Battle Staffs Need More Cyber Training, Leaders Say

Developing cyber warfare capabilities turns out to be only one piece in the complex challenge military leaders have in trying to incorporate a new warfare domain into their mission management and planning process.

Commanders need to understand cyber effects if they’re to use the capabilities now at their disposal, and planners have to understand how best to leverage those capabilities to provide commanders with viable and ready options. The trouble is, cyber is still a new tool for most battle planners and experienced experts are rare. That’s raising a need to expand who gets trained on how to use cyber effects, as well as how to make that understanding more accessible to more planners.

“We focus on developing technical gurus,” explained Maryland Air National Guard Capt. Matthew “Tux” Weiner, group weapons and tactics officer of the 275th Air Force Support Squadron. “What we don’t teach them is how to be planners. We don’t teach them Joint Pub 5 [Joint Operation Planning], we don’t teach them Joint Pub 3-60 [Joint Targeting] and we don’t teach them about the Joint Target Cycle.”

Another problem: Cyber is still so highly classified that cyber operators are kept apart from planning and operations staffs. One result: Many commanders lack experience or understanding of how cyber can be used in military operations.

Both cyber operators and mission planners need more areas of common understanding, Weiner suggested. “The operators don’t need to be at that [senior planning] level, but you need trained and certified planners in the AOC [Air Operations Center] that understand our [cyber] capabilities, understand our effects, can distinguish between something called defensive cyber operations response actions and offensive cyber space operations,” he said. Planners must understand the nuances, such as the different authorities required for each and which cyber specialists can do which kind of work.

“I also believe we … haven’t built a standard on planning,” he added. With artillery and air power, for example, there are established planning methodologies and software to help imbue new planners with decades of military understanding and experience. That’s missing for cyber today. “We don’t have a solution out there … where you go in there and build off some piece of software or some piece of equipment and it takes you through your entire response action for what you’re going to do,” Weiner said.

That’s an immediate need, he added, posing a challenge to the military training community to develop and standardize methods for training cyber mission planners.

“Within Army Mission Training Complexes, Cyber cells are being integrated in the mission operations training,” said retired COL Bob Pricone, VP of Training at GDIT. “We’re beginning to develop a body of knowledge to enable better cyber mission planning. But it’s still an emerging practice.”

Weiner said his command has begun the process and has a waiting list of 200 officers to get into the Guard’s program: a three-week tactical planner’s course that includes a week on JP-5 and two on JP-3-60. “But that shouldn’t be the first time they see it,” he said. “We need to start building cyber planners from the time they go through their service schools and come out into operations.”

Classification Conflicts
Frank DiGiovanni, director of force training at the Pentagon, experienced this problem firsthand as an Air Force officer: “I had a cyber person and a space person working for me, but they could not talk in the battle staff about their capabilities.”

The two were sequestered in another part of the air operations center, he said, because of classifications that barred most AOC staff from knowing what they were doing or could do – a problem that has yet to be solved, he said.

“We have to fix the security issue to make sure the people on the battle staff are read in,” DiGiovanni said.

Just as important is making sure commanders understand the cyber capabilities at their fingertips and that they have confidence that those capabilities will have an impact once unleashed. Planners alone don’t ensure commanders will use capabilities they see as unproven or untested.

“If the commander isn’t confident in the capabilities – because he hasn’t seen it in training or exercises – it won’t be used,” DiGiovanni said. “It’s a complete value chain which includes the leaders, the planners, the operators and the maintainers. All those people have to be exercised and trained to understand the capabilities. It’s a big problem.”

Maj. Gen. Stephen Fogarty, chief of staff at U.S. Cyber Command, said that though the Army is acutely aware of the problem, real-world experience is helping to light the way forward. “There’s nothing like operations to accelerate learning,” he said. “We have learned tremendously.” The Army’s Cyber Center of Excellence is adapting its training to address the knowledge shortfall, Fogarty said, “so those lieutenants, NCOs and warrant officers in the training, they’re going to come away with not only the ability to [conduct cyber warfare] at the national level, but actually to provide effects down to the tactical level.”

