically flow from that. It doesn’t have to be “cyberspeak”, and in truth, at the C-exec level of business (the closest thing I can think of that compares to flag rank in the military), it isn’t that any longer.

    I don’t have to explain what a port is in networking and operating system terms in order to explain what firewalling does. I can simply create an analogy to radio tranmission channels, which is something any flag ranked officer should understand. Or even doors in a building, if I must (which would make explaning NAT – “Network Address Translation” – an adventure, but I digress…). (Cont’d…)

    • elmondohummus

      … cont’d:

      I don’t necessarily have to explain what buffer overflows, command injections, use-after-free errors, cross-site scripting, yadda yadda are in order to get across that many vulnerabilities take advantage of unpredicted ways operating systems react to commands. I can simply abstract things with the explanation that malicious programmers (i.e. “hackers”, although 1950’s era MIT computer geeks would loudly object to that application of the term) can find weaknesses in operating systems and force commands through, then go on to explain why aggressive patch management, “principle of least priviledge”, etc. is utterly important in an organization. (Cont’d…)

  • Sgt. Bilko

    Military deception at its finest.

  • crazy

    Sad. Is it any wonder we’re plagued by unauthorized disclosures and persistent weapon system software delays and integration failures? Meanwhile let’s transform to unmanned systems…

  • Paul M. Albert, Jr.

    As a veteran Army Artillery Officer I proudly note that the Army Mission Statement starts by saying “The Army exists to serve the American people…”

  • bbb

    He has a point. The guys in charge now don’t know about computers, and all he wants is for the guys who report him to use English that old men can understand.

    The fact that he’s using his lack of knowledge as a joke says to me that he at least has some basic knowledge. Otherwise he’d keep his mouth shut and use an internal memo instead of a speech.

    Compared to generals of yesteryear who stifled innovation with every decision they made, I’d call him progressive.

    The list of things generals have hated in spite of common sense is long enough to fill a few books.

  • Louis Ciufolo-Dickey

    If the Airfotce ney all the military leaders wait 30 myears to have educated leaders in place to make cyberspace desisions, we’ll be done for. I don’t think the general was serious about what he said. The dangers of coordinated attacks using conventional armiesd with coordinated cyberattacks could and would be I am sure the head of USCYBERCOM is well aware. I am surprised at his comments as the Air Force was one arm of the military that recognized the threat early on.

  • Gio

    Most of institutions are too big , but the headers need to know something about include if there are a specialized department that diive the cyber war . The chief could be go to the meeting with a member of the staff , but the chief need to know about www and systems . The war only will be used when a country is affected or is in dagerous situations . The army will be appart of economic matters. Army is to serve the nations an citizens , not to the corporative staff . Bur the cyber war is a reality in this time . This is teh time when the information is the clue for all for all the nations and industries. Freedom, Peace and Honor is the goal of the Army . War only if is neccessary

  • Bob

    I would suggest that Cyber is now part of the world battlefield and if you are going to be a leader in any branch of today’s military you need to educate yourself as part of your job responsibilities. If you are not qualified to make intelligent decisions on the expenditure of resources in order to maintain an adequate defensive and offensive posture then you are just not qualified to do the job. In the civilian sector people are replaced when they cannot do their job.
    That being said it also falls on the computer/network folks to do their best to communicate effectively however most of the people who do talk to the upper layer of general officers do not have a solid understanding of IT, and the threats and opportunities it provides.

  • guest

    There are some people in charge of Cyber Security who passed certifications, like the CISSP, but they are just managers and don’t really understand technology. They come from other fields and ended up as Managers in Cyber Security. So that to me is an even bigger problem.

  • Cyber Tyger

    “one of the threats they all agree is one that is most dangerous to U.S. national security — cyber security”

    I work in Cyber Security. I guess I ‘m a threat? Maybe the writer meant the lack of cyber security understanding is a threat. But actually that would be a vulnerability, not a threat.

  • ServedatMoodyAFBtoo

    According to the General’s official bio, in 1987 he received a Master of Science degree in computer resource management, Webster University, paid for courtesy of the U.S. taxpayers. I have no formal computer training, but I have known what an IP address is for many years. Maybe he should have studied a little harder in school?

  • 11


  • Thank you for the good writeup. It actually used to be a entertainment account it.
    Look complicated to more introduced agreeable from you!
    By the way, how can we communicate?