Preparing to Face Cyber Threats

Brent Chapman
Title
  • 0:00:01
  • David Gioe:
  • Today is December 18, 2014, and we’re here at the West Point Center for Oral History with Captain Brent Chapman. Welcome, Brent.
  • 0:00:09
  • CPT B. Chapman
  • Thank you. Good to be here.
  • 0:00:12
  • David Gioe:
  • Before we get started, could you please spell your last name for the transcriber?
  • 0:00:16
  • CPT B. Chapman
  • Sure. It’s Chapman, C-H-A-P-M-A-N.
  • 0:00:18
  • David Gioe:
  • Thank you very much. Well, let’s start at the beginning. Tell me a little bit about yourself, where you’re from.
  • 0:00:20
  • CPT B. Chapman
  • Sure. I was born in Georgetown, Guyana. It’s just a little country in South America, on the northern coast, in the early ’80s. Later on, my family and I immigrated to New York City, and so I spent my formative years in the city, going to school in the city. Graduated high school, tried college for a little bit, it didn’t work out, so I enlisted in the Army as a Signals Intelligence Analyst. It was my first opportunity to leave the New York bubble. I got to travel the world, see Oklahoma and Texas and strange places I never thought I’d be, so that was neat.
    And then I got a calling back to New York when I became a Cadet at West Point.
  • 0:01:00
  • David Gioe:
  • Can you just quickly tell us how you went from going to Oklahoma and Texas and other places to getting an appointment as a Cadet here at West Point?
  • 0:01:05
  • CPT B. Chapman
  • Sure. So I was assigned, I’d just gotten to my first duty station at the Medina Annex at Lackland Air Force Base as a Signals Intelligence Analyst, and began the conversation with the Admissions Department at West Point. And I found out that there was a component of the admissions effort focused on recruiting enlisted, so I said, “This is interesting.” I promised my mom I’d go back to college, and it worked out.
  • {0:01:35
  • David Gioe:
  • What is your current assignment now? Let’s fast forward a little bit.
  • 0:01:36
  • CPT B. Chapman
  • Sure. So I’m currently assigned as a Research Scientist with the Army Cyber Institute, and also as an instructor in the Department of Electrical Engineering and Computer Science.
  • 0:01:40
  • David Gioe:
  • Otherwise known as the EECS Department.
  • {0:01:42
  • CPT B. Chapman
  • The EECS Department.
  • 0:01:44
  • David Gioe:
  • What does it mean to be a Research Scientist at the Army Cyber Institute?
  • 0:01:43
  • CPT B. Chapman
  • So my particular area of focus is in education research, so I’m in the Education Research Division. But for me, it’s really a chance to well, really, get paid to do things I want to do. And so cyber has been a personal interest of mine for many years, before it was really called cyber or really given its title. Exploration, breaking things, hacking things, if you will, has always been a personal interest of mine, so now I get to find out ways to improve my techniques, but also package it up so that I can teach it to others, and so they can learn.
  • 0:02:24
  • David Gioe:
  • Okay, going back to West Point for a moment, I just want to take a few minutes to talk about your experience here and how that prepared you for your future—
  • 0:02:34
  • CPT B. Chapman
  • Sure.
  • 0:02:35
  • David Gioe:
  • Responsibilities. Let’s get the chronology right. What year did you graduate?
  • 0:02:38
  • CPT B. Chapman
  • So I’m a 2009 graduate.
  • 0:02:40
  • David Gioe:
  • Okay. And then over the time from your enlisted time up through your appointment, being a Cadet and then graduating in 2009, looking on the totality of that experience, how did the Cadet, and I guess even Junior Officer experience, prepare you for your current responsibilities at the ACI, or in general?
  • 0:03:02
  • CPT B. Chapman
  • So what’s interesting is that of course there wasn’t a Cyber when I was a Cadet, and certainly when I was enlisted. But when I arrived to West Point, and then later on to my Department as a Cadet, I was an IT major, one of the first IT majors here at West Point.
  • 0:03:18
  • David Gioe:
  • Information Technology.
  • 0:03:19
  • CPT B. Chapman
  • Information Technology, yep. We had received accreditation that year, and so it was sort of a very exciting time to be in the Department. And I was able to form really great relationships with some of the instructors and they have become mentors, folks that I keep in contact with to this day. And I noticed that they had the same level of enthusiasm about the subject as I did, which I thought was kind of unusual, that this old guy—this guy’s an Officer, you know—he’s as thrilled about this as I am.
