

US Cyber Command Staffed by "Warriors", not "Geeks" - jcnnghm
http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092303000.html?hpid=topnews

======
tptacek
I'm pretty convinced that all the publicity accorded to the "US Cyber Command"
is a decoy, meant (a) to command the attention of the public, (b) send a
message that the government is taking the issue seriously, and (c) deflect
questions from the real efforts the national security establishment is making
to grapple with offensive technology.

I know much less about military/intelligence computing than a lot of other
security people, but in a career spent neck-deep in vulnerability research,
you get data points in dribs and drabs. They include:

* The immense role of military contractors in securing DHS/DOD networks.

* The NSA's (incidental) role as a feeder for offensive computing specialists into industry.

* The (very shadowy) network of business fronts for vulnerability purchasing, along with the notional understanding of the kinds of vulnerabilities they seem most interested in.

* The large, contractor-run malware research groups set up around the country.

There are serious infosec people in the DoD --- particularly the Air Force[1]
--- but I don't have the sense that DoD runs the show on this. I think
articles like this are a red herring.

[1] During the early '90s hacker renaissance (the Operation Sun-Devil era),
AF-OSI really did seem to run the table on computer security for the
government.

~~~
borism
_> (a) to command the attention of the public_

 _> (b) send a message that the government is taking the issue seriously_

are you serious? the whole article seems to be written by, for and about 5
year olds. Did you get to the part where they talk about planning to bomb Iraq
when it turns out they were hacked by some teenagers? how much attention and
seriousness is that inserting into US population?

 _> The immense role of military contractors in securing DHS/DOD networks._

The immense role of contractors in DoD budget is not exactly news

 _> The large, contractor-run malware research groups set up around the
country._

any evidence?

~~~
count
Did you get the part where that was over 12 years ago?

~~~
borism
Actually that part was the only one of interest. I didn't know Clinton was
planning to bomb Iraq in 1998.

~~~
tptacek
Uh... Clinton _did_ bomb Iraq in 1998.

~~~
borism
Indeed. Same in 1996.

------
Eliezer
I attended a military conference once on future threats.

They don't understand the Internet.

I mean, at all.

Imagine every stereotype about how old people don't get the Internet. That is
the stage of thinking the military is still at.

One of them was trying to futuristically imagine Internet-coordinated mob
attacks, and I got up in front of the conference and told them that this was
already happening in real life and they needed to ask a fourteen-year-old how
it works on 4chan instead of making things up.

~~~
blasdel
But this has nothing to do with the internet or technology, and everything to
do with projection: <http://essays.dayah.com/lazy-evil-genius>

------
protomyth
Uhm... You get great pilots to fly planes and great hackers to defend / attack
networks. Having a pilot pick programmers is as stupid as having the MBA
choose them.

~~~
count
The services haven't had Infosec personnel long enough to really have many
senior people with that background. So they pick from the pool of people who
need desk jobs - like grounded pilots.

The vast majority of infosec leadership in the services that I've encountered
has been grounded pilots.

It goes as well as it sounds like it would.

------
jcnnghm
If this article is actually indicative of how our electronic security is being
managed, the United States is in serious trouble.

 _"It was supposed to be a war fighter unit, not a geek unit," said task force
veteran Jason Healey, who had served as an Air Force signals intelligence
officer.

A fighter would understand, for instance, if an enemy had penetrated the
networks and changed coordinates or target times, said Dusty Rhoads, a retired
Air Force colonel and former F-117 pilot who recruited the original task force
members. "A techie wouldn't have a clue," he said._

Unfortunately, it's unlikely that the warrior would either know how to defend
the network, or that it was penetrated at all. The skills necessary for
electronic security are so far removed from physical security that the
implication that someone that had been involved with physical security would
somehow have a better understanding is ludicrous on its face.

~~~
dkarl
The key point: _In the world of defending military networks, it takes fighters
- not merely techies - to do the job._

All that means is you need someone with domain knowledge. You need someone who
can recognize non-technical signs of infiltration, who knows the value of
different targets, and who knows the consequences of a particular system being
compromised at a particular time. For military work, that means "fighters."
The military's mistake, if indeed they're making this mistake, is taking it
for granted that the best way to create good leaders and decision-makers is to
train military guys in computer security, when they really need to open it up
from both sides. Anybody who writes software in business knows that the really
effective people who understand the technical and domain ends well enough to
coordinate them emerge from both sides of the business, not just from the
technical side and not just from the domain side.

P.S. I would be most alarmed by the small size of the Cyber Command, but I
assume it's misinformation.

~~~
count
RE: The size.

The Cyber Command is a combatant command (like CENTCOM or AFRICOM) - just a
staff/HQ organization. It directs the service components (US Navy Cyber
Command, US Air Force Cyber Command, etc.) to actually DO things for it.

It won't typically staff actual workerbees - only planning and coordination
type personnel, not hackers and firewall geeks.

------
borism
wow, simply wow! someone is surely on crack!

 _"It looked as though Saddam was about to take down massive amounts of
infrastructure . . . because we were threatening to bomb him," recalled one
former intelligence official. Tensions were building. President Bill Clinton
was briefed. Senior officials convened another meeting in the Pentagon's
"tank," the Joint Chiefs' conference room. The threat was no longer
hypothetical, it seemed.

Then the real culprits were identified: A pair of 16-year-old boys in
California and a teenager from Israel who had exploited a known vulnerability
in the Solaris (UNIX) operating system._

~~~
tptacek
You think _anyone_ was capable of securing _any_ system plugged into _any_
network in 1998? 1998 is the late Cretaceous period for software security.

~~~
borism
No. What I find amusing is that the President was being briefed about cybersec
issues.

