Thoughts on Military Service

I recently received an email which contained the following request:

I would be greatly appreciative of any response from you regarding how your experience with the military has enhanced your knowledge and careers in information security and any advice you may have to offer.

I was a cadet at the Air Force Academy from 1990-1994, and an active duty officer from 1994 to early 2001. I received my first formal training in security during military intelligence training in 1996. I started my first hands-on security work in 1998 at the Air Force CERT, using our ASIM sensors to detect and respond to intrusions. I met Sguil developer Bamm Visscher there. I left the Air Force when the personnel system decided it was time for me to "career broaden" out of the technical world and into another field. No thanks!

From my perspective, the Air Force is a good way to gain responsibility at a young age. It was quite an experience to be 27 and in charge of detecting intrusions across the whole Air Force. I liked the sense that what we did "mattered." Management supported our mission. In fact, current CIA Director General Michael Hayden commanded Air Intelligence Agency while I was assigned there, and he invented our information gain - exploit - defend - attack (GEDA) framework.

While in the Air Force I had a chance to deal with high-end intruders who were financed, trained, and determined. Failure was measured in lost sensitive information and potentially lives. When taken seriously, that reality drove adopting what worked and eliminating what didn't. I developed my thoughts on network security monitoring based on my Air Force experiences. I was also proud to serve with some of the most motivated and talented people I've ever met.