    And so that sort of got me thinking that maybe I could do something like this and make it a career, and maybe impact others in the same way as they did me. And that sort of started my love affair with teaching, teaching cyber specifically, and then hopefully getting back to West Point to do this before I go.
  • 0:04:04
  • David Gioe:
  • Before we get too far down the cyber path, how does being an Academy graduate impact your duties as an instructor? So in addition to ACI Research Scientist position, you’re also an instructor—now that you’re on the other side of that fence—
  • 0:04:25
  • CPT B. Chapman
  • Yeah.
  • 0:04:25
  • David Gioe:
  • What does that look like, and how has that molded you?
  • CPT B. Chapman
  • So it was a little strange. I had arrived in the summer for my assignment, and I still had that feeling in the pit of my stomach coming through the gate as I did when I was a Cadet, and I thought it would never go away. It’s gone away now, but with that in mind, I’ve noticed that in the classroom I can connect a little quicker with the students I’m teaching—freshmen primarily. And I see they’re sponges. They’re ready to soak up all the info I’ve got to fire at them. But they’re also scared. For many of them, this is the first time in the Army.
    What is this? What is this new experience, what is this new place? What is the Academy? So I like to take a break sometimes and just talk about what life is like as a Cadet, and say, “Hey, it’s okay. It’s good, you know? Things turn out.” ’Cause I was in that position not too long ago.
  • 0:05:15
  • David Gioe:
  • Although you’re a fairly recent graduate, I think it’s worth exploring your path from the time where you Commissioned to your current position here at the Army Cyber Institute.
  • 0:05:30
  • CPT B. Chapman
  • Okay.
  • 0:05:31
  • David Gioe:
  • Where did that path take you, what did it look like?
  • 0:05:38
  • CPT B. Chapman
  • So since I was, as I mentioned before, enlisted in Military Intelligence, but I didn’t want to Commission into the Military Intelligence Corps, so instead, I went Signal, figuring that I would get more of the technical experience. Get hands-on on switches and routers and all the technical things with the blinky lights. How true that was, I really—it’s not as true as I’d hoped, certainly. But the exposure with customers, with the war fighters, with those that we support, is something I didn’t anticipate getting, but has been so beneficial for me.
    To understand where these services, where our efforts are going, and how it’s impacting operations on a daily basis, so it was a very positive experience, one I didn’t expect to get going Signal. And eventually I became—I’m technically now still a Functional Area 24. I’m a Network Engineer, so I made the decision about a year and a half ago to just go Functional Area, which means that I do more of a technical job. I do a technical job more often than if I were just a regular Signal Officer.
  • 0:06:42
  • David Gioe:
  • Why don’t we skip ahead to talk about branch, and you mentioned that you branched Signal, but now the Army has stood up its own Cyber branch. What does that mean for you as a Signal Officer, and then also what does that mean for the Army or for the nation, you know, big-picture?
  • 0:07:00
  • CPT B. Chapman
  • Sure. So for me—I’ll start with me, it’ll be sort of easier to answer. I put in my request for a transfer to the new branch, so I’m waiting along with many others for a decision to be made. So I’m crossing my fingers, and I wanted to do cyber before it existed, and so the Cadets I get to mentor, for example. I live vicariously through them, and their enthusiasm coupled with mine, and then also coupled with the Army sort of momentum towards this new branch, I think is great and is what we need. At a time when the Army’s downsizing, it’s kind of tough to stay focused. But again, the Army’s realizing that cyber, you know, and it can be described in many different ways depending on who you’re talking to, should be a priority. So getting to the Army’s level, I’m thrilled and very pleased to see that the Army’s putting so much effort into making sure that we’re approaching it the right way. It seems that although we weren’t the first to get, to get after cyber, if you will, I think our slower, methodical approach is going to pay off. We, as in the Army’s, methodical approach is going to pay off, really identifying what requirements are, maybe seeing cyber in a different way than Senior Officers are used to—those are all very critical tasks and points that we need to address.
  • 0:08:20
  • David Gioe:
  • You mentioned to do cyber, but what does that mean to you, to do cyber?
