>Do the military "cyberwarriors" even have local admin rights on their machines?
We don't, hell I don't even have access to some of the basic tools I need (i.e. version control)
>Hackers don't sign up for active duty military.
They do, I've met the smartest people I know in the military. The hacker types never stay though; they either get kicked out because they don't want to put up with the bullshit or separate after their first enlistment and quadruple their salary.
Basically the problem with the military is that they won't (or can't) pay enough to retain any of the talent they have and are unwilling to compensate for the low salary by changing the "culture" they've developed over the last century.
> We don't, hell I don't even have access to some of the basic tools I need (i.e. version control)
Yep. Dealing with the military as a customer, I have definitely seen red tape that goes beyond reasonable for security and is actually downright counter-productive (the steps needed to jump through to "secure" a box: many are wasteful, antiquated, yet some obvious ones are not mentioned).
There are things like "tcpdump must not be installed". So debugging is a pain, so then fine, I'll just use a python wrapper around libpcap then.
Some of the password policies are odd. I don't remember exactly, but requiring large passwords made of random gibberish instead of long pass phrases just makes people write them on Post-it notes and carry them in their wallets.
'They have tools to listen to network traffic. But we told them not to. It's fine.'
'So... if they don't intercept network traffic, they were trustworthy and it wouldn't matter. But if they are not trustworthy... they can still sniff the traffic? Are you sure it's fine?'
'Yeah, every modern network is switched so there is nothing to sniff'
> Basically the problem with the military is that they won't (or can't) pay enough to retain any of the talent they have and are unwilling to compensate for the low salary by changing the "culture" they've developed over the last century.
These are all problems that are slowly working their way up the policy chains. E.g. RAND has put out a very good study on all this, http://www.rand.org/pubs/research_reports/RR430.html that discusses the challenges with public sector/military hiring (and retention).
It may yet have to come down to putting the effort heavily on the Reserves though, because for all the other things the military can change, I don't see culture as being one of them. Even the legendarily free-wheeling communities like submarines and fighter aviation deal with red tape and subsuming egos to the team.
>These are all problems that are slowly working their way up the policy chains.
It doesn't matter that the problems are working their way up the policy chains if they are only going to die when they get to the top. You yourself admitted that they are unlikely to change the culture, and we both know they aren't about to pay a competitive wage to the military. Unfortunately, that leaves us with things exactly the way they are now.
The military likes to talk about starting to take various issues seriously, yet it is an exceptionally rare occasion when they actually do.
In larger tech companies there's plenty of red tape, and some of the best software developers I've seen don't care a lot about ego. People I've heard talk about public sector work (never heard any talk about military software security work) complain more about cultures where there are too many incentives to focus on the narrow mission of your own organizational subunit, and little feeling of (or decision-making with a view towards) the overall goals of the broader organization.
Company red tape and military culture are nothing alike.
The most "conservative" company would have techies that don't meet any customers come in a suit, and those are almost extinct now.
In a military, depending on where you are and your rank, you could get detention / penalties for not being shaved, not having your shoes shined, having a haircut that's too long by a few centimeters. You often can't take a week (or even a day) off without weeks' notice unless it's an emergency. You could go to jail for disobeying a higher up.
And most importantly, if you signed up for (say) 3 years, you can't quit before those three years are up. Seriously, if you think corporate red tape is anything remotely like serving in the military - you need to revisit your idea of what the military is.
I've been in .mil and .com, and with at-will employment, at least in the more regulated industries, it's the same outcomes. What's really different is the formality level.
So if your .com boss decides to fire you for being a dirty hippie, you pretty much get walked out and that's it. More likely they would make up a bunch of B.S. to "prove" your inadequacy so they don't have to pay severance or unemployment claims.
In .mil it's surprisingly similar but much more formal. UCMJ Article 15 punishments, some written formal counseling, court-martial trial; yes, you can get downsized in the .mil by reorgs making your slot coincidentally happen to disappear. It's all very complicated and ritualistic but basically does the same thing as .com.
You only go to jail in .mil if you more or less want to. There are always alternatives that are generally easier than "just say no". It's vaguely similar to .com life in that telling your boss "no" is much more likely to get you fired than explaining "yes, but ...". Along with the traditional Homer Simpson move of just go to work and retire in place or monkey wrench stuff.
One difference is that transferring is much easier and much more uniform in .mil if you have a bad boss than in .com, where that may range from no-problemo to impossible without a career death penalty being assessed, but usually on average much harder in .com world.
I suspect you misunderstood what I wrote: The army can easily discharge you even if you signed up for 3 years, with a variety of ways. However, YOU cannot quit as easily. That's a world of difference.
And re:transferring - that's another thing that's different in the army; The army can transfer you to, say, Iraq, with a couple of days notice, without giving you the ability to refuse. Ever had anything like that happen in your .com days?
Many hackers / security researchers wouldn't mind working for the military but they don't have the desire to go through basic training and learn the things that will be unnecessary to their main job.
If I were to join the military right now wanting to work on computer systems, how long would it take before I'm actually performing that role, or would they have to "break" me first? Hackers have no desire to do that when they can easily stay in the private sector and earn twice the pay and have a nice cushy office to work out of.
There should be some kind of alternate route to joining the military for officer and specialization roles (in my opinion of course, I am certainly interested to hear if anyone has objections). Give me a few tests, an interview, a basic physical, a polygraph, and some IT training to get familiar with the systems and let me go to work. High pay isn't really an issue for me personally as long as I enjoy the work and am constantly learning or teaching.
Having access to that information is a huge responsibility. There have been spies at all ranks that have done large amounts of harm to the US military. It is absolutely necessary to lock down machines and have strict security checks over each other and logging of everything.
Yes. http://www.military.com/join-armed-forces/air-force-bmt-boot... How much of that is really necessary to be in IT security though? I'm sure it makes you a better person, but when you have highly skilled individuals and show them that kind of requirement, the majority of them would rather stay in the private sector.
The exception is if you have a specialized degree: there is officers' school for the branches, but basic training is still required. You will still be marching and be broken in, but after that there will be more classrooms than physical activities.
Pilots especially must be physically fit. I've heard that leg strength is especially important so that you don't pass out at high g-forces. Drone pilots probably not so much, obviously.
The Reserve forces might be slightly less rigorous, but I'm not positive.
The cyber warfare stuff is mostly Army and Navy though as far as I know.
Agencies like the DHS are the ones that are really struggling to find IT talent. They have a huge amount of responsibility (securing all non-military government infrastructure) and have a bad reputation currently (because of airport security staff).
I more or less agree, just some minor clarifications/nitpicks:
> Officers go through OTS, not BMT
> Reserve physical requirements are the same as Active duty requirements
> The Air Force's cyber warfare career field is called 1B4[1]
My dad was a helicopter pilot for the Marine Corps for 20 years and flew in Desert Storm and Iraq in the early 2000s. Growing up, he was always in insane physical shape and actively participated and taught in Crucible[0] trainings. Part of it was certainly the 'culture' that surrounds the squadrons, but one day I asked him why he stays in shape when in war he'd never had to stand up to do his job. He told me the only thing separating him from a 'grunt' (ground soldier) was his helicopter, which the enemy could take away in an instant. The moral was you always train for the worst possible situation (being grounded behind enemy lines) and hope for the best (never having to stand up).
I don't understand how the military cannot afford to compete with the private sector. This is where wars will be won now (or soon). It's pretty important to defend ourselves. And we have trillions of dollars...
Part of it is that the government doesn't want to, the other part of it is that the American people would shit their pants if they found out that a low-ranking Soldier was making 6 figures a year off of taxpayer money. People resent it when government employees make more money than they do. Also, in the Army, you make the same amount of money no matter what your job is. The people they used to have that were only qualified to do laundry 40 hours a week as a full-time job get paid the same amount of money as intelligence analysts and information technology specialists.
