Army pushes recruiting and retaining cyber talent

Despite the Army’s cyber forces becoming fully operationalized at the end of September 2017, the service is still exploring ways in which it can recruit and retain talent to compete with private industry and academia.

Katie Moussouris, the CEO of Luta Security who wrote the first bug bounty program for the Department of Defense, said the department needed to look for “rule-following rule-breakers” among its ranks and give these individuals the opportunity to integrate within existing networks in the service. In other words, people who would be willing to work within the bounds given by the Pentagon, but also those who would actively try to test those boundaries without fear of repercussion.

During a panel at the Army’s International Conference of Cyber Conflict, participants said they Department of Defense was capable of instituting these reforms, but they also recognized that in comparison to some other countries, the U.S. was well behind. Alan Paller, the founder and director of SANS Institute, a cybersecurity training organization, said that while the U.S. might dominate the battlefield when it came to weapons, countries such as China and Russia had either outspent or dedicated far more time to training individuals in these types of operations over the past few decades. In particular, he cited reporting by Brian Krebs on the pipeline Russian students were a part of starting at the age of seven.

Paller said these other countries had learned three things the U.S. was still grasping: those joining a cyber force needed to have an understanding of the underlying systems in addition to the software itself, the overarching programs in charge of those cyber forces needed to better recognize who is and isn’t capable of succeeding in the field, and more programs should reach out to more people at an early age in order to engage students on the subject.

Col. Paul Stanton, commander of the Army’s Cyber Protection Brigade, translated these into real terms he worked with. “If you don’t understand how systems are connected, then you can’t defend that network and you’re not useful to me on a cyber protection team.” However, he also cited as a strength of the Army is that it developed leaders who were capable of pulling together a team towards a common mission. As long as it continued developing the technical expertise within its ranks, he was confident soldiers could do the rest.

Towards the end of the discussion, an audience member asked when they might expect these changes to take place. Paller was confident that within 36 months, the country could develop the manpower to bring cyber-literate individuals into the fields which most required that expertise. But, he said, the real problem was removing those who just won’t get it.