recommended reading

Hackers to Pentagon: You’re Doing Cyber Wrong

What happens when you bring together some of the nation’s leading hackers, the Pentagon’s chief of training and an Air Force Academy professor who teaches cyber skills to cadets? They all agree on one thing: The government’s approach to cyber security is coming up short.

They sat on the dais, an unusual assortment of experts at a conference for military simulation and training experts. No prepared speeches, just a wide open Q&A.

Their message in three bullets:

  • You can’t teach cyber defense without a thorough understanding and expertise in cyber offense
  • Cyber is all about breaking the rules. If you try to break cyber defense into a series of check-box requirements, you will fail
  • The Fifth Domain, as cyber is sometimes called in the military (joining air, land, sea and space) is not like the others. There is no high ground and the weapon you wield today may not even exist tomorrow

In the center was Frank DiGiovanni, director of Force Readiness and Training at the Pentagon, joined on his far left by Martin Carlisle, professor of computer science at the Air Force Academy. Sharing that stage were three of the best-known ethical hackers in the business: Jeff Moss, founder of Black Hat and DefCon, the two best-known annual hacker conferences; John Rigney, co-founder of Point3 Security, a Maryland cyber firm, who says he made his first hack at age 8; and Brian Markus, CEO of Aries Security, best known for his “Wall of Sheep” – an annual rite at the DefCon event, where he posts the names of all who have exposed themselves to security cyber hacks while attending the conference, which brings together some of the world’s top hacking talent.

What these five know about cyber security – or how to defeat it – can’t be cataloged. Indeed, part of their message is that cyber security, or cyber warfare, is so fluid, so rapidly evolving, that trying to define it or contain it is essentially impossible.

The government and industry are both in a quandary over the cyber challenge, partly because it’s unclear where their missions start and stop. America is fighting its cyber battles like the British fought in the American Revolution, he said. Back then, the British fought out in the open, following a well-drilled formula for combat. The Americans countered with guerilla warfare, fighting from the woods.

By limiting most of our defenders to defense-only approaches, the United States is effectively fighting while hand-cuffed. Cyber attackers, on the other hand, whether criminals or nation states, are playing without rules.

Said Markus: “We’re going up against a 300-pound fighter with one hand behind our back. We are going in with too many limitations.”

That’s the first thing cyber training needs to take into account: Cyber warriors have to be able to think like their attackers, and to do that they need to train like their attackers. Instead of focusing on rules and process, they need to focus on puzzle- and problem-solving.

Certifications are useful in understanding what people know, Carlisle said, but they are of limited use in fighting the active cyber attacker. Hackers buy cyber defense technology and then work on their own to defeat it. So one can’t be satisfied that having the best tools will be enough to protect your network.

The key to developing cyber talent isn’t to teach people to do well on certification tests, Carlisle and the others said, but rather to teach them to think and problem solve.

Said DiGiovanni: “If you think you can catalog every known thing that can happen to you, you’re wrong from the beginning…. To do this right, the training environ needs to be able to go beyond the square where you know exactly what you’re doing. The minute you do that, it’s exploitable. Someone will find a weakness in that training regimen and attack it.”

Similarly, Rigney questioned military efforts to standardize network design. “One attack profile means one target,” he said.

Cyber security is complex and fluid. Everything is changing, all the time, the panelists said. The military has the capability and the mission to develop the right tools. But to be successful, its policies and approach will have to change – and not just in how people are trained. One problem several panelists mentioned is that even when the military gets the training right, it sometimes mishandles the talent it produces.

This problem is not the military’s alone. Industry also makes mistakes. Markus described training programs to teach cyber skills that were highly successful, only to fail when it came to retaining talent. “When you train a bunch of people, and they get really excited, and amped up, and they have all this great knowledge of effects and warfare, and then you say, ‘Go watch the SOC [cyber operations center] logs,’ they say, ‘Fine, I quit. I want to go do something else.’ That’s why the industry is bleeding out people. They train them to be offensive warfare personnel, and then they have them go watch a gate.”

The military, everyone agreed, needs to be careful not to follow that model.

Carlisle, who emphasized he was speaking on his own behalf, and not for the Air Force Academy or the Air Force itself, said he rejects two common notions in military circles: First, that it’s ok to train for defense only out of concern about the risks involved with teaching people how to hack. “The military has certain fields, SEALs for example, who we accept that we train them to act with a certain degree of lethality. We should treat cyber the same way,” he said. Second, there are leaders who are satisfied to train cyber personnel only to lose them to industry after five or six years. Those leaders say what they really need are managers, not technical experts. “I reject that hypothesis,” he said.

The heart of cyber warfare, the panel agreed, is offensive operations. These are essential military skills they said, which need to be developed and nurtured – in order to ensure a sound cyber defense.

Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.

This content is made possible by our sponsor. The editorial staff of Nextgov was not involved in its preparation.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.