The Pentagon may want thousands of new cyber experts added to its work force, but experts said the agency lacks any credible means of training that many recruits, and there aren’t enough already trained to meet the need.
Last week, several reports surfaced citing senior Pentagon officials who described the coalescing of a plan to add about 4,000 cyber experts to the agency’s payroll. The problem: The agency doesn’t have the schools in place to train that many people, the university system isn’t turning out enough experts who can get security clearances, and neither has developed a technique to identify those with the right mindset to be truly capable.
The outlines of the plan being kicked around the building entail forming a trio of groups: Cyber National Mission Forces, Cyber Combat Mission Forces and Cyber Protection Forces. The agency has settled on that arrangement of talent, but the specifics are still up in the air.
“While the basic cyber force structure model is clear, the implementation plan to achieve it is still being developed and is predecisional at this time,” a defense official said.
Several sources familiar with the discussion said the exact number needed is still being determined, and that the 4,000 figure is more “ballpark estimate” than policy. But the framework is running into problems because existing training programs won’t be able to generate anywhere near that many experts.
What’s worse, the Department of Defense isn’t the only employer looking for experts. Retaining talent will be difficult, and recruiting in an environment where skilled professionals can make multiple times a government salary in the private sector only complicates the problem.
“That’s absolutely not plausible,” said Richard Bejtlich, chief security officer at cybersecurity company Mandiant. “It would be tough to hire 400, let alone 4,000. On the supply side, those sorts of people that they’re looking to hire, you’d basically be picking them off from other organizations.”
Asked about the capacity question, the defense official said the agency is still working out the details, but that capacity is improving.
“As the decision for the expansion of cyber personnel is still predecisional, I will tell you that the training capacity continues to grow for cybersecurity personnel,” the official said.
The desire to increase the cyber force isn’t new. When U.S. Cyber Command, the DoD subunified command tasked with operations in cyberspace, was formed in 2009, its new commander, Gen. Keith Alexander, asked the services to come up with several thousand cyber experts apiece. While some experts have been trained, the numbers were never reached.
“This is, ‘Oh crap, we asked for it, they didn’t have it, now we better get them to get it,’” said Alan Paller, director of research at the SANS Institute. SANS trains many cyber professionals who go to work at government agencies and the public sector.
Paller said that as currently arranged, coming up with thousands of experts would not be achievable.
“The people are not there, and there is no pipeline yet,” he said.
But there is hope, as the issue is now getting attention.
“What happened in the last six months is that the right people figured out that if we don’t have the right people in place, we will lose,” Paller said. “It is a survival issue for the nation.”
Building a Pipeline
Experts say that a specific mindset is required for work in the cyber field, but no test has been developed that effectively spots such candidates in advance of training.
And the military, thus far, hasn’t evidenced much flexibility in accepting experts who might not fit the typical military mold.
“The types of people who would like to volunteer to help the country, they don’t fit the government’s model, not even at the guard level,” Bejtlich said. “They don’t want to give their lives to the government; they don’t want to be deployed.”
Now, several efforts in the pilot program stage are starting to pop up. One is a program designed to leverage the large number of returning veterans, and the nation’s community college system, to create two-year certificate programs that would help greatly increase training capacity.
The first of these CyberCenters is just getting started at Brookdale Community College in Lincroft, N.J. The program, being put together by the nonprofit Cyber Aces Foundation, is designed to pair roughly a year to 18 months of course work with six months of what the program calls a “residency” with a local company.
Those companies would help support the programs along with grants from the Department of Labor and funds from the GI Bill. The program is designed to target returning veterans, although others are welcome to apply.
The Brookdale pilot, still in its early stages, had roughly 500 applicants, including 100 veterans. A March competition among the applicants will select the final students for the program. The exact size of the first class has yet to be determined, but it will likely fall in the 10- to 25-student range, said David Brown, executive director of the Cyber Aces Foundation.
“I don’t think there’s any question about it that the capacity in the current educational system simply isn’t there,” Brown said.
Brown said the foundation is starting the pilot program to help expedite the development of a pipeline.
“If we leave it to DHS [Department of Homeland Security] and government, it’s going to take years to do, so let’s pilot it,” he said.
What differentiates the program from most university approaches is its shorter duration and its emphasis on practical experience. The six months spent in actual companies doing real work puts the students in a good position to be capable post-graduation, Brown said.
“They need people who have heavy stick time experience,” he said. “Many smart kids in programs get a lot of education, a lot of theory, but any stick time they get is on their own.”
And the commitment to get extensive experience sets apart those who will be successful.
“The key to understanding these people is they need 2,000 to 5,000 hours of time, and only a certain kind of person is willing to do that,” Paller said.
SANS is providing some of the funding for the CyberCenter program. “A pilot isn’t good because he’s smart,” Paller said. “He’s good because he’s smart and because he’s got 5,000 hours in a cockpit.”
Ideally, the CyberCenter approach would generate dozens of programs across the country, each contributing to a collective surge of capable cyber experts that could work for the government or the private sector.
The services have been mulling using a similar competition to help identify candidates for training, Paller said.
Finding the Right People
Whether it’s the services or an educational institution looking for candidates, identifying the right students is still guesswork.
“That is the hardest problem,” Paller said. “It isn’t discipline that you’re teaching, it’s that none of this seems to resonate with people who don’t have whatever that special brain is. If you’ve got the skill going in, the attrition rate is less than 12-15 percent. If you let anybody in, you’ll lose half at least, and that’s a waste given how few spots there are.”
The need for talent is widespread, with private companies, local authorities and a variety of federal agencies in need of experts to help defend networks. But DoD’s need is different because most of its work force needs to have clearances. And there’s a real risk that the agency, recognizing its need, will simply add people who aren’t truly capable, Bejtlich said.
“I don’t see cyber as a problem that is solved by mass,” Bejtlich said. “You can’t just throw more people at it. It’s much more akin to special operations, where you need the right people.”
Bejtlich said the push for increased numbers may be more politics than policy, as DoD tries to protect its budget.
“Especially in an era of declining budgets, if you can make a case for more people and make that land grab, people do it,” he said.
Paller said that in the past, DoD has reduced its requirements for experts, producing bad results.
“Everything depends on not dumbing it down,” he said. “DHS dumbed its hiring down, DoD dumbed its programs down. It’s so much easier to dumb it down and let the existing people have the jobs, than to build a pipeline to fill the jobs with the real talent.”