Guns, Archery, and Pentesting
After nearly 200 years of being king of the battlefield, in the early 1600s England and much of the Western world moved away from relying on the bow and arrow and transitioned to using guns. With hindsight, this seems like an obvious choice— until you actually look at the weaponry at the time. Guns during this initial era were so bad, that you had more of a chance of hurting yourself then you did another person with them. Militaries would line up in rows, fairly close, standing up and down, taking turns loading and shooting because of how inefficient these weapons were. Even after over 100 years into their use, in 1779 George Washington would claim “the average rifleman couldn’t hit a man beyond 180 yards.” In short, guns kind of sucked for a long time.
In contrast, bows and arrows were deadly flexible with a variety of uses. They had proven themselves time and time again in battle. Unlike with rifles you could: carry a fairly large supply of arrows quickly, shoot from a horse, hit targets at close range or long distance (depending on the bow) with high degrees of accuracy. Your ability to wage war was not nearly so constrained which gave you great tactical advantages. * At the time, the bow was just clearly superior weapon.
So why is it that guns became such a dominate force in the West? Why did we make the jump, despite the clear limitations and weaknesses? The answer, or at least one major factor in it, is pretty simple. We ran out of talent.
Archery is a highly technical art. To be able to leverage the bow to its full potential, you need a large investment of time. At one point, it was a law for all citizens in England to know how to use one. Add to that shooting with mobility, horseback riding, etc. the average time to get someone qualified and reliable is an investment of years. Lining people up in a row and shooting a gun, on the other hand, takes only a fraction of that time. For good or bad, we had no solution that scaled to meet the demands of war and so we moved onto something that did.
Fast forward 400+ years, and we are facing a talent-shortage in our industry today. When I first started as a pentester nearly a decade+ ago, there was a blog post by a security firm loosely titled “Want to be a security pro? Do something else for 10 years.” The thinking of the time was that if you wanted to be among the upper echelon of folks who called themselves l33t, you had to have already spent a life in IT (software, network, electrical, etc.). If you look at how we evolved as an industry, that sentiment was rampant throughout most of the early parts of the 2000s. I don’t think that it was intended to be exclusive, but it did set a very high bar to entry. Some skills required you to have access to lots of technical materials and maybe even live in specific places with communities you could learn from. It wasn’t an industry; it was a hobby and a passion. We were archers who were into archery.
In truth, I think some aspects of those days are behind us… and it is likely a good thing. With the advances of tooling, educational systems, monetary investments (aka: jobs), and a much more open community— we can finally take the next step away from elitism (founded or not) and focus on the practical. A model based on being elite always fails at scale— because it doesn’t scale. I mean, statistically speaking it doesn’t even work that way. If everyone was elite, then they’d be average… so you’d need like eliter and most-elitestests?
What was the mistake of archery? I think it revolved around MVPs. No, not most valuable players, but more like— minimum viable products. IF we accept that mastery takes time, and we aren’t willing to reduce quality— we need a system that produces viable/competent people that work within a system to solve the problem. In other words, we need to put people to use in the field sooner and get them the experiences they need to grow into more advanced and mature roles as time allows.
So what are good examples of that? Yet again, I’d point back at the US military. They effectively bring in people of very diverse backgrounds ranging from highly trained to absolutely nothing, and they find a way to get them to work. Modern armies are not filled with a bunch of hyper elite seal team 1000s w/ blackop cyber ninjas. In terms of ratios, the army is filled with average people (aka: heroes) doing very specific things in order to support a larger ecosystem/goal of the protection of a nation. There is basically the equivalent of a harry potter sorting hat that aligns individuals to interests based on capabilities and they go off and train. Boot camp (core fitness/mentality), B school (specific training to do work), then off to their jobs (to get experience). While I cannot say I’ve been through that process myself— it produces results, and it does it relatively quickly.
Just as practitioners we need to find ways to produce specialists who can grow into generalists— industry itself needs to move away from the idea that every cyber security pro is going to be Mudge (basically the Rambo of cybersecurity). He is fantastic, don’t get me wrong, but so were dinosaurs. From personal experience, it is a very short list of people who can: do an engagement and have great highly impactful findings, understand the tech stacks in question well enough to sit with developers and craft solutions, meet with policy makers to identify SDLC problems that created the bug, and then go sit in the C-suite and explain it all in a way that makes sense.
Being a very focused specialist capable of solving one part in a bigger problem is not a bad thing. It is likely the only way we will ever meet the demands and needs that we face. If we don’t collectively figure out how to train the next generation to come in and handle their bite sized pieces of the problem well, we are in for a world of hurt. We also can’t expect them to be everything to everyone or “you aren’t useful.” Stuff like that is just thinly veiled gatekeeping. But what do I know, maybe we could stand in lines taking turns loading and shooting cyber bullets at the bad guys for the next 100+ years?
* Even claims of impact of the arrow in contrast to armor have largely been disproven as the different types of bows in use were actually very powerful depending on geography