Posted on Oct 1, 2013
SFC Security Consulting Systems Engineer
Recently I had a conversation with a Signal co-worker concerning the military's cybersecurity strategy and how to get a foot in the door in the cyber career field. He was very interested in becoming a hacker and wanted to learn what kind of training he should focus on to stand out from the crowd. After being turned down for a reclass into a cybersecurity job he is strongly considering an ETS. This conversation epitomized to me what I think is a failure in our current plans in developing an elite cyber force.

First, I think there exists a pop culture definition of hacking that creates critical misconceptions in any conversation about the subject. This misconception exists at all levels, often even amongst those that work in the field.

No one can teach you to hack. It is not a skill that can be learned by rote and offered up on the platter of military training. Running a script or a program is not hacking. Typing a command into a bash shell is not hacking. Even programming a Remote Access Tool is not hacking! A hacker is simply a person that understands his/her targets' chosen technologies better than they do and can think in a critical, outside the box fashion. Skilled hackers can identify and exploit the mental scotomas of their victims, using their oversights as pivot points to open up a vast chess board with an unlimited field of movement.

If you want to be a hacker you must have strong foundations in computers from the hardware to the bare bones of network technologies. Reading and digesting RFCs on various TCP/IP packets and then getting excited when you see a way to use that packet in a way no one intended is a step in the right direction. A hacker sees a program crash or a computer blue screen and wonders if it's reproducible or causes buffer overflows. A hacker must be a Cisco Engineer, a Microsoft subject matter expert, a Linux guru, and a Python, Bash, PowerShell, Ruby, Java, Assembler fool. In summary, we need technologists that are passionate about IT, motivated to learn new technologies, and subject matter experts in multiple domains.

1. How do you identify soldiers with exceptional technology skills and the aptitude to apply those skills to an asymmetric task such as hacking?

2. What kind of training should be used to enhance the skills of selected soldiers and prepare them for their missions?

3. How do you retain those soldiers after you have invested considerable time and energy into their training?
Responses: 13
SGT Sr Satcom Systems Operator/Maintainer
I agree with your thoughts of hacking being about the passion, capabilities, thoughtfulness, curiosity, and finesse. I've done just about every signal MOS short of going out with a manpack. I have observed, watched and patiently learned. I have studied and gotten elbow deep into equipment (breaking and repairing). I just wish I knew where to sign up for MOS' like cyber security. Because honestly our enemies are too different from us. They have drives and passions and motivations that could easily be exploited. They just as easily hire those who are not as knowledgeable about the equipment they use. They make mistakes and leave vulnerabilities. Show me where to sign, I'd love to become an asset in cyber security.
CW3(P) Network Defense Tech
CW3(P) (Join to see)
>1 y
Visit the 7 sig cmd link I have in the other post. It explains what MOS's are being accepted and how to apply, etc. Plus look into the new cyber enlisted MOS of 25D.
SGT Nodal Network Systems Operators/Maintainer
SGT (Join to see)
>1 y
Talk to SFC Hogan if you still have his contact. He helped recreate the 25D MOS and has all the info.
SGT Sr Satcom Systems Operator/Maintainer
SGT (Join to see)
>1 y
Looked into 25D a big wall known as "not the MOS we are looking for" was there. They were only accepting SGT and above of the 25B MOS unfortunate for me.
CW3(P) Network Defense Tech
This is the new hotness for cyber: http://www.7sigcmd.army.mil/CPTWeb/index.html.
SGT Sr Satcom Systems Operator/Maintainer
SGT (Join to see)
>1 y
Looked it up, not open to my MOS. Very disappointing.
SGT(P) Signals Acquisition/Exploitation Analyst
SGT(P) (Join to see)
>1 y
Have you considered reclassing to 35Q?
CPT Red Team Leader
1. How do you identify soldiers with exceptional technology skills and the aptitude to apply those skills to an asymmetric task such as hacking?

Establishing an open capture the flag / skills assessment that will gauge any soldier's capability. There are many CTFs available as well as proven examples out there (netwars). This combined with psychological screening could provide the right people.


2. What kind of training should be used to enhance the skills of selected soldiers and prepare them for their missions?

Classes on self-learning methods, programming, reverse engineering, development and debugging, etc. These will establish a baseline - then incorporate popular frameworks.


