Here's a thought

[jks19714]

In some cases, there are government regulations involved.  We (CAP) do not have the training (generally), accreditation and security clearances to begin to do that job.  And insurance is becoming more of an issue.

Dream on.  You won't get past the guard at the front door in a lot of industries (I work in the electrical power utility business in data security and continuity of operations - coming on 35 years).

john

[abdsp51]

There are plenty of alphabet agencies out there to do what you are pitching.  Not to mention the number of legalities involved in conducting any type of audit for or on a govt agency.  And I'll bet you that the FBI knows who said party was since they have an entire section devoted to cyber issues.  Well out our purvue on many aspects.  We need to focus on our core missions and fix/update those.

[Flying Pig]

The things your suggesting have very good applications........  for individuals.  I don't see Cyber-anything as a mission CAP needs to be involved in. 

If we have members capable of those skills, there are plenty of places to use your skills.  I dont see our DHS missions expanding into computer forensics and cyber security, nor do I see CAP members conducting security training to corporations and government agencies. 

Security awareness at schools?  What school?   Good grief Charlie Brown.......I show up to high schools in a flight suit, wearing a gun and a badge,  a very masculine frame and a booming voice flying a turbine helicopter and I cant keep anyones attention!   (   ha...I said masculine frame)

Again....run with it.  I see validity and a niche for everyone of your reasons.  I just dont believe (based on my 20yrs in CAP) that CAP is the spring board for it.  But get a hold of your wings HS, IT and IG people and see where you can take it.

[Eclipse]

How are those issues *not* valuable to people outside of CAP - what about training members to go out to schools and do basic security awareness training at schools, or how about establishing a research "division" for a wing that specializes in identifying risks in the tools and processes that we have internally, or as a service provided to the air force to audit a defense contractor application or system? I could go on and on, and I think that the topics you highlighted here are all good candidates for a general security awareness training program but I completely disagree with the "solution searching for a problem" analysis - the problem is quite obviously already here, the decision is whether CAP decides to develop solutions to the existing problem.

External IT training is not a part of our our mission, or the USAF's.

And here's yet another idea - Cyber-Surveillance, Social Profiling, etc.  FWIW, the identification and eventual capture of Lulzsec Sabu was a direct result of a citizen using a clever combination of social profiling, digital-foorprint forensics, and a little creative trolling then silently releasing the information discovered on the internet for the FBI to find. He was not required to testify (as a matter of fact I highly doubt that the feds even know his identity) - with some proper training, CAP could have easily provided a similar service in a JO with the FBI or anyone else - or even as a CAP Specific Mission and simply provided the information to the authorities.

Surveillance is a Law Enforcement function.  We are not allowed to perform law enforcement functions, nor is the USAF.  The kinds of thing you're
suggesting would bring negative attention to us for no gain, not to mention the potential civil and criminal liabilities and penalties for illegally
investigating people without legal cause or warrant.

[lordmonar]

While I'll applaud your desire to expand our mission base.
Cyber Secuirty as an ongoing mission beyond just the education/awareness phase....is a lot to chew on.

There are a lot of hoops to jump through.

1) Who would our customers be?   That is...who would be calling for CAP to help secure their network.
2) Legal issues....as soon as you talk forensics...you are talking LE....which brings up Posse Commutatus...which would need to be worked out.
3) Time/effort.....being an on call computer security service would mean that we would have to have lot of people in each wing trained, willing and able to respond.
4) MONEY, MONEY, MONEY, MONEY.......starting up something like this and expanding it to a national leve will mean a lot of money.  Just providing your team with a simple lap top would cost (assuming 50 wings with 50 team members) $1.5M and that's for a low end $500 lap top!
5) Training, Training, Training!  Computer Security is not like SAR....SAR skills have not really changed since we started looking for lost planes....Compute Secuiryt is always changing....so not only will you have to initial training and constantly upgradeing that training....you are going to have manage that training (that is someone at NHQ constantly updateing the training as the subject field evolves)....that means more over head in keeping this mission up than we currently expend on our ES missions.
6) Secuirty Clearances.....even if we do some cheap ole local back ground checks....when we start asking customers to open their data centers to us.....WE HAVE TO DEAD SURE that we are not letting in any bad guys...that means money spent to really check out our people BEFORE the enter the training pipe line.

So.....like I said...it would be cool.  But I don't think it is really feasable.  By all means push it....maybe I'm totally wrong....If you think you can make it work.....do a white paper on it....find some local customers, field a test team....and see what happens. 

[Flying Pig]

^Id be interested to see the types of people we would recruit who show up wanting to get into the Cyber Surveillance specialty track? Mad boyfriends, scorned house wives......   "Hello, I want to join and get into surveillance.  Ummmm, can I start in the next hour while my wife is still at work?"

