Buried deep within recent congressional legislation is a contention that the Pentagon is seriously understaffed when it comes to offensive cyber operations.
The Senate’s version of the 2013 defense authorization bill includes a provision that would require the Pentagon to consolidate its network activities to free up personnel who could be reassigned to U.S. Cyber Command’s offensive missions.
Lawmakers said in their summary of the bill that the plan is needed because offensive missions are understaffed.
One idea for finding the manpower involves stripping the Defense Information Systems Agency of its cyber defense workforce, cyber experts said.
Some experts questioned the logic of taking personnel dedicated to network defense and applying them to an offensive mission.
“Whoever wrote that has no idea what he’s talking about. It’s like comparing Chihuahuas and pit bulls,” one cyber expert said.
The problem is that offensive operations require not only a different skill set but also a different mindset. Defensive specialists hunt for footprints left behind by cyber intruders. Offensive specialists must use creativity to figure out how to take advantage of someone else’s underlying system vulnerabilities.
While both groups must have knowledge of network operations, the difference in attitudes means that transferring someone from one to the other is difficult.
“They can’t look at things like a standard systems administrator would,” said Ed Skoudis, an instructor with the SANS Institute, a company in Bethesda, Md., that specializes in cybersecurity training.
Skoudis has spent more than a decade training teams of simulated cyber attackers, known as red teams.
“Their job is to try to get around things, to look for the holes, to say, ‘What are the deviations from the norm?’”
One lawmaker said the staffing problem is not limited to the military.
“The Pentagon’s staffing needs are probably very indicative of what we need nationally,” Rep. Jim Langevin, D-R.I., said. “We just don’t have enough people to fill all of the needs in cyber that exist currently.”
Langevin is the top Democrat on the House Armed Services emerging threats and capabilities subcommittee.
Citing a CIA statistic, Langevin said, “We only have about a thousand people that can operate at world-class levels in cyberspace. What we need is more like 20,000 or 30,000 people.”
In the offensive cyber realm, the Senate Armed Services Committee wants the Defense Department to reduce and consolidate networks so that fewer people would be needed to defend them.
A spokesman for Gen. Keith Alexander, the director of the National Security Agency and head of Cyber Command, concurred that there is a desire for more staffing “across the full spectrum of cyber operations.” The spokesman said Alexander “has indicated that it is going to take time for us to generate the force, and he is optimistic that we will get the forces that we need.
“One of the challenges is finding and holding the people that we need to do this mission. ... Some of the training programs run for 18 months. Even if we hired a hundred or a thousand more people today, it would still take time to get them operationally ready,” the spokesman said.
The report accompanying the Senate bill notes that Alexander has testified that personnel within Cyber Command are overwhelmingly allocated to network management and defense. Alexander and others in the Pentagon “agree that both issues could be at least partially rectified by dramatically reducing the number of separate network enclaves in the [Defense] Department, which should yield significant manpower savings, and retrain and reassign that manpower to supporting offensive missions,” the Senate report says.