A Lesson in Information Humiliation


Seems the vaunted cyber-warriors at US CYBERCOM were matched up recently against some US military reservists whose civilian jobs centered around IT security.   The outcome, the UK’s Register reports, was decidedly grim for the DoD’s concept of a “cyber” command.

“The active-duty team didn’t even know how they’d been attacked. They were pretty much obliterated,” said one Capitol Hill staffer who attended, Navy Times reports.

Bear in mind that the opposing force to CYBERCOM did not consist of true hackers, but IT security people.  The best of those IT security professionals will readily admit that the bad guys, the black hats and hackers, are way ahead of them in the ability to penetrate networks, exploit operating systems, and do so with very little chance of detection and virtually none of attribution.

DoD and the respective services are quick to point to someone or some group and label them “cyber experts”, when in reality those people may merely have some insights into network operations or limited experience with network security.  In actuality, while those people may know considerably more than the average person, their depth and breadth of knowledge is woefully inadequate for even the very basics of what DoD claims it can do in what it euphemistically calls the “cyber domain”.

Retired Marine General Arnie Punaro, commenting as a member of the Reserve Policy Board, had a salient observation:

“It defies common sense to think that industry, in particular our high-tech industries, are not moving at light speed compared to the way government works.”

While Punaro was commenting about the 80/20 active duty/reserve mix in these “cyber” units, he is also seemingly laboring under some illusions about the ability of the US Military to recruit “cyber warriors”.  The kinds of people who will stay up all night eating pizza and smoking grass, pulling apart this or that operating code just for the fun of it, are largely not the types of people whose sense of patriotic duty will put them on the yellow footprints at Parris Island, or have them running PT with a shaved head at 0600 while drawing meager pay and having to field day the barracks every Thursday.  They are a free-spirited counterculture which often operates on both sides of the line of legality.

And those are just the “script kiddies”, whose motivations are often driven by some sense of social cause and are far less sinister than some. From those groups come those who are hired by some very bad people, nation-state and non-state actors, who mix the technical knowledge of the kiddies they hire (or develop indigenously) with a considerable knowledge of the targeted network(s) and their importance to critical infrastructure which is central to America’s industrialized and automated society. It is from that latter mix that our most serious security threats emerge.

The concept of “information dominance”, so cavalierly and arrogantly thrown about, is a thoroughly bankrupt one. The whispered assurances that “Fort Meade knows all” when it comes to network security and the ability to conduct what we used to call “offensive cyber” are so much wishful thinking. The adversaries, the dangerous ones, are way ahead of them. Read any report written by McAfee or another security firm in the last five years and the tale is always the same. Network exploits and the hemorrhaging of sensitive information have often been ongoing for YEARS before a breach is even detected. And, without exception, attribution in any meaningful way has proven impossible.

DoD is way behind the eight-ball in all things “cyber”, including a realistic understanding of the problem set.  Some F-16 pilot does not become a “cyber expert” in a ten-month IT course.  He becomes just dangerous enough to overplay his hand.  The depth of technical knowledge required for such expertise is years and decades in the making.  We would be off to a good start in recognizing such.

I will finish with a football analogy.  When you have just scrimmaged a freshman team and lost 63-0, you have a very long way to go before you are ready to play your conference schedule.

Oh, and you FOGOs who might vehemently disagree with what I wrote above?   You may be doing so on a computer that is jump number 384,262 in a 600,000-machine bot-net that will shortly be bombarding the US State Department with hostile packets, or displaying “Free Julian Assange” on a Pentagon website.


8 responses to “A Lesson in Information Humiliation”

  1. Stormy

    2 thoughts:

    1. I saw the story break a couple of days ago and forwarded the link to my son, currently earning his undergraduate in software engineering. His response: “Anyone who is any good at cyber warfare techniques will avoid government like the plague. Everyone knows that.”

    2. Take a look at what passes for a Master’s degree in Cyber-something from the Naval Postgraduate School: http://www.nps.edu/Academics/Schools/GSOIS/Departments/CAG/Education/degrees.html. Compare that with what you can expect the opposition in select eastern European and Asian nations is bringing to the table.

    Say, “Goodnight,” Gracie.

  2. Reblogged this on makeaneffort and commented:
    Must read.

  3. SFC Dunlap 173d RVN

    Scary, believe it, applause, good night Gracie.

  4. David Navarre

    There is so much more money in private industry with so much less hassle. Even civilian government work in this sector pays poorly and comes with a load of nonsense that almost no brilliant techie would put up with.

  5. Paul L. Quandt

    So, how far are we from “put your head between your knees and kiss your ass goodbye”?

    Paul