US Military To Recruit Civilian Cybersecurity Experts
An anonymous reader writes: The U.S. Army is to create a new cybersecurity division, Cyber Branch 17, and is also considering launching a cyber career track for civilians, according to an announcement made this week by Lt. Gen. Edward C. Cardon. Cardon, who currently heads the U.S. Army's cyber command, ARCYBER, spoke to the Senate Armed Services subcommittee on Tuesday about the growing threats and capabilities used in cyber warfare. He argued that creating a cyber career management field for civilians would result in an easier recruitment process, as opposed to recruiting internally and trying to retain the talent, he said. Cardon maintains that recruiting and retaining talent in the field is often challenging, given internal employment constraints surrounding compensation and slow hiring processes.
"Cardon maintains that recruiting and retaining talent in the field is often challenging, given internal employment constraints surrounding compensation and slow hiring processes."
Ah, internal employment constraints?
This is the same organization that will deploy a SEAL team with a suitcase of cash if the mission calls for it, and treat it like any other expendable item, and yet they can't seem to pull enough cash together to keep up with civilian pay rates.
Talk about your bullshit excuses out of the payroll department...I can't even count how many billions were "lost" in accounting. Ironically, neither can the US GAO.
The majority of major, targeted hacks (rather than just sweeping the net for vulnerabilities) - aka, the kind of stuff that the US military cares about - involve sending emails or making phone calls and introducing yourself as Bob from IT, and sorry to bother you but there's a problem that we need to discuss with you, but first a couple questions...
They don't need script kiddies, they need social engineers. Question number one in the job interview should be "Is your native language Russian, Chinese, Farsi, Korean or Arabic?" And even as far as the more traditional "hacking" goes, rather than script kiddies they're going to need people who are going to custom analyze a given system and assess its individual vulnerabilities, people with real in-depth understanding. One would presume that in most cases that the sort of targets that the US military wants to hack are going to keep themselves pretty well patched to common vulnerabilities.
AIs doing hacking? What are you talking about? This is the real world, not Ghost In The Shell.
*Kid Rock runs for Senate* Democrats: We must run Kid Scissors.
By definition, a special forces team is doing something that cannot be done any other way. So of course they have access to whatever they need... otherwise people die.
Civilian employees (and this is not outside contractors), in contrast, are basically tied to the same government hiring processes as the IRS or the Fish and Game department.
No, that's the beauty of global outsourcing: all they need's a Hindu accent. "Hello, I am being Sanj - I mean, Bob, from IT. I am needing you to be visiting TeamViewer to be fixing the Windows errors on your terrorist cell's PC..."
More seriously, I thought the offensive hacking was more an NSA/CIA operation: Army cybersecurity would be all about keeping the Windows systems patched and stopping generals replying to hot students who want naked sexy time over Skype in exchange for their passwords. (OK, it turned out that one should have been a CIA job too lately...) There's only a passing reference in TFA to the US having offensive capabilities, everything else is about securing DoD and contractor networks from attack, as I'd expect.
This is a system that will work for a very big difference in how hiring just any ol tom dick or harry cybersecurity guy. You find those disillusioned ex-mil folks who are classically trained in cyber warfare (through either previous experience in that field) AND who have been in a military service component of some type. They will be easier to 'bring into the fold' of daily business while still exceeding the technical requirements and demands of such a mission. They won't care what the mission is, but they understand that the mission is what it is, and must be accomplished. Marry that with a strong technical background, and you have someone that will deliver the capabilities you require, even if they don't care why. If they don't actively hold any of the mission objectives as opposing viewpoints you are golden.
OMG facts!
Stop Microsoft operating systems from being used.
FTFY. Stuxnet didn't care about "internet".
In other words, pay rates will ensure that the government will get what's left after the best and brightest have been hired by the free market.
Ok, so in other words, business as usual.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's actually stunning how many people are self proclaimed hacking experts and yet seem to get most of their knowledge about hacking from sensationalist news and Hollywood.
So, enemy combatants then.
The Seals are part of the Navy. And due to Sequestration, the Army will lose about 70,000 shortly.
The problem with accounting is indeed a problem. One doesn't wave a magic wand and declare there to be accounting. DoD is vast, and they've never had a real audit. Their first real audit is coming due shortly, it took them years to prepare for it because new accounting systems had to be built to handle it.
