Should the Red (Team) be dead?

By Mike Rothman

I like to see stuff that challenges common wisdom. The inimitable professor Gene Spafford of Purdue goes far against the grain in calling out the excitement of hacking competitions and red teams as counterproductive to training the next generation of security folks.

Gene starts with an analogy for how security folks would deal with a bunch of barns on fire:

We’re going to have a contest to find who can pass this pail of water the quickest. Yes, it is a small, leaky pail, but we have a lot of them, so that is what we’re going to use in the contest. The winners get to be closest to the flames and have a name tag that says “fire prevention specialist.”

He goes through a couple more analogies to make the same point: security folks seem to be holding competitions to show proficiency in stopping yesterday’s problems, but not spending enough time thinking about how to solve the root cause of the security issues: poor systems design.

First, in every case, a mix of short-sighted and ultimately stupid solutions are being undertaken. In each, there are large-scale efforts to address pressing problems that largely ignore fundamental, systemic weaknesses.

Second, there are a set of efforts putatively being made to increase the population of experts, but only with those who know how to address a current, limited problem set. Fancy titles, certificates, and seminars are used to promote these technicians. Meanwhile, longer-term expertise and solutions are being ignored because of the perceived urgency of the immediate problems and a lack of understanding of cost and risk.

Third, longer-term disaster is clearly coming in each case because of secondary problems and growth of the current threats.

That’s uplifting, right?

He does highlight a number of potential solutions, or at least things we should focus on to a greater degree, including:

Nationally, we are investing heavily in training and recruiting “cyber warriors” but pitifully little towards security engineers, forensic responders, and more. It is an investment in technicians, not in educated expertise.

We have a marketplace where we continue to buy poorly-constructed products then pay huge amounts for add-on security and managing response; meanwhile, we have knowledgeable users complaining that they can’t afford the up-front cost required to replace shoddy infrastructure with more robust items.

Rather than listen to experts, we let business and military interests drive the dialog.

We have well-meaning people who somehow think that “contests” are useful in resolving part of the problem.

And to put a bow on the issues with contests:

Competitions require rapid response instead of careful design and deep thought – if anything, they discourage people who exhibit slow, considerate thinking – discourage them from the contests, and possibly from considering the field itself. If what is being promoted are competitions for the fastest hack on a WIntel platform, how is that going to encourage deep thinkers interested in architecture, algorithms, operating systems, cryptology, or more?

But there’s more…

So, the next time you hear some official talk about the need for “cyber warriors” or promoting some new “capture the flag” competition, ask yourself if you want to live in a world where the barns are always catching fire, the cars are always breaking down, nearly everyone eats fast food, and the major focus of “authorities” is attracting more young people to minimally skilled positions that perpetuate that situation…until everything falls apart. The next time you hear about some large government grant that happens to be within 100 miles of the granting agency’s headquarters or corporate support for a program of which the CEO is an alumnus but there is no history of excellence in the field, ask yourself why their support is skewed towards building more hot dog stands.

I think Gene brings up a number of good points in a very clear manner. I can see the other side of the equation as well, given that red team exercises are fun and give folks a feel for what it’s like to be under fire. But clearly there is a need for both quick-twitch security folks (who can respond quickly under fire) and architects who can think deeply about difficult problems.

It isn’t clear why Gene believes that CTF contests have any correlation to professional red teams. A similar comparison would be hackathons to software engineering. In both cases you approach the problem differently and the participants learn a different set of skills. CTFs are not how real red teams operate or vice-versa.

On the demand for security engineers and forensics professionals - we absolutely need more of them, but these folks need to be familiar with what actual attacks look like and how they are carried out. In a perfect world, every security professional would have a background that included both attack and defense.


By HD Moore on

