Cyber warfare: Could a near total lack of specific technical and strategic education related to cyber security in the advanced education received by US Military commanders be addressed by collaboration with private industry, or only by military educational programs?

There's this core dichotomy in "cyber warfare" very similar to that found in previous generations describing "military intelligence" as an oxymoron. The military officer corp selects for rules-oriented, service minded individuals who will put their country, their command staff, and the welfare of their unit above all else. The hacker ethos is very different. It's anti-structure, anti-rule, highly individualistic, and very ego driven. It is not possible, in the US anyway, to have global elite level exploit and penetration experts as officers in the military. I was going to soften this with an "except for..." and decided to let it stand as-is, since I couldn't come up with any situation in which it would be true. That's not to say that there aren't highly competent individuals involved with the US military endeavors. Just that they're not "the best". Cyberwarfare must first be about offense, then defense.  If you like breaking (or breaking into) shit, you typically don't have the discipline necessary to do so in a structured environment. And if you can't think like a bad guy, you definitely can't foresee all the ways in which you'll need to defend against them. Unfortunately, the same applies to Corporate America. With the exception of the occasional hacker who maintains a normal facade during the day and has an "evil hacker dood" persona on his own time, you won't find top-tier talent working at the corporate level. And those guys are very rare, very quite, completely unknown for their skills in their day job environment (and in fact may exhibit gross ineptitude to further mask themselves) and would NEVER volunteer for such. Thus a private/military partnership, however attractive it may seem, will result in a marriage of mediocrity - not the desired result. We need *something* . I just don't have any idea what it is. As I wrote this, I thought of http://en.wikipedia.org/wiki/Ken_Kennedy_%28computer_scientist%29 who was one of my advisers in grad school. Ken was a demolitions expert in Vietnam. They took a really bright guy in the officer corps with a math/engineering background, sent him to school to learn more about structural integrity, sent him to school to learn where to place explosives to cause structures to lose integrity, sent him to school to teach him how to surreptitiously place said explosives and exit before detonating them. They did NOT take a guy with a gallon of diesel and a 20 lb bag of fertilizer who said "I likes to make big booms!" and turn him into an officer. That's how the military is approaching cyberwarfare. It works for bombs, not so much for rootkits.

I'm pretty much in alignment with Stan's characterization, but I wanted to chime in to the effect that there are a few examples of novel approaches to public/private collaboration that seem to have merit. I have generally been on the private sector side when the government has come for advice about what the education might include. There are examples of companies that decided to build platforms useful for specialized network operations that would normally only be built over the course of years - after the government specified requirements, put it out for bid, and then built by some integrator primarily interested in maximizing the number of people they could add to the project, as opposed to a self-sufficient feature-rich commercial product. Instead, the company said "we think we know what we would want to use, and we're going to build it"  then sold it, essentially as commercial software, to the USG. Another person trying to address this question is Riley Repko. He did an interesting talk on this very issue at DEF CON 18. He tried an experiment within the U.S. DoD where he involved the hacker community in a structured way to contribute suggestions during an exercise/war game. From the sound of it, he demonstrated access to some credible and non-traditional capabilities, with cycle times far shorter than what it normally takes to retain specialized consultants. You can see a video about it at: Another example of engaging non-traditional performers was DARPA's Cyber Fast Track program.  It was admittedly somewhat later stage than the majority of DARPA's technical development activities, but the end result was creating a manageable process for many performers who were not "the usual suspects" (and who would not normally have ever waded through the normal solicitation and bid process) to provide proofs-of-concept that addressed some real-world problems. They were able to bring people under contract in weeks instead of months. Several of these performers spun companies out of the research they did. A catalog of some results from this program may be found here: http://www.darpa.mil/opencatalog/CFT.html

I think the best way to increase military officers knowledge is through partnerships with the the private sector. An educational program won't simple suffice, officers need real life hands on experience with cyber  security and its threats. Cyber warfare is happening all around us, we jut don't realize it. Having leaders in our military who fully understand the importance of cyber security is incredibly necessary. Private sector partnerships are better for learning than just an education program.