And when it comes to money wasted, the biggest problem is Congress. DoD figures it has about 25% more physical plant than it needs, but it cannot cut it because it requires closing bases in congressional districts and Congress won't let them do that. They do go through a BRAC process about every 5 years and whack what they can, but Congress won't let them whack enough.
That said, the Air Force is easily the most stuck in the past. Their whizzy new planes are more or less overkill for Daesh. The A-10 is perfect for that, but the Air Force is tasked with countering China and Russia which have been putting money into advanced airplanes. Both have been putting new money into just about everything. This bodes trouble for the U.S. and the Biden Doctrine of bending over first, thinking if they see our a-holes, they'll realize we mean them no harm. So we get the Ukraine problem and China building a new island and new airstrip in the S. China Sea 1000 miles from any Chinese territory. The U.S. does nothing because the Biden Doctrine declares that if we smile a lot, the rest of the world will like U.S....unfortunately for the U.S., its allies that rely on it won't. So they too are starting to spend more on defense. The end result will be a lot of powder kegs splattered across the world that could go off for stupid reasons because men do stupid things. And that will force the U.S. defense budget higher in the long run, presuming the U.S. doesn't take one in the neck because it ignored an existential threat (N. Korea nuking LA, Iran nuking Washington (they are able to put satellites in space which you need to send one to Washington, etc.).
The main problem is that the "spirit" of hacking is diametrically opposite of what the military is like. Not that that "spirit" mattered much anymore, but it's still why most people get into the area. They usually stay for the money, which is another thing that works against the military...
So the military is neither attractive to new people who want to get into the field, nor to seasoned veterans who learned just what salaries they can ask for.
Plus, despite money, most "hackers" still have some kind of moral limitations. At least the people I know, and I dare say that, would not easily be convinced that it's ok to blow up some nuclear plant by messing with its computers from afar for the odd chance that some terrorists may be near while killing a few million as collateral damage. Given the international structure of the community, it's very likely you actually know someone in the country that's supposed to be attacked.
AI-based hacking is the norm for most states, not teams of humans. Source code is obtained around the world, some stolen, some open-source, etc., then passed into machine learning classifiers that identify common problems. These identified areas are then passed to another machine learning system that attempts to generate code to exploit the error. It's a monte carlo/genetic algorithm based system. On success, it is added to a library of attack code, along with some tools to perform fingerprinting.
Then it can be deployed as needed and combined with other attacks to breach even the complex networks.
It's not really that hard to create, it just takes time to train properly.
All Cybersecurity guys I know will not tolerate testosterone fueled chain of command bullshit that is the backbone of the US military.
Exactly how do they think they will control and indoctrinate these people? Most are smart enough to know that most of the problems are CAUSED by the United States, and when ordered to do something unethical, they will say "go to hell"
So I am guessing threats of imprisonment is their motivator?
Do not look at laser with remaining good eye.
Social engineering is still the most common targeted attack vector. Humans are the weakest links in most secure systems, there is nearly always someone no matter how well trained and warned that will fall for well thought out social engineering tactics.
Until you guys stop complaining about government and make it cool to join and help, yea.
...try doing "cybersecurity" for the Army. It is truly suicide inducing. Source: been there, done that.
Asshole Officers are the issue. You can't pay me enough to work there. Well, perhaps you could $300K - yes?
My conscience is another issue. I've read the US Constitution, including the bill of rights. I've also read the bible and quran and have studied Buddhist traditions. I feel that spying is wrong. If we are at war - fine. Until war is formally declared, infiltrating any other organization - inside or outside the USA is wrong.
I come from a military family. Dad was a pilot and I saw him being an asshole to lots of subordinates. After he retired, it took about a year before he became a nice man again.
presuming the U.S. doesn't take one in the neck because it ignored an existential threat (N. Korea nuking LA, Iran nuking Washington (they are able to put satellites in space which you need to send one to Washington, etc.).
Those aren't existential threats, in fact, if you timed the hit on DC right, you'd probably get rid of the worst problem America has in one fell swoop. Or you'd just piss off America and get it riled up and ready to smash face, like taking a swing at Rocky. Sure, it might seem like you've done harm to the champ, but then you realize there's a freight train of hurt coming your way and there's no charge for delivery.
Just look at how well hiring external contractors worked for the NSA!
