Tuesday, February 24, 2009

Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?"

The latest issue of the Information Assurance Technology Analysis Center's IANewsletter features "Army, Navy, Air Force, and Cyber -- Is It Time for a Cyberwarfare Branch of [the] Military?" by COL John "Buck" Surdu and LTC Gregory Conti. I found these excerpts enlightening.

The Army, Navy, and Air Force all maintain cyberwarfare components, but these organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where technical expertise is not recognized, cultivated, or completely understood. The services have developed effective systems to build traditional leadership and management skills. They are quite good at creating the best infantrymen, pilots, ship captains, tank commanders, and artillerymen, but they do little to recognize and develop technical expertise. As a result, the Army, Navy, and Air Force hemorrhage technical talent, leaving the Nation’s military forces and our country under-prepared for both the ongoing cyber cold war and the likelihood of major cyberwarfare in the future...

The skill sets required to wage cyberwar in this complex and ill-defined environment are distinct from waging kinetic war. Both the kinetic and non-kinetic are essential components of modern warfare, but the status quo of integrating small cyberwarfare units directly into the existing components of the armed forces is insufficient...

The cultures of today’s military services are fundamentally incompatible with the culture required to conduct cyberwarfare... The Army, Navy, and Air Force are run by their combat arms officers, ship captains, and pilots, respectively. Understandably, each service selects leaders who excel at conducting land, sea, and air battles and campaigns. A deep understanding and respect for cyberwarfare by these leaders is uncommon.

To understand the culture clash evident in today’s existing militaries, it is useful to examine what these services hold dear -- skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare...

The culture of each service is evident in its uniforms. Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments...

Evidence to back these assertions is easy to find. From a recent service academy graduate who desired more than anything to become part of a cyberwarfare unit but was given no other option than to leave the service after his initial commitment, to the placement of a service’s top wireless security expert in an unrelated assignment in the middle of nowhere, to the PhD whose mission was to prepare PowerPoint slides for a flag officer -- tales of skill mismanagement abound...

[W]e are arguing that these cultures inhibit (and in some cases punish) the development of the technical expertise needed for this new warfare domain.... Only by understanding the culture of the technical workforce can a cyberwarfare organization hope to succeed... High-and-tight haircuts, morning physical training runs, rigorously enforced recycling programs, unit bake sales, and second-class citizen status are unlikely to attract and retain the best and brightest people.

I agree with almost all of this article. When I left the Air Force in early 2001, I was the 31st of the last 32 eligible company grade officers in the Air Force Information Warfare Center to separate from the Air Force rather than take a new nontechnical assignment. The only exception was a peer who managed to grab a job at NSA. The other 31 all left to take technical jobs in industry because we didn't want to become protocol officers in Guam or logitisics officers in a headquarters unit.

Please read the whole article before commenting, if you choose to do so. I selected only a few points but there are others.

Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.


MFitz said...

Interesting article to say the least. I believe step towards the right direction that at least some people see the perils.

Personally, a family tradition has always been to join the armed forces in some fashion (mostly Army). I decided against it, decided to go to college and all that jazz. When the AirForce instituted that CyberCommand mandate I wholeheartedly thought I made the wrong decision. I guess, luckily, it was marred with problems which I'm sure everyone who follows it knows.

If they got something like this off the ground, I would be all over it.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Having recently left the Army from a very technical position I can attest that most/all of the article is correct. Although I can say that the Army and other services I worked with are slowly (very slowly) changing toward the better in this area.

A couple of obeservations I noticed while still in were:
-most combatant commanders want to see flames and smoke coming from something destroyed. I still don't know of any exploits that can make sparks shoot from the keyboard.
-unrealistic expectations of what is possible ("Can you hack an enemy ship and take complete control of it?" Despite the fact that the ship was built in 1970 and isn't run by computers.)

Anonymous said...

