EDITOR: MANAGER:
CONTACT:
contact.magazine@milcyber.org
****************************************************************************
ABOUT CYBER
****************************************************************************
****************************************************************************
FOR AUTHORS
****************************************************************************
****************************************************************************
THANKS
****************************************************************************
CYBER IS PRODUCED BY ITS VOLUNTEER STAFF WITH THE GENEROUS SUPPORT OF THE
ARMY TEAM AT ADOBE (TMCLAIN@ADOBE.COM), THE UPS STORE ON FT. BELVOIR
(STORE6274@THEUPSSTORE.COM), AND OTHERS. COVER IMAGE BY ARTIST, DAN NIX
(SENPHION@GMAIL.COM). THANK YOU TO THE MANY AUTHORS THAT HAVE SHARED THEIR
WORK WITH US, THE MCPA ADVISORS, AND THE THOUSAND STRONG MCPA TEAM! IF
INTERESTED IN JOINING THE CYBER STAFF, MAKING A SUBMISSION, OR PROVIDING OTHER
SUPPORT, PLEASE CONTACT US AT THE ADDRESS LISTED ABOVE.
****************************************************************************
Table of Contents
Note from the Founder
Protecting the (Cyber) Homeland: The New Age of Cyber Terrorism and Why Force Protection Needs to Embrace Cyberspace
FEATURE ARTICLE:
Personal Lessons about Effective Cyber Policies and Strategies
What You Should Understand about the Internet of Things (IoT)
Routers, Switches, Russians & Ditches: Cold War Hacker to Patriotic Silicon Valley Executive
FEATURE ARTICLE
I recently retired from active duty after a 35 year career in the U.S. military, the past decade of
which has been devoted to the sometimes mysterious cyber world. I'd like to offer some insight into the
personal lessons that I've learned during my experience in helping to stand up U.S. Cyber Command and
while working cyber policies and strategies at the Pentagon. Although I've learned many more lessons,
the three that I've chosen to share in this article are, in my view, especially important for leaders in both
the public and private sectors because we are all becoming increasingly connected through modern
information technology. This means we all share in the exploding opportunities as well as the escalating
risks. Below are my top three lessons and I will attempt to add more context in subsequent paragraphs to
help both government and industry leaders understand why all sectors of society should care about these
key points:
2. The world is changing dramatically and so too must the balance between opportunity and risk in
the information technology decision-making environment.
3. As more nation-state militaries become involved in cyber operations, we must shine more light
on what they are doing and why, in order to set accurate expectations and prevent mistakes.
Lesson number one is about a real need for teamwork and effective partnerships. If I had to come
up with a motto for this lesson it would be, "Make friends - lots of friends - you're gonna need them!" If
you think you can go it alone in the cybersecurity business, think again. Many different organizations,
both public and private, have critical roles and responsibilities in the cybersecurity environment, but no
single organization has all the skills, talent, resources, capabilities, capacity or authority to act effectively
in isolation. It truly does take a team approach and strong partnerships to operate effectively. However,
creating trusted, credible partnerships requires significant dedication of time and energy from the
leadership of an organization. It doesn't happen overnight and must be continuously cultivated. I spent the
biggest portion of my personal time as a cyber leader building teams and strengthening professional
relationships with the leaders of other organizations who played an important role in our shared objectives. I
also invested a considerable amount of time trying to reduce the inevitable bureaucratic friction that
periodically pops up in the form of "turf battles" by using that trust that comes from strong personal
leadership bonds developed carefully over time. These turf battles usually arose because the relatively new
term "cyber" crosses so many legacy boundaries. In fact, it's hard to find an organization these days that
doesn't think it has a key role to play when it comes to cyber. Sometimes this causes a clash of roles,
responsibilities and equities. Good leaders figure out ways to navigate these rough waters.
1. I acknowledge the assistance of Clif Triplett, Managing Partner at SteelPointe Partners, in the development of this article. Clif is a dear old
friend, a 1980 West Point classmate, and a highly successful and well respected leader in the information technology field within industry. I
asked Clif to help me articulate my personal lessons in ways that would be most meaningful to leaders in the private sector, and I'm ever
grateful for his insight and edits.
Within the Defense Department, one might characterize the types of partnerships we strove to
build using four categories, that I sometimes referred to as the four "I's":
The first category was internal to the Department. If you want to be an effective member of any
team, and not sit out the game on the bench, you have to first build credible capabilities internal to
your own organization. In an organization as large and diverse as DoD, that meant creating a joint
culture that provided the Army, Navy, Air Force, Marine Corps and dozens of other DoD agencies
and unified commands with enough flexibility to address their individual, unique operational
requirements while at the same time recognizing a climate of shared operational opportunities and
risks. Establishing common joint operational objectives was key to keeping the teamwork strong
across traditionally competitive barriers. In an environment of diminishing resources it also just
plain made sense to reduce redundancy, eliminate waste and allow for everyone to share in a best
of breed dynamic. The considerable effort required to build our internal team was best
memorialized in DoD's initial strategy for operating in cyberspace in 2011. This original strategy was recently
updated in a new DoD Cyber Strategy which was unveiled publicly by Secretary of Defense Ash
Carter at Stanford University last April, 2015. Beyond these strategies, an implementation process
was put in place to routinely bring the broader team together, review progress, and identify issues
to be resolved. This process produced recommendations for senior DoD leaders to make decisions
and move forward in tangible ways to achieve the strategy goals and objectives.