The cyber guys I work with in LE are ALWAYS going to updated training almost monthly to keep up with changing technology and strategies.  And that training AINT cheap!

krnlpanick:
"Our usefullness is only limited by our own imaginations and reservations."

Well, and the law, the USAF, the constitution.......

[flyingscotsman]

I do, however, see a real opportunity for CAP to take advantage of the interest in this topic that the CP program has generated to help educate it's members on basic InfoSec principles they can use in their CAP work and personal lives. This would tie in nicely with OpSec. A few examples would be:

Risk mitigation strategies for social media
Wireless network security concepts
Email safety (phishing, attachments, spam reduction/prevention)
Overview of proper firewall & anti-virus use
Password security (uniqueness, changing them, secure tools to keep track of them, keeping them private, etc.)

How are those issues *not* valuable to people outside of CAP - what about training members to go out to schools and do basic security awareness training at schools, or how about establishing a research "division" for a wing that specializes in identifying risks in the tools and processes that we have internally, or as a service provided to the air force to audit a defense contractor application or system? I could go on and on, and I think that the topics you highlighted here are all good candidates for a general security awareness training program but I completely disagree with the "solution searching for a problem" analysis - the problem is quite obviously already here, the decision is whether CAP decides to develop solutions to the existing problem.

And here's yet another idea - Cyber-Surveillance, Social Profiling, etc.  FWIW, the identification and eventual capture of Lulzsec Sabu was a direct result of a citizen using a clever combination of social profiling, digital-foorprint forensics, and a little creative trolling then silently releasing the information discovered on the internet for the FBI to find. He was not required to testify (as a matter of fact I highly doubt that the feds even know his identity) - with some proper training, CAP could have easily provided a similar service in a JO with the FBI or anyone else - or even as a CAP Specific Mission and simply provided the information to the authorities.

Our usefullness is only limited by our own imaginations and reservations.

Don't you think that CAP has enough of a problem with self-inflicted scope-creep to be adding yet another "mission" to it's portfolio? What you bring up here is interesting to me personally, I have a soft spot for this kind of stuff (I have a grad degree in Information Security), but this isn't close enough to be a natural extension of one of our existing missions that we already pretty spotty on executing sometimes. This isn't a core competency for us. Sure you might have a small number of like-minded members who would be interested in playing cyber-warrior, but there are other industry associations/organizations out there that those individuals could get involved in that a better focused on the areas that comprise "cyber-security" as you put it. There are plenty of organizations that provide educational materials and volunteers to speak to schools, business, etc. on the subjects I've outlined and more, but I'm not saying CAP couldn't do that eventually.

All this blue-sky talk of cyber "surveillance", social profiling, etc., what's the point of making this a CAP-wide mission as opposed to you acting as a private individual? I'm not a lawyer, but surveillance has some legal consequences, which I'm sure would be challenging given our on/off aux status. As others have stated here, we could be dragged in to testify in court, possibly years down the road. What sort of liability protections would we have personally or at the organizational level for our new "mission?" What would our status be in relation to the Posse Comitatus Act?

Now, internally to CAP, as a business leader (and we're a non-profit business after all) I would be somewhat turned off by the idea of developing a cyber-army of volunteers to protect my organizations critical information systems, however well-meaning those volunteers may be. It's the old problem again, you get what you pay for. Now I'm not involved at the NHQ level, and there may very well be volunteers already assisting paid employees with this work, but I'm sure they are small trusted group.

It's too much of a niche...and we have too many of those as it is.

[Extremepredjudice]

4) MONEY, MONEY, MONEY, MONEY.......starting up something like this and expanding it to a national leve will mean a lot of money.  Just providing your team with a simple lap top would cost (assuming 50 wings with 50 team members) $1.5M and that's for a low end $500 lap top!

I believe you mean $39,720,000 for the smallest clean room in each wing. That is what you will need for computer forensics work.


Plus the other equipment, and on going costs such as dry ice, bunny suits, filters, etc. Probably a million + a year to operate.

[Eclipse]

krnlpanick:
"Our usefullness is only limited by our own imaginations and reservations."

Looks great on a T-Shirt, not so simple in practice.

[bosshawk]

Any way that we can turn this into a uniform discussion?

[johnnyb47]

Any way that we can turn this into a uniform discussion?

What would the Cyber Security patch look like?
I vote for a Black Shield with neon-green Mtn Dew Bottle and a pack of cheetos.

In the not too distant future I can see us delving into basic computing and basic programming as part of our AE mission.

[krnlpanick]

I believe you mean $39,720,000 for the smallest clean room in each wing. That is what you will need for computer forensics work.

Plus the other equipment, and on going costs such as dry ice, bunny suits, filters, etc. Probably a million + a year to operate.

