While recent news stories herald the previously undisclosed offensive cyber capabilities of the U.S., buried deep within recent congressional legislation is an admission that the Pentagon is actually understaffed when it comes to offensive cyber operations.
In its version of the defense authorization bill for fiscal 2013, the Senate Armed Services Committee included a provision that would require the Pentagon to consolidate its network activities to free up personnel who could be reassigned to U.S. Cyber Command’s offensive missions.
In a May 24 summary of the bill, lawmakers note the plan is needed because offensive missions are understaffed.
Sources said one of the primary targets being discussed is the U.S. Defense Information Systems Agency (DISA), which in one proposal would be stripped of its cyber defense workforce and left as only a service provider. The manpower created by the move would then be used to help with other pressing cyber needs, including Cyber Command’s offensive mission.
“The Pentagon’s staffing needs are probably very indicative of what we need nationally,” Rep. Jim Langevin, D-R.I., said. “We just don’t have enough people to fill all of the needs in cyber that exist currently.”
Langevin serves as the ranking member on the House Armed Services emerging threats and capabilities subcommittee, which, along with its Senate counterpart, provides oversight of the Pentagon’s cyber activities.
Citing a CIA statistic, Langevin said, “We only have about a thousand people that can operate at world-class levels in cyberspace. What we need is more like 20,000 or 30,000 people.”
To fill the offensive cyber personnel gap, the Senate panel recommends DoD reduce and consolidate networks, thereby requiring fewer people to defend them.
Army Gen. Keith Alexander, head of U.S. Cyber Command, has said publicly how difficult it is to defend today’s multiple networks, and the 15,000 subnetworks, each with their own security barriers.
While Alexander has never publicly acknowledged understaffing, instead discussing the desire to have more manpower in the future, a Cyber Command spokesman did not deny that the command’s offensive operations are in need of experts.
“Gen. Alexander has indicated that it is going to take time for us to generate the force, and he is optimistic that we will get the forces that we need,” the spokesman said.
“One of the challenges is finding and holding the people that we need to do this mission,” the spokesman said. “We have to recruit, train and retain a cyber cadre that will give us the ability to operate effectively in cyberspace for the long term and across the full spectrum of cyber operations. Some of the training programs run for 18 months; even if we hired a hundred or a thousand more people today, it would still take time to get them operationally ready.”
The report accompanying the Senate bill notes that Alexander has also testified that personnel within Cyber Command are overwhelmingly allocated to network management and defense.
“A small percentage of the workforce attends to the command’s offensive missions and responsibilities,” the report says.
Alexander and others in the Pentagon “agree that both issues could be at least partially rectified by dramatically reducing the number of separate network enclaves in the [Defense] Department, which should yield significant manpower savings, and re-train and reassign that manpower to supporting offensive missions,” the Senate report says.
But experts cast doubt on the logic of taking personnel dedicated to network defense and applying them to an offensive mission.
“Whoever wrote that has no idea what he’s talking about; it’s like comparing chihuahuas and pit bulls,” a cyber expert said.
The problem the experts point to is that offensive operations require not only a different skill set but also a different mindset. Defensive specialists are required to focus on anomalies, hunting for any footprints left behind by an intruder. Offensive specialists are a creative group, focusing on imaginative techniques to take advantage of underlying system vulnerabilities.
While both groups must have knowledge of network operations, the difference in underlying attitudes means that transferring someone from one to the other is difficult.
“They can’t look at things like a standard systems administrator would,” said Ed Skoudis, an instructor with the SANS Institute, a company in Bethesda, Md., that specializes in cybersecurity training.
Skoudis has spent more than a decade training teams of simulated cyber attackers, known as red teams. “Their job is to try to get around things, to look for the holes, to say, ‘What are the deviations from the norm?’”
The underlying need for cyber talent, however, is undisputed. A drive down Interstate 95 on the U.S. Eastern Seaboard inevitably yields sightings of multiple billboards listing job openings. The radio will assault the driver with a combination of openings and cyber educational opportunities.
It’s an issue that, regardless of the solution, is being taken seriously by Cyber Command, the command spokesman said. “Gen. Alexander has indicated on a number of occasions that one of the critical imperatives for USCYBERCOM is to build the capability of our cyber workforce.”