Recently, you’ve seen me posting some blogs about wanting to join the military. My chances are slim to zero, but all of you need to stay tuned. While it may not be me, there is a wave coming that you all need to pay attention to.
Let me explain something. Information and cyber warfare are a REAL thing. Recently, cyber was declared the fifth arena of warfare to join land, sea, air, and space. In 2010 or so, US Cybercom was stood up. I’ve been essentially working under them as a contractor since about that time, give or take. I’m not one of those clandestine Snowden folks – my job is not that exciting. However, there are elements of my job that are very relevant to the conversation. For years, I worked as someone who works to “harden” systems.
For example, I try to tell people I am a glorified security guard in IT. To make an analogy, imagine you are a security guard of a giant warehouse with 6 million windows. Your job is to ensure the windows are closed to make sure no cyber ninjas can get in the windows. Additionally, you work to patrol the perimeter, maintain the cameras, build tools to automate your job, etc. This is in the defensive realm of cyber. Being very, very good at this will probably stop 99.99% of would-be attackers. You have multiple layers of defense, and you maintain cutting-edge enterprise-level tools to ensure compliance to standards.
This career is one of so many in IT security. There are the badge makers, the paper pushers, the tool folks, the incident handlers, the forensic people, the penetration testers, the list goes on.
Now that I’ve discussed a little background, I wanted to talk to you about how these folks can help our military.
For the past 80 years or so, our militaries have had direct commissions for personnel such as doctors, lawyers, chaplains, engineers, and most recently, cyber techs. The latter is a relatively new concept. I’m seeing how branches of the services have programs for cyber now, but mostly these are to get young officers and train them for extended periods of time to grow them into cyber warriors. This can be highly effective with your Air Force Academy and West Point graduates over the course of 5-10 years.
However, at issue is the skills gap and getting top-level personnel immediately.
For example, if you had 500 lawyers in your JAG and needed 3,000 – you would simply try to direct commission more of them. Trying to get personnel to go to college, then law school, then hopefully passing the bar could be seven years. Doctors perhaps 8. Senior level IT ninjas? 8-10 years. The problem is IT is so big and vast of a discipline, it takes a lot of years working in big organizations using a lot of tools to connect the dots to understand enterprise-level IT and how it all works like a finely tuned machine.
Of issue, the thought is you can just train someone in 6 months to run a tool. Yes, you can. But that person then does not have an appreciation of the other 38 IT disciplines at virtually any level. You can then teach someone to program. But what does that help if the person has no idea what to do with the tools that can affect an enterprise?
Moving forward, let’s discuss information warfare, and why it’s a big deal – today.
Back in Vietnam, they dropped a lot of “dumb” bombs. “Bombs away!” I used to play a video game on Intellivision as a kid called “B52 Bomber”. You’d basically fly over targets and drop them in anticipation of hitting a target.
With Desert Storm, we all started seeing smart bombs, laser guided bombs, and stealth bombers who deceive radar. Some things you may not have heard about:
- Radar replay. If you are able to “hack” an enemy’s systems, you can record radar information over a period of time, then play it back. Then, you fly in your entire air attack and the enemy is blind. I read somewhere that this was in effect for the Iraq invasion. I also read the Israelis did this to the Syrians when bombing suspected nuclear facilities.
- DoS and DDoS attacks. The Russians apparently were good at this and in 2007/2008 with Estonia and Georgia, took down banks and emergency services. So when Russia rolled into Georgia in 2008, no one could alert anyone because emergency services were down. Can you imagine that? A tank rolling down your street and your instinct is to dial 911. And it’s down. They also crippled Estonian banks for days. If you want to attack the US, you can’t defeat our tanks and 20 aircraft carriers – you go after our critical infrastructure and monetary systems.
- Satellites. What about an enemy shooting down our satellites? Jamming? Hacking? How are satellites used within the defense sectors, and how are we protecting those assets? How can they be exploited? When we are using $1 million smart bombs to take out a hut in a desert, our entire system is based off of our ability to coordinate information technology in conjunction with satellites.
- Psy Ops – one thing I read also was that in 2003 or so, we hacked Iraq’s “secret” IT network, similar to our “SIPRNet”. From here, we then sent emails to all of their highest ranking generals and colonels to give up, and gave them instructions on how to surrender. Imagine sitting there at work reading emails one day and you get this shit that an attack is coming in the next week, and here are the 5 things you can do to NOT DIE.
Furthermore, our entire military is highly dependent on information systems to work correctly. Often, the military relies on civilian and contract personnel to help with these missions. But what happens when you have some highly capable civilian and contract personnel who could help out the military on that side of things?
Up until this past year, you were to be of a specific age, then go through boot camps or OCS or the like to get in the military at the lowest ranks, then spend 8-12 years to try and work your way up the ranks. While this might work for 99% of all military jobs, this is not necessarily the best way to get top IT talent in your ranks. So, recently, they changed some things up to increase the ranks people can come in at, dialed back the ages, and allowed for more direct commissioning. It’s still in its infancy, and I can tell you – if this is opened up further after their trials, you might have some serious, serious individuals trying to serve their country.
I want you to really think about how people can attack America today. Unfortunately, there are endless possibilities which are part of the reason our defense budget is $700 billion. But I want you to REALLY think about it. How do you attack us, effectively?
- We bring in $4 trillion in tax revenue, $700 billion goes to our defense budget
- We are highly dependent on electronics for everything, and rarely use cash today.
- Our country is highly dependent on social media and this can highly influence a vast majority of our voting populations
- Our companies are highly dependent on computing tools to be efficient in work.
What’s of interest is we’ve been attacked in the cyber realm for the last 10-15 years and many of you don’t know about it. At issue is that more tanks cannot solve this problem. Tanks are nowadays an “analog” solution to this digital problem. Most serious is that attribution is the problem in information warfare. Consider the following:
- China had attacked us for proprietary information for the last 15 years. An operation called “Shady RAT” showed that China had used the power of their government to infiltrate US companies and steal our intellectual property. This, in turn, creates cheaper competition to our American products and thus harms our country’s tax base. This could lead to big companies losing billions, which then may have them laying off hundreds of thousands of employees or closing. Slowly, this erodes the tax base over years and creates massive deficits to which – the US borrows more money from China. China has lent money to tons of countries lately, and when they can’t pay, China will then leverage this for properties or trade. Check out their moves with the new and improved “Silk Road” and their movements into Africa. All the while, China denies it has any involvement with these thefts. And we can’t prove it, and even if we could, there’s nothing we can do about it other than – invading them? Sanctions? Electronic warfare retribution?
- Destabilize our political systems. While many of you on the left think that Donald Trump conspired with the Russians to steal an election, the same number of people on the right feel Hillary Clinton worked with Fusion GPS (Russian) to create a fake dossier to then frame Trump. Unfortunately, the biggest win here is Russia playing to both bases to destabilize our political systems. Get this – if the Supreme Court nomination process was delayed until you could review 300,000 documents, it’s quite possible the delay would go until January. If Democrats took over the House and Senate, two things could happen: 1) They could refuse to even let the Supreme Court nominee get to the floor for vote. This would mean with 2 years left, the president would be unable to appoint his nominee. 2) The Democrats could continue the impeach/removal process based off of suspicions of Russian Collusion. 3) If both 1 and 2 happened, it would be roughly the equivalent of a Coup D’Etat orchestrated by the Russians 3-4 years earlier. If Hillary won, they spin up the Fusion GPS narrative to take her down. This is part of information warfare, folks. Russian shell companies have created ways to influence our people using platforms like Facebook as the delivery method.
- ISIS recruits using the internet. They have been successful using the internet for propaganda. I believe we are now in this business of creating fake places online to then understand who the hell has interest in this and get them before they join.
How are we vulnerable?
- Everything we do in this country is based off of electricity and trust. If you destabilize our power grid, destabilize our stock market, and destabilize the information from “trusted sources”, you then have a good shot at damaging our democracy
- We are highly dependent on successful stock markets and tax money to pay for our military. If you can affect tax revenues, this can either have a country like ours spending less on military spending and/or have us borrowing more from countries like China.
- News. It is no secret that a lot of our news outlets lean heavily to the left. Years ago, the news was more unbiased and personal commentary on news was much more rare. While the stories leaned left, the personnel tried to keep the appearance of being unbiased. Today, if you read just about any news outlets, not only are the stories heavily to the left, but the wording also is chosen to portray heavily left leanings. I strongly believe that other countries have seen these biases and this has led to more of the “fake news” (on both sides) that is used to split our country up more. While our president may have issues (to some), our news agencies have zero issues running any form of salacious story with the end goal to be death by a million pin pricks. Other countries like Russia have been exploiting our heavily left leaning folk with red meat and fake stories to foment a form of revolution. I have often thought of our news as the “Fourth branch of government”. Our free press is essentially another check and balance on the government. But, the government should also be able to check and balance them. I’m not talking about censoring the press – I’m talking about when stories of national defense come into play – that attribution MUST be attributed.
- Our companies. We have very large multibillion dollar companies that might spend the bare minimum on cyber security. They have to show profits to their stakeholders. If they bring in $50 billion with revenues, what do they care about $100 million being stolen? So – I’ve seen this first hand – private companies spend the absolute bare minimum on cyber-related initiatives because it is seen as somewhat of a nuisance cost. The problem is this: these massive companies risk losing their intellectual property, competitive edge, and customers when/if breaches are discovered. The bigger problem is many of these companies have no idea they are breached. This is a 10-20 year war on our private industry – launched by other countries’ nation-state resources. So, you might have a building in China with 700 hackers focused on taking down parts of our top 50 companies in the world. This is their military mission over the next 20 years. And you have Steve and Bob in IT responsible for securing a $50 billion company with a budget of $3 million. Think about what happens one day when our top 50 companies are hit with a cyber attack simultaneously. Think about how that will be a digital D-Day. What happens to our banking… our stock market… our 401ks… our tax revenues? Tanks, jets, and bombs cannot help that fight.
What I’m trying to say is that the warfare of the next 50 years has nothing to do with tanks. It has to do with protecting our digital assets, electronics, and our democracy as we know it. I have seen articles where we are so desperately needing “cyber warriors”. Well…..many of us are ready to step up and answer the call – but you might have some age limits in place, and you might worry about my 2 mile time more than is necessary for me to help defend your top 50 companies.
I’d suggest our military’s next “big move” is an initiative to assist our large companies with defense. You do not understand this one concept: Apple is not protected by the DoD. Yet every country in the world is attacking them daily to get their intellectual property, talent, and trying to destabilize them. And Amazon. And Walmart. And Exxon. And every other company that has cash.
Of most issue is attribution. Countries will just say things like, “oh, it was rogue hackers that have nothing to do with us”, yet they will not turn them over to us for prosecution.
What if we KNEW someone was attacking us? What do we do about it? Sanctions? Bombs? Trade barriers? Our policies aren’t even created to deal with this shit yet.
So – if you own a company, who is protecting you? Steve and Bob? How do you even know they have a clue what they are doing? Can you even trust they know if you have been hacked? Why isn’t someone doing something to help protect you?
Last thing: I believe this can be a difference maker to KEEPING companies in the United States. Allow US-based companies to “opt in” to being protected by the US Department of Defense. Once doing so, they can be put in a DMZ of sorts and their servers be protected behind firewalls and tools. Personnel can be screened at a higher level. They might get access to better tools, security technical guidelines to harden their systems, and perhaps access to immediate help in detecting attacks. Currently, if you feel there is an attack, perhaps you report it to the FBI. How long until they show up? How long is their investigation? How long until someone can be prosecuted? How long until they (if at all) are extradited? What will a breach do to your stock price, if reported? With DoD immediate assistance with a hotline, a team can immediately review logs, cease traffic from addresses, or better yet – perform offensive operations against the suspected target. Think about that. Someone from x country is attacking you in a highly sophisticated manner and stealing your information. A call to the bat phone reveals the location of where it’s coming from. DoD then neutralizes the threat within 25 minutes.
No enemy can create enough tanks to beat us on the war field. They cannot outspend us on tech. They can:
- Steal our tech
- Steal our money
- Target the source of our wealth (companies)
- Target the source of our operations (electricity)
- Target the source of our free market system (democracy)
Most of you don’t realize this, but we’ve been at war with much of the world for the last 15 years in a shadow cyber war and more tanks aren’t the answer. The answer is information/cyber warfare, and we simply don’t have the time to wait a decade to grow our ranks organically. I don’t think my age being 1 year over the limit or 2 mile run time being 3 minutes slower than the minimum time really has anything to do with my capabilities in this arena. Yet that is still the thinking of today.