Cyber Practices: What Can the U.S. Air Force Learn from the Commercial Sector?

Abstract : To meet the challenges of the cyberspace era including the rapid rate of change in technology, the growing cyber threat, and the need to integrate cyber operations with operations in other warfighting domains the U.S. Air Force (USAF) must find effective ways to organize, train, and equip its cyber forces. Progress on these issues has been made over the past decade and continues with the maturation of United States Cyber Command. However, the criticality of cyber missions has led USAF to seek further improvements. As such, USAF asked RAND Project AIR FORCE (PAF) to assist in identifying improved approaches to cyber organizational and workforce issues. Specifically, this report describes our efforts to identify successful processes and practices from the commercial sector that might be applicable to USAF. To identify successful commercial practices, we took a twofold approach a wide-ranging literature review and interviews with a carefully crafted set of commercial organizations, selected for their similarities to USAF and for their reputations of cyber excellence. Companies were identified to be similar to USAF in size, cyber functions performed, exposure to cyber threats, and operational environment. We found strong parallels in the commercial sector for Department of Defense information network operations (DoDIN Ops) and defensive cyber operations (DCO). Although none of the companies we interviewed were as large as USAF or required to function in deployed and contested operating environments, the commercial practices we describe might provide effectiveness and efficiency gains and, at the very least, are informative for USAF.