  • 0:08:26
  • CPT B. Chapman
  • So it means so many things to the audience, so to the nation, to the Army. So to some it’s strictly the zeros and ones in our networks. To others, it may be there’s maybe some physical component to it, whether that physical component is power or the spectrum. For me personally, I think it’s all of it. I think it’s where zeros and ones meet, the physical world, because we have real threats in that area. I see industrial control systems, for example, all sit on a SCADA. That certainly is cyber, because although we’re not using kinetic means to deliver those actions, the results are very real and very physical. So for me, cyber is the zeros and ones, and exactly where it meets the physical world, and how IT services and IT infrastructure supports making things easier for us. And that’s all cyber to me.
  • 0:09:22
  • David Gioe:
  • What do you think your interface is between the cyber warrior and the conventional war fighter? Where do those domains meet, if indeed you think cyber domain is its own domain? Where do they overlap, or how do they overlap, if at all?
  • 0:09:
  • CPT B. Chapman
  • I think they overlap in sort of two areas. The first is that we use cyber, we use IT, if you will, as really the infrastructure to support all the things we do. These systems are built into our vehicles, our weapons systems, our communication systems, so in that sense cyber is very much tied in to what we do on a daily basis. But we could also use cyber as a means to deliver effects itself. In the same way that cannons and bullets achieve a certain physical affect, we can also use cyber to achieve a certain effect.
    And so we have on one hand cyber used as sort of a support, an infrastructure, and on the other, cyber used as the effect vehicle itself.
  • 0:10:27
  • David Gioe:
  • In the Cyber branch, which you mentioned that you’re hoping to re-branch, if that’s the right term—
  • 0:10:35
  • CPT B. Chapman
  • Sure.
  • 0:10:36
  • David Gioe:
  • What experiences have helped you to understand what your goal in that branch might be, or what have you learned in your career thus far that you want to bring to Cyber branch?
  • 0:10:47
  • CPT B. Chapman
  • So I think one of the most difficult aspects of cyber, whatever it is, is that for many Senior Commanders, there is just no real—there’s no full understanding of what can really be achieved. In many cases, some Commanders expect almost fantastic effects from our computer systems, and these are just not realistic. And so I hope to bring that level of realism, that technical background, the technical expertise, to really fully inform Senior Command, and so Senior decision-makers, on what’s really possible, and maybe make them aware of things that they didn’t think were possible.
    Things that may perhaps save some lives, reduce work, ease your way of doing things, in much the same way that IT is already doing.
  • 0:11:38
  • David Gioe:
  • Is it possible to give us an example of some of the fantastic things that there’s a perception that cyber can do? Sort of just flick a switch or press a button, then you have a desired end state?
  • 0:11:53
  • CPT B. Chapman
  • Well really, that’s exactly it. We have movies showing us that in three minutes on a keyboard, this super-elite hacker can take down an entire power grid. Although not completely out of the question that one can do this, it’s not happening in a matter of seconds, and it’s not that easy to get these people to begin with. And so it’s exciting to think about and it’s really sexy, but there’s a lot that goes on behind it in order to support what’s really possible.
  • 0:12:26
  • David Gioe:
  • How do you get across what’s truly possible to Senior leaders in the Army, or even broadly, in business or in government? How does that conversation take place, or what does that look like, between people with your skill set or who are in your branch, and then more Senior folks who might not be as familiar with on-network operations?
  • 0:12:55
  • CPT B. Chapman
  • So I think the ACI, you know, is actually doing a great job of that. In fact, one of the primary core functions of the ACI is outreach. And that’s outreach to communities in the Army, communities in academia, communities in industry. And by just very basically forming these connections and starting conversations, we build relationships where these things can happen, where these conversations and this sharing of ideas is happening.
    And that takes, of course, a bit of effort on everyone’s part, and a bit of interest, but what ACI’s doing is we’re facilitating these bridges being built, and it looks like it’s very successful so far.
  • 0:13:35
  • David Gioe:
  • Is there anything in that method or in that undertaking that young people, whether Cadets, or ROTC, or even JROTC, or young people generally, can they prepare themselves, either through, you know, some engagement with the ACI or some other similar type body, to prepare for a career in your field?
  • 0:14:58
  • CPT B. Chapman
  • So at West Point we have the Cyber Leader Development Program, and this is really just for the Cadets right now. And this is a framework that we’ve built to help identify interested Cadets, and really set them up for success in terms of making sure they take the right courses, they’re majoring in the right things. And this doesn’t necessarily have to be Computer Science or IT or Engineering. This can be Math, or it can be something in the Humanities. But making sure that they are in the right path, they’re taking the appropriate summer courses, the internships.
