Share and discuss this blog

Monday, January 23, 2017

To fight a Cyber War we need to train more people

I am of the age where the major preoccupation in my youth was avoiding having to go fight in the Viet Nam War. Ironically, during those years I was supported in my work by the U.S. Defense Department (DOD). I justified doing this because I wasn’t helping anyone kill anyone. If my work was to be useful to DOD at all, it would be helping us defend ourselves.

But now I am working with DOD on offense. What happened?

In the last year I have become more involved with cyber security. Why? I, and the people who work for me, primarily build online learn by doing courses (using live mentors to help when students are confused and to provide feedback on their work. When the DOD began talking to me about building a cyber operations course for them, I was interested. Developing new ways to learn is my business after all. So, I listened. I interviewed hackers employed by DOD and other federal agencies,  attended DefCon (a hacker convention held in Las Vegas) and over time I recognized what plenty of other people already knew. 

Here are some recent news stories I found about cyber attacks:

Today: Lloyds cyber-attack details emerge

Today: As attacks grow, EU mulls banking stress tests for cyber risks

Two weeks ago: Ukraine power cut 'was cyber-attack’

Two weeks ago: London NHS hospital trust hit by cyber-attack

Two weeks ago: Indian banks are waking up to a new kind of cyber attack

Three Weeks ago: U.S. Grid in ‘Imminent Danger’ From Cyber-Attack, Study Says

This is a serious issue and I want to help. We are, right now, building a course in cyber security. The Pentagon has a serious problem. Here is what Frank DiGiovanni, the Director of Force Training in the office of the Assistant Secretary of Defense for Readiness has to say: "The security of our nation is at stake. I think it’s imperative for DoD to embrace the hacker community because of the unique skills they bring to the table. They want to serve and contribute, and the nation needs them.”

This is from

DiGiovanni built an instructor led course, but there are limits to how many people can be taught face to face. Lecturing is not a really effective method for learning how to do something. We learn how to do things with one on one mentoring and we learn from trying and failing. 

DiGiovanni knows this:
“We infused the course with sociology, ethnography and anthropology.… You don’t conduct an assault on the enemy if you don’t know the terrain they’re in, what surrounds them.”

The social science disciplines help students better understand who they’re up against and why. Those facts can then be aligned with what we know of adversary’s signature techniques, tactics, and procedures.
“Techniques give clues about who they are and could also tip off what you’re after,” DiGiovanni says. This includes the way adversaries might seek to cover their tracks. For example, Russia adapted the concept of maskirovka – literally, masking –from conventional battlefield usage and applied it to the cyber arena. Students learn to identify the tactics of different adversaries, as well as the techniques that can be employed to cover one’s tracks. They have to become adept at identifying what the adversary is doing as well as executing their own cyber missions without leaving digital fingerprints in their wake.

“The biggest complaint about journeyman-apprentice is: It doesn’t scale,” DiGiovanni says. That makes it more costly and slower, compared to traditional teaching methods. Journeyman-apprentice is another core concept built into this course.

DiGiovanni doesn’t want to ditch the approach, just find a way to make it more efficient.

So, DOD contracted with my company to build a course to train tens of thousands.

We will help the military fill its large need for hackers by creating hackers. DOD wants to teach offense and defense. We can’t just simply sit back and defend, we have to frighten the enemy to stop as well as get into their systems. This is a lot like building missiles to defend against missiles.  

It crossed my mind that I could re-employ the defense part of the course and use it to train people who work for companies that may be subject to attack. I discussed this with one of the hackers whom we rely on as an subject matter experts in our course. I was told that I had it wrong. In fact, I had a lot wrong (after all why would I know?) 

Some stuff I (and most people) had wrong.

  1. Students would need to be people who can program (not true)
  2. Companies can hire the people they need. (They can’t be found)
  3. There must be some existing courses to train more (There are but they are short, or lecture based, or generally like most courses that try to teach complex skills quickly without using learning by doing with lots of practice and help.)  
  4. Businesses need defenders not attackers (This is completely wrong because some of the best cyber people are penetration testers who break into their own company’s systems to find out where they are vulnerable.)

We have developed just enough right now to be able to try it out on people who want to help. We are finding the oddest of people who want to do this (a massage therapist, an acupuncturist (OK, she was a computer scientist before she retired), a recent H.S graduate taking a gap year, and the former head of research at a big consulting firm. They are getting good at this and love it. (You need to be someone who gets into complex puzzles and generally thinks breaking into things is fun.)

We have a public website (which is changing very day) if you want to see more.

Below is a something from the first page of the course which lists what students will learn to do:

I am excited about this because I think it matters. Personally, I like having electricity and knowing that my money is secure when I use a bank.

No comments: