Thursday, August 03, 2006

Thoughts on Military Service

I recently received an email which contained the following request:

I would be greatly appreciative of any response from you regarding how your experience with the military has enhanced your knowledge and careers in information security and any advice you may have to offer.

I was a cadet at the Air Force Academy from 1990-1994, and an active duty officer from 1994 to early 2001. I received my first formal training in security during military intelligence training in 1996. I started my first hands-on security work in 1998 at the Air Force CERT, using our ASIM sensors to detect and respond to intrusions. I met Sguil developer Bamm Visscher there. I left the Air Force when the personnel system decided it was time for me to "career broaden" out of the technical world and into another field. No thanks!

From my perspective, the Air Force is a good way to gain responsibility at a young age. It was quite an experience to be 27 and in charge of detecting intrusions across the whole Air Force. I liked the sense that what we did "mattered." Management supported our mission. In fact, current CIA Director General Michael Hayden commanded Air Intelligence Agency while I was assigned there, and he invented our information gain - exploit - defend - attack (GEDA) framework.

While in the Air Force I had a chance to deal with high-end intruders who were financed, trained, and determined. Failure was measured in lost sensitive information and potentially lives. When taken seriously, that reality drove adopting what worked and eliminating what didn't. I developed my thoughts on network security monitoring based on my Air Force experiences. I was also proud to serve with some of the most motivated and talented people I've ever met.

8 comments:

Anonymous said...

To make the long story short… I could not be more proud of the experience that the AF afforded me, I recommend it to everyone! For the long story read on…

My time in the military helped to poise me for success for the rest of my career. As an 18 year old I joined because my financial situation did not include the possibility for a solid college education, I was faced with either getting into trouble around town or doing something productive with my life. I chose the later and instantly grew-up. I started in the Intelligence field and quickly learned the meaning of responsibility - my mistakes meant people died - talk about a sense of urgency. Learning responsibility, priority, urgency at that age and having it reinforced with every task built a sense of pride and confidence that has become part of me. After serving in the AF I too worked at AFCERT although I spent my days there learning from folks like Bamm, Richard and so many others that I couldn't possibly thank enough for supporting me through the years. Focusing on "real" information security threats was thrilling - learning to prioritize and work through the mundane incidents was also rewarding in this situation because of the caliber of people I was surrounded by. Working in that environment even further strengthened my ability to deal with any situation and also helped me to crystallize another important military premise – process. A single person’s ability to execute does not lend itself to a capability for an organization. Training and process development have significant place in building an ever increasing capability. Military life teaches you that quickly because people tend to move on quite quickly. Many civilian organizations ignore that fact until it is too late.

I've been very lucky in my career but I always attribute the source of my success to the Air Force, AF Intelligence training and AFCERT training I received and lived with for so many years. Now when I'm faced with pressure from sales people or supervisors it is very easy to put it in perspective and deal with it appropriately. Stress is something that just doesn't affect me in commercial situations any more.

To more directly answer the initial question “how your experience with the military has enhanced your knowledge and careers in information security and any advice you may have to offer.” My response is: I’ve parlayed my AF and AF related experience into a career that has had me leading commercial incident response teams, building and directing global security operations centers, building CIRT/CSIRC capabilities for government organizations, supporting global enterprise security management goals of the fortune 100 and government/intelligence agencies world-wide to now managing the careers of many of the best information security consultants I’ve had the pleasure to work with. I’d never have done any of this without first learning to “fly” in the AF.

Rocky.

LonerVamp said...

Awesome accounts, both of you! I think both of you got what so many of us really look for: guidance to get your feet on the ground technically, confidence, and a pushing to strive for excellence. I know I am 5 years out of college and still looking for those things.

Chris Harrington said...

I couldn't agree more the value of military experience, especially for younger people considering the field. It is a great way to get experience and a security clearance if you enter the right field, not to mention the educational benefits. If I could do it over I would have joined out of high school.

My first IT job was network admin for a retail chain in 1991. After 3 or 4 years of this I went back to college and ended up an Intelligence Specialist in the US Navy. I was a Naval Reserve Intelligence Specialist when I went to work for the NSA in late 1999. Having military and intel experience with a TS / SCI clearance made me a more attractive candidate. The experience, training and contacts I gained during my military / NSA days have opened countless doors for me in the private sector.

--Chris Harrington

Anonymous said...

(Please do not take this as an attack on our nation's military, troops, etc as my family and I have the utmost respect for all who've served, past and present.)

Richard and Rocky, in present day (since I'm assuming both of you served in the 1990's) would you recommend somebody with a bachelor's degree (and a great job already in the private sector) to enter the USAF to gain more information security related experience? How do you feel about joining now with the war in Iraq and the current events in Israel/Hezbollah?

