Cyber Command Expanding Five Fold
Cyber Command will find great opportunities but face significant challenges as it expands from 900 cyber warriors to nearly 5000. Its predecessor started with just 25 people in 1998. So in one sense, this increase represents continuity, just another in a series of expansions. But the size of the increase, and the addition of a new mission, is likely to change the nature of US cyber power forever.
While information is still scarce, with the story just broken by Ellen Nakashima at the Washington Post, this blog will analyze what we know so far, focusing first on what these new hires will do and second the problems created by this hiring bubble.
The DoD plan calls for adding a new mission while bolstering two old ones:
- “National Mission Forces,” a new counteroffensive mission to disrupt attacks incoming to private sector critical infrastructure such as power plants and electrical grids.
- “Combat Mission Forces” to help combat commanders execute offensive operations. These regionally focused teams would likely support Pacific Command, for example, with cyber planning for North Korean contingencies.
- “Cyber Protection Forces” to fortify DoD’s own networks as straightforward extension of their traditional missions of old-school information assurance and computer network defense.
The last two missions are simply expansions of traditional DoD missions and will generate only a few comments. The only real downside here is that the more offensive cyber capability the DoD has, the more willing it may be to use it, especially when covert actions and shadow wars are the in vogue.
The “national mission” however is new, as it seeks to disrupt or even pre-empt attacks on US infrastructure by taking actions in foreign networks – getting your hands in the face of their quarterback or sacking him, rather than covering their receivers.
According to Nakashima’s report, they would not operate in US networks, unless asked by civilian authorities such as the FBI or Department of Homeland Security. Though there are pitfalls, this could be a promising development. As I have previously mentioned, “In cyber conflict, the private sector is usually (in military terminology) the ’supported command‘ not the ’supporting command.’ They are the targets, the ones fighting in the trenches every day, and they need more help.” The idea for a national mission team demonstrates the administration and military are listening to these kinds of ideas.
Still, this new mission will need a lot of policy focus to implement, including a shift of the supported command from government to the private sector. For example, DoD will now need a process through which the private sector “call for fires” to disrupt the worst inbound attacks in a comparable way to how an infantry platoon under attack would request artillery or airstrikes. Already, it seems US banks are asking for such help as they face a concerted denial-of-service attack from Iranian proxies. Requests would probably need to be routed through at least DHS (and probably other departments, such as Treasury for the finance sector, as well) which promises to be a complicated, lengthy process overseen by bountiful bureaucrats and risk-averse lawyers. While DoD is treating Cyber Command’s rules of engagement as a generally settled matter, issues will certainly arise, as they always do, when rules of engagement meet active conflicts with innovative adversaries.
In addition to these mission-related issues, DoD will unfortunately struggle to find and integrate so many new cyber personnel. The problems the department faces today are very similar to those of decades past and a lack of trained workforce has been a major limiter. Then-defense secretary Robert Gates said several years ago that the DoD was “desperately short of people who have the capabilities (defensive and offensive cybersecurity war skills) in all the Services.”
Over the long term, the addition of 4,000 cyber warriors should drastically improve DoD’s capability, especially if some are permanently stationed in other commands. But in any field, especially one as booming as cyber, finding and hiring that many people will be challenging. To start with, DoD is unlikely to be able to simply create 4,000 new positions since the number of uniformed service men and women is strictly capped. DoD and the Services will likely have to negotiate where to cut and how many will be allotted to which Services, each of which have additional cyber hiring priorities, from securing the networks of the fleet afloat or ensuring the Air Tasking Orders are disseminated without disruptions.
Even after when the manpower billets are found, it is an unfortunate truth that we just do not have enough IT-savvy graduates. As I noted in my first ever blog,
A Defense Science Board report found in 2001 that “Recruiting is difficult when colleges and universities are only producing enough IT graduates to fill half of the growing annual requirement” … But ten years on, the Navy still worries about an “expected 11.2 percent shortfall industry-wide … which means there will be almost 98,000 fewer IT graduates than needed.”
The small population of potentially hirable people is reduced even more as Cyber Command (which tends to borrow HR policies from the secretive NSA) requires high level security clearances and polygraph tests for much of their workforce, requirements which will trim the numbers of those willing or able to comply.
DoD has also never been good at training its IT and cyber forces. Even back in 1999, a DoD study team realized a truth that still haunts the department today: the military lacks “a consistent capability … to provide initial skill training to all members of the [cybersecurity] workforce, much less continuing training to maintain currency with the rapidly changing technology.”
In the near term, DoD is likely to kick fast-track hiring into overdrive and overtax its schoolhouses. It will be a boontime for over-priced, over-promising consultants, a situation where anyone with any “cyber” on their resume will more than ever call themselves a cyber ninja to land a juicy GS-14 job.
Worst of all, and most overlooked, is the effect on the rest of government. As the CYBERCOM expansion hauls in new candidates, few talented cyber hires will be left for DHS and other civilian agencies. The long debate about whether DHS or DoD should own the US cyber mission may be settled by default if DHS is starved of talent by a rapid military vacuuming of the available recruits.
The effect on private-sector hiring will be more subtle. Some smaller companies may find it harder to lure talent, but the largest private sector firms (like GE or Goldman Sachs) can still offer far larger salaries.
In five years though, after the new generation has grown bored with long hours and lower pay, they will percolate to drastically improve private sector security, create new security companies, and feed the next wave of cyber innovation in America, just as their predecessors did a few years after the first cyber commands.
Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict, and competition on Twitter @Jason_Healey.