Don’t be too impressed with Snowden’s “ethical hacking training”

Last Updated on November 27, 2018 by Dave Farquhar

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, I didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume. A decree came down in the 2007-2008 timeframe that anyone touching a Department of Defense system would have appropriate certifications, including security certifications. So a systems administrator will have, at minimum, CompTIA Security+. An accreditor will have, at minimum, (ISC)² CAP. Those in advanced security roles will have something like ISACA CISM or (ISC)² CISSP. The EC-Council’s Certified Ethical Hacker (CEH) certification cuts across those requirements. If a job calls for something a little better than CAP but not quite CISSP, it will require CAP plus CEH. If a job calls for something a little better than CISSP, it will require CISSP plus CEH. Perhaps there are even some jobs that require Security+ plus CEH.

Since the DoD requires these certifications and training is time-consuming and expensive, the DoD contracted with Carnegie-Mellon University to create a computer-based training program. Any service member, whether enlisted or officer, is eligible. So are DoD civilians, and so are contractors. When I had six months to get my CISSP, I enrolled, and I participated in their CISSP course. I went in to work early or stayed late, and ate lunch at my desk while I watched the training.

The training alone wasn’t enough to pass the test, but between the training, reading the official big green book, reading the occasional chapter in other books, and taking a 300-question practice test every night for three months, I passed the test, and I handed in my test with a pretty high degree of confidence that I’d passed it. I never understood Bell-LaPadula from reading the book, but the diagram that instructor Joe Mays drew on the whiteboard in the video made it click immediately. That was good. I don’t remember anymore if I had a Bell-LaPadula question on my test, but if I did, I got it right.

I’ve never mentioned the training on a resume. Never. I’ve mentioned it in interviews, but only when people ask me about 2005, when I moved from the private sector into the government sector. I said I received training that I never would have received in the private sector, and I’m grateful for that. I didn’t study at Carnegie-Mellon because I wasn’t at Carnegie-Mellon, but the DoD brought Carnegie-Mellon to me.

But that’s it. It’s training. It’s available to tens of thousands of other people. And while I thought it was very good training and it had some prestigious names attached to it, it’s what you make of it. If you’re just watching the video to say you watched the video, you probably won’t get much from it.

The CEH training was open to me. I’m sure I looked at a lecture or two, out of curiosity, just like I viewed a few A+ and Network+ lectures here and there. But I don’t take certification tests for fun, so I didn’t pursue it. Instead, I watched a few lectures if I thought I might learn something that would help me do my job better, regardless of what certification was attached to it. I didn’t even bother to turn them in to (ISC)² to count toward the continuing professional education that my certification requires.

If Snowden mentioned that training on his resume, as CNET is reporting, then that could mean a couple of things. It could mean he got CEH, but had a thin resume and needed to mention that training to round it out. Or it could mean he never passed CEH, and perhaps never took the test, but he took the training.

I guess that’s where my world differs from Snowden’s. Nobody I’ve ever interviewed with cared much about what training I’ve received. I’ve only ever brought it up to make a different point. Some are more interested in my certifications than others. What everyone wants to know is what I can do for them.

There’s a lot more that I could write about Snowden, and maybe I will. But by and large, I’m not impressed with the guy. This isn’t the only thing that’s perfectly ordinary in the DoD world that he’s spun to make sound bigger and grander than it is, and that makes me question his motives and honesty, if nothing else.
