Here’s How DoD Aims to Grow its Own Hackers
With the US government retaliating against Russia for cyber attacks affecting the U.S. Presidential election, demand for more hacking talent within the Department of Defense is sure to rise. The National Security Agency is the primary trainer for military cyber skills until 2019, but after that, the military services are supposed to take over.
“What we are looking for is that hacker mindset,” said Maryland Air National Guard Capt. Matthew “Tux” Weiner, group weapons and tactics officer of the 275th Air Force Support Squadron. A former master sergeant, Weiner stood up the initial cadre of the U.S. Air Force Cyber Warfare Operations Weapon Instructor Course, an elite course in cyber at Nevada’s Nellis Air Force Base.
Finding hackers in uniform is like finding a needle in a haystack. To find them, the Air Force starts with a challenging assessment test that weeds out 99 percent of test takers. “The smartest people I know take this assessment and don’t pass,” Weiner told a packed room full of cyber and training professionals at the Interservice/Industry Training, Simulation and Education Conference late last month. It follows with rigorous training that weeds out half of the select few who qualify.
But Weiner said the service has identified the factors that predict success: military experience, an intense level of effort and exceptional attention to detail. Trainees work their way through a series of training courses, beginning with foundational training – now handled online – followed by operational training and ultimately professional development through three stages: apprentice, journeyman and master-level operator. Once in the field, apprentice operators are paired with more experienced journeymen, continuing the training process.
Getting trainees through costs in excess of $250,000 per person, Weiner said, in part because the washout and attrition rates are so high. Master-level operators are extremely scarce.
Students must master networking, the UNIX and Windows operating systems, security and all the related protocols.
“It isn’t just learning TCP/IP and network security,” Weiner said. “It’s wanting to go in there, understand security and break the system. It’s about having the mindset that you want to hack into something and break it.”
Just like for other military capabilities, the defense industry plays a key role in building DoD’s hacking capacity, said Rear Adm. (Ret.) Tony Cothron, a former chief of naval intelligence and now vice president for customer requirements at General Dynamics Information Technology. Industry provides a “surge” capability with additional hacker manpower, as well as other cyber mission support resources. Companies are investing in training and developing their own cyber talent and for people seeking cyber security careers without having to sign up for the military culture, they can be an excellent alternative, he said. “The demand for personnel with cyber expertise and who are cleared is only going to increase.”
Hackers Are Different
John “Rigs” Rigney, co-founder and chief technology officer of Point3 Security agreed. A lifelong hacker and former NSA cyber operator, said there are really only two routes to recruiting cyber talent: Find these people or grow them yourself.
“I grew up in this world as a hacker,” Rigney said. “I broke into my first system when I was 8 and haven’t really stopped since. When I talk to people about recruiting, I find they’re looking in the wrong places. What I often see is they’re going in to job sites like LinkedIn. I don’t know anyone who has these skills who is on LinkedIn.
“That’s just the wrong place. This is a culture,” he said. “You do this because you’re obsessed with it, because you’re a crazy person. That’s why we do this.”
Rigney has been the lead instructor running and developing the Cyber Operations Academy Course (COAC), an initiative driven by Defense Department Director of Force Training Frank DiGiovanni. The course aims to develop a scalable model for teaching cyber skills to military members with varying levels of cyber knowledge and turn them into operators in just six months, bypassing the conventional hierarchical approach requiring years of schooling and a college degree.
The program has so far proved effective through demonstrations, but scaling it remains a challenge. DiGiovanni believes technology could help with that eventually. Like the Air Force’s operational set-up, this training curriculum is built on a journeyman apprentice model, with more experienced members helping less experienced ones.
Rigney, a lifelong hacker and former NSA cyber operator, observed that many of the most talented hackers are simply unaware that they can get well-paying jobs “doing this kind of work.” Making matters worse, the government and industry often aren’t sure where to look. “I see recruiters looking on sites like LinkedIn,” Rigney said. “These guys just aren’t there.”
To find talented hackers, Rigney suggested agencies and contractors sponsor more capture-the-flag cyber events which showcase hackers’ talent in the cyber game of cat and mouse. Such events are signature elements of hacker conferences like Def Con and provide the kind of challenge that brings hackers out into the open. Rigney led a team that won the Def Con capture the flag contest three years ago.
But not every cyber team seeks that kind of hacker. Some want more conventional cyber defenders. Most hackers argue that unless defenders have the skills and mindset to think like hackers, they won’t be able to seal off networks or successfully hunt down intrusions. The hackers they say, will remain a step ahead.
Another problem is that military members – whether ground pounders, air crew or logisticians – need to meet physical fitness standards that may exclude some hackers. Others might have legal issues keeping them out of uniform.
While COAC trains people with or without specific cyber expertise and Rigney said the course has proved with the right encouragement, students do demonstrate the obsessive, addictive behavior he sees as critical to hacking successfully. “They’ve got to have that obsession,” Rigney said, noting that as a military course, students are expected to show up at 8 each morning, yet he continued to get text messages and questions from them into the wee hours of the morning. Students are encouraged students to take schoolwork home, a marked difference from most military cyber training, which requires students to pack up and leave their classified environments and all work behind.
Once trained, cyber students need to go to work, sitting side-by-side with more experienced perators, and applying their newly developed skills. There, they can refine their knowledge and build up their tradecraft, he said.
But it’s also important to protect cyber practitioners from burnout. Speaking from experience, he said the shortage of cyber talent means military units tend to overburden the few truly talented people they have.
“We’ve got to figure out a way to avoid burning these guys out,” Rigney said. The surest way to do that? “Train many more of them.”