[Dailydave] The Pentagon Staffs up

Mon Jan 28 15:24:01 EST 2013

It seems to me the Pentagon should consider following a USSOCOM/JSOC model towards Cyber. For example, instead of trying to 'be more effective' by just growing the number of Cyber Command billets, focus instead on creating and deploying small teams of cyber operators who work together on specific offensive or defensive missions.  In my opinion nation-state level cyber is (and will remain) a specialty domain due to it’s extreme technical nature across a breadth of disciplines. To be truly effective (in either offense or defense) you need small, cohesive teams who offensively and defensively simultaneously, and up and down the stack. Once the mission is achieved, these tiger teams move on to the next mission, and the Command backfills with (easier-to-hire) technical staff to hold down the fort.

	-irby

On Jan 28, 2013, at 11:20 AM, Dave Aitel wrote:

> http://www.nytimes.com/2013/01/28/us/pentagon-to-beef-up-cybersecurity-force-to-counter-attacks.html?_r=0
> 
> Notably, they don't do all this staffing actually AT the Pentagon, where they'd get to fight every contractor already trying to staff up, and where people would get to enjoy the traffic. :>
> 
> As part of the expansion, officials said the Pentagon was planning three different forces under Cyber Command: “national mission forces” to protect computer systems that support the nation’s power grid and critical infrastructure; “combat mission forces” to plan and execute attacks on adversaries; and “cyber protection forces” to secure the Pentagon’s computer systems.
> 
> It's interesting they're building a team to secure critical infrastructure before the groundwork has been laid legislatively to use that team. 
> 
> Also - everyone focuses on "how to recruit X number of people", but forgets that the Government doesn't really need huge farms of rock star hackers and in fact, they prefer not to have them. Good technologists who can work in a team are eminently findable and much more valuable. 
> 
> Realistically, their problem is more managerial than technical. This is a young field, and it's hard to find people who have the security experience and management know-how (and actually want to do management). Your basic Java program manager can't hack it (pun intended).
> 
> But without that, you're going to be building the tools you need today, rather than the tools you'll need tomorrow. It's a fatal flaw in most cases. Literally, in this case.
> 
> -dave
> 
> -- 
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20130128/a6926b5e/attachment.html>