If CyberCom Can’t Beat Reservists, Why Not Split NSA?
ArmyTimes has a story about how CyberCommand service members took on a team of civilian reservists in a cyber war game last year, the civilians handed the active duty team their ass.
When the military’s top cyberwarriors gathered last year inside a secretive compound at Fort Meade, Maryland, for a classified war game exercise, a team of active-duty troops faced off against several teams of reservists.
And the active-duty team apparently took a beating.
“They were pretty much obliterated,” said one Capitol Hill staffer who attended the exercise. “The active-duty team didn’t even know how they’d been attacked.”
ArmyTimes uses the shellacking to raise questions about the mix between active duty and reservists CyberCommand should be using.
But it seems the exercise ought to also undermine one justification for keeping NSA’s Information Assurance Division, its spying, and CyberCommand unified.
One argument behind doing so is that’s the only way to make the appropriate measure of which vulnerabilities the government should sit on and exploit for their own spying and offensive capabilities, and which they should disclose and patch. The unified CyberCommander — first Keith Alexander and now Admiral Mike Rogers — are the only ones who can appropriately measure the trade-offs.
If the military hierarchy — and the article suggests the hierarchy is part of the problem — doesn’t serve the understanding of cyberwar very well, then how is the guy at the top of the hierarchy going to be best able to understand the trade-offs? If his subordinates don’t “even know they’d been attacked,” then how are they able to judge what exploits might be attackable?
Everything about this article, particularly the complementarity of the civilian and military skills it describes, suggests we’d be better served by having some who recognizes an attack as an attack in charge of keeping our networks safe.
In how many different ways can the NSA show that it is incompetent in signals intelligence before someone grasps that it is the very monster size of its budget and personnel relative to the task that is the problem. And the whole conception of the necessity for cyberwar. The notion of cyberwar is as seductive as that of nuclear weapons. But nuclear weapons turn out to be fundamentally useless as a means of policy unless you are the only one with nuclear weapons and you never use them. Otherwise, they are a threat in themselves (see John Oliver’s “Nuclear Weapons”) and a source of continued conflict (see Iran, North Korea). Likewise, the idea of cyberwar and exploits have so captured the imagination of a generation of programmers that the internet is slowly becoming unusable.
The fact that these offensive cyberwarriors fail against outsiders should give folks pause about the situation if the President ever decided that a cyberwar strategy was part of what was needed. Indeed, look at the blowback from StuxNet.
My question is who are the outsiders? Do they to work in our National Security State Protecting the Homeland from Terrorists? Not the same as Van Riper smashing Rumsfeld’s “winning” war game strategy in the summer of ’02 yet proving the Peter Principle as our government pays its employees salaries that pale in comparison to what Snowden was making working for Booz Allen doing the same thing he did for the CIA when he was on the governments payroll. Is the NSA’s outsourced dollars paying a better cyber hacker to work in Hawaii then to commute to Ft. Meade? Those cyber security “hackers for hire” can, as Snowden “alleged”, hack the President, just because. And there ain’t a damn thing the CIA can do about it.
No, no, no. These are government programs we’re talking about. The takeaway from the results of this test “war” is pretty simple: need to double the funding and dramatically expand the program. Can’t have a system that could be defeated, after all, so if it can be defeated that only means we haven’t hired enough consultants and thrown enough bodies at the problem.
Ah, the ‘mongol horde’ solution in project mismanagement.