The NSA has no problem paying for top talent, but they do it by going through consulting firms. It's true that most Americans would shit their pants at 6 figure soldiers, but few military skills are so valued by the open market. As we're constantly told by the tech media, you should prefer five $200,000 people to ten $100,000 people, or—god forbid—50+ people writing PowerShell scripts for minimum wage.
>It's true that most Americans would shit their pants at 6 figure soldiers, but few military skills are so valued by the open market.
Infantrymen won't have marketable skills, but we are talking about military security analysts. These guys often do have skills equivalent to their civilian counterparts. You seem to be making the same assumption that many others in this thread have: that all Soldiers are infantrymen of less than average intelligence.
The link upthread of us shows that annual pay for federal cybersecurity professionals is about on par with industry [1], especially when considering geography/cost of living.
My surprise had more to do with learning that cyberwarfare reservists exist, let alone enlisted soldiers. (I'm not familiar with the military.)
>My surprise had more to do with learning that cyberwarfare reservists exist..
I can see how you would be surprised. It seems counter-intuitive, but it's actually normal for reservists in technical fields to be better at their jobs than the military. The best example I can think of is the field of aviation. Many reserve pilots are commercial pilots that get to fly 1000s of hours each year. Their full-time military counterparts don't get to fly their fancy fighter jets very often, because it's really expensive.
Doctors and pilots get paid reasonably well by the military (especially once training, liability, etc. is factored in). We could probably do something reasonable in infosec.
>Doctors and pilots get paid reasonably well by the military.
Doctors are officers. This means that they get paid much more than Soldiers, but it's still a laughably low amount when you compare it to a civilian doctor's salary.
Pilots are also officers. Their salaries are closer to the civilian world, but they are still probably a little low.
I don't think the Army is about to convert tens of thousands of IT specialists and Intel analysts from enlisted Soldiers to commissioned officers. Even if they did, the majority of them would still be making well below market rate.
Even the officer ranks that pay competitively require 10-20 years of service. At that point you are going to have a salary that's comparable to a civilian security analyst with a couple years' experience.
The people I interacted with most were Healthcare Information Systems Officers (70D), who were generally O-2 to O-4. Given that they tended to be fairly early career and living in low cost areas of the country, with college paid, it was a pretty good deal for them.
I think flexibility is the real problem with military hiring, not absolute pay levels.
After allowances, they are making about 52-70k depending on which rank they hold. That's not bad for what they do, but if they were actual doctors it would be terrible.
It's also not a technical job in the traditional sense. 70Ds typically spend 8 years as a 70B (even though a lot of them will be slotted as 70Ds much earlier than this), which is essentially a management position at a medical facility.
From the description of 70D, it could end up being a technical job depending on the particular assignment, but it's more oriented towards healthcare management types.
It's not a bad deal at all if you are looking for a way to pay off your student loans.
If you're a military doctor, not only do you save approximately $200k on the cost of your schooling, you also far outearn civilian doctors over med school and residency. Even top residency programs pay very little. Until you make attending (or possibly fellow) you are probably making half of what your peers in the military are making. Military doctors earn less for the last 4-6 years of their service, but they more than make up for it over the first 8-10.
The base pay is the same, but don't they have all kinds of extra pay they can tack on for various reasons? There is combat pay, but I'm sure there must be more than that.
John is correct. There are different types of extra pay, but they don't have anything for tech related jobs.
The allowances in the Army are for things like jumping out of a plane, scuba diving, foreign languages, combat pay, etc.
The Army still has this attitude that if you aren't outside all day, running around yelling at people, then you must not be doing any work. I'm not sure if that will ever change.
You can get extra money for all kinds of things. Knowing another language, certain career fields (i.e. special forces and contracting) still have re-enlistment bonuses, etc. etc. None of the "cyber" career fields, in the Air Force at least, get any sort of extra money that I'm aware of.
