Faced with mounting cyber threats and a shortage of skilled soldiers, the U.S. military needs to consider wide-ranging changes in everything from recruiting to grooming and compensation to attract and retain men and women with information security skills, a panel of military and civilian experts said on Wednesday.
The changes reflect the military’s dawning awareness that norms and longstanding policies governing military service may be impeding the recruitment of cyber warriors, while fighting in cyber space requires a different approach to finding and keeping warriors than traditional warfare.
Among the changes the military may have to consider is dialing back its signature uniform ‘clean cut’ look, said Major Thomas Love, the Exercise and Training Branch Chief at the National Guard’s J36 Cyberspace Operations. That may help attract and retain budding cyber security talent who favor adventurous hair colors and piercings over buzz cuts.
“We may need to turn the military mindset a little bit away from everyone looking the same way,” he said. “We still need that discipline, but those are things we’re going to have to consider.”
Love was speaking as part of a panel of government and military experts in a seminar hosted by the Advanced Cyber Security Center and the Army National Guard. The event took place alongside the Cyber Yankee Training Exercise, which featured Army National Guard Cyber Network Defense teams from across New England working during a simulated domestic cyber attack. The event was held at the Massachusetts Regional Training Institute in Bourne, Massachusetts on Cape Cod.
Asked by noted security researcher Chris Roberts (@sidragon1) whether he could keep his long, dyed blue beard as an Army cyber warrior, Colonel Bill Zana, the Commander of the 91st Cyber Brigade, responded by asking Roberts if he “would be willing to dye it green?” The military, he added, would be more than happy to have a security expert of Roberts’ stature in its ranks.
But grooming requirements are a small matter compared with policies and procedures, from education to recruiting to service requirements, that were established in an era of kinetic warfare to develop entirely different kinds of soldiers. Those play a much bigger part in discouraging would-be cyber warriors from service, the panelists agreed.
“The center of gravity for military cyber is talent management, not equipment or resources,” said Zana. “And we’re at the front end of where we’re just grasping the scope of the problem.”
Todd Boudreau of the Department of the Army Civilian Cyber School said that the military also needs to look for and cultivate soldiers capable of higher order thinking that is needed to address cyber threats. The goal of cyber warriors isn’t simply to understand and execute orders, but to be able to create new knowledge by synthesizing many different types of information.
“This isn’t about teaching someone the ABCs. It’s about going to a much higher level,” he said.
Col. George Haynes, the Deputy Chief of Staff for Information Management and Senior Cyber Operations Officer at the 24th Air Force Air National Guard, said efforts to identify and recruit men and women with a talent for cyber operations need to start early – even as early as primary school.
Military service, with its teamwork, sense of mission and interesting assignments, is a potent draw for would-be cyber warriors trapped in corporate office parks. But the military needs to make it easier for cyber warriors to be flexible: moving back and forth between private sector work and active duty, he said. The military might even need to consider mission-specific deployments, with top talent being pulled from private sector jobs in short order to respond to an emergency and then allowed to return, as opposed to the current system of months-long active duty deployments.
The National Guard, 80% of which are part-time soldiers, is proving to be a valuable asset on that score. Lt. Col. Woody Groton, the Chief Information Officer of the New Hampshire National Guard, said it has identified and pulled in Guardsmen and women with computer science and cyber security expertise and is now working with the US Army to train them to US Army cyber security standards.
But the military also needs to build incentives and rewards for cyber mission work into recruiting, such as pay and low-interest loans for higher education, that are comparable to the financial and other rewards built into recruiting for kinetic warfare, Haynes said.
“I have E4s and E5s that have done heroic work in the cyber field, but we’re paying them at E5 with no loans,” he said, referring to the enlisted pay scale, which ranges from E-1 to E-9. “We need to empower them with all that they’re allowed to do under the law, but also take care of them better,” he said.
Judy Esquivel of the Army Cyber Institute said that allowing cyber warriors to work within highly efficient, lean private sector security teams, such as those in the financial services sector, could have a positive influence on military operations, where traditional hierarchies can create bloat and barriers to communication.
Roberts, who gained notoriety (and a visit from the FBI) for his research on the security of avionics systems, said that the military and National Guard were right to contemplate loosening their acceptance criteria to draw in more would-be cyber warriors.
Some of the most talented information security professionals may have run afoul of authorities at one time or another, he said, but might also be drawn to the mission and camaraderie that military service offers.