Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?"
The latest issue of the Information Assurance Technology Analysis Center's IANewsletter features "Army, Navy, Air Force, and Cyber -- Is It Time for a Cyberwarfare Branch of [the] Military?" by COL John "Buck" Surdu and LTC Gregory Conti. I found these excerpts enlightening.
The Army, Navy, and Air Force all maintain cyberwarfare components, but these organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where technical expertise is not recognized, cultivated, or completely understood. The services have developed effective systems to build traditional leadership and management skills. They are quite good at creating the best infantrymen, pilots, ship captains, tank commanders, and artillerymen, but they do little to recognize and develop technical expertise. As a result, the Army, Navy, and Air Force hemorrhage technical talent, leaving the Nation’s military forces and our country under-prepared for both the ongoing cyber cold war and the likelihood of major cyberwarfare in the future...
The skill sets required to wage cyberwar in this complex and ill-defined environment are distinct from waging kinetic war. Both the kinetic and non-kinetic are essential components of modern warfare, but the status quo of integrating small cyberwarfare units directly into the existing components of the armed forces is insufficient...
The cultures of today’s military services are fundamentally incompatible with the culture required to conduct cyberwarfare... The Army, Navy, and Air Force are run by their combat arms officers, ship captains, and pilots, respectively. Understandably, each service selects leaders who excel at conducting land, sea, and air battles and campaigns. A deep understanding and respect for cyberwarfare by these leaders is uncommon.
To understand the culture clash evident in today’s existing militaries, it is useful to examine what these services hold dear -- skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare...
The culture of each service is evident in its uniforms. Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments...
Evidence to back these assertions is easy to find. From a recent service academy graduate who desired more than anything to become part of a cyberwarfare unit but was given no other option than to leave the service after his initial commitment, to the placement of a service’s top wireless security expert in an unrelated assignment in the middle of nowhere, to the PhD whose mission was to prepare PowerPoint slides for a flag officer -- tales of skill mismanagement abound...
[W]e are arguing that these cultures inhibit (and in some cases punish) the development of the technical expertise needed for this new warfare domain.... Only by understanding the culture of the technical workforce can a cyberwarfare organization hope to succeed... High-and-tight haircuts, morning physical training runs, rigorously enforced recycling programs, unit bake sales, and second-class citizen status are unlikely to attract and retain the best and brightest people.
I agree with almost all of this article. When I left the Air Force in early 2001, I was the 31st of the last 32 eligible company grade officers in the Air Force Information Warfare Center to separate from the Air Force rather than take a new nontechnical assignment. The only exception was a peer who managed to grab a job at NSA. The other 31 all left to take technical jobs in industry because we didn't want to become protocol officers in Guam or logitisics officers in a headquarters unit.
Please read the whole article before commenting, if you choose to do so. I selected only a few points but there are others.
Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.
The Army, Navy, and Air Force all maintain cyberwarfare components, but these organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where technical expertise is not recognized, cultivated, or completely understood. The services have developed effective systems to build traditional leadership and management skills. They are quite good at creating the best infantrymen, pilots, ship captains, tank commanders, and artillerymen, but they do little to recognize and develop technical expertise. As a result, the Army, Navy, and Air Force hemorrhage technical talent, leaving the Nation’s military forces and our country under-prepared for both the ongoing cyber cold war and the likelihood of major cyberwarfare in the future...
The skill sets required to wage cyberwar in this complex and ill-defined environment are distinct from waging kinetic war. Both the kinetic and non-kinetic are essential components of modern warfare, but the status quo of integrating small cyberwarfare units directly into the existing components of the armed forces is insufficient...
The cultures of today’s military services are fundamentally incompatible with the culture required to conduct cyberwarfare... The Army, Navy, and Air Force are run by their combat arms officers, ship captains, and pilots, respectively. Understandably, each service selects leaders who excel at conducting land, sea, and air battles and campaigns. A deep understanding and respect for cyberwarfare by these leaders is uncommon.
To understand the culture clash evident in today’s existing militaries, it is useful to examine what these services hold dear -- skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare...
The culture of each service is evident in its uniforms. Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments...
Evidence to back these assertions is easy to find. From a recent service academy graduate who desired more than anything to become part of a cyberwarfare unit but was given no other option than to leave the service after his initial commitment, to the placement of a service’s top wireless security expert in an unrelated assignment in the middle of nowhere, to the PhD whose mission was to prepare PowerPoint slides for a flag officer -- tales of skill mismanagement abound...
