Military strategy and training change with every conflict and governmental paradigm shift. The only publication that has maintained relevance in the last 2500 years is Sun Tzu’s The Art of War. I read this book only after I finished my military career, while I was studying for my degree in Counter-Terrorism, and only then could I relate back to my military service and understand why I was trained that way. Sun Tzu only talks about training once in the thirteen chapters, but it is a chapter worth reading: “Victory goes to the army who has better trained officers and men [and women].”
While in theory this seems very simple, in practice it is extremely difficult because it’s impossible to judge how well trained an enemy is prior to facing them in battle. So, when I joined an elite combat unit 16 years ago, I trained for an entire year before ever seeing real combat. Each day of training was harder than the last, and each day felt like it was the worst day of my life. Soldiers are broken down physically and mentally, and pushed to limits that people shouldn’t be able to reach, so that combat is never as difficult as training. Now why aren’t our cyber warriors training the same way?
Soldiers like me are not going to be the front-line fighters in the next wars. The next wars will be fought and won by our cyber warriors, and they need to be battle ready. Too much of the cyber security training is done in classrooms, with table-top exercises and multiple-choice tests to follow. Every CISSP might understand what a ransomware attack is, but they don’t all know how to protect against one. This needs to change. The new wave of cyber warriors needs continuous simulation training, with real cyber-attacks, more difficult than Petya or WannaCry. Once they have successfully defended against these attacks, only then will the real deal look easy.
It is critical that any cyber security training provides an authentic experience. Because of rapid changes, training must be agile and responsive. Live simulation exercises attempt to replicate the experience and go beyond classroom lectures. Nothing better prepares cybersecurity operators to identify, isolate, remove, and recover from a cybersecurity attack than total immersive training in a cyber range. These exercises provide a relevant, integrated, Live-Virtual-Constructive (LVC) cyber range environment for demonstration, training, exercising, tool development, and testing full-spectrum cyberspace capabilities. And this type of training needs to be an ongoing process. The enemy is not going to stop, so neither should the training.
Every few months in combat my team was pulled off the line for a few days’ rest, and then a few weeks of training. However, this training was unlike our previous training. Different officers, from different units, would come in with new training regimens. The same approach needs to be taken with the cyber warriors. The cyber security training scenarios need to be changed from training to training, and the cyber warriors need to continuously update their training every few months. The attackers are finding new vulnerabilities; we need to find new ways to defend.
It is an unfortunate sentiment that sometimes all you need to keep your network safe is to just be harder to hack than the next, but many times hackers are just looking for the easy target. Be the victor whose cyber army has better trained officers and men [and women].