[HN Gopher] The military is an impossible place for hackers, and...
___________________________________________________________________
The military is an impossible place for hackers, and what to do
about it (2018)
Author : NavinF
Score : 45 points
Date : 2024-10-13 19:42 UTC (2 hours ago)
(HTM) web link (warontherocks.com)
(TXT) w3m dump (warontherocks.com)
| cdwhite wrote:
| 2018, FWIW. I'd be curious to hear how (if) things are different
| now.
| alephnerd wrote:
| Pay has gotten better, plus the individual branches all have
| stronger CyberCorps now.
|
| That said, CyberCom still has issues because it's a unified
| command and not a branch, which means it has limited say and
| will always get overshadowed by individual branches and the
| NSA.
|
| Another interesting change is the rise of private sector
| players and public-private partnerships to help remediate the
| pay gap - this is what China and Russia did due to similar
| issues around remuneration, and most other NATO+ allies like
| Israel, UAE, Singapore, etc leverage this model.
|
| Anecdotally, outside of the NSA, it appears that most of what I'd
| term "white collar lifers" within branches prefer Intel over
| Cyber because it's easier to learn due to less STEM, and a
| significant portion of those who do Cyber will tend to leave
| for private sector.
|
| That said, Cyber Reserves forces are fairly prominent now and
| probably the best way to remediate this gap.
|
| I'm biased, but imo, the US needs to adopt the Israeli model of
| public-private offensive security capabilities plus a strong
| reserves component, because the pay gap and the respect gap
| just won't be fixed due to internal inertia in the services.
| 9659 wrote:
| USAF now has Cyber Warrant Officers.
| dang wrote:
| Year added above. Thanks!
| evanjrowley wrote:
| It is important to learn from one's own mistakes, but if an
| institution is _too big to fail_, then does it ever really
| learn?
| Terr_ wrote:
| If any entity _can't_ fail, does it _need_ to learn? :p
|
| That said, some of it is a matter of perspective: To bacteria,
| individual humans are "too big to fail" in the same way
| geography is.
| spiritplumber wrote:
| TLDR: Copy the medic track model. Makes sense to me.
| hipadev23 wrote:
| The answer to every problem cited is simply pay. When there's
| unlimited DoD budget for Palantir or Anduril contracts compared
| to barely livable wage for enlisted personnel, it's a no-brainer
| why people go work for defense contractors instead.
|
| Enlisted or Officer, you'll not break $200k annual earnings until
| at least 20 years of experience and Lieutenant General or higher
| rank.
|
| NSA after a decade of experience you may approach 200k.
|
| Anduril starts entry-level at $200k.
| master_crab wrote:
| Yup. 95% pay. 5% antiquated culture.
|
| There are some aspects of the military culture that are a bit
| anachronistic, but it's minor compared to the pay and the
| career progression problems the military creates. It forces an
| up and out system where you can't continue doing what you're
| good at for increasing amounts of pay.
| generic92034 wrote:
| But is that not also a common issue with many IT companies?
| The technical career path is short and the higher levels on
| that path are already supposed to work more on powerpoints
| and meetings than on code.
| alephnerd wrote:
| 1. Palantir is a data store, and overstates its "defense"
| credentials. A major defense customer they keep mentioning
| churned years ago. If Palantir is a cybersecurity company, then
| so is Salesforce.
|
| 2. Enlistees are bucketed based on rank and years within the
| service. It is almost impossible to make a case for Cyber
| Enlistees to get a separate payscale from other Enlistees
| because other enlistees can and do get pissed.
|
| A mix of public-private offensive security partnerships plus a
| strong reserves component for cybersecurity related roles is
| the best solution - this is what Israel does.
|
| Finally, CyberCom is a joint command, not a branch, so they are
| limited in comparison to what individual branches can do.
| master_crab wrote:
| Palantir has been overstating its benefits for decades at
| this point. Slick UI can't hide the almost minimal usefulness
| you get out of it (and even that minor utility requires an
| army of support engineers anyways)
| wildzzz wrote:
| You wouldn't want to make something that can stand on its
| own and actually complete the mission. How would you
| afford an army of Agile developers with inflated salaries
| constantly churning out code that solves problems that
| don't exist? How could you possibly pay back the VCs that
| poured millions into your company without ripping off the
| American taxpayer? If a defense contractor's website
| doesn't immediately show you what they make or can
| articulate the services they actually provide, there's a
| good chance they are scam artists and should be in
| prison.
