Future wars may not be fought with boots on the ground or missile-firing drones. Rather, they may be waged through eyes on the screen and fingers on the keyboard. Rick Adams reports on some challenges of finding and developing cyberwarriors.
World War III may not be your grandfather’s or father’s war, and the soldiers who fight it may well be ponytailed geeks with earrings – male and female. The closest they may get to camo is a t-shirt with an obscene in-your-face meme. Little wonder that the traditional military services have to try new techniques to recruit young people who can fight with bytes instead of bullets. Even tough physical fitness requirements may be abandoned to accommodate skinny wimps and overweight hackers who are prized mostly for their mental agility.
Indeed, the Allied victory in WWII owes much to the brilliant mind of Alan Turing, who developed a computing machine with a measure of artificial intelligence to crack the Nazis’ Enigma code (along with several thousand ‘Bletchleyette’ female code analysts). And whether you regard him as a hero or traitor, undeniably Edward Snowden revealed the extent to which Western governments are spying on other governments, corporations, and individuals in today’s increasingly interconnected digital world.
Almost daily we read about computer security breaches. Some are pranks, like reprogramming electronic road signs in San Francisco to read: “Godzilla Attack – Turn Back!” Many are targeted at banks and financial services; last summer hackers gained access to JPMorgan Chase information on 83 million households and small businesses, and more than 65 million Home Depot credit card accounts were compromised. Target retail stores, Anthem healthcare insurance, Sony movies, Las Vegas’ Sands Hotel slot machines, British Airways frequent flyer accounts, Google, Microsoft, schools, political parties … the list of organizations not hacked is getting shorter than the list who have been.
But the highest-stakes hacks are aimed at governments and infrastructure. A 2008 pipeline explosion in Turkey is blamed on Russia-based cyberterrorists. The recent nationwide electrical blackout in that country may also have been nefarious rather than accidental. The US and Israel are believed to be behind the Stuxnet ‘worm’ that wreaked havoc on Iran’s nuclear centrifuges. The group Anonymous has threatened Israel’s electronic grid. China, North Korea, and even ISIS are frequently credited (or blamed) with hack attacks large and small. Indeed, it seems just about every government is either spying on or actively interfering with the computing systems of just about every other government.
Even your personal computer may have been used, without your knowledge of course, as a ‘bot’ in a denial-of-service attack through malware it picked up via an innocent-appearing website or email you clicked on.
Berni Reiter, a pioneer in the field of object-oriented programming tools and advanced database management architectures, said part of the challenge of defending against cyber threats is that too many people, including vendors, have physical access to sensitive data files. “Access to backup files is one of the easiest ways to harvest usernames and passwords, and once you have those you can gain entry to the system.”
She also believes most software in use today – everything from fighter aircraft fly-by-wire controls to government healthcare websites – “uses too many lines of code. It’s been cobbled together over several decades without a lot of discipline. Everything is spaghetti-wired. Every person who touches the code creates a potential source of failure. It’s like a 100,000-page book; good luck figuring out the problem.” Reiter told MS&T “less than one percent of programming code is clean and tight.”
Reiter suggests the complexity of most software enables “back doors” to be easily inserted. “No one will ever find it.”
Michael Gilmore, the Pentagon’s director of operational test and evaluation, said recently that in each of 14 major assessments last year, at least one military mission was found to have “a high risk of cyber attacks.” Among the problems: publication of passwords on suppliers’ websites and regular loss of intellectual property data.
Reiter’s advice is to modernize software development tools and simplify software. Furthermore, she believes that, to expand the skills base of potential programmers, software development skills should be taught as early as the high school level, along with the traditional ‘three R’s’.
Recruiting White Hats
You only need to look at budget requests to recognize what is important to military strategists. And this year, cybersecurity leaped up the priority list. The budget for the US Cyber Command, which is only five years old, rose from less than $200 million a year ago to $562 million in FY15, and is tracking toward the $1 billion range within the next few years. Across all US military services, President Barack Obama’s cyberfunding will exceed $5 billion in the 2016 budget request.
A big part of the Pentagon’s focus is on recruiting 3,000 new IT specialists as part of a 6,200-strong cyberforce. It’s not as simple as promising college funding through the GI Bill. The military and government agencies are competing for premier college-educated talent with Silicon Valley companies, where the pay is much better and the perks more appealing to Generation Y.
“We need to give serious consideration to how … to combine the technical expertise of the ‘Google’ generation with more traditional military skills,” said LtGen Robert Brown, commander of the US Army Combined Arms Center at Fort Leavenworth, Kansas. “They grew up on Google and wear ponytails. We need to look at ways to bring them into the Army without necessarily going through the same training procedures as our combat troops.”
Even the super-secret National Security Agency (NSA) has lost some of its recruiting luster. One prime potential candidate said, “When I was a senior in high school I thought I would end up working for a defense contractor or the NSA itself.” But revelation of the NSA’s tactics, including vacuuming data on American citizens, changed his mind: “I can’t see myself working there, partially because of these moral reasons.”
