DOD's long path to creating a cyber warrior workforce

When most all military officials talk about the cyber domain, they don’t focus so much on profound technological advancements and cutting-edge capabilities, but, rather, on the people.   

The Defense Department created U.S. Cyber Command in 2009 as a sub-unified service under the Strategic Command as a means of better enabling cyber operations. Within this structure, the force sought to build a Cyber Mission Force to fill the ranks in a variety of capacities as they relate to operations in cyberspace. The goal is to fill 133 teams consisting of 6,200 personnel with an operational capacity by 2018.

“By the end of 2016, all the teams will be in place and at initial operating capability. And by the end of 2018, we expect all those teams to be at full operational capability,” Air Force Lt. Gen. James McLaughlin, deputy commander of Cyber Command, told an audience at the Center for Strategic and International Studies in October. 

The 133 teams will consist of 68 cyber protection teams focused on DOD’s number one mission— defense of the network—13 national mission teams to help defend the nation’s critical infrastructure, 27 combat mission teams aligned with the combatant commanders and assist in their planning, and 25 support teams that can be called upon, with another 2,000 service members in the reserves. 

“2016 will also be a big year from us because it’s an inflection point for us,” Adm. Michael Rogers, commander of Cyber Command, told and audience at the Atlantic Council in January. The first few years of the organization’s short five-year history was spent on generating capacity and capability with the cyber mission force, he said. “In 2016, as I tell our team, you can tell we’re at the tipping point now. The capacity and capability is starting to come online. You look at some of the things we’ve done on the defensive side, you look at some of the things that we’re doing looking in terms of a broader spectrum of capability, and the hard work of the last few years is really starting to pay off.”  

Building the force

“We’re about half way through that build process right now. We have got to get it finished by September the 30^th of 2018, is our goal,” Rogers told an audience at the RSA conference this week. “When I look at the data—and I review this every quarter, I just looked at the data about two weeks ago—we’re right now postulating that if nothing changes, 93 percent of the force will be delivered on time. So I’ve got to figure out in the next two years how we’re going to get that remaining seven percent on time. Because the goal is 100 percent of those 6,200 individuals and 133 teams on station, fully trained, ready to operate in a very demanding environment, and to do that by 30 September 2018.” 

The build has been arduous, as the teams have had to carry out operations as they are built. “What’s happening right as we create them is we’re already using them,” Army Maj. Gen. Paul Nakasone, commander of the Cyber National Mission Force, said at CSIS.

Each service branch has a commitment to contribute to the overall 133 teams under their individual cyber divisions; 13 from the Marine Corps, 41 from the Army, 39 from the Air Force and 40 from the Navy. 

The Army currently has 33 of its 41 teams, an improvement from 2013, when the service only had two, while the Air Force bolstered its cyber mission force by roughly 40 percent last year.

The question of “manning” new cyber teams was a challenge. Robert Naething, deputy to the commanding general of the Fifth Army, offered anecdotal insight into the manning question as it pertains to the first cyber protection brigade being built at Fort Gordon, Ga., home of the Army Cyber Center of Excellence. “As we were looking at this manning, you typically bring a soldier in, you teach him how to be a tanker or something, but you say ‘no, this is a high level skill.’ So do we have to go out there and somehow recruit a bunch of Ph.Ds. out of MIT? Well, how do you do that, how do you pay for them, how do you keep them busy and what do you bring them in as?” he said at a webinar hosted by Defense One. “And so that was really not very tenable. So, as we were trying to figure out how do you man the Army cyber units, really the only immediate solution was to reach out to the Army to see the soldiers we already had…and try and build it initial capacity. And the phenomenon that took us off guard is, actually, there’s incredible capacity out there within our soldiers that we didn’t expect to find.”    

Attracting and training talent

The military has engaged in several initiatives to ensure that the new cyber mission force and the next generation’s cyber warriors are properly equipped. The services have taken to opening hackathons, exercises and cyber ranges for a variety of training and evaluation purposes. For instance, the Army announced last summer the establishment of a Cyber Battle Ground that will be open to all units and will reduce the time and costs of training cyber warriors. It provides a realistic environment for testing skills learned and reinforced in a classroom setting. 

Air Force and Army Reserve cadets in the Advanced Cyber Education program at the Air Force Institute of Technology last summer took part in a competitive hackfest described as the closest thing to hand-to-hand cyber combat. Participants were forced to think outside the box in competitions involving the construction and defense of enterprise networks while attacking opponents.

The Air Force has taken several steps toward attracting uniformed members into its cyber ranks.  According to a spokesperson with the 24^th Air Force, these programs include the “Stripes for Certification” program, which provides opportunities to enlist at higher grades when entering the service with cyber-related certifications, selective reenlistment bonus programs and the Cyberspace Warfare Operations career track for officers to provide qualified cyberspace officers proper growth opportunities.       