Snowden was a contractor, but Manning was a uniformed soldier.
Do I need to remind the government about TARGET, CHASE AND ANTHEM? I'm sure they were being protected from civilian cyber-security experts.
I'll start asking what I can do for my country instead of what it can do for me when government and industry lead as examples. I'm not your fucking Boxer.
It's worse than what he describes. Currently the NSA / USCYBERCOM will try to hire graduates from college at GS-9. That is 45k to 55K a year. For all but the Air Force, the new hires are being stationed at NSA Washington, meaning they will be trying to make do, and start their families at this salary, paying off student debt (NSA does not participate in the federal student loan forgiveness program), and save up for a house. In this area a cheap one bedroom apartment can run you around $1500 a month.
That same person can leave and go work for a federal contractor or commercial company in the same area demanding the same skills for over $100k. So I ask you -- Do you need to work for USCYBERCOM as much as USCYBERCOM needs you?
Government employees are typically better paid than their private sector counterparts.
The exception is high demand labor of any kind. Someone able to run a company as CEO is going to get more money in the private sector than in the government's employ. However if you're a paper pushing cubicle monkey then you will get better pay and job security in the government.
The issue is whenever people say the government should pay some employee more they tend to mean ALL of them. And that's neither reasonable nor sustainable. The result is that you overpay for low to middle skilled people and then underpay the top talent.
yes yes... no big pay discrepancies are politically incorrect these days. It doesn't matter. The guy I'm talking about can turn your job down and go to the private sector and make more money. The cubicle monkeys working for the government can't do that. They'll be paid worse in the private sector because the government is typically overpaying them. There is a reason that the area around Washington DC is the highest income growth sector in the country, has the strongest real estate market, and is generally the healthiest economy. All those office workers are being paid better in DC than anywhere else in the country.
And here some bright spark will say "well then why don't we do that everywhere!"... the answer being that it isn't especially sustainable only doing it at the level it is already done at... expanding it beyond this point is a little like saying "that shot of heroin was good, let's double it!"... what could possibly go wrong?
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Having been in the military, and then as a contractor on TS level projects, I can confirm your first few points. The Military is often made out to be the problem child by the left, but in reality the Military WANTS to cut spending in areas where there is massive waste. Congress won't let them. So they have to cut spending on stupid shit like office supplies and people. Weapons programs and facilities rarely get cut due to Congressional pressure to keep jobs/money in their districts/states. That is why when the Berlin wall fell it was so damn easy for us to massively scale back our presence in Europe, but stateside it has been very very difficult. When Robert Gates asked to end F-22 orders because we didn't need them, Congress told him "No, you're going to buy those damn planes and you're gonna like it!" Instead, we cut military personnel and anything that doesn't involve lucrative contracts.
If you don't get the employees you need for other parts of the organization to work properly, then people die (because the military missions fail). You don't get the employees you need if you don't pay enough.
The exception is high demand labor of any kind. Someone able to run a company as CEO is going to get more money in the private sector than in the government's employ.
I don't think we're talking about overpaid suits here, we're talking about engineers and other technical people. The government is not known to pay them well either.
All those office workers are being paid better in DC than anywhere else in the country.
So basically a bunch of incompetent paper-pushers are being given largesse by the rest of the nation, and the economies in the rest of the nation would be better off if they seceded from the federal government, since they wouldn't have to spend so much funding all that waste?
Most "cybersecurity experts" probably want nothing to do with the military. Look at the average set of comments from any Snowden leak and you'll find that anyone you would want doing this kind of work has a real problem with authority. In the military, authority is what you get. No matter how high up the food chain you are, there's always someone telling you what to do. Combine this with mandatory combat training, mandatory physical fitness testing/standards and tons of bureaucracy, and you have a job that people don't want to do.
This is in addition to the fact that government/military pay scales are incredibly rigid. Government can't compete with the highly paid "elite cybersecurity firm" jobs that involve flying around the country giving PowerPoints to executives and collecting six-figure fees. To join government service or the military, you need to have a sense of service, and the willingness to stick it out until the end to get the actual benefits (a real pension, job security, etc.) Without trying to offend, volunteer military service looks to be a good way out for someone who has very few other opportunities. But with the civilian option, the Army might be able to attract people who can't live with the other restrictions that a military career comes with.
