DoD Hires Hackers to Teach Cyber
At the same picturesque former hospital where Walter Reed taught medicine in the 1880s and ’90s, a new generation of cyber warrior is working on a very different kind of problem: how to teach the foundational skills needed to be a top-notch hacker for the government.
Just as Reed’s research proved that mosquitoes, rather than humans, transmitted yellow fever and changed the way the Army treated infectious diseases, this modern experiment uses volunteers to prove the theory that almost anyone with native curiosity, self-motivation and a talent for problem solving can be taught to be a competent hacker in six months or less.
Today, the second cohort of volunteers is 10 weeks into a six-month course developing skills they acknowledge they may never use in real life. Researchers catalog what works and what doesn’t, how long it takes to teach each concept and which students excel and why. Already, adjustments are underway. The first cohort focused a little too much on offense, leaders decided. So the second group is spending more time learning defensive techniques.
The hope is this Cyber Operations Academy Course will become a model for cyber skills training across the services, one that sets aside conventional lecture-based learning for a more hands-on model in which teams of students work together with mentors to develop team-building, problem-solving and technical programming skills all at once. The course is overseen by Frank DiGiovanni, director of Force Training in the Office of the Secretary of Defense, who wants to accelerate the process of developing ethical hackers for government agencies.
“I’m trying to train confidence, trying to train cognitive problem solving skills, but in the cyber context, which is powerful,” DiGiovanni says.
The class started in April with 30 students; two were dropped and the others are progressing. By design, the students all bring wildly different backgrounds. Some have college degrees, others don’t. There is a PhD research scientist and also a Special Forces infantryman, both officers and enlisted people and civilians from the Department of Homeland Security. It’s mostly male and mostly white, but by no means exclusively so. By most measures, it’s a diverse group.
Students are grouped in “fire teams” of five to seven. The group approach is central to the idea of team learning, applying an academic concept called “zone proximal development” that holds that students will learn to master a task more quickly with the help of peers and mentors. The name fire team is a nod to the notion that cyber warfare is not so different from infantry.
DiGiovanni sees cyber as a battlefield domain and looks for parallels that can help drive that point home. The concept that cyber is best fought as a group activity – like any other battle – is central to his thinking.
A second tenet of DiGiovanni’s approach is that technical skills alone are inadequate for the challenge. Cyber involves technology, he says, but also politics, economics, tradecraft and culture. So students must learn to understand adversaries on multiple levels.
“What cyber effects needs to be effective is this: You need to know the cyber terrain,” DiGiovanni explains. “We infused the course with sociology, ethnography and anthropology.… You don’t conduct an assault on the enemy if you don’t know the terrain they’re in, what surrounds them. This is Sun Tzu on the cyber side.”
The social science disciplines help students better understand who they’re up against and why. Those facts can then be aligned with what we know of adversaries’ signature techniques, tactics and procedures.
“Techniques give clues about who you are and could also tip off what you’re after,” DiGiovanni says. This includes the way adversaries might seek to cover their tracks. For example, Russia adapted the concept of maskirovka – literally, masking – from conventional battlefield usage and applied it to the cyber arena. Students learn to identify the tactics of different adversaries, as well as the techniques that can be employed to cover one’s tracks. They have to become adept at identifying what the adversary is doing as well as executing their own cyber missions without leaving digital fingerprints in their wake.
Scaling the Concept
Now program designers are starting to think about scaling the program. DiGiovanni says the course will continue at its present size – roughly 60 people split into two cohorts a year – on an experimental level. But as it stands today, this course’s low student-to-teacher ratio can’t realistically put a dent in the military services’ requirements for highly trained cyber warriors. They’re going to need to train cyber troops by the hundreds, if not thousands per year.
“That’s the biggest complaint about journeyman-apprentice: It doesn’t scale,” DiGiovanni says. That makes it more costly and slower, compared to traditional teaching methods. Journeyman-apprentice is another core concept built into this course. Instructors aren’t academics, but cyber practitioners from Point3 Security, a Baltimore firm, working side-by-side with the students to help them learn the skills of the trade. They guide, but don’t give away the answers. (When DiGiovanni asks the students later if their instructors help them with answers, they laugh. Instructors advise. They don’t do the work. So what do they do? “Google,” one student says. “It helps.”)
DiGiovanni doesn’t want to ditch the approach, just find a way to make it more efficient. So he and his team are studying an alternative “blended training model,” in which students would spend up to 80 percent of their time working at their own pace online and the balance working directly with instructor-mentors. Instead of a 5:1 or 6:1 student-teacher ratio, he says, blended learning can support a 50:1 ratio, a 10-fold improvement.
What Students Say
In a small auditorium up a flight or two of stairs, students and instructors spread out, with students mostly in the first few rows and instructors in the back and closer to the aisles. The dress is casual, with t-shirts and jeans predominating – it’s not so easy to tell students from staff. DiGiovanni greets everyone like a principal visiting high school seniors. After a few generalities and the mention that there’s a reporter in the room, he asks for questions. There’s a pause.
A soldier raises his hand and asks about the disparity in skill levels across a fire team. He’s concerned that those less skilled are holding back the others. I wonder: Is he complaining about his teammates?
The questions and comments are precise and insightful, the questioner intense, breaking down the system as he sees it and wondering how to make it better in later iterations.
