The desire to create an “esprit de corps” around cyber operations forces
BY:
Eric De Grasse
Chief Technology Officer
PROJECT COUNSEL MEDIA
29 July 2022 – As we have noted before, the International Cybersecurity Forum in Lille, France is the major European cybersecurity event – a host of educational sessions, exhibitors, hands-on training workshops, “red team” events, detailed technical presentations, etc. And for us – the really fun part – you’ll find an enormous U.S. intel cybersecurity contingent in attendance. But all in all, it is an opportunity to meet the major players in cybersecurity and take stock of the tendencies and trends regarding cyber attacks, and especially of the solutions … and lack of solutions … given that the problem is critical and we all seem to encounter it every day.
One theme heavily discussed this year – by private cybersecurity vendors, government intel officials, and pretty much everybody – was “how do we find the next generation of cyber talent”? This is especially crucial for the U.S. military. And one element we learned about was how the U.S. military is trying to find the next generation of cyber talent who don’t necessarily have a technical background.
As just one example, Defense One reported earlier this week that the Navy doesn’t have the manpower to go after the thousands of common vulnerabilities that plague Navy networks, like unpatched software and incorrect security settings. So U.S. Fleet Cyber Command authorized “Operation Cyber Dragon” – a process where sailors learn cyber techniques as they hunt down and fix problems in unclassified networks. And the Navy “is pretty much taking anybody into the program”.
So, about 10 out of the 50 participants accepted into the first program were not Navy-designated network analysts – and yet in March 2022 alone the team fixed more than 3,300 problems. The team also discovered several “probable spoofing certificates” and developed ways to fix problems and manage Department of Defense work in commercial clouds. Said a Navy representative:
“Probably the most beneficial thing about this is I can take anyone, as long as you have a common access card, and we have a network terminal, and you can read a standard operating procedure and you’re familiar with the internet. We’re not programming anything. We’re not writing any scripts. We’re scanning, we’re utilizing commercial scanning tools. And that’s a huge benefit”.
Moreover, sailors who lack security clearances can participate while they wait. Cyber Command wants to expand the program to cover the Navy’s swath of unclassified networks that aren’t necessarily national security concerns but still pose cybersecurity risks. Said a Cyber Command representative:
“Yes, we have a headquarters enterprise network that does our email and PowerPoints and what everyone typically uses a computer for. But then we have all these one-off or bespoke systems, like our morale, welfare and recreation networks, like our facilities management, our emergency management – all these other things that don’t quite fit the enterprise network model, but they’re still connected to the DOD network. And they need the security as well”.
As has been reported in other cybersecurity media, those networks are often managed locally, at the sub-command level, and the organizations don’t necessarily have the tools, the talent, or even the bandwidth to be doing what the Cyber Dragon teams are doing: taking a holistic look at a network’s vulnerabilities from a hacker’s perspective. Cyber Dragon teams have found default usernames and passwords being used in some computer systems, which could have led to identity theft. One story: Navy data turned up on a private cloud provider’s servers in Southeast Asia:
“We have found data where we didn’t want data to be, right. And it’s, again, not because of any maliciousness. It’s just, you know, when you talk about the cloud, you don’t know what server it’s on, or where that server is hosted, and with the technology today, where that data sits right now can actually change and morph over time and can sit in a different place, just like that. It can easily get away from you”.
So the end-play is to have future iterations of the program focus on working with network operators to find and more quickly fix vulnerabilities. Because it’s one thing to have somebody from on high call down and say, “Hey, this is wrong, or you need to do this”. It’s a much different experience if we’re calling down and you have these cyber teams say, “Hey, listen, this is a little off; we need you to correct it. We think these are the corrective measures. We’re not the experts on your network” and then come together as a group to figure out what the correct mitigation remediation is. It’s the approach.
And in an era when the Pentagon struggles to woo tech talent away from higher private-sector salaries, the Cyber Dragon program has already inspired several participants to deepen their knowledge and even their Navy careers. There is the story of the Chase banker, also a Navy Reserve cryptologic collection technician, who felt underutilized during an eight-year reserve career; that changed as she participated in both phases of Cyber Dragon. She said: “So honestly, I want to change career paths; I don’t want to be a banker anymore”.
So what you have is active service members and reservists assigned to a cyber-related unit but not necessarily with a technical background or education. What the Cyber Command does is take the trainees and pair them off, with one having some cyber experience and the other being a novice. The result was the creation of teams that could learn from each other.
Yes, it’s slow going but it is filling in many gaps, especially when coupled with the massive cybersecurity education programs the U.S. military is developing. Said a Cyber Command representative:
“The intent is to get a pipeline of people that mature to and then want to stay in the command because of the cyber mission that we have. The closest I can come is our aim is to cultivate the same fervor that surrounds special operations forces, but for cyber. Everybody wants to be a special operations forces guy. We want to create that same esprit de corps around cyber operations forces”.