Cyber Defense Review

Recent Articles

1 2 3 4 5 6 7 8

Cyber Aptitude Assessment: Finding the Next Generation of Enlisted Cyber Soldiers

November 16, 2015 — The Department of Defense (DoD), and the US Army, are rapidly expanding the positions and personnel to operate in the cyberspace domain, one of the five independent warfighting domains [1]. Recognizing the importance of integrating cyber operations throughout the Army led to the recent creation of a new cyber branch, the first new branch in decades. Filling these new positions with the best qualified personnel is not an easy task. The DoD Cyberspace Workforce Strategy of 2013 lays outs requirements to assess aptitude and qualifications, noting “not all successful cyberspace personnel will have a Science, Technology, Engineering and Math (STEM) background. Rather, a broad range of experiences can lead to a qualified cyberspace employee.” The Strategy directs developing aptitude assessment methods to identify individuals’ thinking and problem-solving abilities as tools for recruitment. Further, it directs DoD to evaluate the “availability or development” of assessment tools to identify military candidates for cyberspace positions [2]. This paper begins with a discussion of the issues surrounding aptitude assessment and continues by identifying several existing test instruments. It then identifies testing results and finishes with several recommendations for talent identification. MORE

Cyberspace and the Law of War

November 6, 2015 — The stated purpose of the Department of Defense (DoD) Law of War Manual is “to provide information on the law of war to DoD personnel responsible for implementing the law of war and executing military operations.”[1] Judge advocates are responsible for advising commanders regarding laws applicable to operations, but ultimately commanders are accountable for the consequences of their operations. At over 1,100 pages, the Manual is too detailed to be useful reading for commanders, who must be concerned with every aspect of the mission; the intended audience for the Manual is judge advocates. If DoD intended for the Manual to help judge advocates advise commanders regarding operations in cyberspace, however, it might have used more of the pages providing detailed discussions of realistic cyber issues. MORE

Senior Leader Vulnerabilities

October 30, 2015 — “Teenage kid hacks into the CIA directors email.” It sounds like a faux headline from a 1980s Matthew Broderick film. In the age of sophisticated Intrusion Detection Systems, and a billion-dollar cybersecurity industrial complex that is present to prevent such absurdities, one would hope that such taglines are only something that a Hollywood writer could drum up. MORE

Personal Lessons about Effective Cyber Policies and Strategies

October 30, 2015 — I recently retired from active duty after a 35 year career in the U.S. military, the past decade of which has been devoted to the sometimes mysterious cyber world. I would like to offer some insight into the personal lessons that I’ve learned during my experience helping stand up U.S. Cyber Command and while working cyber policies and strategies at the Pentagon. Although I’ve learned many lessons, the three that I’ve chosen to share in this article are, in my view, especially important for leaders in both the public and private sectors … because we are all becoming increasingly connected through modern information technology. This means we all share in the exploding opportunities as well as the escalating risks. Below are my top three lessons and I will attempt to add more context in subsequent paragraphs to help both government and industry leaders understand why all sectors of society should care about these key points: MORE

Our Data is Not Secure

October 28, 2015 — Our data is not secure. That is the attitude you should take when interacting with providers online or when providing data at a point of sale. We must take the position that important personal data will be compromised at some point and we should therefore be prepared to enact a plan to reduce our vulnerabilities from its loss. According to the 2015 Verizon data breach report, there were over 2100 confirmed data breaches (pg5). These malicious attacks are conducted against the full range of providers that we all interact with, to include health insurers, financial institutions, educational institutions, and specialty services. MORE

Book Review: Ghost Fleet – Scary, Accessible, Entertaining and Plausible – The Future Implications of Cyber Attacks

October 23, 2015 — Singer, P. W., and Cole, August. Ghost Fleet: A Novel of the Next World War. New York: Houghton Mifflin Harcourt Publishing Company, 2015, 416pp. When it comes to cyber Pearl Harbor metaphors, this book takes the cake. Providing a disturbingly realistic take on a connected future warfare scenario Singer and Cole immerse the reader into a world that lies just beyond the horizon. Their tale of interwoven fact and fiction is a quick and entertaining must read for all who would belittle the potential disruptive attributes of cyberspace and a networked way of war that has become increasingly pervasive from modern strategy and tactics down to acquisitions and manpower assessments. MORE

Army Vulnerability Response Program: A Critical Need in the Defense of our Nation

October 23, 2015 — Many major corporations have standing “bug bounty” programs that monetarily reward participants for identifying vulnerabilities in their products and responsibly disclosing the findings to the company. These programs help ensure vulnerabilities end up in the correct hands and lead to products that are more secure. In contrast, the Army does not have a central location for responsibly disclosing vulnerabilities found through daily use, much less a program that can permit active security assessments of networks or software solutions. Without a legal means to disclose vulnerabilities in Army software or networks, vulnerabilities are going unreported and unresolved. The critical necessity of an Army vulnerability response program will be highlighted throughout this paper as well as a proposed implementation to better defend our networks and sensitive information. MORE