[W]e are arguing that these cultures inhibit (and in some cases punish) the development of the technical expertise needed for this new warfare domain.... Only by understanding the culture of the technical workforce can a cyberwarfare organization hope to succeed... High-and-tight haircuts, morning physical training runs, rigorously enforced recycling programs, unit bake sales, and second-class citizen status are unlikely to attract and retain the best and brightest people.
I agree with almost all of this article. When I left the Air Force in early 2001, I was the 31st of the last 32 eligible company grade officers in the Air Force Information Warfare Center to separate from the Air Force rather than take a new nontechnical assignment. The only exception was a peer who managed to grab a job at NSA. The other 31 all left to take technical jobs in industry because we didn't want to become protocol officers in Guam or logitisics officers in a headquarters unit.
Please read the whole article before commenting, if you choose to do so. I selected only a few points but there are others.
Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.
Comments
Personally, a family tradition has always been to join the armed forces in some fashion (mostly Army). I decided against it, decided to go to college and all that jazz. When the AirForce instituted that CyberCommand mandate I wholeheartedly thought I made the wrong decision. I guess, luckily, it was marred with problems which I'm sure everyone who follows it knows.
If they got something like this off the ground, I would be all over it.
A couple of obeservations I noticed while still in were:
-most combatant commanders want to see flames and smoke coming from something destroyed. I still don't know of any exploits that can make sparks shoot from the keyboard.
-unrealistic expectations of what is possible ("Can you hack an enemy ship and take complete control of it?" Despite the fact that the ship was built in 1970 and isn't run by computers.)
I had a friend who was a top notch photo interpreter (which they needed a lot of during Vietnam). When that war was over, he was RIF'ed rather than retrained and retained. When he left the Air Force in 1976, he had to drive a truck for several months to make ends meet.
Lest we forget, during WWII, it was the crypto analysts who did as much to shorten the war as the guys with the guns. Now I'm not saying the combat arms of our military aren't important, but it is rather short-sighted to ignore the people who are technically-minded in favor of those in combat roles.
You can bet that if we get into another military conflict, cyber-warfare will be one of the most important aspects of it. Unless we keep ahead of the rest of the world, a well-placed cyber Pearl Harbor could render much of our military useless. You can't fight (well) if you can't communicate.
I enlisted because I had a general lack of discipline and I was convinced by a boss who was a retired Navy Captain that it would do me some good. Basic was rough, I was recycled twice mostly due to being out of shape but I got through it only to find out that I was not eligible for a TS clearance due to the level of debt I had managed to incur before enlisting.
I was placed in back shop avionics and excelled in tech school classes which were mostly a dumbed down version of what I had already learned in college. However I had some what I would consider small and irrelevant disciplinary issues that my commanders felt prevented me from being an asset to the USAF. I was forcibly discharged for what amounted to being several minutes late to several formations over a 9 month span and losing my dorm key twice.
I did not receive an article 15 or anything even close to it, I followed the rules, obeyed my orders but slipped up a few times. Fair assessment or not I'm convinced the real reason was I didn't act like the other airmen, I played chess, I watched foreign and independent movies and when I was bored in tech school I played around with number theory.
After my discharge, which has been over 5 years ago now, I went back to private sector IT consulting where I am now a Software Architect that makes over $250k year. Things have all worked out probably for the best, but honestly I do miss it. Maybe I would have made a better officer than an enlisted man, I don't know. But what I do know I was more than willing and capable of serving my country and the USAF's culture was against me from day one.
Our nation's cyber security requires much more than whats on the table right now.. or perhaps the military should let the NSA do it all. Word has it they know how to treat their technical experts!
This was best summed up by a colleague at the time, "If you don't put your hands on an aircraft on a daily basis, the USAF has no need for you."
Check out my website for more memes and incubative ideas on cyberwar and the threats we face
www(.dot)conanthedestroyer(.dot)net
My heart bleeds. Listen up - it's a truism to say that the guys who will end up running the cyberwar of the future are the guys who fought their way through the nonsense to get to the top. You can't play, in other words, if you don't pay. Your problem was that you wanted your genius recognized, now, dammit! Did it work out for you when you took that attitude to the private sector?
