Tuesday, August 24, 2010

Recruiting "Hackers"

We'll leave aside the whole issue of nomenclature - the hackers/crackers dichotomy - and just get to the meat of the problem.  The DoD, the entire U.S. government really, is in desperate need of experts in information security - the folks commonly known as hackers.  That need led to the creation of CYBERCOM to act as the nation's defensive bulwark against computerized intrusion and to develop some sort of offensive capability.  To attract young people with the right skills, the DoD sponsors competitions to find and develop potential recruits.

All that is fine.  The problem is that the military doesn't really get how to recruit and retain the people it needs.  Adam Weinstein points this problem out, but at the same time manages to minimize the problem by bringing Private Bradley Manning into his argument.  Manning is a good example of poor screening for security clearances, but not exactly a paragon of computing virtuosity.  Unless I've missed something critical, my 86-year-old grandmother has all the skills (but none of the desire) Manning needed.  He isn't so much an example of a "cyber-savvy intel weenie" as the traditionally dangerous disaffected insider.

Both Weinstein and West Point researcher Lt. Col. Gregory Conti miss the point when they address the problem of recruiting and retaining infosec-capable geeks.  Weinstein argues that you have to show potential recruits that CYBERCOM is doing good things for the world as opposed to promoting death and destruction, while Conti argues that the DoD just needs to be ubercool to attract and keep "hackers".  Both arguments show that neither Weinstein nor Conti (nor the DoD) gets the culture of the people they need (or think they need, which is a whole different story).

18-year-old Michael Coppola illustrates the problem to a small degree.  He rejected the idea of enlisting because he associates the military lifestyle with regimentation and lack of creativity.  While Conti argues that the culture of CYBERCOM is still malleable, I don't buy it.  The US Army just ordered Special Forces troops in Afghanistan without ongoing interactions with Afghans to shave their beards despite knowing that facial hair is an important cultural tool in that environment - a fact we've known since the Templars grew beards and cut their hair to gain the respect of their Muslim neighbors.

That was a thousand years ago.

So we're supposed to expect that the DoD will allow a creative and libertarian culture at CYBERCOM, when the Special Forces guys in combat have to shave?  That's a joke, right?  Do these people even know what kind of tools CYBERCOM needs?  Look at the difficulty Weinstein reports in getting terminals that could access Facebook, and then tell me that CYBERCOM will provide its recruits with the unfettered access to the Internet they need to find new exploits in the wild, develop their own, and test them out.  Is that a realistic expectation when it seems like the approach is to make it seem like a cool job for young men?

In my old career as a Systems Administrator, I knew a few guys with the types of skills and a desire to serve in the military (they couldn't due to health issues) and appreciation of the military culture.  Most of the folks that the DoD would want to recruit, though, are interested in hierarchical organizations, want the freedom to dress as they want, wear their hair however they feel, work flexible hours, and expect to not only modify their machines at will, but to have free run of networks and the Internet.  That's a large part of the reason they want to work for companies like Google.  Maybe one percent of the potential "hackers" the DoD tries to recruit are likely to fit the bill.

I'm not even convinced by the numbers they say they need.  Does DoD really need 10-30,000 of them?  Or do they need a few hundred exceptional folks and a whole bunch of homegrown guys like me - who aren't coders, but are smart, interested, and determined to both secure and penetrate networks given the opportunity, time, and the tools.  Think of it this way - how many guys like Michael Jordan, Magic Johnson, and Larry Bird does a basketball team need?  You need both stars and role players to win the championship.  To me, you need some brilliant guys, along with some guys who are good to get the infosec job done.  Just like in team sports. 

The Dream Team is not what DoD needs, just guys who can get the job done.