| ericmay wrote:
| > Enlistees are bucketed based on rank and years within the
| service. It is almost impossible to make a case for Cyber
| Enlistees to get a separate payscale from other Enlistees
| because other enlistees can and do get pissed.
|
| I wonder if (and maybe this is already in practice), there's
| an opportunity for warrant officers in this context. In the
| United States Army where I enlisted, our helicopter pilots
| were mostly warrant officers and then you had the staff
| officers who would always try and get more flying time.
|
| The warrant officers were, I believe, paid less than the
| staff officers, but there's no reason to think the military
| can't provide additional pay. Retention and sign-on bonuses
| for expertly-trained cyber warfare and other compute-related
| activities warrant officers could be something to consider.
|
| Even as an enlisted soldier since I worked in aviation we'd
| get extra pay because of the odd shifts we worked which was
| supposed to make up for/supplement on-base meals. I may be
| remembering incorrectly but being airborne trained provided
| some extra money as well, though nominal.
|
| All that to say, if a W-1 is making $50,000 in base pay per
| year, if we wanted to we could just double that via retention
| and sign-on bonuses.
|
| Of course you might say, well sure but then you know you
| really aren't making as much as that engineer who is pulling
| $180,000/year + bonus/equity, and you're right, but in a
| similar vein I'd say yea and you can only fly an AH-64 in the
| military....
| alephnerd wrote:
| > I wonder if (and maybe this is already in practice),
| there's an opportunity for warrant officers in this context
| ... The warrant officers were, I believe, paid less than
| the staff officers, but there's no reason to think the
| military can't provide additional pay. Retention and sign-
| on bonuses for expertly-trained cyber warfare and other
| compute-related activities warrant officers could be
| something to consider.
|
| Already in practice, but a WO's salary can't compete with
| private sector pay.
|
| The Marines give Cyber personnel an officer level, because
| the marines are very budget constrained so they don't have
| the money needed to send personnel to upskill, and want to
| attract people who can hit the ground running.
|
| > Of course you might say, well sure but then you know you
| really aren't making as much as that engineer who is
| pulling $180,000/year + bonus/equity, and you're right, but
| in a similar vein I'd say yea and you can only fly an AH-64
| in the military....
|
| Yep! Imo, there will always be some attrition to the
| private sector due to the pay differential, but making
| Cyber roles reservist friendly solves this issue. (<--
| already starting to happen)
|
| Also giving the option to enlistees to upskill helps solve
| the human capital gap, plus builds their loyalty to their
| service and minimizes attrition to a certain extent. A
| dedicated Cyber ROTC might help as well, just like how the
| NSA has a similar program. (<-- slowly starting to happen
| depending on branch)
|
| Honestly, the best solution is to probably convert CyberCom
| into its own branch, just like the USSF, because that at
| least allows Cyberwarfare to not be treated as an
| afterthought due to service/branch commitments. (<---
| probably not happening in the near future sadly).
| 2OEH8eoCRo0 wrote:
| I think that it's complicated. Military service always looks
| like a bad deal on paper yet my military service is probably
| what I'm most proud of. I think we are fixated on $ to an
| unhealthy degree.
|
| Where is Anduril getting that money? They're paid the same rate
| for govt contracts as everyone else no? Do they boost that with
| investor cash?
| alephnerd wrote:
| > Where is Anduril getting that money?
|
| A mix of VC funding, foreign defense sales, and private
| sector deals, because their products are dual use. Also, as a
| private company, they don't have the same kinds of
| expenditures that a service has (pensions, capex on infra,
| etc)
|
| > I think that it's complicated
|
| Yep! Esprit de corps does play a role in retention to a
| limited extent.
|
| Also, after this hearing happening in 2018, all the branches
| began pushing heavily for Cyber Reserves branches because
| it's the easiest way for them to remediate the skill and pay
| gap.
| arccy wrote:
| because the military can't retain talent, they pay through
| the nose for contractors who don't enforce their
| "standards"...
| bastawhiz wrote:
| Nobody is denying that many people find military service
| fulfilling. But certain roles have extremely limited talent
| pools. The odds that you'll find someone willing to take a
| position primarily for fulfillment when the starting salary
| for a contractor is double/triple/quadruple/quintuple what
| government offers, the public service role is immediately
| starting at a significant disadvantage.
