Cybersecurity in the Army: How to Identify, Train, and Retain Future Cybersecurity Warriors

2013-10-01T21:49:27-04:00

Recently I had a conversation with a Signal co-worker concerning the military's cybersecurity strategy and how to get a foot in the door in the cyber career field. He was very interested in becoming a hacker and wanted to learn what kind of training he should focus on to stand out from the crowd. After being turned down for a reclass into a cybersecurity job he is strongly considering an ETS. This conversation epitomized to me what I think is a failure in our current plans in developing an elite cyber force. First, I think there exists a pop culture definition of hacking that creates critical misconceptions in any conversation about the subject. This misconception exists at all levels, often even amongst those that work in the field. No one can teach you to hack. It is not a skill that can be learned by rote and offered up on the platter of military training. Running a script or a program is not hacking. Typing a command into a bash shell is not hacking. Even programming a Remote Access Tool is not hacking! A hacker is simply a person that understands his/her targets' chosen technologies better than they do and can think in a critical, outside the box fashion. Skilled hackers can identify and exploit the mental scotomas of their victims, using their oversights as pivot points to open up a vast chess board with an unlimited field of movement. If you want to be a hacker you must have strong foundations in computers from the hardware to the bare bones of network technologies. Reading and digesting RFCs on various TCP/IP packets and then getting excited when you see a way to use that packet in a way no one intended is a step in the right direction. A hacker sees a program crash or a computer blue screen and wonders if its reproducible or causes buffer overflows. A hacker must be a Cisco Engineer, a Microsoft subject matter expert, a Linux guru, and a Python, Bash, PowerShell, Ruby, Java, Assembler fool. In summary, we need technologists that are passionate about IT, motivated to learn new technologies, and subject matter experts in multiple domains. 1. How do you identify soldiers with exceptional technology skills and the aptitude to apply those skills to an asymetric task such as hacking? 2. What kind of training should be used to enhance the skills of selected soldiers and prepare them for their missions? 3. How do you retain those soldiers after you have invested considerable time and energy into their training?

Response by CW3(P) Private RallyPoint Member made Oct 2 at 2013 2:46 PM

2013-10-02T14:46:18-04:00

This is the new hotness for cyber: http://www.7sigcmd.army.mil/CPTWeb/index.html.

Response by SGT Private RallyPoint Member made Oct 2 at 2013 11:15 PM

2013-10-02T23:15:59-04:00

I agree with your thoughts of hacking being about the passion, capabilities, thoughtfulness, curiosity, and finesse.  I've done just about every signal MOS short of going out with a manpack.  I have observed, watched and patiently learned.  I have studied and gotten elbow deep into equipment (breaking and repairing).  I just wish I knew where to sign up for MOS' like cyber security.  Because honestly our enemies are too different from us.  They have drives and passions and motivations that could easily be exploited. They just as easily hire those who are not as knowledgeable about the equipment they use.  They make mistakes and leave vulnerabilities.  Show me where to sign, I'd love to become an asset in cyber security.

Response by SSG Private RallyPoint Member made Oct 3 at 2013 2:52 PM

2013-10-03T14:52:34-04:00

Do you have any information about what 35Qs actually do?

Response by Cpl David Hall made Mar 6 at 2014 11:57 PM

2014-03-06T23:57:11-05:00

I am currently a security specialist and I concur with most of what you say ssg. One of the problems that the military faces is that once the person gets to that level there is absolutely no way the army can compete with the type of salary retirement or any other package that  they can not  write for themselves in the public sector. As a moderate security guy I obtain 6 figures a year and to be fair I fall in the category of somewhat skilled not a Steve jobs etc,  as far as a hacker  you wanting to have those skills I would suggest contacting the guys a EC-COUNCIL and  suggesting or setting up course to your men from them they would be able to at least give them the basics of hacking after that it is up to them.  

Response by 1LT Private RallyPoint Member made Mar 7 at 2014 6:35 AM

2014-03-07T06:35:35-05:00

SSG Sweeney,

You may find these references potentially helpful in reviewing opportunities:

http://www.afcea.org/events/tnlf/southwest/documents/Tr1S1MIConway.pdf

http://smallwarsjournal.com/jrnl/art/combat-identification-in-cyberspace

http://smallwarsjournal.com/jrnl/art/cyber-threat-indications-warning-predict-identify-and-counter

http://smallwarsjournal.com/jrnl/art/why-your-intuition-about-cyber-warfare-is-probably-wrong

http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf

http://smallwarsjournal.com/jrnl/art/on-the-spectrum-of-cyberspace-operations

http://smallwarsjournal.com/jrnl/art/the-cyberspace-operations-planner

https://www.atrrs.army.mil/atrrscc/search.aspx ( set Enlisted MOS 25D3 25D4 35Q3 )

http://www.armyreenlistment.com/Messages/MILPER/MOS_35Q_12_187_20120621.pdf

My military / industrial / academic colleagues who work in the cyberwarfare field often prefer mathematically trained individuals who can play a musical instrument well (key sign of intrinsic core mental abilities), studied number theory, and open source cryptanalysis. Our typical entry level cryptanalytic technical methods trainee should be able to breeze through any common open source textbook ( e.g., http://math.scu.edu/~eschaefe/book.pdf ) without major difficulty on a quarter time basis over the course of a 10 (fast) - 15 (slow) week period.