3. How do you retain those soldiers after you have invested considerable time and energy into their training?
Incentives, money, and freedom to use skillsets. Adjusting the PCS schedule and training expectations would be helpful. "Pro" pay already exists for medical realm and bonus pay for needed MOS. These skillsets are different but also valuable and should be treated this way.
Cybersecurity in the Army: How to Identify, Train, and Retain Future Cybersecurity Warriors
SGM Retired
Edited 9 y ago
SFC (Join to see), this is a topic I have been concerned about for years, not just cybersecurity, but how we retain soldiers with critical skills. The obvious answer is proficiency pay.

As you noted, cybersecurity is something you have to teach yourself. You don't need everything on your list, but you have to start somewhere and you have to be dedicated to learning more. That means you have to be self-motivating.

Enlisted soldiers are the blue-collar workforce of the military, and I have my doubts that the average enlistee going into cybersecurity will ever be better than a script-kiddie. But that doesn't mean they can perform useful service. (Red teams, helping units with basic-level security, i.e. to not be low-hanging fruit.) However the question is how to train and retain top-level talent. My suggestions:

1) The above concerns say Warrant Officer to me. Those who surpass the script kiddie level should be considered for Warrant slots.
2) Consider how linguists retain their language. Regular, perhaps daily practice, audio tapes, and publications in their language. So why shouldn't there be a lab setup with Metasploitable, and every current major Linux, Windows, database, and similar server as target machines, and Kali Linux set up on attack boxes? Add in SNORT, Metasploit, honey farms, all major antivirus and antispyware programs, and other offensive and defensive tools, and make that a daily part of training. Surely each major military base could stand up such a lab, for the protection it could provide. And having such a playground would be an incentive to stay in. I have only a fraction of the above, and I built/purchased it all myself. I'd reup in a heartbeat for such a lab setup.
Sgt Abdullahi Mohamud
I'm working on my Master's degree in Cybersecurity. I agree on all the above mentioned list of skills. In addition, language proficiency, regional cultural studies focussing on specifics are must haves in this field. Most important, it is ability to analyze all data collection. Thus, without the ability of analytical aptitude, the Gladiators of Cyber will slaughter Cyber Sentries of the US in the colosseum. In other words, without competency of analysis, all data collection and the technical skills will not prevent the intrusions and the attacks of formidable opponents. For that reason, retaining the brightest and Patriots should be prerequisite for retention, not clowns that swear allegiance to a Smartphone - iOS or Android.
Semper Fidelis
CPT All Source Intelligence
SFC (Join to see), another component of this is increasing overall levels of technological literacy across the force. Tactically, we lack a baseline of competency (let alone expertise) needed to be defensively functional because we don't understand the operating environment and how it can be used to our (dis)advantage.

Considering the most basic of IT-related tasks: how many SMs are guilty of using default passwords when allowed, have trouble mapping a printer or prefer to leave everything up to S6, EWO or the CEMA (Cyber Electromagnetic Activities) guy because 'that's their job'? I've been guilty of a few (please don't anyone try to hack my RP PW) and am learning every day how we must increase baseline competency to remain competitive as a force given our reliance on IT and the interwebs (sic).

Leadership can't be meaningfully engaged in retaining talent if they only have a vague understanding of what that talent means or brings to the table.
Suspended Profile
Edited >1 y ago
SSG Sweeney,

You may find these references potentially helpful in reviewing opportunities:


http://smallwarsjournal.com/jrnl/art/combat-identification-in-cyberspace

http://smallwarsjournal.com/jrnl/art/why-your-intuition-about-cyber-warfare-is-probably-wrong

http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf

http://smallwarsjournal.com/jrnl/art/the-cyberspace-operations-planner

https://www.atrrs.army.mil/atrrscc/search.aspx ( set Enlisted MOS 25D3 25D4 35Q3 )

http://www.armyreenlistment.com/Messages/MILPER/MOS_35Q_12_187_20120621.pdf


My military / industrial / academic colleagues who work in the cyberwarfare field often prefer mathematically trained individuals who can play a musical instrument well (key sign of intrinsic core mental abilities), studied number theory, and open source cryptanalysis.  Our typical entry level cryptanalytic technical methods trainee should be able to breeze through any common open source textbook ( e.g., http://math.scu.edu/~eschaefe/book.pdf ) without major difficulty on a quarter time basis over the course of a 10 (fast) - 15 (slow) week period.



