Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Building the Hybrid Cloud
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Future of Government Data Centers
- The Future of IT: How CIOs Can Enable the Service-Oriented Enterprise
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Targeting Advanced Threats: Proven Methods from Detection through Remediation
- Transformative Technology: Desktop Virtualization in Government
- The Truth About IT Opex and Software Defined Networking
- Value of Health IT
- Air Traffic Management Transformation Report
- Cloud First Report
- General Dynamics IT Enterprise Center
- Gov Cloud Minute
- Government in Technology Series
- Homeland Security Cybersecurity Market Report
- National Cybersecurity Awareness Month
- Technology Insights
- The Cyber Security Report
- The Next Generation Cyber Security Experts
Shows & Panels
DoD building cyber workforce of the future
Wednesday - 9/19/2012, 3:47am EDT
Two years ago, U.S. Cyber Command was brand new. President Barack Obama ordered its creation to coordinate and synchronize the cyber activities of all the military services, including recruiting a top-notch workforce.
As Gen. Keith Alexander, the then-new commander of CYBERCOM told a House hearing in September 2010, recruiting that workforce was one challenge. Holding onto it in the face of the much higher salaries the private sector could offer was another.
|Why the DoD cyber workforce was rated effective|
Reason #1: Air Force turns cyber into a career
Reason #2: DoD praises success of cyber teams that combine both attack and defend capabilities under a single commander
Reason #3: Gen. Alexander defines which national cyberspace missions belong to each of the four DoD branches, helping to define cyber workforce skills and abilities
(More primary source material available on The Obama Impact Resource Page)
"We're getting a lot of good folks," he told the House Armed Services Committee. "It's a privilege and honor to see the people we're getting. The question is how we retain them."
But two years into the military's workforce buildup, cyber commanders say their initial fears that cyber warriors would give up their military jobs in pursuit of bigger paychecks have turned out to be mostly a non-issue.
"We've exceeded my expectations, to be honest," Vice Adm. Michael Rogers, the commander of the Navy's Fleet Cyber Command told a subcommittee of the same Congressional panel almost two years later. "I think the thing that's surprised and heartened me the most is that increasingly these men and women view themselves as warriors. While our civilian counterparts offer a lot of opportunities, one thing they don't offer is the ability to be a warrior. The workforce really seems to crystalize around that idea."
For these and other reasons, Federal News Radio has rated the Obama administration as effective in creating a DoD cyber workforce of the future. The rating is part of our special week-long multimedia series, The Obama Impact: Evaluating the Last Four Years.
Rethinking strategies to recruit, retain
Lt. Gen. Michael Basla, who just took over as the Air Force's chief information officer, said his service had a similar experience.
"We've made it an operational domain. It's a warfighting domain. The folks involved in that understand that and want to be part of the fight," Basla said in an interview with Federal News Radio. "I have talked to warfighters like our fighter pilots, and they talk about having both kinetic and nonkinetic options for each of their targets. When you get that kind of mindset, the troops in the field who are providing this cyber capability get pretty excited. We haven't had any retention problems that I've seen."
Gen. Keith Alexander, commander of CYBERCOM
Knowing they can't compete with the private sector on salary, the military services have calibrated their cyber recruiting and training strategies to emphasize benefits that don't show up in black-and-white on a leave and earnings statement, like training opportunities and operational experiences they can't find with industry.
"The money's better on the outside. Got it. But when you're working with the right authorities here, you can do a lot of things that will get you put in jail on the civilian side," Skip Runyan, the technical director for the Air Force's 39th Information Operations Squadron told Federal News Radio in a recent interview. "In the Air Force model, we've trained a lot of pilots that end up working for the airline industry. So there's always going to be a draw to the private sector, but a lot of those pilots we've trained have also gone on to be four-star generals. We're looking for that same career progression for our cyber officers and enlisted personnel."
Changes in oversight and governance from the Pentagon have helped with the workforce effort, according to Alan Paller, research director at the SANS Institute. He said up until about a year ago, the headquarters element of the Defense Department focused on exactly the wrong evaluation criteria for recruiting and maintaining its cyber workforce: compliance with certification and accreditation paperwork rather than real-world warfighter capability.