How Changing the Requirements Process Could Boost Innovation

The Pentagon and other government agencies spent much of the past two years experimenting with rapid-acquisition strategies designed to speed up technology insertion by shortening the requirements process, streamlining proposals and accelerating decisions.

The Defense Innovation Unit Experimental (DIUx) and a host of other rapid-acquisition, innovation and development offices across the department employ prototyping, iterative development and mostly small and non-traditional defense suppliers, to cut the time it takes to develop and deploy new capabilities.

Now, as a new administration arrives in Washington questioning high-priced defense programs and hoping to enforce a new brand of business-minded management, the question is whether this approach can accommodate both large-scale contracts and enterprise technology programs.

“Future Foundry,” a new report from the Center for a New American Security, lays out a strategic approach it calls “optionality.” The central idea: By placing more, smaller bets on competing technologies and concepts up front, the government can achieve a more diverse portfolio of choices over time.

The central problem its authors see is that major programs take so long to develop, it’s impossible to anticipate every potential future requirement at the outset. That, in turn, leads to the piling on of requirements up front, increasing complexity, risk and costs. Instead, they argue for investing in smaller-scale prototypes and demonstrators and then adding capabilities with rapid, incremental upgrades over time. The result: risk is minimized by committing to just one stage of development at a time; competition is enhanced because players remain in the game longer and costs are contained because large-scale program failures and cancellations are reduced or eliminated.

This, the report argues, should help DoD “exploit advantages, particularly human, in which the United States is expected to remain dominant in the foreseeable future.”

Sean O’Keefe, former NASA administrator, U.S. Navy secretary and Pentagon comptroller and now a Syracuse University professor, co-wrote the introduction to the report, which he said tries to address a fundamental problem: ensuring the largest possible pool of potential suppliers for defense requirements.

Today, O’Keefe said, “There is a very finite number of companies that are deeply engaged – almost to a point of exclusivity – in national security. And then there are others who could have applicability, but aren’t sufficiently attracted because there are so many things you’ve got to overcome, just to be a participant in that market. And the size of the market, relative to other opportunities today, leads many companies to conclude it just isn’t worth the gain.”

DIUx and other rapid procurement programs seek to reduce the barriers to entry by eliminating much of the contracting red tape that slows things down, but the strategy only goes so far. While small companies may see such work as valuable because it could spur investment or attract buy-out offers, established businesses are less willing.

“I have more opportunities than time to pursue them,” said Russell Stern, chief executive at Solarflare in Irvine, Calif. The company produces networking software and hardware that accelerates, monitors and secures network data and conducts low-latency networking. Though it has the skills and capabilities the government seeks, according to Stern, “we can’t afford to have someone sit there and spend months or years on a project that might not pay off.”

That’s where CNAS’ optionality concept comes in, says lead author Ben Fitzgerald, director of the think tank’s Technology and National Security Program. “The strategy is one in which DoD intentionally invests in many more and different types of systems. There are military reasons for doing that and also business reasons, to engender more competition and hopefully to lower some of these barriers to entry.”

The Pentagon needs a more nuanced approach to its industrial policy because it no longer dominates the technology markets it depends upon. Instead, it sources products from four distinct groups:

  • Manufacturers of military unique systems, such as submarines or aircraft carriers, in which competition is limited or non-existent
  • Makers of military unique systems, such as fighter aircraft and combat vehicles, where competition is viable
  • Commercial technology suppliers with products that can be adapted to military use
  • Purely commercial technology providers

“We don’t actually have any industrial policy for [the last two], despite the fact we talk about buying commercial technology all the time,” he said.

“We’re trying to expand the choices,” O’Keefe said, in order to escape a business model in which “you freeze-frame characteristics and then, for the rest of time, are restricted to the limits of what those capabilities are.”

The optionality approach, he said, offers “the agility to produce varying capabilities on the forward end of the spectrum” and the ability to choose, based on evolving threats, which is most effective and then field it contemporaneously. The current model locks in choices too soon, he says, and the process is so long that stakeholders tend to load up on requirements out of fear that if they miss their chance this time, it could be a decade or more before they’ll get another chance.

