The Pentagon in October revealed the details of a cyberbreach of the Defense Department’s travel system, which compromised the credit card information of more than 30,000 current and prospective Pentagon employees.
Ironically, this revelation came on the heels of a concerted Defense Department effort to both increase the security of its systems and onboard new employees for a skilled cyber workforce.
While defense networks have become increasingly digitized and more reliant on computer systems, those networks have also become more vulnerable to cyberthreats, especially from adversaries, such as China, Russia, Iran, and North Korea.
For example, the Trump administration blamed Russia for a series of cyberattacks targeting the U.S. power grid. China reportedly pulled off a major hardware hack that could leave several American companies compromised, including those crucial to our defense industry.
However, despite the increasing demand for robust cybersecurity in the Defense Department, U.S. Cyber Command is facing problems with personnel recruitment, talent management, and retention.
As the military’s headquarters for cyberoperations, personnel issues may affect the organization’s ability to combat an increasing array of threats.
The Senate Armed Services cybersecurity and personnel subcommittees recently held a joint hearing on the Pentagon’s cyberoperational readiness.
Sen. Thom Tillis, R-N.C., said that the United States maintains military dominance in every domain and that “aircraft carriers, stealth technology, and smart weapons” have given us a marked advantage at sea, in the air, and on land. But we do not have a similar technological edge in cyberspace.
Without a clear technical advantage over peer competitors such as China and Russia, Tillis noted that “[s]uccess in the cyber domain is uniquely reliant on highly qualified personnel.”
But the Pentagon has been suffering from retention issues in the cyber sector for a number of years. At the National Security Agency, top talent has been leaving in droves for opportunities in the private sector.
Ellison Anne Williams, a former National Security Agency employee, left in 2016 and started her own data-security company, Enveil. Many of Williams’ staff are also former agency employees. She says that “the agency is losing an amazing amount of its strongest technical talent, and to lose your best and brightest staff is a huge hit.”
NSA Deputy Director George Barnes, a 31-year veteran of the agency, also said, “Skilled personnel have always left the NSA, in particular to work for defense contractors that support its work. The big change these days is there’s a supply-demand imbalance between the outside and the inside.”
At September’s hearing, the subcommittees expressed worries that this imbalance could lead to problems for the U.S. Cyber Command, a newly elevated combatant command with a host of new responsibilities.
A manpower gap could mean the military’s cyber workforce isn’t up to the task, and that, at the moment, the reach of its mission exceeds its grasp.
Brig. Gen. Dennis Crall, principal deputy cyber adviser and senior military adviser for cyber policy, reiterated that one explanation for this personnel issue is stiff competition from the private sector.
He argues that tech businesses often offer hard-to-beat salaries and benefits and can onboard new people much faster than the sluggish government clearance process.
Essye Miller, the Pentagon’s principal deputy chief information officer, testified that last year the Defense Department saw “4,000 civilian cyber-related personnel losses” in the information technology, management, computer science, and engineering occupations.
While the current personnel problems create cause for concern, the military has implemented several new initiatives designed to fix the workforce problem, and several more are being developed.
These new programs offer incentives such as increased pay scales, streamlining the government clearance process, retention bonuses, and increased rates of direct commissioning from the private sector.
Crall has also recommended increasing a “very robust presence” on college and university campuses in order to create a pipeline from the pool of motivated, tech-savvy young people to Cyber Command.
There are also plans to “expand the throughput” of the Army’s cybertraining courses and to rework career path problems to ensure good employees don’t “pyramid out.”
Whatever solution Cyber Command finds, it cannot come soon enough. Everything from weapons systems to the electrical grid to personal employee information is potentially at risk.
Fixing its personnel problems is the next step in a long-term solution for continued cyber readiness, both offensive and defensive.
Only then will the U.S. be able to protect its own infrastructure and deter persistent cybersecurity threats from abroad.