During my time working cyber at the Pentagon we made a deliberate decision to begin to more clearly
explain what we are doing as a U.S. military, why we are doing it, and how we are exercising very careful
control over what we are doing as a responsible nation. In fact, it may surprise some to know that we
included nations such as China and Russia in this discussion, and I had the opportunity to participate directly
with my military counterparts. While more clarity and transparency are needed, especially from the
growing array of nations that are building cyber forces in their militaries, there is also a need for some
balance in the decision about how much transparency is required. After all, when you are in the business
of the military you do not want to give away an operational advantage. However, I believe that we do
need to talk more openly about what we do and you are seeing a more open and transparent posture
from DoD continuing today. We are setting an example of how a responsible nation's military acts, and
we expect others to follow this example. One very practical benefit in being more clear and transparent
is that you can use military cyber capabilities more effectively in a deterrent role by doing so, and I think
we are just beginning to tackle that issue within DoD and the U.S. government.
As I mentioned at the start, there are many more lessons that I've learned over my tenure at the
Defense Department. The three lessons that I share in this article are meant to help leaders in both the
public and private sectors focus their attention on those things that I've seen make the biggest difference in
effective cyber policies and strategies:
1. Build trust and respect across your organization and with critical external partnerships, and
constantly cultivate them with great care and attention.
2. Prioritize efforts based upon an accurate assessment of today's risk, but don't ignore the
opportunities that you may encounter, then apply a comprehensive approach (people, processes and technology)
with the human dimension as your top priority and technology prioritized and surgically applied toward
the organization's most vital functions.
3. Understand the limited (but vital) role that the military and other government agencies have as
part of a collective cyber security effort, and the resulting impact on your organizational responsibilities as
an effective member of the broader public/private partnership required for us to be successful together.
Retired U.S. Army Major General John A. Davis is the Vice President and Federal Chief Security Officer for
Palo Alto Networks, where he is responsible for expanding cybersecurity initiatives and global policy for
the international public sector and assisting governments around the world to successfully prevent
cybersecurity attacks.
Prior to joining Palo Alto Networks, John served as the Senior Military Advisor for Cyber to the Under
Secretary of Defense for Policy and served as the Acting Deputy Assistant Secretary of Defense for Cyber
Policy. Prior to this assignment, he served in multiple leadership positions in special operations, cyber, and
information operations. His military decorations include the Defense Superior Service Medal, Legion of
Merit, and the Bronze Star Medal.
John earned a Master of Strategic Studies from the U.S. Army War College, Master of Military Art and
Science from U.S. Army Command and General Staff College, and Bachelor of Science from U.S. Military
Academy at West Point. He also serves as an advisor of the MCPA.
So how do you protect yourself? You have options. Some may even save you money:
First, when purchasing an appliance, consider the features you need. Typically "smart" or "connected"
devices cost more than their non-IoT versions. If the smart features aren't overly compelling, skip them
and keep some extra money in your pocket.
Does the device still work without internet services enabled? If so, you may want to consider not
connecting it to your network.
Does the device you're considering buying provide services you already have? There is a lot of overlap
in home IoT items. For instance, your smart TV may provide access to Netflix, but so does your Roku
or Chromecast. Do you need them both to provide that connectivity?
Before you buy, visit the vendor's website and read their user/privacy agreement so you understand
how they interpret their responsibilities to you as a consumer. What do they do with your data? Do
they re-sell it? If you are not comfortable with their privacy statement, you may want to reconsider
buying an IoT-capable device from them.
While Joe Ritchie (a profoundly successful options trader) was calling in coordinates for air strikes on Tora
Bora in 2001, I was on the phone with guys in both Silicon Valley and Panjshir Valley (the people I met in
Denver years before) screaming at them to contact Mullah Omar and give up the qufar! (Bin Laden).
I have yet to meet an executive in Silicon Valley who could match the courage of Joe Ritchie, nor any who
would dare to get on the phone and take action that would put their lives in jeopardy in pursuit of truly
evil men. I have observed that too many leaders in Silicon Valley harbor a flawed pollyanna position,
viewing national boundaries and Cold War enmity as mostly things of the past. In my opinion, this is a
grave miscalculation. The leaders of the American technology industry can no longer sit on their hands
professing to be ambassadors of commerce to all nations and remain blind to the threat to our nation's
treasure and safety.
