Operations // Careers & People
8/21/2014
12:00 PM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Hacker Or Military? Best Of Both In Cyber Security

How radically different approaches play out across the security industry.

Three things happened to me before BlackHat 2014 to bring the entire NSA / Edward Snowden drama back to the forefront. The media reminded us of the one-year anniversary of the original Snowden leaks. At the same time, I saw newly retired General Keith Alexander deliver a keynote at the Gartner Security and Privacy Summit where he provided an in-depth post-NSA speech, benefiting from several months of civilian life under his belt.

In June, I also hiked to the summit of Mount Snowdon in North Wales after speaking at AppSec EU in Cambridge, UK. The spelling is different, but I could not help but loop “Snowden/Snowdon” in my mind a thousand times on the way up and down the mountain. I could only shake my head…

Much has been written about the Snowden affair, including some of my own thoughts about the impact on the security community. I also had some tongue-in-cheek fun at Black Hat 2013, when General Alexander delivered his memorable speech. Black Hat 2013 showed me how differently members of the security community reacted to General Alexander: A third of the way through the General’s speech, the ex-hacker sitting next to me, dressed in jeans and a black t-shirt with a clever security quote, stood up and shouted “Bulls$*#!” He effectively scared the aforementioned expletive out of me and sent all eyes our way.

General Keith Alexander at Black Hat 2013
General Keith Alexander at Black Hat 2013

I’m an ex-Air Force intel officer who was fortunate enough to serve in the original Air Force Computer Emergency Center in the mid-90s. I have known that there is a difference between ex-military and ex-hackers. Yet for my entire security career, I’ve worked very closely with friends who have come up via the other side of the house. I learned there was a difference when I attended my first DEF CON in the late 90s with an ex-hacker consultant friend. He knew everybody there; I knew no one. In 2000, the DEF CON crowd loved it when I was “spotted” and dragged on stage to be interrogated by Priest.

How are ex-military and ex-hackers different? For starters, security guys with a military background are more likely to have a “traditional career.” This typically includes a degree from a four-year university, a series of jobs with certifications, and formal recognition that one would expect from a military person.

Hackers might have an opaque history, particularly for some, before they turned 18 (I learned a long time ago not to probe). They have handles, the military guys don’t. They learned in informal and unstructured ways, but are likely to be more technical than their ex-military counterparts. They largely disdain security certifications, and rarely do you see them making special efforts to test for the CISSP exam. If they do become a CISSP, they likely won’t put it on their business cards, if they have them (ex-military guys always do).

Vive la différence!
Never bound by constraints, a hacker’s approach to security testing is more likely to be spontaneous and free flowing. The classic penetration test is a prime example reflecting this hacker ethos. There are many ways to get to root access, and penetration testing is unconcerned with how you get there, as long as you get there.

Military guys, on the other hand, are likely more comfortable with traditional risk assessments that attempt to methodically capture all obvious risks. This follows more of a checklist-mentality with objectives, formalized testing methodology, and up-front training of consultants for consistent results. These two approaches play out across the industry; the sophisticated security person knows they both have their place and knows the difference between the two.

Military security guys have held the highest clearances and believe the world is a dangerous place full of bad people who do not like us. Hence, the benefit of the doubt for NSA is given, for example. They might view the world through a good-guy/bad-guy lens, and feel less comfortable with talking to gray- or black-hatters who actually might have great threat information about zero days or the security of their own organizations.

Ex-hackers, however, have no problem engaging members of the underground community. They were once part of that community, in certain instances. So hackers are likely to have access to information that ex-military security folks don’t have.

There are countless examples of the differences between security guys from the hacker and military worlds. And, yes, generalization are still generalizations. At conferences like Black Hat, DEF CON, and B-Sides we see these characteristics in stark contrast. However, a savvy security practitioner understands that while there may be differences, we can put them to work on behalf of our organizations and, most importantly, the greater good.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/26/2014 | 8:02:26 AM
Re: generalizations (& broken stereotypes)
My guess is that your experience @atdre is not so out of the ordinary -- which is what (from an outsider's point of view) makes the people in this industry so fascinating.
atdre
50%
50%
atdre,
User Rank: Apprentice
8/25/2014 | 6:10:51 PM
generalizations
Broken every single one of your stereotypes except the college one, although I have ex-hacker colleagues that even defy that one. Wouldn't label myself as a non-military type (even though I've never been in any military) and wouldn't label myself as an ex-hacker type (even though many of my colleagues who are ex hackers would classify me as such).