“We’re urging choices to take a range of different paths without commitment,” O’Keefe said.

Information Technology
For information technology systems, the concept would require a fundamental shift in how systems are typically procured. The requirements process for government information technology systems maps directly to commercial best practices for IT acquisition, as defined by industry standards like the Information Technology Infrastructure Library (ITIL) or Capability Maturity Model Integration (CMMI).

“It’s rooted in the need to build something aligned with a business or mission need, and that must work reliably, securely and supportably,” said Stan Tyliszczak, vice president of technology integration at General Dynamics Information Technology. “Every change has multiple, disparate downstream effects – and the bigger the enterprise, the greater the impact of those effects.”

But while that may be the right approach for a system where the underlying uses are all well understood, such as when an existing system is being replaced in a one-for-one upgrade, it is less than ideal for situations in which brand new capabilities are being introduced. In those circumstances, it’s not possible to foresee all the potential requirements.

“An Amazon doesn’t build everything at once,” Tyliszczak said. “They develop a platform and then deploy agile increments later.” Those increments include both planned capabilities and new ideas fueled by user interactions.

That’s what makes agile development different. Unlike block upgrades on a weapons platform, agile iterations are launched in a series of sprints, rather than planned and scheduled years in advance, and can be pushed out as they are ready. Requirements are treated more fluidly and can change over time. That’s a fundamental shift for government acquisition.

Making that work in a government contracting context will require a different approach to defining requirements. While there’s no one-size-fits-all approach, Tyliszczak said, one way to accomplish that could be to treat some efforts not as fixed, long-term capabilities, but as short-term, flexible purchases: Acquire a capability for a specific use, then once that mission is complete, take a fresh look. That could mean scrapping the system in favor of a new approach or enhancing what is already in use. But because the system wasn’t contracted with full life-cycle expectations and costs, the initial investment is smaller and the agency has more options at the end.

“Individual sprints might even be developed by different contractors,” Tyliszczak said. “There might be one integrator to pull together all the pieces, but additional capabilities could be procured from different providers.”

The concept isn’t applicable to everything. “But having the ability to provide this agile or incremental overlay on top of an acquisition is probably a good thing to do,” Tyliszczak said.

DoD’s Dependence on Commercial Tech
William J. Lynn III, the former Deputy Defense Secretary who is now chief executive at Leonardo North America and DRS Technologies and who, with O’Keefe, co-authored the foreword to the report, agrees with Tyliszczak: “We can’t have a one-size-fits-all policy,” he says.

There are too many barriers to entry to the defense market, Lynn says, citing the need for separate accounting systems as one example. “If you’re a big IT behemoth, why would you bother?” Ideally, DoD should promote policies that support each of the four technology sectors on which DoD depends. “But if DoD doesn’t do that, industry will have to on its own.”

U.S. military strategy is centered on technological superiority being a force multiplier on every battlefield – land, sea, air, space and cyberspace. But while the military was able to drive that development in decades past, today it no longer wields the same influence.

“The United States’ ability to maintain its military-technical edge is tied to its ability to leverage advances in commercial technology,” the report argues. “Theoretically, the DoD possesses the legal authorities and acquisition regulations to procure these systems. [But] in reality, the lack of an acquisition workforce familiar with these types of procurement, the nature of the current requirements system, and a lack of support from mid-level leadership mean that commercially adapted military technologies remain stuck. Even prototypes are acquired in the same way as military unique systems.”

To fix that, the report urges the Pentagon to “establish agile methods by which validated experiments, challenge grants, competitive wargaming, emerging combatant command considerations, and prototypes can be used by the services and OSD to establish needs and start new acquisition projects.” Likewise, experimentation, prototyping, capability improvement and upgrade opportunities should be used “to identify and define problems, developing technologically informed requirements before proceeding to production.”

The report’s authors acknowledge that the existing acquisition system is built for military-unique programs, and that the bureaucracy is large and often resistant to change. So they argue for creating a new acquisition pathway that can operate in parallel, one designed expressly for prototyping new systems and adapting commercial off-the-shelf and existing military systems for new uses.