The only thing I can see going wrong is that this will just be an excuse to hire idiots from Accenture, CSC, IBM and the usual suspects. Lots of government contracts end up getting messed up by inserting an expensive consulting firm in the middle.
It doesn't fucking matter
Jesus Autistic Christ. >__
The point was "high demand labor"... which includes anyone that has special skills that are not easily trained or acquired in the market.
I gave an example a CEO because that is the most extreme example. But that same example also works for medical professionals, computer professionals, engineering professionals, scientific professionals... and anyone else that has skills that are rare in the general population.
The problem is that the government has pay grades. Fixed tiers of compensation. Those tiers work fine for most people. They're fucking useless for anyone exceptional that must be paid significantly more.
In regards to your absurd strawman that I'm suggesting we secede from the government because there is some waste and incompetence in the government... is that really the only option you're capable of accepting? So in your mind, I either have to accept anything the government might do... any amount of incompetence... or I have to secede? Really?
Please quote the bit where I said we should secede from the federal government. Quote me, bitch. I said that nowhere. What is up with the fucking straw men today? Seriously? Can none of you fucks make a coherent argument without misrepresenting your opposition?
I'll tell you what. I'll defend seceding from the federal government if you defend your rampant pedophilia. Tell me why you keep supporting bestiality and necrophilia.
Nowhere in your post did you say anything about that. But apparently that isn't required for me to pretend that you did... by your own fucking example.
You owe me apologies asshole. You won't offer them... which will just mean you're a degenerate... to which I'll just say eat all the dicks. Every last one.
Soldiers have the up or out rules that limit there you don't want to lose a good tech guy who does not want to go management or be forced out of the unit due to their rank being too high.
It needs to be civilian based. Also some tech people may have a hard time with boot camp and I'm not just talking about the PT part of it. Also people with disabilities who can do a desk job but can't do boot camp as well.
This supports my theory that for any group of special talents within an organization that involves digital, there are WAY more people outside that organization than within it and that statistics demands that the odds are that that outside population has a whole lot more smart people.
There are WAY more people who are not military. Among those extant, there WILL be some people who are more talented than the military. Those people either have jobs or are making money as black hats.
The military recognizes that, but they are making a huge mistake. People outside the military are not as gung-ho on the patriot bullshit and are liable to do what's in their best interests or just for lulz.
It little behooves the best of us to comment on the rest of us.
The Government, and the Military as a whole, has several problems when it comes to hiring and retaining talented network/IT/etc security people. Much of that is endemic to it being the government and military, as others have noted, and I won't belabor those (valid) points.
What this seems to be largely about though is restructuring their internal codes. Pretty much every job in the military or government, civilian or otherwise, has a particular job code and career field, from park ranger to law enforcement to, yes, Special Forces (which is 18 series for the Army). When they talk about "Cyber Branch 17" that's what they mean, it's the designation for that series of military occupational specialties (MOS), just like 11 is infantry, 12 is combat engineer, etc.
Now, on the civilian side, one of the problems the government in general has had is that they don't/didn't have a career field for "Cyber." Everyone that I met was being shoehorned in either as an Intelligence billet or as a general IT billet, neither of which apply quite correctly, as IT Security has focuses and training that would not apply to the majority of the jobs previously classified as those fields, at least in the sense that the Government does. Someone might have 10+ years of experience as either, but know absolutely nothing about advanced IT security.
That's the reason I got out. If they still had this I *might* have stayed in longer. They gave me a direct order to go to the NCO academy because I'd refused previously 'offered' slots and I was the senior E-4 in my brigade. So, I attend, kick the shit out of the course (which is not difficult for your average slashdotter if they're in decent shape) coming in 2nd out of 110 losing out to a US Army Ranger with an electrical engineering degree (yes, he was enlisted, no, he didn't give a fuck about being an officer... he just wanted to be a commando for a few years; I guess it was on his bucket list). The one thing they couldn't order me to do was to 'volunteer' for the promotion board, which pissed them off. To add insult to injury, my unit somehow managed to ensure that my reenlistment NCO got to see me monthly for the last year of my hitch (I had signed a six year contract to get a very nice MOS and a TS clearance).