"The people they highlighted were people with what we call soft skills. Good writing. Good talking. Everything except actually being able to secure a computer," he said.
Requiring technical skills
After what Paller characterized as a behind-the-scenes battle between the Pentagon and on-the-ground cyber warfighters in U.S. Cyber Command and the military branches, that paradigm changed.
"Then they went ahead and did it right," he said. "The Air Force really is in the lead, but the Navy is right there with them and now the Army is catching up, and they're all focused on mission-critical skills. When you take the best military training right now, you get really technical, hands-on, hard-nosed skills. The headquarters people have discovered after a lot of feedback from the field that they had been doing it wrong. They're now looking at measuring proficiency instead of book learning, and I'm very impressed."
While the military services all have their own specific training responsibilities and missions-for cyber warriors, Alexander, the head of Cyber Command, has also emphasized the need for joint training so that when cyber warriors are tasked with a mission they're all trained to the same standards regardless of the uniform they wear.
While joint training exists today, the Defense Information Systems Agency is building on it in a relatively new effort guided by the National Initiative for Cyberspace Education.
"Our vision is to help to establish a very robust cybersecurity workforce development and certification program that will help prepare DoD cyber warriors to operate and defend our networks in an increasingly threat-based environment," said Henry Sienkiewicz, DISA's vice chief information assurance executive. "As we move the Department of Defense into a joint information environment, that whole environment needs to be able to be supported by consistent, repeatable behaviors. There are going to be service-specific attributes, and we clearly know that. The services are doing a great job on training their cyber workforce. We just know that DISA and our cyber partners, including the National Defense University, have really important roles in helping to augment that training and setting some of those standards."
The operational training framework will be organized around 42 specific roles in the DoD workforce. The first focus is on members of the Defense workforce who are specifically tasked with computer network defense, said Roger Greenwell, DISA's director of field security operations.
"And as we look at the various roles that an individual would play, we're making determinations about what's the appropriate training, what's the knowledge, what's the ability of each person in those specific roles, and we're working toward the development of more modularized training," he said. "That training can then be leveraged across each specific role, or in some cases, a training module may be more appropriate to different roles entirely."
Alexander has told Congress and public forums that another top workforce priority is to better integrate the capabilities of the offensive and defensive sides of the military's cyber workforce.
A numbers problem
And even though retention challenges have been less troublesome than initially feared and the military has begun to build effective training frameworks, DoD still is struggling to recruit and train the sheer volume of qualified cyber warriors it believes it needs.
"At present, we are critically short of the skills and the skilled people we as a command and a nation require to manage our networks and protect U.S. interests in cyberspace," Alexander told the Senate Armed Services Committee in March.
Paller agreed that while the quality and organization of the training pipelines have been significantly improved in recent years, the bandwidth of that pipeline is still far too small.
"Full understanding of this has come about just in the last six months," he said. "When it became public that the United States had been behind Stuxnet, it became acceptable for other nations to [use similar weapons]. And we're much, much more vulnerable than other nations are. Iran's centrifuges weren't connected to the Internet, but no matter what you hear, our power systems and a number of other things are connected to the Internet."
Top-notch cyber threat "hunters" and "tool builders" still are in short supply, Paller said.
"We probably have fewer than 800 of them in the entire country. China probably has 40,000 of them."
Basla, the Air Force CIO, said because his service faces fiscal constraints, it has to make tough decisions about personnel, it's important to zealously guard the elite cyber professionals it's built up so far.
That hasn't always happened, he said.
"In some force shaping measures over the past few years, we had to reduce our end strength, and we did it across-the-board without paying attention to the different capabilities that the airmen represented," he said. "It was a fair way to do it, I'll say that, but we didn't have the fidelity we needed to say, 'Hey, we've only got a handful of folks with this kind of skill. We need to protect them.'"
More from the special report, The Obama Impact: Evaluating the Last Four Years