Noting that the 2017 National Defense Authorization Act requires DoD to create a new undersecretary for research and engineering, the report suggests this office could become the new home for DIUx and DoD’s Strategic Capabilities Office, the Joint Rapid Acquisitions Cell and small business programs, providing sufficient organizational heft to drive policy and protect this alternative acquisition pathway.

Such an alternative path will have to overcome perceptions that it is either one administration’s pet concept or that it favors one group of contractors over another. Whether DIUx survives the change in administration is an open question. Concerns that it and other rapid-acquisition programs lean too heavily on the use of Other Transaction Authority (OTA), a contracting tool designed to let the Pentagon more easily contract with small and non-traditional defense suppliers, also muddy the outlook. “If they can do it for them they should do it for everybody,” says Alan Chvotkin, executive vice president and counsel at PSC.

Ultimately, no one sector or group of companies holds all the keys to innovation. To maximize their effectiveness, alternative acquisition pathways should be open to good ideas wherever they come from.

Here’s How DoD Aims to Grow its Own Hackers

With the US government retaliating against Russia for cyber attacks affecting the U.S. Presidential election, demand for more hacking talent within the Department of Defense is sure to rise. The National Security Agency is the primary trainer for military cyber skills until 2019, but after that, the military services are supposed to take over.

“What we are looking for is that hacker mindset,” said Maryland Air National Guard Capt. Matthew “Tux” Weiner, group weapons and tactics officer of the 275th Air Force Support Squadron. A former master sergeant, Weiner stood up the initial cadre of the U.S. Air Force Cyber Warfare Operations Weapon Instructor Course, an elite course in cyber at Nevada’s Nellis Air Force Base.

Finding hackers in uniform is like finding a needle in a haystack. To find them, the Air Force starts with a challenging assessment test that weeds out 99 percent of test takers. “The smartest people I know take this assessment and don’t pass,” Weiner told a packed room full of cyber and training professionals at the Interservice/Industry Training, Simulation and Education Conference late last month. It follows with rigorous training that weeds out half of the select few who qualify.

But Weiner said the service has identified the factors that predict success: military experience, an intense level of effort and exceptional attention to detail. Trainees work their way through a series of training courses, beginning with foundational training – now handled online – followed by operational training and ultimately professional development through three stages: apprentice, journeyman and master-level operator. Once in the field, apprentice operators are paired with more experienced journeymen, continuing the training process.

Getting trainees through costs in excess of $250,000 per person, Weiner said, in part because the washout and attrition rates are so high. Master-level operators are extremely scarce.

Students must master networking, the UNIX and Windows operating systems, security and all the related protocols.

“It isn’t just learning TCP/IP and network security,” Weiner said. “It’s wanting to go in there, understand security and break the system. It’s about having the mindset that you want to hack into something and break it.”

Just as with other military capabilities, the defense industry plays a key role in building DoD’s hacking capacity, said Rear Adm. (Ret.) Tony Cothron, a former chief of naval intelligence and now vice president for customer requirements at General Dynamics Information Technology. Industry provides a “surge” capability with additional hacker manpower, as well as other cyber mission support resources. Companies are investing in training and developing their own cyber talent, and for people seeking cyber security careers without having to sign up for the military culture, they can be an excellent alternative, he said. “The demand for personnel with cyber expertise and who are cleared is only going to increase.”

Hackers Are Different
John “Rigs” Rigney, co-founder and chief technology officer of Point3 Security, agreed. A lifelong hacker and former NSA cyber operator, Rigney said there are really only two routes to recruiting cyber talent: Find these people or grow them yourself.

“I grew up in this world as a hacker,” Rigney said. “I broke into my first system when I was 8 and haven’t really stopped since. When I talk to people about recruiting, I find they’re looking in the wrong places. What I often see is they’re going in to job sites like LinkedIn. I don’t know anyone who has these skills who is on LinkedIn.

“That’s just the wrong place. This is a culture,” he said. “You do this because you’re obsessed with it, because you’re a crazy person. That’s why we do this.”