    At West Point we call them AIADs, Advanced Individual Academic Development, and these are really internships at some of the places that West Point’s already very well connected into, some of the agencies. The NRO, the NSA, for example. And again, this is voluntary for the Cadets, and what we want to get is that it takes some effort on your part. The path is there, and we’re going to help facilitate that as much as possible, but it’s really about interest. And if they are interested, they take these internships, they major in the right things.
    They perhaps spend their summers or their free times doing something that their friends aren’t doing. Maybe they go to a few security conferences.
  • 0:15:09
  • David Gioe:
  • It seems logical that IT or STEM type majors would be either interested or involved or branch Cyber, but you threw the Humanities in there. To your mind, what could someone who’s majoring in the Humanities offer to the Cyber Mission Force?
  • 0:15:28
  • CPT B. Chapman
  • So many years, so maybe two decades ago, when computers were first coming on board as part of our culture, you really had to be a computer scientist to even use the thing. You had to understand how it worked to really get anything useful out of it. But nowadays computers are everywhere. They’re in fridges, they’re in phones, they’re in cars, and you know longer have to have a technical background or even an understanding to use these things. So this introduces many more interesting dynamic aspects to the whole world of computing, what is computing, because it’s so tied into so many different things. So I think it’s incredibly useful, for example, to have an economist, or someone who is focused in the social science things, looking at these problems that occur in cyber, because it brings a whole new perspective, a rather fresh perspective to these problems, tackling these problems. And coupled with the guys with a technical background, I think this more comprehensive approach produces better results.
  • 0:16:37
  • David Gioe:
  • It seems that you’re talking really about the accessibility of technology on a lower barrier to entry for others to understand. Is that a widely shared sentiment, or is there a sense that it’s really the hard engineering or hard sciences that are going to drive the branch forward?
  • 0:17:03}
  • CPT B. Chapman
  • Hmm. I’m not sure how widely shared the sentiment is, but from my experience in the ACI, for example, I think the ACI being a multidisciplinary organization shares that same approach to it. And don’t get me wrong, there are certain levels of technical understanding that certain jobs should have. An operator should have a very solid technical foundation. But someone who’s analyzing, perhaps, some type of activity doesn’t necessarily need to have that. So it may depend on the job, and I think there’s a space for just about every discipline in this very dynamic and new world of cyber.
  • 0:17:47
  • David Gioe:
  • In your experience, has there been a person or a mentor or an experience or an assignment that has shaped who you are, and what you think that you are bringing to the cyber domain wearing an Army uniform?
  • 0:18:10
  • CPT B. Chapman
  • So outside of the Army, when I was in middle school I had a lion teacher who would later become a close family friend that really opened my eyes to the fact that learning could be fun, and could be a lifelong thing. And for me, fortunately, that’s sort of rather early on, and so I think that love of learning, the love of the fact that she told me that I shouldn’t be afraid, or I shouldn’t be ashamed of the fact that I liked to break things and try to figure them out, really stuck with me. So that love of learning, that sort of embrace of my destructive hacker side, has really paid dividends for me.
    In the Army, I’ve had several mentors here at West Point, at the Military Academy, and they’ve really shaped my outlook tremendously. Those include the current Director of the Army Cyber Institute, Colonel Greg Conti, other individuals serving throughout the Cyber Mission Force. Lieutenant Colonel John Giordano, for example, taught me while I was a plebe in Freshman IT, and that was like the first sort of – he was the first real person I could reach out and grab, and say, “Hey, that’s a cyber guy.”
    It wasn’t cyber at the time, but he had a background in the Military Police and Transportation. I saw, hey, he’s led this very interesting life, but in the end of the day, at the end of the day, he’s doing what he loves to do, and I said, “Hey, maybe I could do the same thing.”
  • 0:19:39
  • David Gioe:
  • It seems that you’re talking about things that are cyber in nature before we were calling them cyber, so you’ve been tracking these things for a while now. How have your perspectives about the threats in particular, or the opportunities, that the cyber domain both affords in terms of opportunities, but also the threats that the cyber domain presents to us as Americans. How’s your thinking on this evolved over your time either in the Army, or even before that, as a Cadet?