For other applied cyberwarfare positions, some colleagues might advise getting to know the opposition players, technologies, methods, capabilities, sentiments, motivation, and strategies via the ebook3000, defcon, blackhat, kali linux, tor, and similar hacker resources.

While learning traditional technologies may be helpful, mainly we need curious puzzle solvers.

We can easily teach a trainee to code, compile, decompile, debug, and run hardware, software, simulator, synthetic, aperature, broadband, acquisition, recording, filtering, detecting, decoding, encoding, decoy, spoofing, jamming, and countermeasure systems.

But, you must already intrinsically possess fine mental ability, sensitivity, dedication, very keen attention to detail, competitiveness, persistence, and sheer joy in breaking opposition puzzles / defending friendly targets to succeed in this exceedingly tedious technical work.

As others have suggested, you may find options somewhat limited within the military. Much of the more intellectually interesting work is done by our contractors or civilian agency personnel. However, there are still physically challenging and geographically interesting enough raw data collection sources / methods that appeal to military personnel. Some of the manned platforms may do mach 3+ / angels 80+ where other sites keep station on water, rock, or ice to acquire strategic tracking, telemetry, or other signals. New unmanned platforms remotely operated via satellites may be interesting. We also need people to defend our internal computing assets.

Of course, I grew up when computers had small magnetic donuts strung on wires for memory and were built up from discrete transistors and other components wedged between a pair of multiple layer circuit boards flooded with freon. Integrated circuits were still mostly a laboratory curiosity. We stored data and programs on paper tape, 9 track tape, and disk drives the size of washing machines. So, my opinion may be somewhat limited by my antiquated education.

Others may chime in with differing opinions. But, this is my sense re entre into this community.

Warmest Regards, Sandy ( http://www.linkedin.com/in/armynurse )

p.s. It may not hurt to learn a few languages spoken and written by major cyber adversaries.

E½²®#Ê.»±»6`lË$9ª°Ç"b³Þ2;¢&»f³¾Ý°lBT1v,¿X]·S³¨xÿ£WXTÔ'^ãÏ++oVÖXDA×óVyS;iÛDÇczãK-LÂÄ^P{4%¥ d¤hTg[?4#=cº{0ã+0©Í®ZÁOìÜá~îÄþ$¹¬ZÁÓ.yE~È¹§üdå\½³íæÆ¼"7>;ö¦£H¸üÈha¾"5é
é9j½ÍËóÅ2±saíN...

Response by CPT Private RallyPoint Member made Feb 18 at 2015 12:34 AM

2015-02-18T00:34:29-05:00

SFC Private RallyPoint Member, another component of this is increasing overall levels of technological literacy across the force. Tactically, we lack a baseline of competency (let alone expertise) needed to be defensively functional because we don't understand the operating environment and how it can be used to our (dis)advantage.

Considering the most basic of IT-related tasks: how many SMs are guilty of using default passwords when allowed, have trouble mapping a printer or prefer to leave everything up to S6, EWO or the CEMA (Cyber Electromagnetic Activities) guy because 'that's their job'? I've been guilty of a few (please don't anyone try to hack my RP PW) and am learning everyday how we must increase baseline competency to remain competitive as a force given our reliance on IT and the interwebs (sic).

Leadership can't be meaningfully engaged in retaining talent if they only have a vague understanding of what that talent means or brings to the table.

Response by Sgt Abdullahi Mohamud made May 3 at 2015 12:18 PM

2015-05-03T12:18:15-04:00

I'm working on my Masters degree in Cybersecurity. I agree on all the above mentioned list of skills. In addition, language proficiency, regional cultural studies focussing on specifics are must haves in this field. Most important, it is ability to analyze all data collection. Thus, without the ability of analytical aptitude, the Gladiators of Cyber will slaughter Cyber Sentries of the US in the colosseum. In order words, without competency of analysis, all data collection and the technical skills will not prevent the intrusions and the attacks of a formidable opponents. For that reason, retaining the brightest and Patriots should be prerequisite for retention not clowns that swear allegiance to a Smartphone- ISO or Android.
Semper Fidelis

Response by SSG Derek Scheller made May 18 at 2015 1:02 PM

2015-05-18T13:02:23-04:00

So I know this is an old question, but after reading some of the comments I feel the need to respond. The term hacker has become a misplaced term among most of society. Hackers come in many forms. In the IT field a Hacker is a person who can look at an error or a code and find a way to exploit its mistakes, whether someone forgot a ; or an entire line all together that allows the attacker to execute malicious code. However, not all code is malicious and not all hackers are bad.

Many of the common hackers your hear about today are great at social engineering and being a script kiddie. It doesn't take much for someone to start up kali linux, run the setoolkit and exploit someone because they don't know how to NOT open an e-mail or click a link.