The Air Force is also standing up a cyber proving ground, which was announced in October. A fresh factsheet published on the new Benjamin Foulois Cyber Proving Ground website depicts a center of “multi-disciplinary teams from the operational, acquisitions, intelligence, test, and developer communities to rapidly explore potential solutions to meet cyber operational needs” and “identify, enable, and accelerate implementation of innovative concepts and technologies to improve Air Force cyberspace operational capability.”

Simulated exercises, however, are going only so far. A recent report submitted to Congress concluded that cyber exercises did not include the full force of possible attacks. “Exercise authorities seldom permitted cyber attacks from being conducted to the full extent that an advanced adversary would likely employ during conflict, so actual data on the scope and duration of cyber attacks are limited,” the director of the Defense Department’s office of Operational Test & Evaluation discovered. The report concluded that combatant commanders’ reluctance to permit realistic cyber effects during training is due to requirements to achieve several other training objectives during exercises. The report recommended that combatant commanders make serious preparations to conduct critical missions in cyber-contested environments as well as perform periodic operational demonstrations involving operational units, network defenders and cyber protection team elements in order to ensure mission success.    

“[O]ne result of conducting the exercise with severe constraints on the opposing force’s cyber operations is that the brigade will not be training against a full-on cyber threat—and thus will get no practice operating in a severely compromised cyber environment,” Herb Lin, a cybersecurity expert at Stanford University’s Hoover Institution wrote in a blog post, regarding a recent exercise in Hawaii. “I can’t help but wonder: Would the cyber-induced collapse of expensive exercises motivate senior decision makers to pay more attention to operating in compromised battlefield environments?”

Ensuring the force is equipped with basic cyber hygiene is also a major priority. “If [DOD] gave you a weapon, you must ensure that that weapon is appropriately treated, appropriately used, always secured. That is pounded into our culture,” Rogers said recently at the Atlantic Council, comparing cyber hygiene to weapons training in the physical world. “You have constant responsibility of the security of that weapon…And you don’t ever forget that. We need to do the exact same thing in the cyber realm.” 

Even the most impenetrable network firewalls are susceptible to human error. “[T]he biggest weak links are the many operators that we have in that cyber domain that don’t exercise good cyber hygiene,” Adm. Paul Zukunft, commandant of the Coast Guard, said at CSIS. One click on a phishing email can send a flood of intruders into a network. 

Recruiting the next generation of cyber warriors

As the Cyber Mission Force gears up, other initiatives put forth by the Defense Department to train the next generation of cyber warriors have been in place for a few years. The strategy to recruit and train the next generation can be compared to the collegiate football pipeline. “We really have to start at middle school,” Gary Wang, Deputy Chief Information Officer of the Army said in September. College coaches “go down to the middle school, they knock on the parent’s house, they go, ‘Hey, your kid has potential to be the middle linebacker for blah blah blah’ and they kind of get them all excited … That’s the approach we have to take with our future cyber warriors.”

The National Security Agency has several such programs, given its decades of operation in signals intelligence and information assurance, as well as close proximity to the Cyber Command, with which they share the same director. The initiatives offered by the NSA include partnerships with colleges applying on-the-job training toward bachelor’s degrees and the National Centers of Academic Excellence for cyber operations. Also, the annual Cyber Defense Exercise pits students from the service academies against each other to build and defend networks against simulated intrusions.

NSA also has partnered with the National Science Foundation to create “GenCyber” summer camps at universities to expose middle school and high school aged students to cyber problem-solving. “You missed the boat if you’re waiting ‘til folks are coming out of college and think you’re going to turn them into a cyber warrior,” Wang said at a Defense Systems event in September. “Your best cyber warriors are already starting at age 11 and 12,” he said, adding that some school districts are mandating computer programming at the elementary school level.     

The Navy and Air Force have also gone to lengths to reach out to local communities assisting with cyber training and STEM programs for youth, such as the Navy “cyberthons" and the Air Force Association's “CyberPatriot” STEM initiative, described by an Air Force spokesperson as “Airmen mentor[ing] cyber teams as part of a nationwide competition involving nearly 20,000 high school, middle and elementary school students.” 

“Technology alone isn’t going to get us there. Don’t ever forget the human dimension in all of this.  It often gets overlooked to me,” Rogers told the audience at RSA. “And that human dimension goes from how do you build a workforce that’s agile and capable of working in this space, to how do you make sure your users are intelligent and smart and knowledgeable about the choices they make. But don’t ever forget the human dimension.”