VnutZ Domain
Copyright © 1996 - 2025 [Matthew Vea] - All Rights Reserved

2024-02-29

AVENGERCON VIII Keynote

Tagged As: army, cyber, and hacking

In 2024, my West Point classmate threw me under the bus to be the keynote speaker for the Army's AVENGERCON VIII. It was an interesting opportunity for me to cross my civilian and military experiences in the cyber domain particularly to be a voice for the Soldiers to speak at the senior leadership. Unfortunately, their leadership was remarkably absent from the event but the message got out anyway.

AVENGERCON began small in 2016 and slowly grew in size over the years from a conference room, to the McGill Training Center auditorium, to the Georgia Cyber Innovation & Training Center in Augusta. The greatest part of the event is that it is NOT focused on showcasing for leadership or having seniors grandstand about their paper accomplishments. AVENGERCON is meant to be run by Soldiers, for peer Soldiers, to share tradecraft amongst each other. I first attended AVENGERCON III myself and am glad to now be part of its history.

Photo by: Steven Stover
https://www.dvidshub.net/image/8265428/avengercon-viii-keynote-speaker

I'll include most of, but not the full transcript of my keynote here - some bits shall remain only the memories of those who were present. The TLDR version, as a combination of the opening by COL Stephen Hamilton and my comments, is our current cyber force is being led by individuals without actual cyber experience. Everywhere else in our Army, we demand leaders to lead from the front, understand their Soldiers' work roles, and have operational experience in their craft. Yet somehow, in the decade the Army's cyber branch has existed, we have managed to do exactly NOT that. A summary article on army.mil captured the essence well:

“Basically, in about ten more years, there won’t be any excuse for any of these leadership, senior positions to be filled by someone else, never been an operator, never been an analyst, or never been a developer. Do the math, a second lieutenant operator in 2015, that first round, by 2033, (Soldier) should be an O-6. Same with the NCO side. (Soldier) should be a sergeant major, a command sergeant major.”

Keynote Introduction

Let's talk about our 17-series cyber branch. It still feels new, but our branch is about a decade old at this point. In that time, we've made some great strides doing the classic military thing - man, train, and equip. But there's something irking in the shadows that we really need to address. To this day, there still exists a stark divide that has created an animosity between the senior folks and the junior folks - henceforth let's call it staffers and doers.

I know that's a strange way to start a keynote - on what feels like a negative. The resources to fix that gap and truly prosecute our mission are essentially here today at AVENGERCON. But it can't happen if we keep our heads in the sand and pretend the gap between leadership and practitioners is not an issue. I'm going to lay the cards on the table so we can all finally be honest with ourselves and take responsibility for fixing it.

Let's look at a simple, yet fundamentally accepted, example of the Army fielding a new capability. When the Army started the Airborne, we didn't just jump the Soldiers. The leaders jumped. The staff jumped. Everyone jumped. The mission didn't work if the planners didn't have firsthand experience themselves. It was critical to mission success that everyone had a common set of competencies and training from the lowest E1 through the unit Commanders and their staff.

In cyber, we didn't do that - what happened?

Cyber Branch History

How did our branch come to be? There were a lot of people involved across the enterprise in the branch's origin with varying levels of impact and everyone knows a different piece of the puzzle. Here are the parts I know about.

  • There were lots of whitepapers advocating for the cyber branch long before it happened - two of note were published in 2009 and 2010 by COLs Conti (first head of the Army Cyber Institute) and Easterly (who your history should identify as a founder of the unit).
  • In 2012, GEN Odierno hinted to West Point (a post-decisional / pre-announcement) the standup of the ACC (now the ACI, which officially happened in 2014).
  • By 2013, the Office of the Chief of Military Intelligence asked the ACI to identify a pool of cyber-skilled cadets to pilot placing into cyber operations on graduation.
  • Seeing the writing on the wall, the ACI published "Professionalizing the Army's Cyber Officer Force" which proposed some interesting COAs for the foundation of the branch. (full pdf here)
    • skill based accessions following an SF-style model
    • a career track like doctors to remain hands-on-keyboard for 20 years without interruption for PME, KD roles or Command
    • Doctors do it. Lawyers do it. The Band does it.

I'd like to comment on this report some … when I knew my former roommate, [then] MAJ Todd Arnold was going to be a contributing author, I told him "don't you dare make suggestions on cyber unless you've seen it" and sponsored him down for a summer to develop code and watch agency operations. That first paper incorporated those experiences and interviews with Soldiers from the early days of 780th.