I'm a Vietnam vet who spent 20 years in the Air Force in a technical job. Even though I had a graduate degree and top ratings from my superiors, I was passed over for promotions because the airlines were hiring a lot of Air Force pilots at the time. So the pilots who had fewer technical skills were promoted to keep them from leaving. The result was that many excellent non-pilot officers left to get jobs with industry.

I had a friend who was a top notch photo interpreter (which they needed a lot of during Vietnam). When that war was over, he was RIF'ed rather than retrained and retained. When he left the Air Force in 1976, he had to drive a truck for several months to make ends meet.

Lest we forget, during WWII, it was the crypto analysts who did as much to shorten the war as the guys with the guns. Now I'm not saying the combat arms of our military aren't important, but it is rather short-sighted to ignore the people who are technically-minded in favor of those in combat roles.

You can bet that if we get into another military conflict, cyber-warfare will be one of the most important aspects of it. Unless we keep ahead of the rest of the world, a well-placed cyber Pearl Harbor could render much of our military useless. You can't fight (well) if you can't communicate.

Norman Funk said...

While the reasoning behind the article is sound, I don't see it happening because of several things. A. "Looking Good" on performance reports will outweigh "Mission Ready" when it comes to promotion time. B. The chance to look like fools when S.O.P.s and Skills are lacking is too great to make the higher ups want to change. C. There is more than skills involved, it must be a cultural thing. The Guys in S.A.C. were downright b****rds but they were ready to go on a moments notice. Look at what the Fighter jocks did to them when they took over. After that it was "OOPS, where did those nukes go?, I'm not sure"

Anonymous said...

The politics will always take precedence against technical expertise.

Anonymous said...

Often technical personnel which enjoy the work have to move into "leadership" roles if they expect to be promoted.

Jason Lind said...

I enlisted in the USAF with a "guaranteed" placement in the Computer Programming career field. I did this after completing more than two years of Electrical and Computer Engineering at Marquette University and over seven years of professional experience in technology related positions in the private sector, including two years of programming. Oh yeah and I was 19 on the first day of basic training. I had scored a 99 on my ASVAB and passed a very tough placement test with a score of 90/120 (70 or higher needed for the programming career field).

I enlisted because I had a general lack of discipline and I was convinced by a boss who was a retired Navy Captain that it would do me some good. Basic was rough, I was recycled twice mostly due to being out of shape but I got through it only to find out that I was not eligible for a TS clearance due to the level of debt I had managed to incur before enlisting.

I was placed in back shop avionics and excelled in tech school classes which were mostly a dumbed down version of what I had already learned in college. However I had some what I would consider small and irrelevant disciplinary issues that my commanders felt prevented me from being an asset to the USAF. I was forcibly discharged for what amounted to being several minutes late to several formations over a 9 month span and losing my dorm key twice.

I did not receive an article 15 or anything even close to it, I followed the rules, obeyed my orders but slipped up a few times. Fair assessment or not I'm convinced the real reason was I didn't act like the other airmen, I played chess, I watched foreign and independent movies and when I was bored in tech school I played around with number theory.

After my discharge, which has been over 5 years ago now, I went back to private sector IT consulting where I am now a Software Architect that makes over $250k year. Things have all worked out probably for the best, but honestly I do miss it. Maybe I would have made a better officer than an enlisted man, I don't know. But what I do know I was more than willing and capable of serving my country and the USAF's culture was against me from day one.

Anonymous said...

I agree the military does not really have a good career path for technical and engineering oriented folks. I joined the Air Force after college (math/engineering) and was then trained as a Space Shuttle flight controller and then as a satellite operations engineer. I got my masters in aerospace engineering while in the Air Force. But after 5 1/2 years they wanted me to go sit in a missile silo for 3 years waiting to turn a freaking key to launch a nuke that would hopefully never be launched. My other alternative was to get out.. so I did. That was 15 years ago and now I make 300K in the corporate IT world where my technical/engineering skills have been recognized and rewarded.
Our nation's cyber security requires much more than whats on the table right now.. or perhaps the military should let the NSA do it all. Word has it they know how to treat their technical experts!

Anonymous said...