“We’re working on time constraints, so you only have so much time for a project. If I’m too slow, then eventually someone’s going to have to jump in and try and bring me up to speed,” he says.
No, he’s not complaining about the others. He’s concerned he’s holding them back. There’s a parallel here to infantry, where one person’s weaknesses or failures mean others will have to carry their load, which in turn could end up getting other people killed.
DiGiovanni accepts the criticism as fair, but explains the course was structured that way by design.
“When you get in the team, it’s not about you. It’s the team,” DiGiovanni says. “If you get behind on an exploit, or behind in your part, you have to let them know.” He explains the concept of zone proximal development, but it doesn’t seem to resonate. In addition to his day job at the Pentagon, DiGiovanni is working on a doctorate in education at the University of Pennsylvania, and he can geek out on educational theory.
Still, he’s seen the benefits of the concept and believes it can be critical to uncovering talent that might otherwise be ignored. One of the most successful students in the first cohort was a self-described Air Force cable puller whose computer skills were so basic he had to be taught how to right-click with his mouse. “I’m serious,” DiGiovanni says. “He didn’t know how to right-click.”
By the end of the six months, however, the airman was among the best in the class. “He blossomed.”
Someone else asks about certifications. “How do we convey what we learned that explains the equivalency?” he asks. He’s concerned that after six months in the class he will go back to his unit with an unfamiliar course under his belt and no way to demonstrate he’s got additional skills. “Like, if I had JCAC, people would know what that means.”
JCAC is the Joint Cyber Analysis Course, a conventional course broken down into 10 modules. “It’s PowerPoint learning for six months,” DiGiovanni says. His course, by contrast, provides more hands-on learning, teaching the skills one would use on the job. It aims to deliver at least one and a half times what JCAC students learn in the same time. “We’ve had JCAC graduates take this course,” he explains to the class. “They were like, ‘Before this course I would throw up my hands’” if they were stumped by a problem. After it, however, they had the skills to problem-solve on their own.
But he acknowledges the concern. After the first course was complete, he wrote to every student’s senior commander, explained the extraordinary training they had just received and urged an open mind in making the greatest use of that training, regardless of the job or skill set the individual had before taking the course. Despite that, most graduates went back to the jobs they were doing before taking the course.
So a credential would have value, DiGiovanni says. “I have to get you an internationally recognized certification.”
Students will take the Offensive Security Certified Professional exam. According to DiGiovanni’s staff, fewer than 20 percent of test takers typically pass the exam. But after the first course, 10 of 18 students passed.
Next someone asks about the Internet connection, a frustration for everyone. Future cyber-training classrooms will certainly have access to robust network infrastructure and cyber ranges. But today, even basic connectivity can be a struggle. The cyber students can’t be on the base network, DiGiovanni says, because the sites they visit and the work they do would violate security protocols. A dedicated fiber connection set up for the first cohort was disconnected, however, and DiGiovanni and his team have so far been unable to get it turned on again. For now, students use wireless hotspots, which are workable, but slow and frustrating.
Working on it, DiGiovanni says. “That’s on me.”
The Cyber Classroom
The Q and A over, students return to their makeshift workspaces in small upper rooms. They’re seated around folding tables, laptops open, facing each other. Energy drinks, snacks, daypacks and a tangle of cables and wires give the room a makeshift vibe. It’s part college group project, part ops meeting.
This fire team includes three active duty soldiers, a National Guard member and an Air Force Research Laboratory PhD. The Guardsman is attached to a Georgia cyber unit and works in information assurance in his civilian capacity. He was a journalism and public relations major in college, but found his calling doing network security. He’s one of three members from his unit taking this course and he’s skeptical.
“There’s a big difference between writing an exploit and defending a network,” he says. “For my unit, we’re there to make sure the water’s running and the electricity stays on. We’re not sending exploits across the wire.”
DiGiovanni and the instructor staff expect cyber troops to be asked to do both. Hack attacks are not typically one-shot deals, but ongoing affairs with moves and counter moves, like Cold War spy-on-spy maneuvers or live military engagements.
The fire team members expected more tool-based training, hard skills they could take back to their jobs. Instead, they’re getting a combination of hard and soft skills, and it’s difficult for them to see at this stage how that will apply to the jobs they’ll have when they return to work.
“This course would be a phenomenal program for people with programming skills,” says the soldier who asked earlier about holding back his team. “As is, it’s not the best fit for taking someone from zero to hero.”
Establishing prerequisites could help, they think, and they’re excited about the online course. “That would allow people to focus on the elements they need,” one soldier says. Another sees the potential for individual students to drill down on particular areas, “like a major in college, so there could be a defensive track, an offensive track, and so on.”
That’s all possible someday. But now there’s work to be done. Like any fire team with a job to do, they’re feeling the pressure to get back to work. They’ve got an assignment.
DiGiovanni, meanwhile, has moved on to another meeting. He may not be ready now to re-write the rules on cyber education. But day by day, he’s adding data points to the picture. The military and industry need people who can reverse engineer malware, identify weaknesses in operating systems, develop and execute exploits. Cyber red teams need people with the skills to challenge cyber defenders. Exercises like the recent “Hack the Pentagon” effort, in which hackers were awarded prizes for identifying weak spots in DoD defenses, prove the point. DoD either has to develop its own hackers or find a way to bring outsiders into its fold. The Cyber Academy Course does a little bit of both.