Wednesday, January 22, 2014

Can Elite Combat Teams Teach Cyber Security Teams Anything Useful?

For the last three Suits and Spooks events I've invited retired and former Navy SEALs to speak about which of their skills and training might transfer over to cyber security engineers. After all, they're both in the business of engaging adversaries albeit under very different conditions and rules of engagement, and I know that lots of security engineers are military veterans or have held civilian jobs with the DOD. So the panel's concept made a lot of sense to me. So far, though, it has met with mixed reactions among attendees for a few reasons:

  • Some attendees have trouble relating to what they're hearing for a variety of different reasons
  • Some are looking to apply only the tactical takedown of a target and finding a way to do something similar to a foreign hacker
  • Some wonder why I only have the Navy Special Warfare guys represented (see my answer to that below)

Yesterday's panel, with the addition of an active-duty operational SOFer, helped me understand the problem better. Here are a few of my observations about why this process of extrapolating useful ideas from one discipline to another may be problematic:

  1. SOFers have a known target to attack. It's rarely that black and white for cyber security folks.
  2. SOFers have very well-defined Rules of Engagement (ROE). We have an outdated CFAA and no clear-cut policies or understanding on where to draw the line between passive defense and active defense.
  3. SOFers are elite, highly trained individuals who have overcome obstacles that would stop 99% of the rest of us because quitting is not in their DNA. In Cyber, while we have very different obstacles, albeit quite difficult ones, I see more and more engineers rationalizing why they can't do something instead of working the problem in different ways until they're successful.
  4. SOFers know better than to offer excuses or rationalizations about why they can't accomplish their objective. InfoSec folks, ...? Enough said.
  5. SOFers understand the importance of a team, and each man's primary concern is to keep his teammate alive. Cyber security engineers may work together but I doubt that very many believe that their primary mission is to support their colleagues by keeping them motivated, enthusiastic, and always in the fight. Correct me if I'm wrong on that.

Personally, I feel quite lucky to have been able to meet former Team guys who are now doing amazing things related to cyber security like Mike Janke and Vic Hyder who co-founded Silent Circle; David Howe at Civitas Group; and "Woody" who will soon retire after 20 years of service and is so eager and passionate about finding a way to embark on a new career in cyber security.

I feel lucky because they and other Team guys who are personal friends like Rob DuBois and Thomas Dzieran have taught me the importance of (1) developing an iron-hard mental attitude to never quit in the face of difficulty; (2) not to accept or make excuses about why I can't achieve something; (3) the critical importance of building a team of like-minded people; and (4) the equally critical importance of not associating with those who dispute the validity of 1, 2, and 3. 

And please note my use of "SOFer". While my examples all come from the Navy, that's only because those are the guys I happen to know. I haven't met anyone from Delta, SAS, or any other Special Operations Forces units. However, if you come from those units or know people who do, please ask them if they'd be interested in participating at a future Suits and Spooks event. I'd love to include them.
