A Leader’s Guide to Proper 25D Utilization

US Army Cyber Network Defenders (MOS 25D) are the most underutilized risk mitigation assets a commander has in his arsenal when it comes to operating in cyber space.  Proper 25D utilization places the cyber defense expert in a position to monitor all network and system activity on the upper TI for signs of intrusion or data exfiltration.

Many 25D’s are thrown into the COMSEC vault immediately because it is an easy fit.  Many have a TS-SCI clearance and many have the necessary COMSEC schools.  If they don’t have the school it is only 2 to 4 weeks of training.  A lot of vaults only require a secret clearance, too.

The problem is that putting a 25D into the COMSEC vault is a negligent waste of valuable skills.  The 25D has skills that extend well beyond the capabilities of the simple security measures currently in place.

The firewall is a common counter against using a 25D in a Cyber Network Defense (CND) position: “But we already have a firewall”.  Let’s examine it in a figurative example.

Firewalls are not a comprehensive security device

They are actually more of a false security blanket and can only filter traffic that flows through them.  The traffic between your Sharepoint server and the CPOF do not pass through the firewall.

A firewall is easy for a seasoned hacker to defeat.  (“Firewalking” is the technique.)  With the amount of security on the upper TI, a commander should only expect seasoned hackers to attack.  Let’s examine a firewall in common terms:

Firewalls explained in layman’s terms

Think of a firewall as an Entry Control Point for a Forward Operating Base.  The Soldiers manning the ECP have very specific instructions and they follow those instructions exactly as ordered.

For example, the guards only allow US military vehicles in or out.  As long as it is a US military vehicle it may come or go.  They don’t care what is inside, what time the vehicle passes through, or the destination.  If you were an enemy combatant, how quickly could you figure out the rules of the ECP, find yourself a US military vehicle, and drive through the ECP without being stopped?

That’s what a firewall does – it filters traffic based on specific rules.  Some are more advanced than others, but ultimately they follow the rules they are given exactly as ordered.

Your 25D is that seasoned Soldier at the ECP who knows exactly what to look for.  Before coming on shift he visits the S2 to get the latest threat briefing.  He knows what the enemy’s current TTP is.  He knows there are implied tasks with his duty position and will go above and beyond the posted orders for the ECP.  He cares about what is in the truck, why it is passing through when it is passing through, where it is coming from and where it is going.  He also knows how to instruct the other Soldiers what to look for, what to let through, and what shouldn’t get through.
He desires to run the best ECP possible.  He can also find that hidden note attached to the inside of the frame of the LMTV heading out of the gate to another FOB that the enemy insider threat is using to communicate with another insider threat on another FOB (covert channel is the technical term).

COMSEC Explained

Let’s explore COMSEC with the above figurative scenario.

COMSEC, in the above example would be broken down into a few components.  Imagine the trunk or cargo area of each vehicle is made out of material that would take 6.7e40 years (I’ll explain that number below) to break into without having the key to the padlock.  The padlock would take just as long to cut through.  It would also take just as long to pick the pad lock.  Each type of vehicle takes a different type of padlock.

A COMSEC account manager would be the person who issues the locks to the operators.  He doesn’t design the locks or do anything to them to enhance their protective capabilities.  He requests the locks he needs for the trucks that need the locks, he issues out the locks to the operators of those trucks, and he does the paperwork on the issuance and recovery of the locks.  That’s it.

Hopefully you can see why placing a 25D into a COMSEC position can be seen as a negligent waste of valuable skills.

A 25D’s entire purpose is information security

The 25D’s commitment to excellence doesn’t end at manning the ECP.  He also seeks out to identify and improve FOB defense in every way possible.  When he isn’t on ECP duty he is closely examining the perimeter security looking for problems or ways to improve the perimeter based on the latest threat intel.  He’s also inside the FOB looking for vulnerabilities that an insider threat could leverage.  He eats, sleeps, and breathes security.

When I say that last sentence, I absolutely mean it.  Most 25D Soldiers are eating breakfast while reading the latest cyber security news – who was attacked and how, the latest offense and defense trends, new exploits in the wild, and trending attack patterns over the past 24 hours.  Over lunch they look at the source code for a one-day-old exploit to figure out how it works.  Over dinner they are doing coursework for an online college for a bachelor’s degree in Cyber Security.  They never stop sharpening their spears of their craft.

