While on active duty in the U.S. Army, I commanded soldiers whose job category was more of a profession than a trade. These elite personnel trained for years in post-graduate study specific to their field. Once their educational foundation was complete, the soldiers entered an apprenticeship to hone their on-the-job skills. That experience further reinforced their earlier training by pairing the trainee with an experienced practitioner who could offer practical guidance.
The career track of the soldiers described above may sound like a military surgeon or lawyer, but it is the training and work role of a Cyber Soldier. USCYBERCOMMAND hopes to cultivate 5,000 such Soldiers over the next two years. But is such rapid growth in so called “Cyber Warriors” possible?
The increased need to target malicious actors in cyberspace and defend critical infrastructure demands such growth in cyber personnel. Former Deputy Defense Secretary Williams Lynn summarizes in his comments:“Given the malicious actors that are out there and the development of the technology, in my mind, there’s little doubt that some adversary is going to attempt a significant cyber-attack on the United States at some point. The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or . . . read about the steps we should have taken in some post-attack commission report.”
The mission of these new cyber fighters would be drastically different from “normal” information assurance operations conducted by the military. Cyber operations are far more advanced, incorporating various technical and analytical skill sets. To fight the top tier malicious actors, one needs elite, ethical hackers of their own.
Such individuals cannot be trained in the same way the military approaches most skill development. Under normal circumstances, a military service sends a new recruit through a 90-120 day “trade school” and they transition into their first assignment ready to do their job. Advanced cyber operations are not like that. While at my last assignment in the U.S. Army, I had the challenge of recruiting, training, and placing these high end cyber soldiers. It quickly became apparent to me that the initial training for these soldiers was measured in years, not weeks or months. In my four years assigned to this mission, we grew our elite force by only a few percent. In fact, the elite cyber force for the entire military is just a handful of people.
High-end cyber security analysts are grown though intense professional development, much like a physician. Both fields require a significant amount of formalized education – but when your education is finished you must still work under a master operator, (e.g. “attending doctor”) for on-the-job training. True cyber skill development means actually doing the job and acquiring experience. Cyber and medicine both have general certifications, but there are also specialties within the field (think Windows, UNIX, Routers vs. ENT, general surgery, cardiac). In both professions, people are encouraged to share their knowledge or craft, continue their education, publish papers, and attend conferences. Because of the specialized skill set and importance of the mission, our cyber soldiers must be trained with a similar level of intensity. In the commercial sphere, cyber professionals who do vulnerability assessments and penetration testing attain billing rates similar to other high-value professions.
Because of the immense amount of work it takes to master the cyber profession, it is tremendously difficult to raise 5,000 cyber soldiers so quickly. It would be akin to trying to increase the number of brain surgeons from about 35 to 2,000 in two years. The only way to accomplish either feat is to cut corners. In no other field does the military deploy specially trained professionals in such mass. In an infantry brigade of 4,000 soldiers there is only one field surgeon and one lawyer. Just having one specially trained individual can efficiently provide expertise for the entire unit. What USCYBERCOMMAND is trying to do with this personnel surge is essentially quintupling the number of surgeons in the military within 2 years. Remember it takes four years of medical school and 6 years of residency to get a surgeon who can operate unsupervised. Creating cyber operators that can stand toe-to-toe with state actors in cyber space requires a similar amount of training.
Cyber is not like training infantry; this is not a problem solved by sheer force of numbers. The specialized cyber skill set requires far more detailed and intense training in order for those cyber soldiers to operate effectively in a quickly evolving cyber battlefield. USCYBERCOMMAND has no foundation on which to train these new recruits. Currently the tight link with NSA allows USCYBERCOMMAND to siphon off technical skills sets – but should NSA be in charge of training all these people? Probably not.
A more effective solution would be hiring an elite “hacker” force of 100 or so people to tackle the most complex and important cyber warfare missions. The cyber community should then focus training and resources on building out the desired “cyber brain surgeons” in a realistic fashion. In the near to medium future, we cannot afford to spread our cyber expertise too thin over 5,000 new recruits in order without carefully weighing the necessary tradeoffs.
Post by: Bob Stasio, Director of Cyber Analysis at Praescient and a former cyber expert in the U.S. Military