Rigney has been the lead instructor running and developing the Cyber Operations Academy Course (COAC), an initiative driven by Defense Department Director of Force Training Frank DiGiovanni. The course aims to develop a scalable model for teaching cyber skills to military members with varying levels of cyber knowledge and turn them into operators in just six months, bypassing the conventional hierarchical approach requiring years of schooling and a college degree.

The program has so far proved effective through demonstrations, but scaling it remains a challenge. DiGiovanni believes technology could help with that eventually. Like the Air Force’s operational set-up, this training curriculum is built on a journeyman apprentice model, with more experienced members helping less experienced ones.

Rigney, a lifelong hacker and former NSA cyber operator, observed that many of the most talented hackers are simply unaware that they can get well-paying jobs “doing this kind of work.” Making matters worse, the government and industry often aren’t sure where to look. “I see recruiters looking on sites like LinkedIn,” Rigney said. “These guys just aren’t there.”

To find talented hackers, Rigney suggested agencies and contractors sponsor more capture-the-flag cyber events which showcase hackers’ talent in the cyber game of cat and mouse. Such events are signature elements of hacker conferences like Def Con and provide the kind of challenge that brings hackers out into the open. Rigney led a team that won the Def Con capture the flag contest three years ago.

But not every cyber team seeks that kind of hacker. Some want more conventional cyber defenders. Most hackers argue that unless defenders have the skills and mindset to think like hackers, they won’t be able to seal off networks or successfully hunt down intrusions. The hackers, they say, will remain a step ahead.

Another problem is that military members – whether ground pounders, air crew or logisticians – need to meet physical fitness standards that may exclude some hackers. Others might have legal issues keeping them out of uniform.

COAC trains people with or without specific cyber expertise, and Rigney said the course has proved that, with the right encouragement, students do demonstrate the obsessive, addictive behavior he sees as critical to hacking successfully. “They’ve got to have that obsession,” Rigney said, noting that as a military course, students are expected to show up at 8 each morning, yet he continued to get text messages and questions from them into the wee hours of the morning. Students are encouraged to take schoolwork home, a marked difference from most military cyber training, which requires students to pack up and leave their classified environments and all work behind.

Once trained, cyber students need to go to work, sitting side-by-side with more experienced operators, and applying their newly developed skills. There, they can refine their knowledge and build up their tradecraft, he said.

But it’s also important to protect cyber practitioners from burnout. Speaking from experience, he said the shortage of cyber talent means military units tend to overburden the few truly talented people they have.

“We’ve got to figure out a way to avoid burning these guys out,” Rigney said. The surest way to do that? “Train many more of them.”

DoD Battles to Train Enough Cyber Practitioners

A new report from the Presidential Commission on Enhancing National Cybersecurity calls for national workforce programs to train 100,000 cyber practitioners by 2020 and a national cybersecurity apprenticeship program to train 50,000 more.

It’s the latest in a series of reports and recommendations pressing the federal government to combat the vast shortage of cyber talent in the public and private sectors.

But actually recruiting and training cyber experts remains a challenging, confusing and sometimes confounding problem. Just days before the report’s release, a panel of experts drilled down on those challenges at the annual Interservice/Industry Training, Simulation and Education Conference (I/ITSEC).

“What we really should be thinking about with cyber is a pipeline,” said Diana Banks, deputy assistant secretary of defense for force education and training. “It is a trainable skill.”

Indeed, the federal government has taken an unusually long-range view on developing such a pipeline. The National Security Agency (NSA) funds GenCyber summer camps for middle and high school students – and their teachers – in more than 30 states and the District of Columbia. The camps supported more than 4,000 students and 900 teachers last summer. Held on university campuses, sessions last a week or two and are designed with the express intent to spark an interest in computer science, cyber security and ethical hacking early in students’ academic development.

Similarly, both the Pentagon and the Department of Homeland Security have programs geared towards attracting college students.

But while the presidential commission report acknowledges the essential value of such efforts, the near-term needs for cyber skills are growing faster than current pipelines can deliver.

“The economic and national security of the United States cannot wait a decade or longer for initiatives in primary and secondary education to bear fruit,” the report states. “Closing the gap in the near term will require a national surge that increases the workforce and provides a structure for on-the-job training to ensure that the current workforce has the right skill set.”