Exactly the same thing here. Even got the USAF to pay for my PhD. Then they decided I needed to go to a SPO in Ohio. No thanks. Got my commander to check the "Do Not Promote" box and once I was passed over, took my money and my degree and ran.

This was best summed up by a colleague at the time, "If you don't put your hands on an aircraft on a daily basis, the USAF has no need for you."

Anonymous said...

It is definately time for a cyberwar organization but it is best leveraged via a socially networked group of professionals that are working collaboratively and towards a set of common prioritized goals and share intelligence and capabilities across the board to minimize duplication of effort. Models should be based on hybrid p2p organizational structures preferablly based on biorganism tenets and abilities to rapidly defend attack and adapt on a dime. Getting outside the realm of command and control and moving more towards a collaborative sentience is the key to defeating diffuse and nebulous networks of adversaries. O ya and also being ruthless and forcing consequences on your opponents. Anything else is just a waste of time. and money. Our money. Your taxes, our future.

Check out my website for more memes and incubative ideas on cyberwar and the threats we face


geowash01 said...

"When I left the Air Force in early 2001, I was the 31st of the last 32 eligible company grade officers in the Air Force Information Warfare Center to separate from the Air Force rather than take a new nontechnical assignment."

My heart bleeds. Listen up - it's a truism to say that the guys who will end up running the cyberwar of the future are the guys who fought their way through the nonsense to get to the top. You can't play, in other words, if you don't pay. Your problem was that you wanted your genius recognized, now, dammit! Did it work out for you when you took that attitude to the private sector?

Hopefully, one of your peers, probably the guy who went ahead with one of those protocol jobs, will end up at the top and remember the good things he wanted to accomplish back when he was a shavetail.

Here's some advice - occasionally take the long view, my friend. And don't forget the power of compound interest.

Richard Bejtlich said...

geowash01, you totally missed my point, even though you quoted it. Look at it from this point of view:

"31 of the last 32 snipers decided to leave the Marine Corps rather than become truck drivers."

"31 of the last 32 nuclear submarine officers decided to leave the Navy rather than become protocol officers."

"31 of the last 32 Patriot missile battery specialists decided to leave the Army rather than become logistics officers."

Are you still pointing fingers at the people leaving the service, or at the horribly broken personnel systems that force these decisions?

Richard Bejtlich said...

Personal ref: How Do Militaries Treat Their Nerds? linked here yesterday.

geowash01 said...

Richard, thanks for the response, but repeating your point over and over in different colors and louder doesn't fix it. Here's the deal, yes the system may be broken. It often is. Historical examples of broken military systems multiply without end, forever and ever, amen. (For example, it took four years in the trenches to find out how to beat trenches, partly with new tech-tanks-and partly with new tactics-see Wilhelm Rohr and the development of the Stormtroops.) My point is that you have to engage to win the battle. If you want to fix your car, moaning that GM didn't anticipate your breakdown serves no purpose. Of course, all the services are hidebound and conservative and focused on killing/breaking. Of course, they should be looking forward, but you must have heard the term 'leadership' somewhere before (even in the AF). All I'm saying is that this sort of problem requires leadership, and often interior leadership, which means stay and make it over in your way. And sometimes JOs make the difference in the end. Ike was a LtCol in '40. John Boyd never made it past colonel, but most practical planning is now done with his method.

Anyway, what did you do? If you didn't stay and you saw this big problem, are you in the industry feeding back to get it changed, are you in government fixing it, or is this the contribution? If the latter, I wish you luck, but I also recommend that you keep pounding away with more visible efforts, too.

Ted said...

This is pretty much right on - I've never been in uniform, but I've worked supporting the services since graduating college.

The best examples I have is in the Air Force, where they decimated the computer career field, combining it into comm/comp - where you are much more likely to be running a telephone exchange than technical computing.

If you go and try to do a personnel search of 61S (scientist) and 62E (engineer) personnel with a computer background, you come up with a very thin field - then select for who is movement eligible, you quickly get the null set, without even figuring out if they are competent to fill your needs.