It's important to live in both of these worlds for all of the spectrums of these personality types. We do have a common operational picture and a common enemy after all. I'd like to hear about more people like myself who break stereotypes almost categorically.

So the question remains... who will make the better leader? My bet is not on the current Whitehouse cyber czar or Jeff Moss. The best leader in cyber will be an Eisenhower, and his or her trusted advisors will be younger Scot Terbans and Ali-Reza Anghaies.
aws0513
50%
50%
aws0513,
User Rank: Moderator
8/21/2014 | 2:48:35 PM
Re: Both sides of the fence
In my experiences, friction can happen regardless of background.

I have seen ex-military who simply did not get along with each other.

I have also see professional civilians that just didn't understand that there was no I in team and didn't get along with anyone...  at all!

If there were any common source of friction betwen ex-military and non-ex-military, it would be where planning efforts runs into innovation and creativity. 

Military doctrine almost always requires that planning take place at all time for all missions as much as possible.  Planning is central to classic strategic and tactical efforts with the goal of completion of a mission while mitigating loss and optimizing results with limited resources.

Creativity on the other hand requires the "blank sheet of endless paper" mentality where the only plan, if there is one, is to accomplish some kind of a goal.  Even the goal can be nebulus in that the creativity could be along the lines of "let us see what happens when we do this."  For military thinking, this is not a common practice unless it is encapsulated in a safe and predictable shell.  When working with tools and resources that can kill people, this is not a bad thing!

When both mindsets do come together with a common goal and genuine respect and understanding of the strengths and weaknesses of both sides of the fence, the results can be quite brilliant.  Example: DARPA.

 
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
8/21/2014 | 2:20:46 PM
Re: Both sides of the fence
Seems to me that there is complementar skill set between hacker spontaneity and military discipline. But that it could cause some friction at times. True? 

 

 

 
aws0513
100%
0%
aws0513,
User Rank: Moderator
8/21/2014 | 1:22:03 PM
Culture differences are good.
A few years ago, I was engaged in a Red Team project that involved several professional pen testers.  If I recall, there were 9 people on the team.  It was a dream job for me because I had been given a chance to be on this team.  The team lead was more of a project manager with a background in pen testing.  A very organized and talented individual I would work for anyday.  Heck, the entire team was awesome.

One day, the team lead scheduled a meeting for us to get together to discuss some details of the project we were currently focused on.  The time of the meeting was at 1300 hrs (1PM for you non-ex-military types).

Four others and myself showed up 5 to 15 minutes early.

The team lead showed up about 2 minutes before the meeting start.  Pleasantly pleased to see some of the team there before he was.

The rest of the team showed up later...  anywhere from 10 to 30 minutes later.  The team lead said little other than "glad you could make it" and "we were just talking about...".  No facial expressions or body language of any negative sense was given.

The meeting progressed for awhile, some planning issues resolved, and everything moving along in the discussions.  We began to run close on time for the room we were in.

As the meeting was wrapping up, the team lead diverged from the discussion for a few moments.

He asked for hands in the air for those in the room who were ex-military.  All of us early birds raised our hands.  The other guys smirked a little. 
The team lead then said that if anyone is late, it was highly recommended they bring coffees or donuts for everyone. 
The smirks disappeared. 
It was obvious he was not pleased with the late shows.  He was smiling, but his countenance was not.

Nobody was late to any of his meetings again.  As I recall, the team lead also always brought donuts to the meetings regardless of his timing.  Always mixed variety, always first come, first serve on selection.

The team lead was not prior military, but he was the boss.
Big career hint regardless of background: Always never have your boss waiting on you.
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
8/21/2014 | 12:57:52 PM
Both sides of the fence
Great article.  I think many people forget that when it comes to IT security, there are definitely different approaches when it comes to how folks become involved in the community.  And with that, you clearly illustrate why we need both types of security folks, traditional, formally-learned and those who are more self-taught.  Unfortunately, in a lot of areas, these two types have strong stereotypes and those from the hacker community still have a bit of a "bad guy" type of image associated with them, despite their high desireability in the security industry.  Will these stereotypes change? Probably not, but hopefully articles like this will help illustrate why both sides are legitimate sources for security expertise.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.