Military Requirements

The military services are already in a race to train thousands of troops with cyber skills and to keep up with growing internal demand from military commanders, said Maj. Gen. Stephen Fogarty, chief of staff at U.S. Cyber Command. The more field commanders learn about what they can do with cyber effects, the greater their demand for practitioners in front-line units. (Commanders, in fact, are often unaware of the full extent of the cyber skills they can bring to bear, because classification levels typically keep that information from them – a procedural and administrative hurdle Fogarty and other officials acknowledge needs to be addressed.)

Fogarty said the Army is finding success recruiting young people to the field. “They’re willing to join the military to get a skill and we’re going to invest a significant amount of effort to make them into very, very good cyber operators,” he said. “How do we actually attract professionals into government service? For initial entry, my carrot is: I will train you. We have soldiers, sailors, airmen and Marines who have college degrees and who want to enlist.” He said the Army’s first Cyber Officer Leader Course also attracted a high-quality cohort: “I had an MIT grad, I had a Harvard grad, I had graduates of West Point’s Cyber Leadership Development Program, and the rest of the students were graduates of some of the best universities in the United States.”

So the issue isn’t that the military can’t compete. Rather, it’s that attrition and growing demand, even among the military services themselves, mean the goal posts are moving even as the Defense Department gets deeper into the game.

“We will not be able to fill all our requirements with active duty military,” Fogarty said. Government civilians, contractor talent and the National Guard and Reserve will be critical to augmenting military capacity. Guard and Reserve members, in particular, give the military access to the best of both worlds. “Some of those individuals work in the industry every day and they bring a lot of maturity and experience to us,” Fogarty says.

NSA’s Cyber School
Grant Wagner, distinguished chair at the National Cryptologic School at NSA, said his agency is working with the military services and DHS to develop a consistent curriculum and a productive talent pipeline. It’s important, he said, “that we’re teaching the same thing – that the universities hear the same message from across the government. That this is the set of skills that we need.”

The government incentivizes universities to follow that model by providing scholarships and guaranteed employment after graduation. “That gives us a broad base of foundational skills and nationwide production.”

The agency is also identifying “key universities,” he said, and working with them through its Centers for Academic Excellence programs across the academic spectrum. “There’s a Center for Academic Excellence in every community, so there’s one for the two-year colleges and for folks who are coming out of high school or changing careers.” There are also four-year programs and another set of programs for advanced degrees.

“Altogether, I’ve got about 216 universities across the nation that I’m working with in one way or another,” he said. “They’re sharing among themselves on what sort of classes are working and what sort of training experiences are working in terms of appealing to the students.”

That pipeline is only the beginning, Wagner said. “Once they’re at the agency, now I have to train them with the special skills necessary to complete their training.” NSA has hands-on laboratory training and platform training today. “But that’s not going to get us where we need to be in the coming years.”

NSA is developing “a set of initiatives that are going to make us much more content agile,” Wagner continued. “In this field, there’s something new every week, and the stuff you did last year is only about half right [today]. We have to be student centered and keep them up to date without taking too much time away from mission, and I have to do that in a very scalable, global structure.”

The agency is also adjusting to a changing world in which it can no longer count on hiring young staff and keeping them for their entire careers. Increasingly, the agency must hire mid-career talent as well, which makes continuous staff assessment more important now than in the past. “I have to have a new set of assessment tools that aren’t onerous on the student and don’t take time away from mission, but still give me an idea of the sorts of training these people need to get back in the groove.”

DoD’s Cyber Academy
Though NSA is the primary trainer for military cyber skills, beginning in 2019, the military services are supposed to take over that responsibility.

Frank DiGiovanni, DoD Director of Force Training

The Defense Department has experimented through a series of pilot training courses dubbed the Cyber Operations Academy Course (COAC), an initiative driven by DoD Director of Force Training Frank DiGiovanni. The course aims to develop a scalable model for teaching cyber skills to military members with varying levels of cyber knowledge. It turns them into operators in just six months, bypassing the conventional hierarchical approach that requires years of schooling culminating in a college degree.