Big Data and Cybersecurity

September 15, 2015 — Cyberspace and cybersecurity contain numerous problems in search of novel approaches able to facilitate dynamic, results driven solution sets. Big Data if examined from a complex, multi-disciplinary perspective offers a range of potential advantages to cyber offense and defense for public and private sector entities ranging from small businesses to the national security community. This post, in brief, highlights the foundations of a research push in its infancy to assess the application of big data for national cybersecurity. While the focus is national cybersecurity writ-large, the lessons to be learned are likely to be impactful to organizations and individuals as the economics and applications of big data for cybersecurity become increasingly affordable. MORE

Notes on Military Doctrine for Cyberspace Operations in the United States, 1992-2014

August 27, 2015 — As our present theory is to destroy ‘personnel,’ so should our new theory be to destroy ‘command,’ not after the enemy’s personnel has been disorganised, but before it has been attacked, so that it may be found in a state of complete disorganisation when attacked. -JFC Fuller, “Plan 1919” [1] Doctrine ranks among those words that may be more used than understood. In essence, doctrine constitutes the customary way of applying established rules in varying cases. “Custom” might imply a certain lack of flexibility in dealing with the uncommon or the unforeseen, of course, but it also carries positive aspects. It prepares one with a set of basic analytical tools, and leaves room for improvisation when necessary. Improvisation is the watchword; it is what a military establishment does when confronted with a new rival or technology that disrupts not only settled doctrine but the very assumptions underlying concepts of force and power. MORE

New Tools, New Vulnerabilities: The Emerging Cyber-Terrorism Dyad

August 27, 2015 — It is this paper’s contention that as terrorist organizations have grown in geographical reach and influence, so too have they grown in the sophistication of their operations, especially in terms of technology. The exploitation of cyberspace has arguably become the latest force multiplier utilized by terrorist groups in pursuit of various objectives, including (i) carrying out elaborate ideological propaganda campaigns; (ii) radicalization and recruitment of new followers; and (iii) educating recruits on topics ranging from data mining to the use of explosives. Perhaps most significantly, terrorist organizations have increasingly made use of cyberspace in launching attacks on their enemies. Many analysts are quick to point out that to date, such cyberattacks have been unsophisticated and relatively ineffective. While they have been useful in disrupting online domains, they have done little in terms of inflicting actual casualties. A counter argument can be made, however, that focusing primarily on the casualties directly inflicted by cyberattacks conducted by foreign terrorist organizations greatly oversimplifies the issue. Specifically, it ignores the effects wrought by the individuals recruited and trained via cyberspace. The technical knowledge passed on to them with respect to planning and executing attacks has undoubtedly allowed terrorist groups to conduct far more wide-ranging, elaborate and brutally efficient strikes. Cyberspace is therefore not simply a medium through which to communicate and express ideas, but a tool whose effectiveness is limited only by the breadth of creativity of its users, particularly in military applications. MORE

1 2 3 4 5 6 7 8

Comment Disclaimer

If you wish to comment on any of the posted articles, please use the comment box provided below the individual article. The Army Cyber Institute (ACI) reserves the right to modify this policy at any time.

This is a moderated forum. This means that all articles are subject to review. In addition, we expect that the participants will treat each other, as well as our agency and our employees, with respect. We will not post and will remove any comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to others or similar content. We will not post and will remove comments that are spam, clearly "off topic", promote services or products, infringe on copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will not be posted and will be removed. The ACI and the ACI alone will make a determination as to which comments will be posted and/or removed. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of the individuals using the Cyber Defense Review site. These references are not intended to reflect the opinion of the ACI, the Army, the Department of Defense (DoD), its officers, or employees concerning the significance, priority, or the importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying ACI, Army, or DoD endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behavior or sexual assault will be reported to the appropriate authorities. This forum is not:
- To be used to report criminal activity. If you have information for law enforcement, please contact your local police agency.
- Do not submit unsolicited proposals or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
- This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

The ACI does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. The ACI may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. The ACI does not endorse, support, or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on the Cyber Defense Review website. 

Members of the media are asked to send questions to the public affairs office through normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted and may be removed at the discretion of the ACI. We recognize that the web is a 24x7 medium and your comments are welcome at any time. However, given the need to manage federal resources, moderating, posting, and removal of comments will occur during normal business hours Monday through Friday. Comments submitted after hours or on weekends will be reviewed and posted or removed as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic". This means that comments will be reviewed and posted only as it related to the topic that is being discussed within the blog post and "off-topic" posts may be removed. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the ACI, the Department of the Army, the Department of Defense, or the Federal Government.