Why you can’t decide (And what to do about it)
May 27, 2016
Commentary: The rapidly changing digital world can leave tech executives feeling overwhelmed when they're faced with charting the course of their company's cybersecurity strategy.
Dan Verton served as FedScoop's Editorial Director from 2013 until August 2015. A veteran technology journalist with 20 years of experience coveri...
The Defense Department is circulating a draft workforce strategy for meeting Defense Secretary Chuck Hagel's recently announced plans to grow the military's cadre of cyber-warriors to more than 6,000 by 2016.
But numbers tell only part of the story. The real issue, experts say, is whether the Pentagon can build the quality force it needs given the nation's falling competitiveness in science, technology, engineering and mathematics education.
In his first major speech on cyber-policy, delivered March 28 at the retirement ceremony of former National Security Agency Director Gen. Keith Alexander, Hagel said DOD "is on its way to building a modern cyber-force of really true and tremendous professionals."
Hagel said the future force would be supported through U.S. Cyber Command and would be integrated throughout DOD's major combatant commands around the world. According to Pentagon budget planning documents, by 2016 the new cyber force will consist of 40 mission teams, 25 direct support teams, and 68 protection teams.
"DOD will grow the cyberspace workforce by reassigning non-cyber military billets to staff the new teams," states the department's budget priorities and choices planning document, published in April 2013. "This step reflects our need to accept risk in other military mission areas to close the cyber gap. More DOD civilians and contractors will also be assigned to provide support for the cyber effort."
"To accomplish this goal, we are recruiting talent from everywhere," Hagel said. "But we're also encouraging people already here in the military, in DOD, to develop their cyber skills." But to retain the type of talent DOD will need "we must build rewarding, long-term cyber-career paths," Hagel added.
But ensuring such a force has the technical talent needed to keep DOD ahead of potential adversaries in cyberspace may be easier said than done. The nation remains virtually incapacitated by a shortage of highly qualified STEM graduates and a large percentage of high school students who are not prepared for college-level STEM programs.
In 2013, only 44 percent of high school graduates were deemed ready for college-level math, according to the National Math and Science Initiative. In addition, NMSI studies show 38 percent of U.S. college students who study a STEM discipline do not graduate with a STEM degree.
In interviews with FedScoop, several senior national security professionals— including a senior intelligence agency official and a senior executive at a major defense contractor — characterized the situation in STEM education as a "national crisis."
Retired Navy Adm. Jamie Barnett, a partner with Venable LLP's cybersecurity practice, once served as the principal investigator at the Potomac Institute for Policy Studies on a project sponsored by the Defense Advanced Projects Agency to investigate the reasons why the U.S. does not produce more computer science majors. According to Barnett, if students are not performing at the right level in math by eighth or ninth grade, it's hard for them catch up and reach the level required for the tough, complex cyber-engineering jobs today.
"The need for outstanding cybersecurity skills is pressurizing traditional education," Barnett said. "Those students who are not doing well in subjects like the humanities and English, but excel at math, science and computer languages are starting to find opportunities, sometimes without degrees or traditional educational paths. While we cannot back away from the concept of well-rounded students, opening up avenues for non-traditional approaches may be one way to address the need for a larger pool" of job candidates, Barnett said.
Mike Gelles, director of Deloitte Consulting LLP, told FedScoop that DOD is in a good position and may be able to reach the goal set by Hagel because of the large number of personnel it already has assigned to the cyber-mission. In addition, the military has a powerful recruiting organization in place that most government agencies and many private companies do not have, he said.
Although Hagel is the first defense secretary to define the cyber-capability at 6,000 personnel, Gelles said that is likely not a new-hire goal for the department. "If he meant DOD was going to recruit 6,000 new hires in two years, that would be a very aggressive strategy," Gelles said.
But some in Congress this week expressed concern about the Pentagon's strategy to expand its cyber-forces through structural changes. Although the department continues to grow the number of military personnel assigned to cyber-missions, "the capacity for training in a realistic environment has not kept pace," according to a markup of the 2015 National Defense Authorization Act, released April 29 by the House subcommittee on Intelligence, Emerging Threats and Capabilities.
"The committee is concerned that those challenges have not been addressed and that the department is unable to come to resolution on how best to provide adequate management and support for such capabilities," the subcommittee analysis stated.
Another major problem appears to be the lack of visibility into what cyber-forces already actually exist. The Pentagon is basing its strategy on a data call that went out to each of the services, requiring detailed information on the number, organization and specialties of their cyber-forces. But the last cyber-workforce strategy, developed in 2011, was unable to accurately determine the size of the military's cyber-workforce because of variations in how work was defined, according to an audit by the Government Accountability Office.
Those problems continue to raise alarms on Capitol Hill. The Air Force, for example, has dispersed its cyber-workforce across so many different program areas and operational environments that lawmakers find it difficult to understand the service's "breadth and depth of investment" in its cyber-workforce.
"Disaggregating the cyber-workforce across multiple expenditure centers and projects in such a manner not only makes understanding the entirety of the cyber investment more difficult, it generates greater risk for suboptimizing the cyber-workforce, increased unintentional redundancy in tasking, and challenges in managing operational roles and responsibilities," the subcommittee stated in its markup of the Defense Authorization bill.
The first priority for the Pentagon should be to "optimize" its training, education and organization for its current cyber force, Gelles said. Then it can develop a workforce strategy based on a mix of recruitment of new personnel, training from within the ranks and contractor support, he said.
In an email to FedScoop, Lt. Gen. Harry D. Raduege, chairman of the Deloitte Center for Cyber Innovation and a former director of the Defense Information Systems Agency, characterized the need for a cyber-workforce strategy as a "national-level priority," but said there are signs things are improving.
"One of the quickest to respond has been the University of Maryland University College where five cyber-related degree programs and courses have been developed over the past four years," Raduege said. "Already, UMUC has produced more than 1,000 cybersecurity graduates with about 6,000 more currently enrolled."
"What’s needed now is further commitment across both the public and private sectors to meet this critical national-level call for a larger cyber-workforce," Raduege said. Follow @DanielVerton