I've been pondering the idea of joining the USAF to work in the information security/intellgience fields, however family members have given me reason not to join(yet). My cousin, came back from a year long tour in Iraq in March 06'. He is a Marine and he said it was hell. If I were to join the AF, chances of becoming an officer (relatively simple according to their website, just go to OTS) then is slim and chances are, you're going to the front. My cousin told me to get a Master's Degree, and then I may be worth a little more and keep me behind the lines. My parents have invested a lot in me and would hate to see me just throw everything I've gained and just blow "shit" up.

I've come to reason and agree on this with him, but would also like to hear your opinions and anything you may add too or dispute.

Thank you

Richard Bejtlich said...

Anonymous,

I think you emphasize an important point: first, join the military to defend the country -- above all else. Join second for career benefits. If you joined for the second reason and find yourself being shelled in a foxhole, you'll wonder why you ever signed that contract!

Keydet89 said...

My own experience is somewhat different...I came from a military family, and all I ever knew through high school was that I was going into the military. My folks couldn't afford to send me to college, so I got an ROTC scholarship and headed off to one my folks *could* afford, out in the Shenandoah Valley.

In the late 80s, the military still had some of the remnants of the Reagan era of military build up around. The Marines said they were the toughest and the best, and challenged young men such as myself to see if we had what it took to become one of them. At that age...17 to 21...it was a challenge that I couldn't resist.

These days, people look at me and say, "oh, you're that way because you were in the Marines." That isn't entirely true...I was that way before I became a Marine, and the Marines valued those traits.

I did a lot of things while I was in the Marines, and I'm proud of my service. That being said, one cannot honestly use the words "Marine Corps" and "cutting edge technology" in the same sentence. However, the experiences I had of meeting and working with different people, doing different things, all led to where I am today.

Would I recommend military service to folks today? Most definitely...in fact, every day I see our youth who would really benefit from some time "in the trenches", as it were. However, the one caveat I always have is to choose military service for the right reasons, and with your eyes open. Look around, talk to folks, figure out what you want to do, and then go after it. If you don't want to be a grunt, then do something else...those other grunts aren't going to want you around if you don't want to be there. Like Richard said, don't go into the military for career benefits...that's the wrong reason. However, there's nothing wrong with learning a valuable skill while you're serving your country. One of the great things about the military is that they will not only teach you to do something (build things, blow things up, fly/drive things, etc.) but they'll provide you with valuable experience actually doing those things.

Anonymous said...

Hi Rich, Key, and Anonymous,

I used to work with Rich (for a short while) while at the AFCERT and I served as Incident Response Lead there and also am currently a lead working reverse engineering for the Air Force. I have done nothing but information security for the 6 years I've been in. The Air Force is downsizing right now so it is harder to "get in". If you want to do information security/intelligence as an officer you would most likely have to be a comm officer (33) or an engineering officer (62), and possibly intel. The problem with wanting to do a certain job in the Air Force is that your first assignment is often "luck" and often impacts what you will eventually do. You may want to do information security, but may find it very difficult once you get in. As they say....the needs of the Air Force.... As far as deploying, it is almost guaranteed that you will. However, you will not be in the same environment as a Marine or Army guy. That doesn't mean you can't get taken out by an IED or sniper, just that you will be in a support role not directly fighting.

Ultimately, I agree with what Rich and Key said don't get in the Military for the job, get in because you want to serve your country. If you get in for the job don't be surprised when you're unhappy because your assignment doesn't turn out the way you wanted. Me, I've been fortunate so far, and I actually plan on staying in for awhile longer both because I love what I'm doing, enjoy serving, and "keep my fingers crossed" can stay in information security positions. They are currently offering bonuses for engineers to get out, and they are also non-volunteering people out as well. Two or three years ago I probably would have jumped at the money, but I have learned quite a bit more than I had bargained for in the military.

David Chaboya

Tom Williams said...

I have to completely agree. I joined the Marine Corps at 18, fresh out of high school. I went into an Aviation Maintenance Administrator/Data Analyst field. I got some damn good skills. I got out and transferred to the Army and went through their IT school. It was unfortunately discovered that I have 2 bulging disc in my back, and I was medically discharged.

All of the skills I gained, as well as the security clearance, got me the job I currently have, supporting the largest interconnected network of computers in the world (beside the internet) known as NMCI.

I grew up because of the Marine Corps. I gained skills because of the Marine Corps. I became damn good at what I do because of the Marine Corps. The military was the best thing I ever did.