I agree with your sentiment on civilians, but as another poster put it, many CS/engineering security types have a problem with authority. I worked for not only NCOs but commissioned officers who were functionally illiterate (and no, I'm not saying this because I didn't like the army). Come off a college football scholarship and you're not going to get picked up to go pro? What do you do? Oh yeah, there's OCS (if they hadn't been in ROTC already). I strongly dislike working for stupid people, and the military is chock full of them. Don't even get me started on the affirmative action promotion folks I'd worked with.
The bottom line is, if you're going to enlist at some point you *will* be in charge of people and not playing with security in a lab, conducting pen testing, auditing, or remediating. If this is *not* your bag then you might want to think it over.
The problem is that the government has pay grades. Fixed tiers of compensation. Those tiers work fine for most people. They're fucking useless for anyone exceptional that must be paid significantly more.
Why? Regular large corporations do pretty much the same thing with their engineers, and it works fine. They have "Engineer I", "Engineer II", "Engineer III", "Senior Engineer I", "Principal Engineer", etc. When someone gets promoted to a higher level, that puts them in a higher pay grade. Yeah, the corporations have pay ranges for those positions rather than fixed, exact dollar amounts, but the principle is the same. The government could do exactly the same thing.
No, this won't work for positions which are entirely up to negotiation. Most technical positions do not need to be like this. They just need to have pay grades and actually pay competitively with private industry.
Quote me, bitch. ... Can none of you fucks
Yeah, that's a great way to converse with people. Do you talk this way at work?
It's a cute reference to the fact that the 'hacker culture' is full of dope smokers, transvestites, leftists, etc; and the security clearance process itself (if they would even be allowed through it) turns them off so much that the best people either don't apply or are easily hired away to commercial companies (ie: san francisco startups). And in all honesty, having an employer that doesn't give the slightest shit about your personal life makes you far less bribe-able than one that has a lifestyle gauntlet to get in and makes examples of people who get into small troubles after they are through.
The military comes up with lame names.
"Nationalism is an infantile sickness. It is the measles of the human race." -Albert Einstein
Soldiers have the up or out rules that limit there you don't want to lose a good tech guy who does not want to go management or be forced out of the unit due to their rank being too high
Probably the best solution if they insisted upon the new "cyber warriors" being a member of the service would be direct appointment as warrant officers. There is less focus on up or out and the rank is specifically designated as a technical position so there is no risk of being forced into management like with the higher enlisted and officer ranks.
Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
The tiers in corporations are more guidelines. In the government they're pretty inflexible. Which is what the DoD is saying.
If it were really the same then the private sector would enjoy no competitive advantage over the government for competing for top tier labor.
They do. The tier system works quite well for the majority of labor... if anything it over pays most people dramatically. But for top tier labor it underpays them and so they don't accept the job.
As to you eating every last dick, you are attempting strawmen and neither owning up to it nor apologizing. So better get whatever your favorite dick eating sauce is because you have a lot of work to do.
You said this:
"So basically a bunch of incompetent paper-pushers are being given largesse by the rest of the nation, and the economies in the rest of the nation would be better off if they seceded from the federal government, since they wouldn't have to spend so much funding all that waste?"
Quote where I said we should secede from the US government over this issue.
Or apologize for attempting a STUPID straw man.
Or enjoy your bottomless buffet of dicks for being a degenerate.
I even explained why your strawman was unacceptable. You totally missed it all. Could I suddenly in the middle of a conversation start to demand you explain your rampant pedophilia? Not legitimately. But if anyone is allowed to just make up fucking anything even if the other side said nothing about it then that would be as valid as anything.
Repent. You fucked up. Admit it. I will accept your apology and we can move forward. Being proud with me here is not making you look strong, it is making you look dishonest. You fucked up. Own it. Or you've earned your bottomless bucket of dicks.
That's a load of crap, front to back.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
By definition, a special forces team is doing something that cannot be done any other way. So of course they have access to whatever they need... otherwise people die.
Civilian employees (and this is not outside contractors), in contrast, are basically tied to the same government hiring processes as the IRS or the Fish and Game department.
And as long as they treat an elite hacker the same as a fucking fish and game warden, they'll end up with the same lack of talent they have today. And they'll be here again next year, trying to recruit, just as they were a decade ago at Black Hat.
Ironically, they don't consider a good hacker as a tool that can get things done that cannot be done any other way...
Put my post on pastebin because /. was rejecting the post for no reason.
http://pastebin.com/EazdNjdG