John “Rigs” Rigney, co-founder and chief technology officer of Point3 Security, piloted the journeyman-apprentice approach DiGiovanni favors as the lead instructor in the COAC. A lifelong hacker and former NSA cyber operator, Rigney said there are really only two routes to recruiting cyber talent: Find such people or grow them yourself.

“I grew up in this world as a hacker,” Rigney said. “I broke into my first system when I was 8 and haven’t really stopped since. When I talk to people about recruiting, I find they’re looking in the wrong places. What I often see is they’re going to job sites like LinkedIn. I don’t know anyone who has these skills who is on LinkedIn. That’s just the wrong place. This is a culture. You do this because you’re obsessed with it.”

The problem, Rigney added, is reaching the right people: “A lot of the most talented [hackers] are simply unaware they can get well-paying jobs doing this kind of work.”

To find them, government and industry should sponsor more capture-the-flag cyber events to challenge hackers, either working alone or in teams, to outdo others, Rigney said. Such events are signature elements of hacker conferences like Def Con and provide the kind of challenge that brings hackers out into the open.

That answers part of the problem, but not everything. Many skilled hackers won’t qualify for military service – with its additional fitness requirements – or won’t want to put up with all of its other constraints. That’s why it’s also important to identify people who are already in the military who have the native talent to develop hacking skills.

Rigney said the COAC has proven that the military can train its own by developing an environment in which students discover the obsessive, addictive nature of computer hacking for themselves. The most successful students are self-learners who approach problems they’re given with a passionate, obsessive desire to find the answer, even if that means staying up all night.

“They’ve got to have that obsession,” Rigney said, noting that although students in the military course are expected to show up at 8 a.m., he continued to get text messages and questions from them into the wee hours of the morning.

Most military cyber training doesn’t allow for that continued at-home experience – frustrating students, Rigney said. “Our training facilities and approaches don’t necessarily foster that kind of environment.”

Adding even more complexity to the cyber talent equation is the need for Command and Control of cyber-warriors.

“Although improving hacker skills is an important part of strengthening cyber defenses, those skills need to be combined with a disciplined focus on Tactics, Techniques and Procedures (TTP), just like any other weapons system,” said Stanley Tyliszczak, vice president of technology integration and chief engineer at General Dynamics Information Technology. “Hackers are technically very savvy, but their motivations aren’t necessarily the same as a determined adversary’s. Hackers can afford to be ad-hoc and define ‘mission success’ after the fact, based on results accomplished.

“In cyber warfare, we still need training on TTPs for how to employ and defend against cyber weapons – detailed analysis of things like risks, threats, vulnerabilities and targeting,” Tyliszczak continued. “We need cross-functional teams that understand different motivations – things like financial gain, economic disruption and political mischief as well as traditional espionage. We have to learn how to understand different threats and achieve specific results based on planned actions. It has to be a disciplined approach.”

Meeting the Numbers
Developing enough cyber talent that the work can be spread out and doesn’t overburden just a few is still a critical problem. Rigney praised the on-the-job learning experiences he enjoyed as an operator at NSA, but said most of the people he worked with ended up leaving the government due to burnout.

“We’ve got to figure out a way to avoid burning these guys out,” he said. His solution: Find and “train much more of them.”

Maryland Air National Guard Capt. Matthew “Tux” Weiner, group weapons and tactics officer of the 275th Air Force Support Squadron, agreed with Rigney that identifying candidates with “that hacker mindset” is critical. A former master sergeant who stood up the initial cadre of the U.S. Air Force Cyber Warfare Operations Weapon Instructor Course, an elite course in cyber at Nellis Air Force Base, Weiner has first-hand experience with finding, training and retaining valuable cyber talent.

The service today starts with a notoriously challenging assessment test – “the smartest people I know take this assessment and don’t pass,” he said – and continues with rigorous training that weeds out half of the select few who qualify to attend. Successful operators combine military experience, intense level of effort and attention to detail to survive, Weiner said, working their way through foundational training, operational training and then professional development that takes them from apprentice to journeyman to master level operator.

Just training them to the point of operational readiness costs in excess of $250,000 per person, he said, in part because the washout and attrition rates are so high. The Air Force struggles in particular to hold on to its few master-level operators, he said.

