Sunday, July 06, 2008

Air Force Cyber Panel

Last month I participated in a panel hosted by the US Air Force. One of my co-panelists, Jim Stogdill, summarized some of the event in his recent post Sharing vs. Protecting, Generativity on DoD Networks.

I'd like to add the following thoughts. Before the event most of the panelists met for breakfast. One of the subjects we discussed was the so-called "People's Army" China uses for conducting cyber operations. You can read about this phenomenon in the great book The Dark Visitor.

In the US, our DoD relies upon professional, uniformed military members, government civilians, and an immense contracting force to defend the nation and project its military power. In China, their PLA mixes uniformed military with ordinary civilians, some of whom act at the behest of the military and government, with others acting on their own for "patriotic means."

This latter model is almost unheard of in the US and completely outside any formalized mechanism offered by the DoD. Imagine a group of "patriotic" teenagers approaching the DoD, saying they had hacked into some uber-secret Chinese network! How would generals even wrap their heads around such a scenario? That's illegal! Those kids aren't cleared! Government officials cannot accept donations!

This creates an amazing scenario. In one corner, the military-industrial complex. In the other, the People's Army. Who will win?

During the panel the question of recruiting "cyber warriors" was raised. I responded that recruitment wasn't the real problem; retention is. I left the Air Force Information Warfare Center (along with 31 of my fellow 32 company grade officers) because there was no career path that could keep me "in front of a computer screen." (That reminds me of the problems pilots have "staying in the cockpit.") When I was told it was "time to move," I was given the choice of being a protocol officer, a logistics officer, or an executive officer. The Air Force calls this "career broadening." I decided to broaden my way right out of the service rather than accept any of those non-intelligence, non-cyber jobs. I am hopeful the new Cyber Command will give young officers a real future conducing computer operations.

We discussed open source software briefly. I told the audience that if Windows XP were open source, no one would really care if Microsoft ended support. If the OS were truly that important to the mission, and it was an open source product, the Air Force could fork it and maintain its own patches and development. I am constantly amazed that some people advocate Microsoft's commercial "support" for XP as a reason for shunning open source software, when those "customers" are being instructed by Microsoft to migrate to Vista as XP's support ends.

I still think the Air Force's decision to stick with Microsoft was stupid. Can you imagine it's been almost four years since the AF-Microsoft super deal was signed? Think of all the Microsoft-targeting client-side attacks that could have been avoided if the client had not been running applications on Microsoft Windows.

Yes, I know, other operating systems have problems, other applications have problems, client-side attacks aren't everything, blah blah. Shifting to something other than Windows would still have increased the intruder's cost of exploitation. Suddenly instead of focusing all their R&D on attacking Windows, the bad guy has to open a second exploit development shop, and be far more careful when attacking the Air Force. What did NSA spend all that effort on SELinux for anyway?

Overall, I really enjoyed the panel and even got to visit a few friends from way back in the Air Force CERT who also attended the conference. I met some cool people on the panel too. Please feel free to reunite us anytime!

5 comments:

stretch said...

"I responded that recruitment wasn't the real problem; retention is."

No kidding. In a time where we're at war in several countries, the USAF has seen fit to lay off some 40,000 airmen. "Force shaping" is the euphemism they use, at least for the enlisted side.

I was one of those 40,000. As a 3C251 (tech controller) approaching the completion of a four-year enlistment, I was told to retrain or get out. Hmm, should I pick a new career to suit the Air Force, or get out and keep doing a job I love with pay rivaling that of a general? This was not a difficult decision, for me or for my former coworkers facing the same ultimatum.

Sadly the USAF will never retain a significant amount of talent without drastically improving the benefits offered to and its respect toward the individual.

oneguynick said...

Put me in the "me too" column. I was a 3C051 that had been through BIP200 and certified for NetSec/IA work. They force shaped me right into a wonderful civilian life doing what I love. I was mustered a few weeks ago and it made me sad as I truly loved the military. Such is the world of bean counters and GS slots.

The thought of coming from my IA Tech Lead slot back to an E3 slot scared me silly. I made less than 20k those 3 years!

I am afraid that if universal healthcare ever comes into play the military will have a VERY hard time getting folks in.

Bob Huber said...

I agree retention is a tough issue facing the military; however, with many states standing up Cyber Guard units, it does provide an option to be a Cyber Warrior and don the uniform on a part time basis.

Anonymous said...

Comming soon: US Cyber Militia

rybolov said...

Hi Richard

It's both recruiting and retention. When you're looking at an overall lack of skilled people in the private sector, how are you going to find skilled people that want to be an E2? According to Cyber Command's adjutant, they want to recruit people who want to be in the Air Force first and then take the ones that have the apptitude and put them in a cyber career field. Sorry, but that doesn't work in my world, and it's 19th-century military mentality to think that you can manage geeks like you can infantrymen.

The only people you will get are people who want the training and the experience who will jump ship as soon as they can. I've seen it with other highly-skilled jobs in the military like the linguists and intel analysts.

We'll solve the personnel problem like we do for all the other career fields: give you a highly-scoped job description and a task list to train on that's outdated the day that it's finalized and that sure, you can do just the tasks in your list but if you want to be good you need to know a whole bunch more.

The people who know the "much more" will leave, just like I left active duty after 8 years of enlistment.