The Defense Department is piloting its first-ever set of standardized curriculum for cyber warriors amid an effort to make sure the military treats cyber skills as seriously as it does its other critical disciplines.
Planning for the new joint training approach is centered at the Defense Information Systems Agency, but involves participants from across the military.
Henry Sienkiewicz, DISA’s vice chief information assurance executive, said the objective is to train military members in the cyber field on standard sets of foundational cybersecurity skills that cross the boundaries of the individual military services, rather than just teaching them how to do one specific job at one time for one branch of the military.
“We’re trying to converge the efforts so that we have an end state that fully supports the Joint Information Environment, so that we’re able to have cyber platoons that are trained in a standard methodology, a standard way of behaving, so that we can use them in multiple ways,” he told a gathering at AFCEA’s Northern Virginia chapter Friday in Vienna, Va. “We want to make sure that they’re all operationally focused and that there’s a curriculum behind that. It doesn’t do us any good to train someone up to be a watch officer and then move them into another environment where they’re totally non-useful.” The cyber training program still is getting off the ground, but DoD envisions that it’ll eventually include curricula for several dozen distinct roles for career cyber specialists in the military.
“We are part of the federal government, but we clearly know that there are work roles inside the DoD that have no correlation to what NIST is doing. There is not much of a need inside the NIST framework for the attack and exploit side of the workforce, and we have that,” he said. “But we’re trying to adhere to (the NICE framework) as best we can so that when we have a federal employee, that employee can move from agency to agency and we know they’ve got a common training reference that goes across the entire environment.”
Dedicated time to study
Sienkiewicz said DoD also wants to standardize and institutionalize the process it uses for training cyber professionals. Rather than telling cyber experts to fit training into their day-to-day schedules, DISA envisions a process that works similarly to the way the military handles readiness in other fields. Forces would be cycled out of their day jobs periodically so they’d have dedicated time to study and train.
“We’ve all suffered through the idea of retraining our workforces and dropping new equipment in without taking into account the manpower and time cycles that are necessary to inject new training inside the environment. But if you look at our in-the-field compatriots in the military services, they already understand how to do that,” he said. “You cycle units through, you get them in a reset mode, you get them ready, and you put them available for the force structure. We’ve got to be able to do that inside the cyber domain, and we’ve got to be able to track it.”
And once DoD can track the cybersecurity readiness of its forces, it also could tell who’s up to snuff and who’s not. Sienkiewicz predicts commanders soon will be held accountable for the cyber readiness of their forces in a way they’ve never been before.
“You’ll know we’re serious if you start seeing flag officers getting cited on (fitness reports) or being removed from command if they’re not ready,” he said. “I suspect that day is coming along quicker than most people would expect. Until we see that readiness cycle and the troops really understanding how important this is, we really won’t achieve the necessary ends.”