I really don't understand this, when we are trying to run many >$1B acquisitions where most of the operational capability is implemented with software - which is the red-headed stepchild of the services.

Richard Bejtlich said...


Any more insults and I'll just start deleting your posts. If that's the best you can do, you don't deserve any readership on my blog.

Incidentally, the Slashdot commentary has inspired me to form the Association of Former Information Warriors. I'm trying to be constructive, beyond all the other work I've done during the past 11 years.

Anonymous said...

I've done military consulting off and on for years (army, navy, air force). In my last couple of military jobs I was a software architect for high-profile ($100Billion+) projects. Most of my co-workers were former members of the military who weren't allowed to do what they were good at, and had to go commercial. A prime example was one who had a high Navy rank (0-5 Commander), who wrote much of the Navy's rules of engagement, yet had to leave. There's no promotions beyond a point when your focus is technical, no matter how good you are, and if you don't promote you're out the door. That's insane. In the real world you don't force the best doctors or software architects or lawyers to take administration-only jobs or quit, but that's exactly what the military does. The military needs to hang on to their best technical people.

Consulting firms, military or not, typically recruit the best engineers and appreciated them, but even there it often becomes apparent that much of the work is wasted effort. Many of the overpriced projects turn out to be ideal solutions to a threat that doesn't exist or a situation that will never happen. Or they are forced into a framework which has tons of good aspects, yet is done on a scale that isn't financially feasible (I worked on the Navy's DD(X), which is that way). This is mainly due to the fact that the people who set the requirements for projects aren't technically qualified to do so. If they knew how to do it, they wouldn't need a consultant. A chicken-and-egg problem. In the case of the military, since they underutilized their best people and drove them away, they don't have the skills. An outside firm can't work miracles for the military when the military doesn't know what they need. Sadly, now that that Congress is cutting budgets on projects, the ones that are being saved aren't the best ones, they're the ones with the most political clout behind them, really just "make work" projects (when your funding is from underqualified people, the situation gets even worse). I moved back to doing non-military, after they moved me to one of those projects that I saw little value in (the Army Future Combat Systems). The only thing I've liked better is that keeping costs down is rewarded (military contractors want to be just cheap enough to win the project, but not a penny cheaper, since their profits are based mostly on volume). But I find I still have to take jobs which don't pay so well if I want to do things that are technically interesting.

Marcus J. Ranum said...
This comment has been removed by the author.
Marcus J. Ranum said...

I think that what you're alluding to is the rather dramatic way in which "information warfare" was oversold in the early 1990s. Instead of a big new evolution in warfare, what we got was a rather sensible application of IT to intelligence operations and battlefield communications. That wasn't rocket science, though - it was simply inevitability.

When aerial warfare became practical, it had a huge transformative effect on intelligence-gathering as well as adding a new axis to combined arms. Is "information operations" anywhere like that big a deal? I sincerely doubt it. Perhaps in another 100 years; we are still in the very early stages (and by the time "information operations" are absorbed into warfighter doctrines fully, they will be just "computerized command/control", "computerized intelligence-gathering", "computerized logistics" (why does everyone want to leave out logistics?!? I know it's about as sexy as Rosie O'Donnell but logistics is on par with the other branches of the military art, in terms of importance.

The notion of "cyberwar" is too broadly drawn. For convenience sake, some practitioners call even the silliest things (ooo! spam!) "cyberwar" or attempt to conflate intelligence-gathering under the rubric of warfighting in spite of the fact that one is predominantly a strategic activity and the others are tactical.

Richard, as you know, I've been having the occasional belly-laugh about "cyberwar" for the last 15 years and I still see no sign that it's anything other than an agenda in search of a budget.

You might be amused by my recent podcast on the topic, as well as some of the set-up for it in the Tenable blog.
episode 4 and

As always, I don't pretend to be 100% right about everything (or even a fraction of it) but I think that many of the community's presuppositions about cyberwar and information operations are hugely oversold.