Cyber Stars

/* Warning: Extensive over-use of the word “cyber” ahead. */

 

The other day my old friend and colleague Bob Gourley Tweeted:

Random thought: There are 24 four-star flag officers in the U.S. military. Every 4 star I have ever met is really smart. But only one of those 24 has real cyber war experience, and he is retiring soon. How do we change that for the better?

My friendly, snarky-a** response at the time was:

First: Get a time machine

The services have had “cyber” components for several years now, and the US Cyber Command has been active since 2009. But a military officer could have been exposed to what we would recognize as the cyber mission these days at roughly the turn of the century. For the sake of discussion let’s say this was their first assignment out of training. The average amount of time officers spend at various ranks breaks down something like this:

Rank / Time in Service

2nd Lieutenant / 1 year
1st Lieutenant / 1.5 years
Captain / 4 years
Major / 10 years
Lieutenant Colonel / 16 years
Colonel / 22 years

So if our notional lieutenant started her career in cyber in ’99, attended all the right schools, got sufficient command time, and punched all her staff assignment tickets, she might be a G2 (chief intelligence officer) or battalion commander. If she was a “rock star” she may have received several “below the zone” promotions (getting advanced ahead of her peers) and might even be looking at colonel in the very near future.

But…

Time in service doesn’t mean time spent doing the job. The first 4-6 years of an officer’s career are spent learning the ropes. It is probably when they’re the most technically oriented. Once they get a company-level command their life is basically paperwork (and shaking their head ruefully at the shenanigans of the junior enlisted in their charge).

After company command come staff jobs (more paperwork), and higher civilian and military education. Lieutenant colonel is an officer’s next opportunity at command, and where they’re exposed in-depth to sub-disciplines and how to make all those moving parts work as a coherent whole. Then more staff time until colonel, and with luck brigade command.

In 20 years Colonel Duty Bound is a very well-rounded officer, but she has spent less than half of that time actively working the mission.

“But Mike, there were more senior officers who were working the mission back then. The pipeline of experienced cyber officers isn’t so grim.”

True, but you know who I never heard of back then? Paul Nakasone. You know who I did know? Dusty Rhodes (not the other one). “Who?” you ask. Exactly. Then Captain Jay Healey could have been a Colonel by now. Then Lt. Commander Bill Peyton a Rear Admiral. Then Major Marc Sachs a Lieutenant General. My man Bob Gourley could have been an Admiral and running US Fleet Cyber Command by now, but you know what the Navy decided not to do to one of the pioneering officers in the cyber field? Make him a Captain. We’re not lacking in talent, we’re lacking in talent management.

We have been training, equipping, and staffing for the cyber mission – in fits and starts – for over two decades, and yet the cyber career field is still a newborn. To put things into perspective, the Army Air Corps went from biplanes to the B-29 Superfortress and nascent jet fighters in the ~20 years between its formation and the end of WWII. Moore’s Law indeed.

The various service schoolhouses can turn out 1,000 cyber lieutenants and ensigns a year, but there are still only a handful of flag officer billets for service-level and national-level command in the field. To be successful as warfighters in the information age, we have to ensure that “cyber” is an element within every career field. As odd as this sounds, we can’t treat technology, the use thereof, and the associated risks and threats to same, as something special. Everyone has to know something about it. Everyone has to be responsible for it to some degree. Every commander at every level in every career field needs to know what cyber can do for them (and if they’re not careful what it can do to them and their ability to execute the mission).

Success is a constellation, not a supernova.

“Cyber MAD” is a Bad Idea. Really Bad.

I don’t know how many times I have to say this, but nothing screams “legacy future” like trying to shoe-horn cold-war thinking into “cyber.” This latest attempt doesn’t disappoint (or maybe it does, depending on how you look at it) because it completely misses two key points:

  1. Cyberspace is not meat-space;
  2. Digital weapons are nothing like atomic ones.

Yes, like the nuclear arms race, it is in fact more expensive to defend yourself than it is to attack someone. Generally speaking. It’s OK to paint with a broad brush on this point because so many entities online are so woefully inadequate when it comes to defense that we forget that there are actually some who are quite hard and expensive to attack. Any serious colored-hat who is being honest will tell you that they deal with more than their fair share of unknowns and ‘unknown unknowns’ when going after any given target.

But unlike malicious actions in cyberspace, there is no parsing nuclear war. You’re nuked, or you’re not. Cyber-espionage, cyber-crime, cyber-attack…all indistinguishable in all technically meaningful ways. Each has a different intent, which we are left to speculate about after-the-fact. In the other scenario, no one is around to speculate why a battalion of Reds turned their keys and pushed their buttons.

Attacker identity is indeed important whether you’re viewing a potential conflict through nuclear or digital lenses, but you know what excuse doesn’t work in the nuclear scenario? “It wasn’t me.”

Um, IR burn says it was…

There is no such equivalent in cyberspace. You can get close – real close – given sufficient data and time, but there will be no Colin Powell-at-the-UN-moment in response to a cyber threat because “it wasn’t me” is a perfectly acceptable excuse.

But we have data.

You can fabricate data.

You know what you can’t fabricate? Fallout.

All of this, ALL OF THIS, is completely pointless because if some adversary had both the will and the wherewithal to attack and destroy our and just our critical infrastructure and national security/defense capabilities via cyber means…what are we meant to strike back with? How are those who happen to be left unscathed supposed to determine who struck first? I was not a Missileer, but I’m fairly certain you can’t conduct granular digital attribution from the bottom of an ICBM silo.

