How about the NSA?
I wonder how their guys would do against these two teams, with all this crazy stuff like Stuxnet at their disposal...
The US military held a series of online war games to pit reservist hackers against its active-duty cyber-warriors – and the results weren't pretty for the latter, we're told. US Military hacking team "Have you tried turning it off and then on again?" "The active-duty team didn’t even know how they’d been attacked. They were …
They'd compete but then they'd have to kill everyone.
The CIA would also compete but then they'd drone strike a school, nowhere near the competition.
I would imagine there is quite a disparity between the regulars and the reservists in terms of education and pay.
In addition, regular soldiers begin their training with discipline, standard operating procedures (SOPs) and do everything by the book; on the other hand, the reservists have probably finished university and have achieved a great deal in their working lives by thinking outside the box.
Also, the kind of guy that joins the military as a youngster is unlikely to be much of a nerd. Having been in the British army, I can tell you that few nerdy types last more than a week or two in basic training, whereas someone who does make it to be a trained soldier and then goes on to become a techy is going to have had much less time to practice Nerdism, particularly in his teens when most people do their best thinking.
On the gripping hand, if the IT bunker is overrun by hordes of fuzzy-wuzzies your average nerd is going to be rather less help in the grabbing a rifle and bayonet and getting stuck in department.
They don't like it up 'em Mr Mainwaring.
up vote for the 2 references.
The other point is, it is much easier to attack IT installations than it is to secure against such attacks.
We are currently certing a new product for security and the tools for attacking the network are plentiful, finding and plugging all the holes is another matter.
A valid point, but not critical, as the bases that the US troops operate from are very well defended indeed. That's if these higher-level tech staff need to be on the ground at all.
More important, I would have thought, is that the military absolutely want the people charged with maintaining the security of their system to be 100% loyal and willing to do what they are told. Last thing they want is a potential Edward Snowden on board.
Basic training in any armed force is based on stripping out the personality and implanting a compulsion to follow orders to the point where people would rather run at a gun-toting enemy than risk censure from their own side.
I reckon this process kind of stultifies creative thinking to a large degree.
On the hind leg, pot-smoking nerdites let loose and given free rein to humiliate the government's best are going to be well motivated and probably discarding more ideas than the army guys are even going to have.
Having worked for both regular and reserves, I can say there is not much difference in the training and expectations for the troops in the different commands. The point about outside experience is more pertinent. Really though, while it has been rightly mentioned that there is a huge difference between defense and offense, what is missing from the discussion is how the military actually functions when it comes to IT. Most of it is handled by contractors who are told what to do and how to do it by someone, often a civilian, who probably is not very technically inclined and has to trust someone else, often someone who works for a competing contracting agency, for information on which a decision can be based. Yes, it makes good headlines to hear about the AR Red Team's victory and I am sure someone got a wonderful dressing down. Will it result in meaningful change (which is really the point of these exercises)? Who knows?
Maybe for British recruits. But one of the frequent complaints from the Russians is that studying US SOPs is useless because as soon as the guys get on the front lines they throw the book away.
Seriously, this just means Israelis are currently commandeering the sprinkler system of the general in charge from their secret Jewish location.
If you don't believe me, check the field manual!! :)
"Sir!, yes sir!! I have confirmation that the power strip is plugged into an operational 110 watt 13 amp outlet!! Shall I proceed?!"
A bit more like:
"Sir!, yes sir!! I have confirmation that power strip PSN 194-q73-xdlol49jz rev 1.022135 Aug 4 2014 is plugged into an operational 110 watt 13 amp outlet PSN 227-tp401dx257 rev 71.10937 Dec 12 2009 as per tech order AJBP- Electrical subsystems for computer systems general qpdll77291 rev Apr 21 2014 pages 231 thru 762, with installation ticket aj7-d and troubleshooting ticket pp4u2 properly filed in triplicate!!
Shall I proceed to tech order AJBP-annex 47 utilizing the on/off button of series 581 through series 1762 desktop computers rev May 3 2014 pages 112 through 976, SIR?!"
There, that looks about right for proper military protocol.
Thank Zeus I'm not the only one here who knows Ohm's law :)
One: clearly, maintaining a full-time force to do this sort of work is a huge waste of resources. We don't have the expertise to train them, or the recruitment processes or the budget to attract the right kind of people. We should get the reservists to do this work instead, possibly rotating people into service for no more than one-month stints away from their regular jobs, so that they don't get marginalised to irrelevancy within their civilian work.
Or two: clearly, we need to massively upgrade our in-house military capabilities by paying more, expanding the pool of recruits, and buying newer, shinier kit and training for everyone. In short, we need to quadruple the current budget.
I wonder which way they'll go?
