As the Army builds up a force to operate in its newest warfighting domain — cyber — it’s wrestling through a lot of tough questions. How big should the cyber force be? What’s the right mix of soldiers, civilians and contractors? And how does DoD need to change its legacy personnel systems to bring the best possible talent on board?
The military as a whole is in the process of building 133 cyber mission teams with responsibilities for offensive cyber operations, defensive cyber operations and operating DoD’s own networks. The Army will contribute 41 teams to that joint effort out of a cadre of soldiers it’s building under the auspices of Army Cyber Command, which formally stood up just three years ago.
But Lt. Gen. Edward Cardon, Army Cyber Command’s commander, said for now, it’s impossible to tell whether that force is too big or too small.
“Let’s get demonstrated capability out there, and then we’re going to find out things we know and don’t know and we can adapt our organizational structure,” he said. “I’m arguing within the Army that the entire cyber force should be re-looked at about once every two years. I think we’re on the inflection point of some pretty amazing technologies coming into the operational sphere. Just with cloud computing and the explosion of mobile devices, the rapid development on supervisory control and data acquisition systems. The impact of Mr. [Edward] Snowden and what’s that done to our community in terms of the insider threat. When you start putting all these things together and you try and predict out a couple years from now what size force we need, I’m not sure you can do that. What I do know is we gotta get the best people possible.”
Cardon said it’s taken a few years to get the Army’s initial set of cyber operators trained and ready, and he’s comfortable with the service’s current plans to build up its cyber force, which cover the time period up to 2017. But he said the Army needs to be willing to adapt those plans.
“I talk to our senior officials all the time about reexamining the force, having an acquisition strategy that operates inside a two-year cycle, and our current Army processes to manage capabilities in this domain, including human talent, aren’t capable of keeping up with this kind of speed,” he said. “I think we’re starting to see some movement in the area of institutional adaptation. There’s recognition of this.”
Easier path for reservists
One particular question surrounds the Army’s use of members of the National Guard and Reserve to perform cyber missions. Many of those members work in IT fields in their civilian jobs, and the military knows they’re a huge potential source of untapped talent for cyber missions. But Cardon said the elite cyber teams the Army’s trying to build aren’t particularly well-suited for part-time work.
“The level of training that some of these operators get requires continuous work on the network,” he said. “They complain about going away to the warrior leader course for four weeks, because things really evolve in four weeks and they feel very behind. So a 52-day training model is not going to work for this.”
Instead, Cardon said he’d like to see Army hiring systems changed so that those people can be brought on board as full-time Army civilians.
“There is some discussion on lateral entry, and how we would do that,” he said. “Are the Army civilian hiring processes good enough to get the super users out there? Probably not. We need a little different structure. And when I asked for a different structure, it’s like, ‘Well, we don’t have the legislative authority for that.’ OK, let’s ask. This is the kind of innovation we need. It’s not just technical innovations inside the cyber domain, it’s the institutional domain to build it.”
For active duty soldiers, Army cyber leaders say they are making progress toward training and retaining a skilled cyber workforce. Two years ago, the Army created its first occupational field for cyber specialists, but it’s still too early to tell whether those soldiers will be lured away to more lucrative jobs in private industry before the Army’s substantial investment in their training pays off.
Sgt. Maj. Rodney Harris, the senior enlisted adviser at Army Cyber Command, said he thinks many of his soldiers will take a comparatively smaller paycheck because the missions they perform in the military simply don’t exist in the commercial world. But he sees another problem — the current Army personnel system is set up to punish soldiers for specializing in network warfare and sticking with it.
“We have to help the Army understand that we have to look at cyber soldiers a little bit differently,” he said in an interview. “The Army has some programs that say if you stay in the same place for four to five years and you don’t get promoted, you’re probably going to be looked at for promotion stagnation and maybe get separated from the Army. And initially, that’s what’s happened. We’ve thrown some of our soldiers out because we require them to be in cyber for five to 10 years in order to be really effective. It’s exactly the opposite of what the Army thinks is right, but in terms of a cyber soldier, it’s 100 percent right. But the Army staff knows that now. Our resources command is looking really hard to make sure we take care of our cyber soldiers and the investment we’ve put in them.”
When it comes to recruiting the cyber workforce, Army leaders are quick to point out that much of the buildup that’s happened so far has come from within the Army, and many of the members were doing something completely different before they became cyber warriors.
“We’ve also used a number of different assessment models for initial entry,” said Col. Jennifer Buckner, commander of the 780th Military Intelligence Brigade, the Army’s first large-scale unit dedicated to cyber. “We are agnostic in terms of (military occupational specialty) and rank, and those models have proven to be a pretty good start. But we’ve found that it’s as much art as it is science, and we’ve proven that we can take good people with no formal intelligence training, technical education or experience, and train them for cyber work. They can be really great in this domain, because if they are agile and adaptive leaders, they understand operating in a complex environment.”