  • 0:20:16
  • CPT B. Chapman
  • So clearly, more folks are connected to the networks, connected to each other now as there are more devices that are connected. Computers are getting faster. So this presents all types of challenges, but what I found, and reinforced now that I’m instructing, is that education is the number—should be a priority for those with very technical backgrounds, and those not, who are just users. In fact, many folks using just don’t know the simple ways they can protect themselves. How easy it is to have data taken from you.
    So by starting with education, we can branch out to more advanced aspects in using or defending yourself in terms of the cyber threat. But it starts with education, I think, so then in my class with the freshmen, I get them nice and early. We spend a whole block of instruction time on cyber, and I introduce them to—I open their eyes into what’s possible.
  • 0:21:15
  • David Gioe:
  • What does that look like when the bulb finally goes on for a freshman?
  • 0:21:20
  • CPT B. Chapman
  • Well, it’s a great feeling. Personally, I like to introduce—I begin with perhaps some pieces, some clips from the news, and I say, “You’re hearing about these breaches and you’re hearing about all these destructive things. But hey, look how easy it is to protect yourself. Watch out for these signs. Watch out for these attempts to get your information.” And once they see, either through demonstration or through a lecture, how easy it is, you can sort of—they feel more confident themselves to take that next step.
    I have a phone, I know how to use it at the very basic level, but if I change these settings, I’m that much more protected. And from there, they can sort of branch out on their own and get into it as much as they like.
  • 0:22:00
  • David Gioe:
  • How do you then scale that from, you know, IT 105, the freshman course, to the United States Army?
  • 0:22:03
  • CPT B. Chapman
  • Well, that’s a challenge, right? It’s really tricky. You have folks in the Army, soldiers, are not just—they’re not all from the same generation, so you can’t approach it the same way. We as advisers and as educators, for not only the Academy but for the Army, we have to be aware of everyone’s background, where they’re all coming from. We have Senior leaders who didn’t have computers, didn’t have a computer in their pocket in the form of a phone. We have Junior Privates who knew nothing about connectivity.
    So it’s a more difficult job for us, but it’s one that we embrace, and we have to be more creative. Sure, there’s certain tests and thresholds that they should meet, but to really get those points home, I think we have to be creative in the way we approach it—and I’ve seen some pretty effective things going on so far.
  • 0:23:00
  • David Gioe:
  • If you were in charge of the Cyber branch, and you could wave a wand and pick whoever you wanted, what sort of mix would you choose between digital natives and people who you’re referencing who don’t always remember having a computer or a smartphone in their pocket?
  • 0:23:15
  • CPT B. Chapman
  • I think that regardless of the accessibility of IT and all these products, I think that someone who loves learning something new all the time, and really goes out of their way to do it, is who I’m going after, because they’ll be able to pick a new technique up rather quickly because they’re interested in seeing how these things work. So I always love engaging with folks who do things, who do cyber, or do exploration, or do hacking on the side, because it’s a personal interest, because they sort of share the mindset that they really want to understand how this works. And they want to perhaps bend the rules of the system and see what happens, see how the system reacts, and see what they can get away with. And in doing so and in learning about these things, they can better protect themselves from adversaries who want to use it for darker purposes.
  • 0:24:09
  • David Gioe:
  • Let’s talk about those. Let’s talk about adversaries and darker purposes, and also the mission of Cyber branch in the U.S. Army for our purposes. How do you envision the Army using cyberspace in the future, either in an offensive or a defensive capability?
  • 0:24:31
  • CPT B. Chapman
  • So let’s see—the Army’s sort of been doing cyber for a while under different names. But I think what we’ll see, and what I hope to see, is that we improve our defensive posture, because again, we’re seeing more connectivity, more folks willing to do us harm. So I think our first priority should be to improve our defensive posture, and that’s a tough job. Offensive is kind of easy—we can score all the time—but trying to react to someone attacking us, understanding what they’re doing, first of all, having the skill set to react, and then actually defending is a really tough job.
    And I’m happy to see with this new Cyber branch and the creation of the Cyber Protection Team, for example, that the Army’s taking a real hard focus in establishing places and people whose sole responsibility is going to be this defense. So I think our priority should remain in this sort of this active defense, if you will. Not just sitting back and relying on some settings to do the job, but really taking a look at our networks and seeing what’s going on, understanding it from a technical point of view, and then take action to both prevent it, and then to make sure it doesn’t happen again.