I have been told by many that I am an exception to the IT world. I am not an elite hacker by any means. But, I make it my mission to no everything there is to know about Cyber and IT in general. I consider myself for the time being an IT Specialist. I study linux, mac, windows, cisco, novell, python scripting, and just about all fields of IT. I have the inate ability to absorb anything I am taught when it comes to computers. However, not all people can. I love to analyze code, and flaws, and websites. I love learning how exploits work, and their design. Rootkits and scripts, just about anything in the cyber realm i make it my mission to learn.

Though the one thing that can set you apart from everyone else, is not just the knowledge or the know-how to be a "Hacker" but the ability to learn different languages as well. A lot of what we in the US are attacked with contain foreign languages like Russian, Chinese, etc. So to be a true expert Hacker you must not only know your ways in and out of a system covertly, but you must also be able to analyze the exploit that has just come across your system in a foreign language.

Response by SGM Private RallyPoint Member made Jun 8 at 2015 4:44 PM

2015-06-08T16:44:34-04:00

SFC Private RallyPoint Member, this is a topic I have been concerned about for years, not just cybersecurity, but how we retain soldiers with critical skills. The obvious answer is proficiency pay.

As you noted, cybersecurity is something you have to teach yourself. You don't need everything on your list, but you have to start somewhere and you have to be dedicated to learning more. That means you have to be self-motivating.

Enlisted soldiers are the blue-collar workforce of the military, and I have my doubts that the average enlistee going into cybersecurity will ever be better than a script-kiddie. But that doesn't mean they can perform useful service. (Red teams, helping units with basic-level security, i.e. to not be low-hanging fruit.) However the question is how to train and retain top-level talent. My suggestions:

1) The above concerns say Warrant Officer to me. Those who surpass the script kiddie level should be considered for Warrant slots.
2) Consider how linguists retain their language. Regular, perhaps daily practice, audio tapes, and publications in their language. So why shouldn't there be a lab setup with Metasploitable, and every current major Linux, Windows, database, and similar server as target machines, and Kali Linux set up on attack boxes? Add in SNORT, Metasploit, honey farms, all major antivirus and antispyware programs,and other offensive and defensive tools, and make that a daily part of training. Surely each major military base could stand up such a lab, for the protection it could provide. And having such a playground would be an incentive to stay in. I have only a fraction of the above, and I built/purchased it all myself. I'd reup in a heartbeat for such a lab setup.

Response by CPT Private RallyPoint Member made Jul 15 at 2015 11:16 AM

2015-07-15T11:16:47-04:00

1. How do you identify soldiers with exceptional technology skills and the aptitude to apply those skills to an asymetric task such as hacking?

Establishing an open capture the flag / skills assessment that will gauge any soldiers capability. There are many CTFs available as well as proven examples out there (netwars). This combined with psychological screening could provide the right people.

2. What kind of training should be used to enhance the skills of selected soldiers and prepare them for their missions?

Classes on self-learning methods, programming, reverse engineering, development and debugging, etc. These will establish a baseline - then incorporate popular frameworks.

3. How do you retain those soldiers after you have invested considerable time and energy into their training?
Incentives, money, and freedom to use skillsets. Adjusting the PCS schedule and training expectations would be helpful. "Pro" pay already exists for medical realm and bonus pay for needed MOS. These skillsets are different but also valuable and should be treated this way.

Response by SSG Private RallyPoint Member made Aug 31 at 2015 4:35 AM

2015-08-31T04:35:52-04:00

I agree hacking is never a skill learned it's understanding the working of the computer signal and that only happens through lots of self taught readings and learnings with practical applications...people don't hack for the sake of hacking...although some people do...most do it to learn and understand the workings of the Internet environment and ability to use the signals and what's available to use...kinda like sports you don't get better unless you practice and learn other methods to succeed

Response by SSG Private RallyPoint Member made Oct 4 at 2015 4:22 AM

2015-10-04T04:22:34-04:00

1. I disagree, I believe hackers can be taught with the right tools...the first for identification is passionate for technology and how often do they stay updated and what is their capacity of understanding of a technology. I believe hacking is both experience and education but more experience to help build the skillset and understanding. I believe hacking is about exploring and understanding how a system works if you don't receive the right education as well 2. I'd look at the basics of understanding security and main programming lingo mainly UNIX, Linux, Dos and Python and basically set up a versus team to hack each others computer in a local server based on a firewall built by themselves which helps increase their cyber defense skills while learning to attack 3. Retaining them is basically providing them missions in relation to their job or skillset...this is where talent management comes in...for example the person who's good at building firewalls continue to train him or her up to further ithe skill while training up on the others maybe as STt so you build your own experts to train each other. That's what I would do.

Response by CDR Private RallyPoint Member made Oct 19 at 2015 10:43 AM

2015-10-19T10:43:47-04:00

Just wanted to add that I had loads of cybersecurity training, computer science education and hands on experience in coding, and would never ever consider myself a success at hacking. In my view the successful hackers have something I don't. They have an incredible ability to stay focused on a problem and never give up. They are persistent in ways I could never be. For me that is the most important trait of the successful hacker. They need skills and training, but need persistence above all.