China [is] one of many nations taking advantage of the Internet to encourage, or even organize, patriotic Internet users to obtain hacking services. This enables the government to use (often informally) these thousands of hackers to attack targets (foreign or domestic). These government organizations arrange training and mentoring to improve the skills of group members. Turkey has over 45,000 hackers organized this way, Saudi Arabia has over 100,000, Iraq has over 40,000, Russia over 100,000 and China, over 400,000. While many of these Cyber Warriors are rank amateurs, even the least skilled can be given simple tasks. And out of their ranks will emerge more skilled hackers, who can do some real damage. These hacker militias have also led to the use of mercenary hacker groups, who will go looking for specific secrets, for a price. Chinese companies are apparently major users of such services, judging from the pattern of recent hacking activity, and the fact that Chinese firms don’t have to fear prosecution for using such methods.
The U.S. has one of the largest such informal militias, but there has been little government involvement. That is changing. The U.S. Department of Defense, increasingly under hacker attack, is now organizing to fight back, sort of. Taking a page from the corporate playbook, the Pentagon is sending off many of its programmers and Internet engineers to take classes in how to hack into the Pentagon. Not just the Pentagon, but any corporate, or private, network. It’s long been common for Internet security personnel to test their defenses by attacking them. Some “white hat hackers” (as opposed to the evil “black hat hackers”) made a very good living selling their attack skills, to reveal flaws, or confirm defenses. Seven years ago, this was standardized with the establishment of the EC (E Commerce Consultants) Council, which certified who were known and qualified white hat hackers. This made it easier for white hats to get work, and for companies to find qualified, and trustworthy, hackers to help with network security. Now the Department of Defense is paying to get members of its Internet security staff certified as white hats, or at least trained to be able to do what the black hats do, or recognize it. While many in the Department of Defense have been calling for a more attack-minded posture, when it comes to those who are constantly attacking Pentagon networks, the best that can be done right now is to train more insiders to think, and operate, like outsiders.
Sending a GS-11 dues paying member of the AFGE, AFL-CIO, off to hacker school ought to give them mad skilz, fer sure.
The Regulars recruit highly intelligent, physically fit, patriotic young people into the Armed Forces. The recruiting standards are so high few young Americans can meet them. The stereotypical fat, dope-smoking, basement-dwelling script kiddie with Cheeto-stained fingers can’t be turned into a presentable facsimile of a soldier, sailor, airman or Marine in a reasonable amount of time in this all-volunteer Politically Correct era, and in this economy the Regulars’ ability to recruit credentialed IT professionals into the Federal Civil Service is only as good as the budget the Republican Congress appropriates for them. That also impacts the Regulars’ ability to hire Civilian Irregular Information Auxiliaries from Private Military Contractors.
Regular .gov/.mil information assurers/computer network defenders/information operators can’t be given enough autonomy from the bureaucracy to compete with all the cyber criminals and anti-American cyber patriots attacking our networks. The Bad Guys will always be more opportunistic, flexible, adaptable and imaginative than Regular Good Guys will ever be allowed to be.