Unless the army has suddenly learned how to train 'fun' then I don't think they will ever be able to match a civilian who is interested in such things to the degree where they become expert.
Echo Mirage ftw
Seriously, the army is recruiting from a totally different talent pool.
Towards the army team
The army just got reamed!
The winners are now on a watch list.
Am I the only person that imagined real hackers taking on the puppets from team america here?
Puppet Commander: God help us, Intelligence tells us that we're under attack! The enemy are sending in roflcopters...man the AA guns.
Puppet hacker: I watched CSI last night, they wrote a visual basic app to trace their IP address. I'm on it...SIR!
Puppet Commander: Send an order to the engine room. We need more firewall ASAP. Pile it up high team and let it burn brightly. I want the enemy to see it. Change the alert bulb to red!
Puppet engineer: Aye sir!
Puppet Commander: *lights cigar and sips brandy* I've got them right where I want them.
Puppet hacker: A strange message has appeared with a cryptic message on my screen. It wants to know what the fox says?
Puppet Commander: Run the message through Intelligence immediately.
Puppet SIGINT: Sir, it would appear the fox says pa pa pa pa pa-p pow.
Puppet Commander: If what you say is true, then we're all going to die.
Meanwhile at the legion of doom...
Hacker 1: lol they have vnc with no password.
Hacker 2: rofl inorite im already on and typing messages in notepad and ive changed the desktop to a jolly roger. Lmao!
Hacker 1: *yawn* lets play some Quake this is lame.
The current operating concept is that to be a good defender, you need to be a good attacker. While that sounds right, not sure there is any evidence it is right.
The role of defender is actually a lot more structured and a lot more disciplined than the role of an attacker and there is little or no evidence that taking time to be trained up to do attack (as opposed to understanding how attacks are done/happen) takes away too much time from learning to configure networks, secure applications, monitor for anomalous behavior, etc...
There are so many ways to attack a network that it is very unlikely that anyone can know them all and, frankly, the attacker only needs one success while the defender can stop thousands of attacks but fails if there is one discovered vulnerability that is exploited. Spending a lot of time learning exotic attack methods won't help if the attacks are coming in on mundane paths you didn't think were important.
"There are so many ways to attack a network that it is very unlikely that anyone can know them all and, frankly, the attacker only needs one success while the defender can stop thousands of attacks but fails if there is one discovered vulnerability that is exploited."
And that is why my sympathy goes out to Infosec! It's a thankless job that will eventually land you in the doghouse even if you were 99.999% correct.
If you don't know the myriad of ways that something can be taken down and, more importantly, the principles of how those ways work, then you will never understand how to put up a defense. Period.
Yes, there are lots of ways to configure networks and "secure" applications. There are even plenty of industry "standards" for what you should do. What's lacking are people who understand WHY those standards exist. If you know WHY, then you can make an informed decision on how to lock things down while understanding the areas that are just completely missed.
"The best defense is a good offense" has always been a crock. Defense is hard. Any juvenile delinquent can wreck something. It takes self-discipline, commitment and maturity to make something safe against destruction. If DoD wants to continue with an "offense-first" approach, maybe they need to change their name from the "Defense" back to the "War" Department. Give the "cyber defense" role, along with all the (100's of billions of $ in) funding for it, to a civilian agency like NIST in the Commerce Department that can recruit the most effective resources from academia and the ranks of seasoned private industry IT (vendors like MS or ORCL need not apply -- we need operators, not snake-oil sales people) to meet the real challenges we face, instead of a trumped-up "wargame" that the kids still couldn't win.
Tell me, if "Any juvenile delinquent can wreck something" then why does the term 'Penetration Testing' even exist? Why do private firms hire PenTest firms to probe their security for them, and suggest ways to plug the holes they found?
One of the most basic forms of security testing has always been breaking in, whether that be digital systems or physical. Try PenTesting your own house. Step outside, and try to break in to your own house. Put yourself in the shoes of the attacker.
It reveals obvious oversights that might not've been so obvious from the defender's shoes. It will keep you from doing silly things like buying new expensive locks for your doors, when you discover your son/daughter's window regularly remains cracked and is easy to open and slip thru.
Or buying a 'spensive new firewall when your VPN's Anonymous account was never turned off and still authenticates.
What the world needs is a good operating system with no vulnerabilities and no exploits.
There's that provably correct microkernel that just got released into open-source recently; perhaps it's a start...
This happens pretty often. The Guard and Reserves generally have people with a decade or more of experience and a similar amount of time working with each other. They are up against a Regular workforce that moves every two years and is highly tilted to inexperienced newbies and careerists. What happens is that the reservists usually win the first year's competition and then the Regulars' brass rejiggers the playing field to favor the Regulars.
You know, like Blackwater. Where is it written that those in cyber-warfare need to be in uniform?