  • 0:25:52
  • David Gioe:
  • It seems that cyber operations are one realm that the Army is decidedly either fearful of or acting against. Not just nation-states, but organized criminal networks and other things that we don’t maybe envision the Army taking a hard look at. Can you talk about some of the differences in the threat between a nation-state or a terrorist group or organized criminal group, and how can the Army prepare itself to deal with the myriad of threats that are coming at it?
  • 0:26:30
  • CPT B. Chapman
  • Well, I think that one very effective way that we at the ACI try to help the Army deal with this problem is through our partnerships. So the Army, so the Cyber domain is shared. Industry shares this domain. You know my mom and dad share in this domain. And the Army, we’re working in the same areas, so we all share the same interest in protecting it, whether it’s for defense purposes, whether it’s for industrial purposes, the economy, recreation. So by getting everyone involved, and not just saying, “Hey, it’s just the Army’s problem,” everyone should be concerned because it’s everyone’s shared resource.
    Yes, the Army, we have the training and the manpower behind it, and we’re certainly doing our part. But I think establishing these partnerships and sharing best practices with the titans in industry, for example, is the right way to go, because they have talented folks, too.
  • 0:27:31
  • David Gioe:
  • What does partnership look like? What does a best practice look like for someone watching this interview, if they want to know what a best practice would be, or an example of government or the army partnering with industry, can you explain what that looks like?
  • 0:27:50
  • CPT B. Chapman
  • Sure. I mean a partnership can be as basic as the Chief Security Officer of an organization meeting with perhaps a Commander, a Cyber Commander, and talking about, “Hey, how do you react to breaches on your network? How do you react to threats? How do you react to insider threats?” And really, the behavior and the mechanisms are quite similar. The networks are protected for different reasons, and the networks are there to facilitate folks doing something, and the ways we react to threats on the network are very much the same.
    So, by sharing, really, TTPs, techniques on how one would react to this type of reaction, this type of breach, or this type of threat, and just maybe sharing the manuals. “Hey, what software do you use? How do you configure your appliances on the network?” It can be as simple as that.
  • 0:28:44
  • David Gioe:
  • Is that one way that we can help in terms of partnership, we can help improve cyber security? And if so, are there other things along those lines that we either as a state or as an Army, should be doing to continue to improve cyber operation or cyber security or cyber effectiveness?
  • 0:29:11
  • CPT B. Chapman
  • So to sort of reference the previous point about education, that’s also something else that we share in our efforts with those in industry, is that often, quite often the users on the networks are—they don’t have a technical background necessarily. You can’t assume that, and in many cases, they are sort of that weakest link. And so the Army has a certain approach to it in that you have users of all backgrounds, and so does industry, so perhaps sharing techniques on how you educate—what type of training should folks go through to even get on the network, things like that, tend to be effective.
    And put us in a better posture to stop these cyber threats before they even get a chance to develop into something more dangerous.
  • 0:29:59
  • David Gioe:
  • I think you’ve hinted at this a couple times, but just to make it explicit, can you explain some of the ways in which cyber operations might differ from a conventional operation? When we think of conventional warfare there’s certain things that come to mind. How is cyber different and what makes cyber operations distinct from when people think of the Army conducting an operation? What’s different? What’s distinctive?
  • 0:30:25
  • CPT B. Chapman
  • So I like to think of the analogy of sort of a chess board. In conventional warfare, you have your side and the opponent’s side, and you know what the battlefield looks like. It’s well-delineated, and you know civilians don’t come onto the battlefield. You don’t have other players playing in your chess game, for example. Often, you can see the enemy as he moves around the battlefield, maneuvers into a position to get some advantage over you, perhaps. And then you have some time to therefore think about your move, and what you’re going to do, and perhaps a few moves ahead. But in cyber it’s a little different.
    You don’t have a standard sized chess board. In fact, you don’t know how large the board is. In fact, you might not even be able to see the opponent’s players—there’s a fog over it. There are other players in the game. You have civilians, right, in the cyber space. I mean we have those in infrastructure, you have educators, you have academia. So you’re blindfold, and you have to make this determination of where was that shot fired from? Well, I don’t know, because I can’ t see what the enemy even has, so it’s tricky, and how do we get over it?