It wasn't exactly what the Army wanted to hear so they published a second paper in 2014 meant to be less controversial in hopes of greater acceptance. For the NCOs present in the room, please understand the recommendations towards officers weren't a slight against you. This was long before cyber assignment incentive pay and the idea at the time was the only way the Army could remotely come close to competing with industry was an officer salary with BAH.

  • March of 2014, HRC created a cyber branch for talent management.
  • By November of 2014, the 17 series branch became real.
  • Three years later in 2017, Reservists were allowed to become 17 series.

The first round of VTIP selection took place a month later in December 2014 where 300 officers were assessed by a panel from primarily nominative means, requiring a 4187 and a GO's recommendation. That first year was extremely selective, attempting to follow the paradigm that members of our branch would be extremely technical in nature with experience performing the mission. 300 may seem like a lot, but a lot of vacancies remained - in fact, not a single O6 billet was filled. In DoD - when billets are allocated by force management - they have to be filled or they're taken back under the premise that "I guess you didn't need these after all." So the following VTIP rounds were far more relaxed in their acceptance standard. Some may remember a test that wasn't bad for what it was except that one could easily Google the answers at home. Perhaps it was more telling who could not get 17? Soldiers in the Reserves weren't offered the branch until 2017 and the first round went only to the defensive ARCOG (now ARCPB). Other cyber-savvy Soldiers from units like the CYBERCOM Army Reserve Element or the SIGINT-ers lurking around the MIRC were not eligible to apply for an additional year.

USAR is overly fascinated with the ARCPB

Now it's really interesting to think about those numbers. Did we suddenly have 300 IONs, CCDs, and EAs that first year? No … we had a lot of staff. We hadn't even converted the existing 35Qs. I'm speculating, but I doubt GEN Odierno and GEN Alexander originally sat around thinking - "You know what would make a really effective cyber force against our adversaries - a huge staff." Half a decade after the 17s' inception, in SEP 2019, GEN Nakasone pushed a memo directing a focus on what he called the "Unit of Action" - EAs and IONs - because the CMF couldn't do anything without them, especially with their shortage and propensity to fail out of the program.

Real Cyber Work Roles

So who were we selecting back then? Bear in mind that before the 17 branch, before 780th existed, and before CYBERCOM instantiated, the only folks in the Army doing this mission were members of 744th Army Network Warfare Battalion (ANWB). In terms of practitioners, there were basically two large handfuls of Soldiers as IONs, a smattering of EAs, and an even smaller amount of developers. Amongst that set were essentially zero officers, no master sergeants or sergeants major … which means, basically no active component leaders had any practical hands-on-keyboard experience doing this mission beyond administrative roles or, and let's call it what it was, "standing next to someone that was doing it."

Root of the Problem

This is where the animosity began. When CYBERCOM stood up, just like I mentioned before, the billets needed to be filled. There wasn't a cyber corps to pull from so the Army populated their quota with a lot of field artillery and other combat arms personnel. Some might argue the pyramid rank structure in those branches was also a forcing function in terms of transfers. That's not to say there wasn't any technical talent. Outside of 744th, there were diamonds amongst Functional Area 24 MOS (now 26A) and the 351 and 251 series warrants. But how did Field Artillery get such representation? Literally the spoken justification was, "Field Artillery understands targeting and that's what a lot of this job is." There's definitely truth to that in the J3 staff. But a PowerPoint slide deck of targets doesn't get you access into Donovian SCADA or brick Krasnovian telecommunications. We all know what happened as a result of this approach. For the next five years, every meeting literally began with "I'm just a dumb infantry guy" or "I'm just a dumb sub driver" or "I'm just a dumb pilot" and they all made the "I just learned cyber wasn't spelled with an S" joke. They all failed to realize the absolute insult statements like that had on the functional hackers.

Let's reverse it for a moment to really realize what happened here. In an older life, I was an S6 for 3-7 Infantry in Iraq. If I were suddenly put in Command of an Infantry BN (as a 25A non-Ranger/non-EIB) and opened with "Woah fellas - I'm just a nerd and learned the infantry wasn't full of crying infants so I'll let you do all the dangerous stuff," I would've been crucified by the BDE CDR but more importantly would have absolutely zero respect from the unit Soldiers. A not insignificant population of those original staffers were perceived by the doers as treating their cyber profession as a laughable joke beneath their former tough guy days - just something to do until retirement.

