Seems the vaunted cyber-warriors at US CYBERCOM were matched up recently against some US military reservists whose civilian jobs centered around IT security. The outcome, the UK’s Register reports, was decidedly grim for the DoD’s concept of a “cyber” command.
“The active-duty team didn’t even know how they’d been attacked. They were pretty much obliterated,” said one Capitol Hill staffer who attended, Navy Times reports.
Bear in mind that the opposing force to CYBERCOM did not consist of true hackers, but IT security people. The best of those IT security professionals will readily admit that the bad guys, the black hats and hackers, are way ahead of them in the ability to penetrate networks, exploit operating systems, and do so with very little chance of detection and virtually none of attribution.
DoD and the respective services are quick to point to someone or some group and label them “cyber experts”, when in reality those people may merely have some insights into network operations or limited experience with network security. In actuality, while those people may know considerably more than the average person, their depth and breadth of knowledge is woefully inadequate for even the very basics of what DoD claims it can do in what it euphemistically calls the “cyber domain”.
Retired Marine General Arnie Punaro, commenting as a member of the Reserve Policy Board, had a salient observation:
“It defies common sense to think that industry, in particular our high-tech industries, are not moving at light speed compared to the way government works.”
While Punaro was commenting about the 80/20 active duty/reserve mix in these “cyber” units, he is also seemingly laboring under some illusions about the ability of the US Military to recruit “cyber warriors”. The kinds of people who will stay up all night eating pizza and smoking grass, pulling apart this or that operating code just for the fun of it, are largely not the types of people whose sense of patriotic duty will put them on the yellow footprints at Parris Island, or have them running PT with a shaved head at 0600 while drawing meager pay and having to field day the barracks every Thursday. They are a free-spirited counterculture which often operates on both sides of the line of legality.
And those are just the “script kiddies”, whose motivations are often driven by some sense of social cause and are far less sinister than others’. From those groups come those who are hired by some very bad people, nation-state and non-state actors, who mix the technical knowledge of the kiddies they hire (or develop indigenously) with a considerable knowledge of the targeted network(s) and their importance to the critical infrastructure central to America’s industrialized and automated society. It is from that latter mix that our most serious security threats emerge.
The concept of “information dominance”, so cavalierly and arrogantly thrown about, is a thoroughly bankrupt one. The whispered assurances that “Fort Meade knows all” when it comes to network security and the ability to conduct what we used to call “offensive cyber” are so much wishful thinking. The adversaries, the dangerous ones, are way ahead of them. Read any report written by McAfee or any other security firm in the last five years and the tale is always the same. Network exploits and the hemorrhaging of sensitive information have often been ongoing for YEARS before a breach is even detected. And, without exception, attribution in any meaningful way has proven impossible.
DoD is way behind the eight-ball in all things “cyber”, including a realistic understanding of the problem set. Some F-16 pilot does not become a “cyber expert” in a ten-month IT course. He becomes just dangerous enough to overplay his hand. The depth of technical knowledge required for such expertise is years and decades in the making. We would be off to a good start by recognizing as much.
I will finish with a football analogy. When you have just scrimmaged a freshman team and lost 63-0, you have a very long way to go before you are ready to play your conference schedule.
Oh, and you FOGOs who might vehemently disagree with what I wrote above? You may be doing so on a computer that is jump number 384,262 in a 600,000-machine bot-net that will shortly be bombarding the US State Department with hostile packets, or displaying “Free Julian Assange” on a Pentagon website.