It seems to me the Pentagon should consider following a USSOCOM/JSOC model 
towards Cyber. For example, instead of trying to 'be more effective' by just 
growing the number of Cyber Command billets, focus instead on creating and 
deploying small teams of cyber operators who work together on specific 
offensive or defensive missions.  In my opinion nation-state level cyber is 
(and will remain) a specialty domain due to its extreme technical nature 
across a breadth of disciplines. To be truly effective (in either offense or 
defense) you need small, cohesive teams who offensively and defensively 
simultaneously, and up and down the stack. Once the mission is achieved, these 
tiger teams move on to the next mission, and the Command backfills with 
(easier-to-hire) technical staff to hold down the fort.

        -irby





On Jan 28, 2013, at 11:20 AM, Dave Aitel wrote:

> http://www.nytimes.com/2013/01/28/us/pentagon-to-beef-up-cybersecurity-force-to-counter-attacks.html?_r=0
> 
> Notably, they don't do all this staffing actually AT the Pentagon, where 
> they'd get to fight every contractor already trying to staff up, and where 
> people would get to enjoy the traffic. :>
> 
> As part of the expansion, officials said the Pentagon was planning three 
> different forces under Cyber Command: “national mission forces” to protect 
> computer systems that support the nation’s power grid and critical 
> infrastructure; “combat mission forces” to plan and execute attacks on 
> adversaries; and “cyber protection forces” to secure the Pentagon’s computer 
> systems.
> 
> It's interesting they're building a team to secure critical infrastructure 
> before the groundwork has been laid legislatively to use that team. 
> 
> Also - everyone focuses on "how to recruit X number of people", but forgets 
> that the Government doesn't really need huge farms of rock star hackers and 
> in fact, they prefer not to have them. Good technologists who can work in a 
> team are eminently findable and much more valuable. 
> 
> Realistically, their problem is more managerial than technical. This is a 
> young field, and it's hard to find people who have the security experience 
> and management know-how (and actually want to do management). Your basic Java 
> program manager can't hack it (pun intended).
> 
> But without that, you're going to be building the tools you need today, 
> rather than the tools you'll need tomorrow. It's a fatal flaw in most cases. 
> Literally, in this case.
> 
> -dave
> 
> -- 
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