What Is Not A 17

And what kinds of things happened because of leadership without experience? (To be clear, the bulk of these examples are 5-10 years old and do not reflect your present leadership.) I hope enough time has passed that we can laugh at these now:

  • An officer argued with the planners about the difficulty of locating the target in cyberspace. Dude literally grabbed a map and pointed at a building, "What do you mean you can't find him? He's right there!"
  • Officers held a panel to help define the old 35Q MOS using one of my E7 ANWB developers (with many years of experience) to learn about what skillsets and training were required of him to perform the job. At the conclusion of the interviews, the E7 was not granted 35Q because he "was not qualified" to do what he's been doing and transferred from the job to do a regular MI job in Korea.
  • An officer argued about techniques for creating the popular "cone of silence" around a target city. He asked if we could "move the undersea cable from one city to another so the Internet would flow out where we wanted it to and be denied to the target" and then accused everyone of not supporting the military when told that's not how undersea cables work.
  • Shortly after a James Bond movie, an officer submitted a requirement for a capability exactly like what was depicted in the film.
  • An officer held a town hall and told all of the developers they were easily replaceable.

I can't begin to describe how many leaders underestimate the level of effort to gain initial access to a target. That problem was definitely a side-effect of how CMT 100 and CMT 101 were pivoted to 780th by carrying a legacy project based on years of development which made a lot of staffers just believe that was a matter of course. Not appreciating the difficulty of access led to the all too often situation where teams were pivoted off projects, letting good accesses languish, only to then try getting them back. This behavior and mindset is clearly evident at national table-top exercises where the general officers just state, "let's hack this" and the white cell grants it like less than 90 days was enough to break into anything.

  • In response to a crisis event, after conducting a briefing on response actions, an officer opened the floor to questions specifically to continue fleshing out the COA. One audience member, aware of the situation and capabilities raised a hand to provide information and was told to sit down as he didn't have enough rank to know anything. Four days later that individual briefed again as his civilian self and the other officer's superior told him to redo everything per the civilian's COA - which became the de facto TTP for the next two years.
  • An officer insisted their zero-to-hero developers were capable of immediate integration into a professional development shop. These folks were showing up with a mere 9 weeks of task/condition/standard training on Java and Python having never programmed before and were expected to perform on a level with world class exploit developers.
  • An officer requested a SCADA SME from CYBERCOM and turned down the provided Reservist "because he wanted an expert." Had the officer spoken to the Reservist, he would have quickly learned the individual was a professional SCADA pentester in his day job. It even turned out that Reservist was a SANS instructor and previously trained many of that team's Soldiers in the past explicitly on SCADA.
  • An entire staff was fired for its expenditure of money when its inability to actually levy development was unveiled. Multiple millions were spent on requirements with nothing more specific than words like "64 bit tools" or even worse, just a coverterm only. Or even worse still nothing but a stated compartment that nobody present even knew what was.
  • An officer continued to repeatedly provide exercise data, literally with the words "EXERCISE EXERCISE EXERCISE" printed largely in red across the top of the documents, as a response to an RFI (Request For Information) to the CYBERCOM J3F OPT (Operational Planning Team) attempting to build a targeting deck for a time sensitive crisis action.
  • An officer that became known as "Rusty Wire Guy" proposed the creation of a tool that would corrode the Internet cables leading to the target. Not only that, but the corrosion could be controlled such that it could influence the bit traffic in order to turn web browsing activity into malware. I admit - it was one of the more creative terrible Good Idea Fairies I'd ever heard and I give him props for trying.
  • A whole slew of officers with zero cyber capability experience let alone any development experience staffed the development requirements for a foundational tool set. A CDROM was placed in my hands stating - here's delivered tool X. I asked, "How was this made?" only to learn the developers made a thing with no provided standards against which to integrate for user interface, deployment, data ingestion, usage cognizance, etc. They were buying one-off, proof of concepts that looked flashy that were entirely unusable.
  • An officer continued to insist on the deployment of a tool against the OPSEC concerns of multiple senior operators. He continued to shop around until he found a junior operator he could force to employ it. The entire tool framework was burned shortly after due to forensics on that deployment and never reconstituted.
  • An officer received COA recommendations on the employment of a working tool (that was supposed to be used for this mission) to meet an operational requirement. Instead, he opted to go against all recommendations to use an Army version of the tool (which neither was compatible nor had any developed features yet). After a year, the entire mission requirement transpired without any support for that requirement. Perhaps worse is that no other leadership even noticed the gap?

