At a time when the Pentagon arguably is losing a battle with industry for top tech talent, the Army is offering companies the resumes of its best cyberwarriors.
It’s just one strategy U.S. organizations are trying out to deal with a workforce challenge as persistent as the cyber threat.
This week, in Colorado Springs, eight universities, eight industry employers and various federal agencies will gather to formalize the Army Reserve’s Cyber Private Public Partnership, or Cyber P3.
“Those soldiers see, in some cases, the big dollars in industry and they transition off the active force,” Lt. Col. Scott Nelson, the Cyber P3 program manager, told Nextgov.
Among the many questions the initiative aims to address is “how do we retain the investment the Army made in that soldier” and, at the same time, “allow them to get a really good job with our industry partners?”
Two soldiers already have landed jobs at Lockheed Martin and a national security-related firm through Cyber P3, which launched in February.
Part of the effort involves creating equivalent military and university cyber training programs, hence the meeting of the minds in Colorado Springs, home to program participant University of Colorado.
Cyber P3 aims not only to make sure bodies are on hand in the event of a critical network emergency, but ensure their brains are attuned to the military’s unique needs.
In particular, the Army wants reservists to be qualified to squelch evolving “advanced persistent threats,” such as, for instance, alleged Russian hackers who have been able to hide their footsteps inside the State Department network since last fall.
“U.S. critical infrastructure and military operations are specifically at risk from Advanced Persistent Threats (nation-states, nonstate actors, terrorists and criminal networks),” states an April 15 Cyber P3 strategic vision. “The current DOD and Army school systems do not yet provide the through-put or advanced skills required” for the Army reserve.”
The initiative is designed to pump out 3,500 to 5,000 Army reserve soldiers. So far, 21 private employers have signed up to transition service members into civilian careers at Citibank, Microsoft, Fox Entertainment and Chevron, among other companies.
“Across the board, we see on a daily basis we don’t have enough cybersecurity professionals to fill the current openings let alone the future openings,” said Nelson, who began his cyber career in the Army National Guard in 1998. “This country is only getting more and more reliant on cyber capabilities.”
That includes the growing spate of commercial appliances connected to the Internet of Things, “and those will all become vulnerabilities,” he said.
Earlier this week, the Pentagon’s principal cyber adviser Eric Rosenbach said preparations are underway for up to 2,000 reserve and National Guard personnel Defensewide to support surge forces in the event of a catastrophic cyberattack.
Cutting-edge competency is important for any professional, but especially for cybersecurity workers, who face new hacker tricks almost every day.
“Surge rosters do require active management,” then Homeland Security Deputy Secretary Jane Holl Lute said in 2012. “It’s not something where you type up a page and throw it in the drawer. People’s skills have to be current.”
That year, a federal advisory council recommended the buildout of a Homeland Security reserve team of cyber specialists from across government and industry.
Nelson called Cyber P3 a “starting point” that could become a model for other agencies to address competing interests among companies, government and the cyber whizzes.
At least once a month, a new study emerges saying the composition of the cyber workforce is a mismatch for the cyber threat level.
The 2015 (ISC)2 Global Information Security Workforce survey, released Thursday, found that 62 percent of organizations worldwide had too few information security professionals, an increase over 56 percent in 2013.
The Army estimates that cyber professional vacancies in the government, alone, number around 40,000.
Each military service is moving to establish a cyber reserve component, with the Air Force being the furthest along. For example, by 2013, the Maryland Air National Guard had a volunteer network warfare squad to respond to military network intrusions. At the time, the Estonian ambassador likened the Air Force’s program to her country’s longstanding civilian cyber reserve.
Referred to as a “white-hatted hacker organization” by Estonian President Toomas Hendrik Ilves in 2011, the Estonia version comprises IT professionals from banks, insurance companies and other private businesses who want to do something “defense-related” during the evenings or on weekends.
The U.S. Army’s Cyber P3 seems to be taking a page out of the same playbook to address similar attacks. Russia allegedly shut down Estonia’s Internet access for weeks in 2007, prompting the formation of the Baltic state’s plainclothes cyber brigade.
“We’re looking at how do we marry up cyber soldiers with their civilian career,” like a reservist doctor in private practice, Nelson said. “If they do that on a full-time basis and they are immersed in cybersecurity on their civilian job, they are going to be very perceptive cyber soldiers.”