What is the point of worrying about destruction anyway? Who wants that? The criminals? No, there is too much money to be made keeping systems up and careless people online. The spies? No, there is too much data to harvest and destruction might actually make collection hard. Crazy-bent-on-global-domination types? This is where I invoke the “Movie Plot Threat” clause. If the scenario you need to make your theory work in cyberspace is indistinguishable from a James Bond script, you can’t be taken seriously.

MAD for cyberspace is a bad idea because it’s completely academic and does nothing to advance the cause of safety or security online (the countdown to someone calling me “anti-intellectual” for pointing out this imperial nudity starts in 5, 4, 3….). MAD, cyber deterrence, all this old think is completely useless in any practical sense. You know why MAD and all those related ideas worked in the 60s? Because they dealt with the world and the problem in front of them as it was, not how they wished it to be.

I wholeheartedly agree that we need to do more and do more differently in order to make cyberspace a safer and more secure environment. I don’t know anyone who argues otherwise. I’m even willing to bet there is a period of history that would provide a meaningful analog to the problems we face today, but the Cold War isn’t it.

underrattelser – US style

Ralph Peters’ latest report on improvements in MI. Money graph:

Appropriate technologies can help us – but no database or collection system is a substitute for seasoned human judgment. The key task in intelligence is understanding the enemy. Machines do many things, but they still don’t register flesh-and-blood relationships, self-sacrifice or fanaticism.

Underrattelser: Improvement from below (how Swedes describe MI) covered at John Robb’s site.

 

Inside Dope

Don’t know this particular person, but I know his brothers and sisters and their song remains the same (courtesy of Small Wars Journal):

Morale has become bad enough in the Iraq office that DIA has had to drop the requirement for analysts who deploy to Iraq work in the office after they return. In the last several months, the office has experienced an exodus of many of its veteran analysts. The office remains critically undermanned and short of computers. Analysts have begun to apply for jobs with local county police departments.

You need to read the whole thing.

I’ve said it before but it is always nice to have corroboration: The longer we tolerate industrial-age processes and cold-war mindsets in the IC, the faster it slides towards irrelevance.

Open Source Reform

Thanks to John for pointing this out:

Gen. David H. Petraeus, the new U.S. commander in Iraq, is assembling a small band of warrior-intellectuals — including a quirky Australian anthropologist, a Princeton economist who is the son of a former U.S. attorney general and a military expert on the Vietnam War sharply critical of its top commanders — in an eleventh-hour effort to reverse the downward trend in the Iraq war.

Army officers tend to refer to the group as “Petraeus guys.” They are smart colonels who have been noticed by Petraeus, and who make up one of the most selective clubs in the world: military officers with doctorates from top-flight universities and combat experience in Iraq.

…and this:

Since it appears that I pissed off the “new” establishment when I pointed out that much of his new thinking paralleled my own earlier work.

…which reminded me of an old peeve of mine: external eggs-perts. Seniors love to call in consultants to solve problems. They never bother to ask those actually working the job because how in the world could any kind of original thinking reside in-house? Where do those consultants go for their answers? There is always an academic study or two referenced in the final report but usually the list of suggestions is generated from the feedback that Alice and Bob provided when the eggs-perts came slinking through the workplace to do their survey. Usually the recommended changes aren’t put into practice because they negatively impact the role/power/authority of the people who commissioned the study in the first place (or they’re twisted to argue for a bigger rice bowl) but that’s just another argument for staying in-house in the first place: you save money twice.

There are many wells to tap when you’re looking for solutions and they don’t all come with big price tags and require MBAs (or Ph.D.s) to discover. For Petraeus, that his advisors are war-vet Colonels is gravy; he could have gotten equally good results by tapping a couple of smart young Captains (and SSGs) who were familiar with the GG/Zen/5GW/tdaxp universe. The added bonus being that the youngsters have at least another decade of military life in them – prepping them for leadership gigs in the “long” part of the “long war” – while most of the Colonels will have (Ret) after their names before long.

I understand that busy Seniors don’t have time to do their own research, but in this day and age if they’re not tapping expertise in-house – and exhausting all the open sources of ideas they can – then calling in outsiders who are going to charge for something that is free is waste, fraud and abuse.

Sword, double-edged, one-each

Bloody hell:

Google is talking with military agencies in Iraq after learning that terrorists attacking British bases in Basra appear to have been using aerial footage from Google Earth to pinpoint strikes … Among documents seized in raids on insurgents’ homes were printouts from photos taken from Google Earth that show the location of buildings, tents, latrines and lightly armored vehicles…

[…]

Royal Green Jackets soldiers based at Basra Palace base said they would consider suing Google if they were injured in any attacks in which Google Earth aerial shots were used.

That this is old news and of concern to militaries worldwide is little comfort to the RGJ troopers but that’s a tough break in the information age. I laughed at the idea of soldiers suing those who may have facilitated attacks, but then remembered that they let kooky things like that go on in the EU. Good luck with that, mate.

There was a time, when I was trying to work Iraqi sand out of my own crevices, that Google Earth caliber imagery would have been pretty darn handy, because you’d have been hard pressed to get national-level assets to give you pictures with that kind of quality in a timely fashion. In the age of backpack UAVs I wonder if that is still the case. The skeptic in me thinks it probably is, in which case having access to Google Earth means units on the ground don’t have to rely on dated military maps and too-late satellite snapshots to get an aerial view of the AO that they can mash up with any first-hand info they gather on the ground. Borders, hidden alleys, safe houses, etc., etc.

Turn-about being fair play and all . . .