It's like none of these guys ever learned the most fundamental lesson of being a Platoon Leader. Trust the experience of your Platoon Sergeant and First Sergeant. Sure rank matters for the ultimate authority to make a final decision and carry the responsibility of those actions - but it does not absolve us to ignore the experience of those doing the mission. Yet those early cyber leaders time and time again ignored the voices of the small subset of personnel that ever had practical, hands-on-keyboard experience with the job.

Who Do You Trust For Cyber Branch Decisions

Roadmap to Repair

So this sounds pretty awful and like I mentioned earlier, really feels like a huge downer for a keynote. The message here isn't that we're a terrible branch. Like I said earlier, we can't grow unless we're honest with ourselves about the mistakes we've made. Staffers - you need to know the doers still perceive you like this. Doers - you need to … professionally … be more involved than just hiding in dark ops rooms away from it all. How do we fix this going forward?

The first fix is for the staffers. When most of these anecdotes happened, most of us were still majors or junior NCOs. But to fix the reputation of senior cyber leadership, we do have to recognize and acknowledge our predecessors left an incredibly sour experience to the operational element of our branch and we inherit that stigma. Whether it was us or not - it is us now. The O5/O6 year groups right now are a gap filler between the original generation and the next generation. The time spent as CMT/NMT leads or Mission Commanders and OPT leads is certainly significantly more experience than cyber has ever previously had in its leaders. But it's not enough. Just remember, a Ranger Regiment would never accept leadership whose experience lacked a Ranger tab, failed to get an EIB or even worse made a claim like "I was the S6 for the Infantry once - that makes me about equal to an 11A." My challenge to staffers is presence. Get away from your desks and staff meetings to spend time with the doers. Then take the context you've learned with them and use your rank to effectively push back against the good-idea-fairies.

The second fix is for the doers. At a GLOBALHUNTER tabletop exercise many years ago, a lieutenant aptly summarized your fix with a very blunt truth, "we need all the old guys to retire so we can replace them." She wasn't wrong. But you'll never have the leaders you want if you don't stay in long enough to become them. In about 10 more years, there will not be an excuse for our senior leaders and staff to have never been devs, EAs, or IONs. A 2LT ION from 2015 should be an O5 or O6 by 2033. Likewise for First Sergeants and Sergeants Major. By the 2030s, nobody should be populating the school house, command positions, G2/J2 support, G3/J3 staff positions, etc. who have never been a keyboard monkey at least once. My challenge to doers is not to quit the Army. Some of you … will have to give up the keyboard to take those roles. The rest of you who stay on-keyboard … have to work on those communication skills. A lot of staffers in CUBs and status meetings really do just parrot what you say - which means the support your issue gets is only as good as they can repeat it.

The third fix is recognizing, and fixing, how the Reserves support cyber. There are already a lot of former IONs, EAs, and devs in the Reserves but I would wager from experience watching the USCC Army Reserve Element, the ARCPB, and other integrated folks that less than 5 are being used to match their qualification. Other than the IMA spots here at 780th, despite what USAR thinks (back to the none of them have ever done the job so they don't know what they don't know), there are not official positions or mission for them. That only changes with a demand signal from the active component. For the past 14 years, I've been asked, "if I join USAR when I ETS can I do X, Y, or Z" and I honestly reply no. So to the doers - I know you'll ETS - and you'll move on to defend the nation from the corporate side which is good. But DoD will continue to lose all of you entirely if the Reserves don't offer a reason to stay. That's on me - I was going to retire this fall but decided to stay in and try again working the force management, requirements, etc. to leave behind the unit I wished I could have served in.

USAR failing its 17-series Soldiers

The last fix is literally what you're doing now - forums like AVENGERCON - everyone should support keeping events like these going. The peers you're learning from today will be the professional cyber network you need in 20 years. Folks in this room or from this unit will become Commanders, Sergeants Major, ARCYBER G3s, CYBERCOM J3s, IC liaisons, force management, TRADOC/school-house advisors, heck - there is probably a future GO here that will be levying requirements. And the technical trust and respect factor you build amongst each other here leads to a future where you "know a guy for that" when cyber problems come up - and that'll be the folks you see presenting, winning CTFs, or coming up with novel solutions to your project targets.

Wrap Up

My vision is a branch with vertical trust and respect. I've had feet in both buckets working as a contract/civilian doer and being part of the military staffers. From that perspective, I've heard the complaints of both sides and I've also witnessed the obliviousness from both sides. Today I've exposed the festering respect problem that underlies our branch and I hope all parties share in the belief it's fixable. But it's effort from everyone at all levels, not just pointing fingers and saying "it's them" who have to adapt.