Students need to be able to master networking, the UNIX and Windows operating systems, security and all the related protocols. “It isn’t just learning TCP/IP and network security,” Weiner said. “It’s wanting to go in there, understand security and break the system. It’s about having the mindset that you want to hack into something and break it.”

Once those people are trained and ready, it’s essential the services nurture them as valued assets, providing additional training, plenty of support and opportunities to grow. There’s no shortage of cyber work to be done. But there remains – and will for some time – a shortage of talent to get those jobs done.

DISA Racing to Streamline Cyber Toolsets

The Defense Information Systems Agency (DISA) will pare back its cybersecurity software stack in order to simplify the security architecture, eliminate redundancies, ease the burden on operators – and reduce licensing costs.

The rapid evolution of cybersecurity software tools is driving the shift. As vendors expand the reach and breadth of their toolsets, what had been distinct programs are beginning to overlap. Eliminating that duplication serves two purposes: reducing the complexity of the security architecture and easing the burden on often-overtaxed cyber defenders, said Col. Brian Lytell, DISA’s deputy director of cyber development.

“Integration has become increasingly complex and difficult,” Lytell said. “That is driving inefficiencies in the operational forces, not just within DISA but also within the services themselves. The amount of data that moves through there and the choices [of available tools] is making it difficult and complex [for operators] to understand.”

The result: “I’m going to have to eliminate some things within the architecture itself to try to simplify it and reduce it down,” Lytell continued.

He acknowledges that do-it-all security suites may not be as good at every task they perform as some specialized tools.

“We have to strike a balance between those individual niche products and the Swiss Army utility knife that does everything OK,” he said. “We’ll have to be very careful about what we do there.” But streamlining is necessary, as much for front-line security managers as for the bottom line savings. “We’re overwhelming the network defenders and the analysts with the number of indicators and warnings that come through.”

DISA is effectively the Internet service provider to the Defense Department (DoD) and the security tools it employs defend the entire network and the services it supports. The agency provides security at multiple levels, starting at the perimeter with content filtering and email security and continuing through endpoint, data center and regional security through the Joint Regional Security Stack (JRSS) architecture. In addition, the agency must defend against distributed denial of service (DDoS) attacks and support secure data exchanges with coalition partners. The agency employs about 40 different cybersecurity tools to do all that.

“Not only do we have defense in depth,” Lytell says, “but we also have different vendors, and we have vendor-in-depth. That compounds the problem.” Many of the tools don’t integrate well with each other, he said. “Increased interoperability between tool sets is highly desired.”

Looking forward, Lytell tied DISA’s cyber program to DoD’s Third Offset Strategy, which aims to harness disruptive technologies into a revolutionary technological edge over adversaries. Also wanted: a Big Data platform to plow through the massive amount of data inside DoD’s networks and identify specific threats, “to get inside the kill chain” and take action before an initial penetration becomes an active campaign with damaging effects.

John Hickey, DISA’s chief cyber executive and Lytell’s boss, said the agency pits its cyber tools against each other in test settings to see how they perform against the specific threats facing live defense networks each day. The results of those reviews will be used to determine which of the many tools DISA uses can be cut out of the security stack.

“What are those products that are providing us the most defense for the cost of investment?” Hickey asks.

To do that, DISA is conducting a NIPRNET SIPRNET Cybersecurity Architecture Review (NSCSAR – pronounced “NASCAR”) to see how tools perform against “real threats we see within DoD,” he said.

NSCSAR is intended to “evolve the cybersecurity architecture as necessary and create an implementation road map” for the DoD Information Network (DODIN) “based on an end‐to‐end holistic review of the security architecture and current implementations and plans,” according to agency documentation.

The project looks at DISA networks in the same way adversaries do, recognizing areas of strength and seeking out potential weaknesses. DISA does not discuss details of those performance results, because they are classified. But the effort has helped officials understand the relative strength and value of its defensive tools.

Using the cyber kill chain as a framework, Hickey said, DISA will apply those insights with a very specific purpose: “We’re looking now at where do we invest and where do we de-invest.”