The NSA needs 1,600 recruits, but they must be US citizens. At Johns Hopkins University, a leading breeding ground, though, the Information Security Institute produced 31 master’s degrees last year, only five of them awarded to Americans.
“If I have to choose between hiring a university-educated CompSci grad or an IT specialist strong in sysadmin, networking, or programming, I will pick the IT specialist every time,” says Jeff Schilling, chief security officer at Firehost, a San Francisco-based secure cloud computing host. A retired colonel, Schilling was formerly responsible for the US Army Cyber Command’s global security operations center.
He says the shortage of cybersecurity professionals, estimated at 200,000 unfilled jobs across government and industry, is due in part to the fact that many senior-level executives “don’t have a basic understanding of what to look for in cybersecurity talent. Compounding the problem is that most professional education paths, in colleges and universities, can’t provide the experience-based training required.”
Schilling advocates integrating cybersecurity into all computer science and undergraduate engineering programs. He also promotes re-establishing the master-apprentice framework first popularized by guilds in the middle ages. He said forensic consultants in Firehost’s mentoring program “were doing advanced work within 6-8 months.”
Computer coding has been inserted into the IT curriculum in UK schools for the first time this year. Thales chief cybersecurity consultant Andy Settle calls this “a fundamental step in helping to foster niche computer science and engineering skills needed to combat the next generation of cybersecurity threats.”
There aren’t yet enough to meet the demand for savvy cyberspecialists, but a few innovative training schemes are being developed.
The military cyber community now has a role in a counterpart to the US Air Force’s famous Red Flag exercises. Known as Bold Alligator, the objective of last year’s scenario was to send Marines on a simulated crisis response in hostile territory. But before they could launch the mission, the cyber and electronic warfare specialists first had to figure out where, when, and how the enemy was expected to attack.
The Office of Naval Research (ONR) devised a “virtual criminal cell” whose goal was to purchase a strategic weapon system and use it to target ships off the coast of Virginia and North Carolina. A unit at Camp Lejeune, North Carolina, used various devices to mimic email exchanges, cell phone calls, and radio communications by the crime cell – all of which were buried in a flood of electronic information much like any modern city.
In the past, cyber specialists trained by sifting through communications from a single source. In the new, more realistic scenario, communications could even be affected by weather conditions or building line-of-sight barriers. Some information didn’t reach Marine commanders in time. Other information was missed entirely.
ONR also used Bold Alligator to test a new Google Glass-like head-up display for ground troops. The augmented reality glasses, based on the R-6 System by Osterhout Design Group (ODG), are capable of displaying data signals intelligence, photographic images, health monitoring sensors, even facial recognition programs.
ONR will use the Tactical Cyber Range concept to help develop cyber doctrine, as well as training and readiness manuals. They also plan the range as modular, portable, and wireless so it can be installed for any training unit.
Israel’s Elbit Systems has provided a cybersecurity simulator to Singapore Technologies Electronics to help civil agency individuals and groups learn how to locate, prevent, and respond to cyber attacks. The simulator is also in use with some of Elbit’s military customers. “The cyber threat on infrastructures is constantly increasing, with significant potential impacts,” said Yair Cohen, Elbit Intelligence and Cyber Solutions leader. The CyberShield training system exposes trainees to simulated security breaches injected into real-world information traffic simulations.
Appealing to the gamer persona of young computer wizards, international security firm PGI, which operates Cyber Academy in the UK, has staged a series of cyber threat analysis challenge competitions in collaboration with government and military personnel. There’s a category for amateur cyber defenders, chosen from six months of assessment, who are given actual industry sleuthing tools to investigate crime scene technology. Participants in a ‘masterclass’ are drawn from companies such as Lockheed Martin and Airbus Group, as well as the UK’s NSA equivalent, Government Communications Headquarters (GCHQ).
The State of Michigan’s cyber-security training department, known as Cyber Range, runs real-life exercises in an “embattled” virtual town known as Alphaville, which consists of more than 100 machines operating across a network of 4,000 miles of fiber optics and a 10 Gb per second backbone provided by the non-profit Merit Network. Alphaville presents varying levels of security commonly found in real-world cities, including a public library, school system, an electric company with vulnerable supervisory control and data acquisition (SCADA) systems, and a police station. A team led by former CIO of the National Defense University, Dr. William Adams, built the classroom environment and live test bed with the goal of certifying candidates to Committee on National Security Systems (CNSS) standards.
Somewhere in New Jersey, a model town of 15,000 people, living in two square meters (they’re apparently very small people), faces a blackout by hackers attempting to break the local power grid. CyberCity has its own military base, train station, hospital, school, bank, café, media, internet service provider, a mock social network called FaceSpace, and the targeted power utility.
CyberCity is the brainchild of Ed Skoudis, who has been inducted into the Military Cyber Professionals Association's “Order of Thor.” Skoudis’ CounterHack company wanted to demonstrate kinetic impact in the normally insulated and sterile environment of electronic operators. “Stuff moves. Stuff could break. People could get hurt,” Skoudis says. “It might look to some people like a toy or game,” Skoudis admits, “but cyberwarriors will learn from it.”