|
| Besides hiring talent, it carries through to career
| advancement and development (which plays heavily into
| personal fulfillment!) which in turn affects retention. If
| you're thinking of starting a family and settling down, being
| able to have more flexibility and significantly more money is
| a highly attractive option.
| neodymiumphish wrote:
| Agreed! I left the Air Force with 12 years of service, 4 SANS
| certs, certification as a federal law enforcement officer, and
| experience working against APTs. At the time I left, I was
| getting less than $80k in compensation (excluding healthcare,
| cause I don't know how to account for that), and accepted the
| first job offered ($103k). Left that less than a year later for
| a job paying $140k plus bonuses, and now I'm in an even better
| spot 2 years later. The military can't compete unless they
| change how they pay their service members.
| hed wrote:
| Did you get BAH? In high CoL areas like DC metro the housing
| allowance is like an extra 33k, tax free.
| renewiltord wrote:
| Anduril fires people. That's why the government can give
| Anduril money. The government can't do things that Anduril can.
| michaelt wrote:
| The pay is part of the equation, absolutely.
|
| But in my experience, there comes a point where people start
| saying "OK, now I'm earning $x00,000 I'm rich enough to afford
| some luxuries, what luxuries would most improve my life?" and
| it turns out things like "not being on call" are kinda popular.
|
| I'm not sure there's _any_ reasonable amount of money that
| would make me want to go to a boot camp and get hazed by a
| bunch of jocks.
|
| So they might need pay _and_ fixes to the culture.
| dctoedt wrote:
| CyberCommand might be able to do something like the Navy nuclear-
| propulsion program: Enlisted "nukes" get enlistment bonuses and
| (if they "re-up" after their initial six-year enlistment) fairly-
| decent "STAR" reenlistment bonuses.
|
| https://www.navytimes.com/news/your-navy/2023/06/23/big-enli...
|
| https://www.mynavyhr.navy.mil/Portals/55/Career/ECM/Nuclear/...
| alephnerd wrote:
| CyberCom is a command, not a branch. Individual branches have
| leeway to make those compensation changes. A unified command
| can only provide some additional monies.
|
| That said, individual branches absolutely are doing that, and
| have started doing that after the 2018 hearing referenced in
| the article above.
| Terr_ wrote:
| > To add insult to injury, tool developers often perform
| technical due diligence for capabilities procured from
| contractors. These capabilities typically mirror the capabilities
| that talented tool developers create on a quarterly basis, and
| the government will pay multiples of a developer's annual salary
| for them. Nowhere else in the military is its economic rent so
| clear to the servicemember.
|
| As someone who feels more like a thing-builder than a thief-
| saboteur, this description is definitely off-putting.
| Throw38394955 wrote:
| > Servicemembers are forced to uphold certain unwavering
| standards, including grooming, height and weight, and physical
| fitness. These standards further limit an already limited group
| of technical talent: The intersection of people who can run a
| 15-minute two mile and dissect a Windows kernel memory dump is
| vanishingly small.
|
| Not all service members are required to maintain those standards.
| Women in army can keep long hair, have lower physical
| requirements and can wear different uniforms. They also get
| better accommodation. And are treated better (someone actually
| cares when they complain).
|
| Just give men the same privileges! And some protection from
| bullying would be also nice!
| neilv wrote:
| > _The intersection of people who can run a 15-minute two mile
| and dissect a Windows kernel memory dump is vanishingly small._
|
| When I was doing consulting computer stuff for aviation
| safety[1], I used to joke to myself that I had _The Right
| Stuff_... for sitting on my butt, typing on a computer.
|
| But I never voiced that joke in the presence of clients or
| partner organizations. Where some of the personnel were actual
| fighter pilots, and who knows what else.
|
| [1] Incidentally, that might be the work I'm most proud of being
| a part of. I'm not disrespecting government work at all. I only
| pivoted from Federal technical consulting, back to tech industry
| startups, because of performing like a FAANG ~L7 for years, yet
| still not being able to afford a condo in my HCOLA. (And, just
| when I'd finally verbally negotiated a big chunk of work that
| would've fixed the money problem, a perfect storm of bad luck
| ruined that.)
___________________________________________________________________
(page generated 2024-10-13 22:00 UTC)