Cyber Village People

It takes all kinds to make the world go ’round…or a village to raise a firewall, or something like that. Yet when it comes to the training, equiping and deploying a government workforce for things-cyber, why, why can’t we stop stepping on our tricks?

There is almost certainly room for efficiency with regards to staffing IT positions in general. Every discrete entity will claim some form of “special-ness” but TCP/IP doesn’t discriminate based on Service or mission. The amount of customization and specialization needed in any given org doesn’t justify effectively replicating the same IT org over and over again.

Is every IT generalist going to ease into a CNO position just like that? Of course not. Training is in order, but if you want both a trained AND cleared workforce, this is really your only answer. The latter item is the true value of this proposal, because there is no shortage of people with CNO skills; there is simply a shortage of people who are either clear-able or willing to be cleared.

A more subtle factor in play, though I doubt it will be carried out effectively to any scale, is the injection of defensive thinking into the offensive world. The problem with the CND-CNE/A divide is that everyone specializes in their “thing” and thinks they know what the other side is all about, often forgetting that advances in both sides march ever onward. Everyone thinks the other guy has it easier than they do. Putting both sides in a room to battle over a specific security problem is like deciding who bats first; one hand over the other till someone clearly comes out on top. ‘If you did X, I would do Y. Well if you did Y then I would do Z.’ The end result – assuming everyone involved is a true expert – is that defenders realize they can’t stop a given attack and/or attackers realize they can’t get past a given defense.  I’ve seen it work, but only when everyone checks their attitude and parochialism at the door.

Good luck with that in the government bureaucracy.

Finally, I’m tired of hearing about few “world class” people we have on the roster, or that there is a number we can pin to “world class” talent period. Really? Who defines “world class?” The CIA? GCHQ? Guinness? Was there a census taken? Did we test everyone who claimed ‘1337 $killz?  What exactly would an order of magnitude increase in very-high-end talent provide us? If you put three engineers into a room and ask them to solve a problem did you know you’ll get five answers? Shouldn’t we be focusing _less_ on human resources and more on how we can make computers (which, oddly enough are really good at high-volume, high-speed, complex tasks) do more of the heavy lifting for us?