For other applied cyberwarfare positions, some colleagues might advise getting to know the opposition players, technologies, methods, capabilities, sentiments, motivation, and strategies via the ebook3000, defcon, blackhat, kali linux, tor, and similar hacker resources.  



While learning traditional technologies may be helpful, mainly we need curious puzzle solvers.  



We can easily teach a trainee to code, compile, decompile, debug, and run hardware, software, simulator, synthetic, aperture, broadband, acquisition, recording, filtering, detecting, decoding, encoding, decoy, spoofing, jamming, and countermeasure systems.



But, you must already intrinsically possess fine mental ability, sensitivity, dedication, very keen attention to detail, competitiveness, persistence, and sheer joy in breaking opposition puzzles / defending friendly targets to succeed in this exceedingly tedious technical work.



As others have suggested, you may find options somewhat limited within the military.  Much of the more intellectually  interesting work is done by our contractors or civilian agency personnel.  However, there are still physically challenging and geographically interesting enough raw data collection sources / methods that appeal to military personnel.  Some of the manned platforms may do mach 3+ / angels 80+ where other sites keep station on water, rock, or ice to acquire strategic tracking, telemetry, or other signals.  New unmanned platforms remotely operated via satellites may be interesting. We also need people to defend our internal computing assets.



Of course, I grew up when computers had small magnetic donuts strung on wires for memory and were built up from discrete transistors and other components wedged between a pair of multiple layer circuit boards flooded with freon.  Integrated circuits were still mostly a laboratory curiosity.  We stored data and programs on paper tape, 9 track tape, and disk drives the size of washing machines.  So, my opinion may be somewhat limited by my antiquated education.



Others may chime in with differing opinions. But, this is my sense re entrée into this community.



Warmest Regards, Sandy ( http://www.linkedin.com/in/armynurse )



p.s. It may not hurt to learn a few languages spoken and written by major cyber adversaries.





Cpl David Hall
I am currently a security specialist and I concur with most of what you say, SSG. One of the problems that the military faces is that once the person gets to that level there is absolutely no way the Army can compete with the type of salary, retirement or any other package that they can not write for themselves in the public sector. As a moderate security guy I obtain 6 figures a year, and to be fair I fall in the category of somewhat skilled, not a Steve Jobs etc. As far as a hacker, you wanting to have those skills, I would suggest contacting the guys at EC-COUNCIL and suggesting or setting up a course for your men from them; they would be able to at least give them the basics of hacking. After that it is up to them.
Suspended Profile
>1 y
SPC (Servicemember),

Before you play with malware, get and use an isolated sandbox !!!

Then look for a decompiler in the IDA PRO family and related tools.

Why are you contemplating such a potentially hazardous project???

Warmest Regards, Sandy
Suspended Profile
>1 y
SPC P K.

My group dabbled in cyber methods quite some time ago. But, it was just a tool; not a core market for us.



I am certain the big military contractors must have a substantial investment in this capital intensive field.



Have you seen any small nimble TS/SCI teams compete successfully for prime or subcontract work in this area?



Warmest Regards, Sandy



Cpl David Hall
Cpl David Hall
>1 y
I cut my teeth on BackTrack 5, pretty standard feature amongst that particular OS.
SGM Retired
SGM (Join to see)
9 y
I've taken the CEH course and I was massively unimpressed. The course contains 20 sections, some with almost 300 slides. What that means is that there's little discussion of which tool to use where, what tool is better than another for a specific application, or what applications a tool is especially suited for. In addition, EC Council is so afraid that someone is going to pirate their class, that the material was 2.5 years out of date (which is forever in hacker terms.)

I have a suggested solution, but I'll post it in another thread.
SSG Cryptologic Network Warfare Specialist
Do you have any information about what 35Qs actually do?
SGT(P) Signals Acquisition/Exploitation Analyst
SGT(P) (Join to see)
>1 y
I'm currently attending the JCAC course and it's intense.
CDR Intelligence
Just wanted to add that I had loads of cybersecurity training, computer science education and hands on experience in coding, and would never ever consider myself a success at hacking. In my view the successful hackers have something I don't. They have an incredible ability to stay focused on a problem and never give up. They are persistent in ways I could never be. For me that is the most important trait of the successful hacker. They need skills and training, but need persistence above all.