Yes, you need all those things if you A) happen to be living in the mid-late 1990's or B) are acting as a contractor to preserve original devices for LE. Not really even remotely close to what I was suggesting actually. I'm not talking about pulling fingerprints off of keyboard. Anymore, what generally happens is the OE is stored someplace as evidence, images of the hardware are made (by images I mean exact bit-by-bit copies are made onto virtual devices) and the entire image is shipped as a Virtual Machine to a contractor who performs analysis of the evidence and send a report back to the investigating agency - the forensics team for the investigating agency will then digest that report and incorporate the findings into evidence. Nothing is done with the OE except in very extreme circumstances to reduce the risk of destroying the evidence. There is a slim possibility that the contractor who performed the forensic analysis can be called by either the defense or prosecution team as an expert witness, but generally contracting organizations will have a specific person assigned to the expert role who testifies if the need arises. Please realize that, like many other aspects of forensics work - CSI is only a TV show. Real forensic scientists don't carry a gun and chase bad guys - they live in a lab and lion's share don't even work directly for the LE Agencies but rather a contractor to the agencies.

Regardless, this is not the type of forensics work I am talking about - there are many aspects to forensics work, some are investigation centered and the majority are research centered especially in the budding field of digital forensics.

Again, this was just one aspect of my suggestion - but appears to be the one that everyone is using as ammo for shooting the idea down which is fine. The reason I suggested it in the first place is because Forensics is now a part of CP and there is a national need for expertise in the field (which is *why* it is part of CP)

Really I'm just throwing ideas out at the wind here - if nothing else this thread has sparked some interesting conversation that had nothing to do with uniforms or hot sauce.

Now let's talk about what the official CAP Cyber Army Uniform looks like! I vote for all black vinyl with sunglasses and trench coats, like the Matrix (I Jest!)

[johnnyb47]

Any way that we can turn this into a uniform discussion?

What would the Cyber Security patch look like?
I vote for a Black Shield with neon-green Mtn Dew Bottle and a pack of cheetos.
Edit: Which leads me to believe there will be a run on BBDU's the second we establish a CYBER-Mission in CAP.

In the not too distant future I can see us delving into basic computing and basic programming as part of our AE mission.

[krnlpanick]

Any way that we can turn this into a uniform discussion?

hahah! Great minds..

[abdsp51]

And how is forensics now part of CP?

[tsrup]

And how is forensics now part of CP?

CP- CyberPatriot


There is a forensics portion of the competition at the national level. 

Some team from Brookings South Dakota took first that portion in the All Services division this year 




But on topic:

This is a terrible idea.  I can see the headline now:

"Suspected Child Molester Acquitted: CAP blamed for evidence mishandling"

the liability is too grave to even think about stepping into this arena. 

[Eclipse]

Forensics is not a "part of the CP" - it's part of an optional activity, and only in the most laboratory / academic sense.

We're shooting at the idea because it's not a good idea.

CAP needs to concentrate and stabilize it's core missions and competencies, not add things on like a Sears store trying for one last
grab at market share.

[abdsp51]

And how is forensics now part of CP?

CP- CyberPatriot


There is a forensics portion of the competition at the national level. 

Some team from Brookings South Dakota took first that portion in the All Services division this year 




But on topic:

This is a terrible idea.  I can see the headline now:

"Suspected Child Molester Acquitted: CAP blamed for evidence mishandling"

the liability is too grave to even think about stepping into this arena.

When I see CP I see cadet programs not cyber patriot.  The is not a very fiscally sound idea or practical to our chartered missions.

[krnlpanick]

FWIW CP == CyberPatriot, not Cadet Program in this case. Apologies for the confusion on the matter.

I think it is also about staying relevant in a changing world. We aren't in the WWII Era anymore, SAR as it has been for decades (at least as far as Air Ops is concerned) is changing. My suggestion is simply a means to remain a valuable asset as an organization. AE is an exciting mission, but I don't see us being too heavily involved in actual space programs outside of a purely theoretical and/or introductory role. As more time passes we lose relevance b/c our mission(s) do not reflect modern needs.

Cadet Programs is a viable mission and will always be relevant (IMHO)
Aerospace Education is viable, but as the industry continues to grow that relevance may drop off unless the mission is updated
Emergency Services is viable for some things, but losing viability in the SAR space due to updates to other areas in the industry (ie UAV)

Cyber is a really big area with no solid definition yet. There are plenty of areas where CAP can make an impact and not only provide a service in the industry but also help to develop the industry.  Regardless of whether it is Training and Education or Forensics R&D, Defense R&D or specialties therein.

Maybe Forensics is a bad idea, but it was a small part of a much larger idea that I suggested.

[N Harmon]

Civil Air Patrol already does cell phone and radar forensics in support of Search and Rescue.