Hopefully, one of your peers, probably the guy who went ahead with one of those protocol jobs, will end up at the top and remember the good things he wanted to accomplish back when he was a shavetail.
Here's some advice - occasionally take the long view, my friend. And don't forget the power of compound interest.
"31 of the last 32 snipers decided to leave the Marine Corps rather than become truck drivers."
"31 of the last 32 nuclear submarine officers decided to leave the Navy rather than become protocol officers."
"31 of the last 32 Patriot missile battery specialists decided to leave the Army rather than become logistics officers."
Are you still pointing fingers at the people leaving the service, or at the horribly broken personnel systems that force these decisions?
Anyway, what did you do? If you didn't stay and you saw this big problem, are you in the industry feeding back to get it changed, are you in government fixing it, or is this the contribution? If the latter, I wish you luck, but I also recommend that you keep pounding away with more visible efforts, too.
The best examples I have is in the Air Force, where they decimated the computer career field, combining it into comm/comp - where you are much more likely to be running a telephone exchange than technical computing.
If you go and try to do a personnel search of 61S (scientist) and 62E (engineer) personnel with a computer background, you come up with a very thin field - then select for who is movement eligible, you quickly get the null set, without even figuring out if they are competent to fill your needs.
I really don't understand this, when we are trying to run many >$1B acquisitions where most of the operational capability is implemented with software - which is the red-headed stepchild of the services.
Any more insults and I'll just start deleting your posts. If that's the best you can do, you don't deserve any readership on my blog.
Incidentally, the Slashdot commentary has inspired me to form the Association of Former Information Warriors. I'm trying to be constructive, beyond all the other work I've done during the past 11 years.
Consulting firms, military or not, typically recruit the best engineers and appreciated them, but even there it often becomes apparent that much of the work is wasted effort. Many of the overpriced projects turn out to be ideal solutions to a threat that doesn't exist or a situation that will never happen. Or they are forced into a framework which has tons of good aspects, yet is done on a scale that isn't financially feasible (I worked on the Navy's DD(X), which is that way). This is mainly due to the fact that the people who set the requirements for projects aren't technically qualified to do so. If they knew how to do it, they wouldn't need a consultant. A chicken-and-egg problem. In the case of the military, since they underutilized their best people and drove them away, they don't have the skills. An outside firm can't work miracles for the military when the military doesn't know what they need. Sadly, now that that Congress is cutting budgets on projects, the ones that are being saved aren't the best ones, they're the ones with the most political clout behind them, really just "make work" projects (when your funding is from underqualified people, the situation gets even worse). I moved back to doing non-military, after they moved me to one of those projects that I saw little value in (the Army Future Combat Systems). The only thing I've liked better is that keeping costs down is rewarded (military contractors want to be just cheap enough to win the project, but not a penny cheaper, since their profits are based mostly on volume). But I find I still have to take jobs which don't pay so well if I want to do things that are technically interesting.
When aerial warfare became practical, it had a huge transformative effect on intelligence-gathering as well as adding a new axis to combined arms. Is "information operations" anywhere like that big a deal? I sincerely doubt it. Perhaps in another 100 years; we are still in the very early stages (and by the time "information operations" are absorbed into warfighter doctrines fully, they will be just "computerized command/control", "computerized intelligence-gathering", "computerized logistics" (why does everyone want to leave out logistics?!? I know it's about as sexy as Rosie O'Donnell but logistics is on par with the other branches of the military art, in terms of importance.
The notion of "cyberwar" is too broadly drawn. For convenience sake, some practitioners call even the silliest things (ooo! spam!) "cyberwar" or attempt to conflate intelligence-gathering under the rubric of warfighting in spite of the fact that one is predominantly a strategic activity and the others are tactical.
Richard, as you know, I've been having the occasional belly-laugh about "cyberwar" for the last 15 years and I still see no sign that it's anything other than an agenda in search of a budget.
You might be amused by my recent podcast on the topic, as well as some of the set-up for it in the Tenable blog.
See:
http://www.rearguardsecurity.com/
episode 4 and
http://blog.tenablesecurity.com/ranums_rants/
As always, I don't pretend to be 100% right about everything (or even a fraction of it) but I think that many of the community's presuppositions about cyberwar and information operations are hugely oversold.