It is this paradigm that motivates me to support efforts like the Military Cyber Professionals Association
(MCPA). Our young men and women of the military must remain relevant in protecting our constitutional
republic to the same level of seriousness that our Cold War generation was programmed to do. The
battlespace is now multidimensional, and the enemy is no longer fully identifiable in uniforms. Asymmetric
warfare is underway within today's nexus of belligerent nation-states, terrorist organizations, drug
cartels, street gangs, mercenary hackers, and lone wolves.
Mr. Harlow (right) recognized with the MCPA Order of Thor medal by
retired Admiral Route (left), President of the Naval Postgraduate School,
in Monterey, California, alongside leaders from the US military and academia.
Images courtesy of the author.
NetFuel, Inc. came on board as the first MCPA corporate sponsor, enabling initial
costs to be covered. They recently decided to support the MCPA Recognition
Program, which plays an important role in fueling volunteerism into K-12 STEM (science,
technology, engineering, and mathematics) education nation-wide and providing
professional development opportunities for the American military community.
Thor was selected as the symbol to adorn the MCPA recognition medals since this
mythological hero fought through the clouds as the god of thunder. The cloud is a
widely recognized symbol of cyberspace. Also, like cyberspace, his hammer has the
power to build and to destroy.
Mentoring Program
by Edward B. Rockower, Ph.D.
This is dedicated to Sam Abraham, my Mentor at General Dynamics.
When I was asked to write something about Mentoring for our Magazine I immediately agreed because I
not only have experience as a Mentor to others, but also as a Mentee. From both of those roles I feel I've
benefited greatly. In addition, I helped develop the Mentoring Program for Operations Analysts at Lockheed
Martin and thus had exposure to many of the resources for other Mentoring programs inside, and outside, of
that corporation. Before writing this article I began a review and synthesis of my materials on mentoring. I
immediately remembered how important this topic is for our Association, hence should NOT be a fire and
forget discussion of mentoring that might only provide the intellectual bones of the subject. Rather, it
should begin an ongoing venue for providing the flesh of our own Mentoring Program.
The author (3d from the left) on team MCPA led by its founder
(2nd from the right) at Start-Up Weekend, Monterey Bay 2013.
There's a famous saying: "when the student is ready the teacher will appear." You also see that
paraphrased as "when the teacher is ready, the student will appear." To me, this emphasizes the symbiotic
relationship of the mentor with the mentee.
My first Mentor, Sam Abraham: when I completed my Ph.D. in Physics I was hired into the Operations
Research Department of General Dynamics, Fort Worth to work on the F-16 Program. Sam Abraham was
assigned as my Mentor. I cannot emphasize enough how many lessons he taught me. So many times over
the years I've followed his advice, or echoed it to others. Most times I'm subliminally aware that I'm
channeling Sam, having taken to heart the many engineering and life lessons he imparted to me, such as:
"There are 2 kinds of people, technique oriented and problem oriented. You need to be the problem
oriented type."
"You're like a little boy with a new hammer. Every problem looks like a nail."
Sam taught me how to make effective slide presentations. As a result, I was selected to make
presentations to the F-16 Program Office.
The Army's Warfighter Integrated Network-Tactical (WIN-T) system of systems forms the heart of the
Tactical network defenders are challenged to receive support from organizations such as the Army
Cyber Talks is a semiannual, one-day conference hosted by the Army Cyber Institute (ACI). Each one-day
event highlights talks given by thought leaders and rising stars throughout the Cyber operations
community of interest, designed to foster creative solutions and build intellectual capital in cyber operations. In
June 2015, the ACI announced a Call for Presentations for the next Cyber Talks, which took place on
September 22nd, 2015 in Lincoln Hall Auditorium on the campus of the National Defense University at Fort
Leslie J. McNair in Washington DC. As with previous Cyber Talks, the successful day ended with a social at
the Fort McNair Officers Club hosted by the National Capital Region Chapter (NCR) of the Military Cyber
Professionals Association (MCPA).
Cyber Talks was first conceived by LTG Edward Cardon, Commander of U.S. Army Cyber Command
(ARCYBER). He asked the ACI for help in organizing a "TED Talks"-like event focused on cyber operations
for ARCYBER personnel and the extended cyber operations community of interest. LTG Cardon
envisioned a day-long series of short, high-impact talks that highlight innovative ideas in cyber security to take
place at a location convenient to ARCYBER personnel. Reactions to the first two Cyber Talks events, held
in September 2014 and March 2015, were overwhelmingly positive.
Rock Stevens and Michael Weigand presenting at Cyber Talks, 22 Sept 2015.
Photo courtesy of ACI.
Thank you for the printing support!
UPS Store 6274, located at the Main Exchange on Ft. Belvoir
8651 JOHN J. KINGMAN ROAD, FORT BELVOIR, VA 22060, store6274@theupsstore.com, (703) 781-0269