As you know, the enemy’s TTP changes daily.  The same goes for our adversaries in cyber space – new emerging threats and exploits appear daily.  These exploits appear daily and are often posted publicly on the Internet for all to see and use for free.  Each new exploit requires a unique defensive measure.

If your unit is relying on a firewall for defense here are some questions you should ask your S6 section:

  • When was the last time the firewall rules were adjusted to defend against the daily emerging threats and exploits?
  • When was the last time the firewall logs were actually closely examined to see if they were actually stopping unwanted traffic?
  • What measures are in place to detect insider threat activity that may not even traverse the firewall (exfiltration via printed documents, burned DVDs, pictures taken of screens, etc)?

If you have nobody working CND (25D, 255S) my bet is that you won’t get a confident answer to any of those questions.

A 25D’s home is not in the COMSEC vault

Soldiers can become proficient with the LCMS/KMI with just 2 weeks of training.  The COMSEC vault operations take another 2 weeks of training.  Overall being a CAM or ACAM is very simple and requires little technical skill.

To put it bluntly, encryption works and everybody knows that, even the enemy.  The level of encryption we use practically cannot be defeated.  If you had 2,000 petaFLOPS (the fastest super computer today does about 93 petaFLOPS) it would take 67,000,000,000,000,000,000,000,000,000,000,000,000,000 years (6.7e40) to exhaust the key space of the encryption we use.  The universe has only been around 14,000,000,000 years (1.4e10), for a sense of scale.

The enemy isn’t going to attack our encryption and if they do then we’ve already won.  They are instead going to attack our information and systems at points where it isn’t encrypted.  The 25D needs to be operating in that portion of the network.

Since COMSEC positions need very little training or technical knowledge, there is no point in putting a 25D into the slot – it would be a waste of talent.  COMSEC is a full time position and therefor a 25D cannot perform both duties effectively.  If a 25D is in that slot, then every effort needs to be made to move the Soldier to Cyber Network Defense.

A 25D’s primary purpose is to reduce risk

Think about the sensitive information stored and transmitted on your upper TI.  How bad would that be if the enemy got their hands on a single OPORD before the mission?

  • What would be the increased risk of loss of life?
  • How would that investigation look like?
  • What measures did you take to defend your network?

Not all cyber attacks can be stopped but many can be.  Sensitive information transmitted and stored on computers or disks puts lives at risk.  Is your organization doing all that it possibly can to defend your sensitive information?

A 25D performs several tasks in CND:

  • Identifies vulnerabilities and risks associated with those vulnerabilities.
  • Develops a plan to mitigate the risks by remediation of the vulnerability or mitigating the exposure to those vulnerabilities.
  • Monitors defense mechanisms and improves as necessary.

The bottom line is that a 25D is constantly improving your organization’s cyber defense posture.

Why do we need 25D’s suddenly?

The fact is we’ve always needed someone trained and proficient in information security.  Within the past 10 years, other countries have stood up “cyber armies”, which China reportedly having 50-100,000 cyber warriors ready to conduct operations in cyber space.  Organizations like the Taliban, Al-Qaeda, and even ISIS have cyber elements, such as ISIS’s “Syrian Electronic Army” that serve as cyber warriors.

It’s also no secret that operations in cyber space are considerably less expensive than an actual ground deployment of combat power.  Additionally, the cost of entry to go toe-to-toe in cyberspace is considerably low.  A small team of hackers that are properly prepared and trained can infiltrate the information systems of superpowers.  This has enabled smaller nations and organizations to divert focus from ground combat to cyber space operations.  These operations can include cyber attacks, reconnaissance, propaganda, and even recruiting.

The need to have dedicated people devoted to defending our information systems has never been greater.  You can no longer rely on the excuse of “We’ve only seen cyber attacks during NTC rotations.”  Your organization needs to be ready for any cyber attack that may come its way.  That’s exactly what the 25D is to your organization.  Don’t underutilize their talent and let it go to waste.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.