But they would not be low-ranking soldiers; all IT professionals would have to start at officer level. I did work at one ex-civil-service tech company and our grades still had a mapping to military and civil service ones.
>But they would not be low-ranking soldiers; all IT professionals would have to start at officer level.
Officer income is higher than Enlisted income, but it still starts at around 34k for a single person. Depending on where you live, it's probably going to be about 46k for someone that's married. That's still pretty low for the type of people they are looking for.
The military lost the war with the private sector some time ago, and that's why "defence" spending is in the trillions.
My comment at https://news.ycombinator.com/item?id=8009579 applies again. The 'cyberwar' does not matter, or at least not in a way that threatens the existing power structure. To the extent that there are duelling hackers out there, they're operating in the financial realm, which is very far from the military and extremely resistant to being told what to do.
Besides, conventional war is over between major powers. There's colonial policing, guerilla warfare, secret ops -- and then straight up to nuclear exchanges. NATO's eastern border is Poland; Russia's western border is some way east of Donetsk; in the middle is an ugly unacknowledged skirmish using Ukraine as a buffer zone. The skirmish will continue unescalated because neither side can afford to stop the gas pipelines flowing through Ukraine.
(The Russian missile launcher was tracked by, among other things, geotagged selfies on Instagram posted by one of the operators. Does that count as "cyberwar"?)
I think this is a prime example of how pay scales and recruiting policies are very difficult to apply across a multi-million-person organization. If you change the rules for cyber positions, you must consider changing them for all positions. Rank and pay scales are the same across any GS position and across military ranks at this point - perhaps we should think about paying those with key skills more money, but that argument is extremely tough to implement and get legislated.
Result: "Forget it, let's just hire some contractors."
>If you change the rules for cyber positions, you must consider changing them for all positions. Rank and pay scales are the same across any GS position and across military ranks at this point..
This isn't entirely true. Unlike the military pay scale, the GS pay scale does have ways to pay certain fields more money. It's not very much in most cases, but it's there. IT jobs generally get you 10% more than other fields.
The only GS jobs I know of that get a substantial amount of extra money are the Scientific and Medical jobs. There are special codes that allow them to add at least another 50k-100k to their income, depending on the specific type of position that they hold.
It's difficult to "opt out" of GS pay scales, and even then if you do you then have to follow different recruiting patterns and are subject to fairly strict guidelines. They do have special scales for special positions, but from what I understand that takes awhile to establish and still has strict guidelines. (http://apps.opm.gov/SpecialRates/2014/index.aspx)
Federal recruiting can be quite a minefield, which is a significant problem in fast-moving professions. According to this article the NSA don't opt out of the GS scale, but that's not to say they don't offer temporary positions with slightly different criteria: http://work.chron.com/nsa-pay-scale-16399.html
I'm unsure if it's different on the military side but typically that pay / Basic allowance for housing / etc is also clearly defined in advance.
The NSA doesn't opt out of pay scales -- all general employees follow the GS pay scale with GS 10 removed (GS 9 promotes to GS 11). For those with a degree in certain fields, they follow an increased pay scale but along the same grade. For instance, someone with an electrical engineering degree would follow the GE pay scale, which still has the same path (GE 9, 11-15) but makes something like 2-10k more per year.
The biggest difference is that their promotion structure is split into two parts: there is a technical route to promotion and an administrative route. This means that you can either be good at being in charge of people and get promoted (administrative), or just be good at what you do (technical). It leads to interesting situations where a GS12 is put in charge of divisions comprising GS15 veterans of 20 years' experience, but all in all it is by far the best government-run organization I've worked for.
Ah, I seem to remember an article that said they did; probably Wired or a similar publication getting the wrong end of the stick.
The UK scientific civil service has similar problems, in that for generic management roles they are paid fairly well; for high-end technical skills, not so much.
Even worse once you get into roles for the TLAs - it will end up like the '30s, where the only people that the security services could recruit were those with private incomes or ex-military on pensions.