    We improve ourselves from a technical point of view, and be prepared for the unknown. It’s easy to say—it’s very, very difficult to achieve
  • 0:31:58
  • David Gioe:
  • It seems that you can’t really pull a war plan off of the shelf and address a contingency—
  • 0:32:00
  • CPT B. Chapman
  • Yeah.
  • 0:32:01
  • David Gioe:
  • Because you don’t know—
  • 0:32:03
  • CPT B. Chapman
  • Exactly.
  • 0:32:04
  • David Gioe:
  • What that would be, so how do you prepare? You talked about intelligence a little bit. How can you prepare for a key terrain when the terrain can move, or be different, or change? What does the planning process look like in order to stay one step ahead in the chess analogy?
  • CPT B. Chapman
  • Well, I think it’s again, if I were in charge and I wanted to recruit cyber guys, that’s what I would look for: folks who are flexible, and folks who think outside the box, and folks who don’t necessarily go into an engagement with a plan and stuck on that plan. Sort of a Beowulf, if you will. They are ready to be flexible, they’re ready to adjust when they have to, because they know that their plan isn’t going to survive that first contact, especially in the cyber world, and they need to have something else in mind. And just know that they’re going to have to change what they’re doing, and then perhaps also have that technical background to know what’s really possible.
  • 0:33:10
  • David Gioe:
  • How do you do that? How do you, in the Army culture that emphasizes momentum, and taking the initiative, it seems like you’re describing something that’s sort of reactive, and may be uncomfortable for Army soldiers that want to go out and seize the initiative, or seize that key terrain. You’ve described a reactive type process. Does that mean we’re looking for new kinds of soldiers, or we’re looking for soldiers to think differently?
  • 0:33:49
  • CPT B. Chapman
  • I don’t necessarily think that it’s reactive. In many cases we do find ourselves in a reactive posture, which is hopefully something that we get out of. But we want soldiers who do think differently. And does it go against the existing culture of the Army?I think to some degree it does, because in the military, you have clearly delineated everything, right? You have a uniform, you have a place to be, you have formations. And that’s not to say that somebody who is free-thinking and sort of thinks outside the box can’t fit in there.
    But often you find that it’s not as easy to find those types of personalities and folks with those skill sets in the Army, unfortunately. So I think that the Army needs to perhaps make it clear and really focus their efforts on identifying, in whatever way, individuals like that, because those I think will be the most successful.
  • 0:34:40
  • David Gioe:
  • Unfortunately, the Army’s not alone. You’ve got the other branches of the service alongside, who are also creating their own cyber forces, even if they’re not called branches. What do you see as the future of the Joint Cyber Force? What does joint-ness look like in the cyber realm?
  • 0:35:05
  • CPT B. Chapman
  • I think Joint is good. Diversity is good. Diversity of thought is good, and diversity of background, and diversity of studies, as I mentioned before. This interdisciplinary approach to it seems to work best, and I think sort of the joint approach might be similar, having this holistic point of view, very comprehensive point of view, and identifying what cyber really is to begin with, what the threats are, and how perhaps we should approach these is good.
    Especially when you’re coming from branches who are used to only dealing with a threat in a certain way, whether it’s Navy, Air Force, or Army. Having this joint approach is an excellent way to go, and perhaps it might be the future of how we see cyber.
  • 0:35:46
  • David Gioe:
  • Speaking of the future, what are the most relevant trends in the cyber domain, if you’re looking out maybe even one year or five years, ten years, or even a generation? What do you see coming down the pike in the cyber domain that we need to position ourselves for now?
  • 0:36:10
  • CPT B. Chapman
  • Well, in terms of the threat, I guess there are two things that sort of keep me up at night. The first is a threat to our industrial system. I mean we use IT to make our lives easier—hopefully, right? And so with having everything so connected, that introduces all types of problems in terms of our industrial systems—our water systems, our power systems, our traffic systems—so any type of exploitation of those systems could really bring this very immediate, very high-impact results.
    So I think we should, knowing that we want to keep this standard of living as high as it is, we should protect these systems that rely so heavily on IT, and we should make that a priority. So that’s sort of my number one concern, and that’s a concern now, and I think it’ll be a concern over the next five to ten years. My second concern is sort of more of a long play. It would be a very systematic undermining of our financial system.
    I think that’s part of the reason why ACI, for example, partners so much with the financial world, is that we have the same—of course we’re in the same domain, but we also have the same concerns and the same interest in protecting our system. So if an adversary were to undermine our financial system, in the long-term it could really have effects, not only in the financial world, but nationwide, to include our defense.
  • 0:37:35
  • David Gioe:
  • The Commander of U.S. Cyber Command, Admiral Mike Rogers, I think just said something very similar to what you did in terms of national traumatic event caused by something originating in the cyber domain, but that has real-world implications. He said, “Not if, but when that happens.” There’s a lot of debate about how big the threat is vs. how likely it is to happen, and the scale of impact, and how do we prioritize resources to deal with that? Where do you come down on that, that debate—sort of alarmist, or realist—where do you see yourself?
  • 0:38:22
  • CPT B. Chapman
  • Well, it’s part of, again, why education is so important. I mean we shouldn’t be afraid to the point where we’re not living our lives and getting things done. But we should be educated and knowing what’s really possible. And you know one would be surprised at how simple it is to protect, you know, on a certain level, protect yourself from a certain type of cyber threat. But this collective approach to it, if everyone does his part, I think will make our overall posture so much better. So I would say that we shouldn’t be afraid.
    I mean technology is there to help us. But we should take care to educate ourselves to what’s really possible, and to know that it’s out there, the threats are out there, and take steps accordingly to mitigate those.
  • 0:39:10
  • David Gioe:
  • You’ve briefly referenced the internet of things, and how interconnected everything is. Are there any parallels that we can take for the U.S. Army as a network of soldiers, or every soldier a sensor, or some of these other buzzwords? It seems that one day your refrigerator will talk to your toaster, and it’ll talk to your smartphone. What about from an Army perspective—is there an analogous view of the Army as a networked body, and if so, what does that look like?
  • 0:39:45
  • CPT B. Chapman
  • So the internet of things is kind of an interesting concept to me. I don’t know if I think it’s necessary. I don’t think it’s necessary to have everything connected, because what benefit does that really bring you in the course of your day, to have your toaster connected? So in a similar light, does it make sense to have every soldier connected, or does it make sense to have only the Platoon Leader or the Commander connected? We still need those leadership skills. We still need that interface, and I think we should embrace it.
    We should use IT to the point where it’s making money for us, but I don’t think it’s necessary to force it down to every level if it’s not really bringing us any distinct advantage, ’cause I don’t necessarily think that’s the case. I think it’s still important to have people interfacing with people, and doing things the traditional way on the battlefield, and you know, in real life.
  • 0:40:37
  • David Gioe:
  • Where do you see yourself going professionally? You’ve had a time as an enlisted soldier, now time as a Cadet, and then time as a Junior Officer. With the creation of the Cyber branch, and the Army’s willingness to be flexible and meet new challenges in this way, how do you fit into it?
  • 0:41:02
  • CPT B. Chapman
  • Yeah, so one of my—so what’s kept me in the Army is that the Army’s sort of put me where I want to go, where I’ve requested to go, and gave me the jobs that I wanted throughout my career. And I think that—excuse me—I think that as long as this continues to happen, I’ll stay in. What I have been very pleased about is that when I first Commissioned, I saw some potential areas for frustration in terms of well, there not being a job or branch or domain that I was really interested in, so I picked something pretty close to it.
    But now that the Army’s sort of opened up this new branch and really put some significant resources behind it, I’m pretty happy in where the Army’s going, and I feel like I’m privileged to be a part of it. So I’m pretty excited to stay on board and see how it develops over the next foreseeable future.
  • 0:41:55
  • David Gioe:
  • Captain Brent Chapman, thank you very much for your time
  • 0:41:57
  • CPT B. Chapman
  • All right—thank you.
  • 0:42:00 End of Audio

DESCRIPTION

CPT Brent Chapman is assigned to the Army Cyber Institute and the West Point Department of Electrical Engineering and Computer Science. Here, he addresses the emergence of cyber as a warfare domain, and the importance of remaining innovative and agile in an ever-changing operational environment.

VIDEO DETAILS

topics Cyber Security and Warfare
interviewer Davie Gioe
date 18 December 2014

BIOGRAPHICAL DETAILS

name Brent Chapman
institution USMA
graduation year 2009
service Army
unit Army Cyber Institute
specialty Cyber
service dates 2003
RELATED VIDEOS