In a memorandum sent to Deputy Defense Secretary Ashton Carter in late 2012, two dozen experts, including uniformed members of all three major branches of the military, expressed concern that a series of requirements, many of which were put in place in August 2004 under DoD Directive 8570, was hampering the agency. (AFP)
WASHINGTON — The Defense Department wants to hire thousands of new cyber experts to create a large force of skilled cyber warriors. But first, it has to address concerns about the experts the agency already has.
Many of those tasked with protecting networks — key cogs in the U.S. national security infrastructure — are undertrained and unqualified, creating dangerous vulnerabilities, experts both in and out of government are saying.
Agency officials said they were aware of the concerns and are rewriting all policy related to qualifications and certifications to make sure that the impending boom in cyber hiring puts capable experts in critical positions.
The concerns center on a series of requirements, many of which were put in place in August 2004 under DoD Directive 8570. The directive mandates that information assurance (IA) experts — those in a variety of primarily cyber defense positions — receive specific certifications. Those certifications, created by organizations outside DoD, are coming under fire as failing to test the capability of defenders.
One source indicated that an earlier, more difficult certification that required hands-on instruction was considered and then rejected when the directive was being finalized in favor of certifications that wouldn’t require the training.
And because limitations in funding mean resources are allocated almost exclusively toward academic-based certifications, experts said that critical members of the cybersecurity work force are being put in important positions unprepared to do their jobs because money is not being spent on hands-on training.
“The current requirements aren’t turning out people who are prepared,” said Jeff Moulton, a senior cyber researcher at the Georgia Tech Research Institute. “The school of hard knocks can teach quite a few lessons, but at DoD that can cost people’s lives. Book training is simply not enough.”
In a memorandum sent to Deputy Defense Secretary Ashton Carter in late 2012, two dozen experts, including uniformed members of all three major branches of the military, expressed concern that DoD 8570 was hampering the agency. The names of the experts were not included in the memo, sent by an outside organization, because of concerns that they might suffer retribution for going around the chain of command and speaking out in a document sent directly to Carter.
“One of the biggest threats to the DoD networks is the inability of DoD security professionals to secure the networks,” a U.S. Army chief warrant officer assigned to U.S. Army Cyber was quoted as saying. “Many of these security professionals have the required certifications but no understanding how to truly secure the DoD networks and make poor decisions resulting in vulnerable networks.”
Others focused on the lack of hands-on training required, resulting in broad certifications that are required for many jobs but are not specific to any of them.
“How on earth can anyone truly believe that one certification can ensure that you have mastered the deep technical skills to be an intrusion analyst, infrastructure support, incident responder, auditor and manager?” the memorandum quoted a U.S. Army major. “Those are 5 different technical jobs and should require 5 different certifications.”
In a joint interview with Deputy Chief Information Officer for Cybersecurity Richard Hale, DoD Chief Information Officer Teri Takai said the agency is aware of the concerns.
“We have never said that our policies and procedures, as it relates to IA certification and qualification, are completely up to date,” she said. “One of our challenges is that it takes a while for us to update our policies.”
Although Takai and Hale were not in their current positions when the original 8570 was issued, Takai said disagreement over the merit of certain external certifications is common.
“All the certification and qualification vendors that are out there don’t see eye to eye,” Takai said. “They believe theirs is best, better than anybody else’s, and secondly many of them have training that goes with that, so now they don’t become actually impartial in the way that they look at their certifications because there is a training component that is a business proposition for them.”
Part of what makes the process of standardizing certifications difficult is that government has a hard time moving at the pace of cyber, where concepts and technology can be outdated in a matter of months. Although 8570 has seen some updates since 2004, it’s still largely composed of concepts developed nearly a decade ago, a relative eon compared to the pace of technology.
While acknowledging that the agency can always improve its training approaches, Takai said some of those concerned may not recognize what is being done to fix the problem.
“I worry that some of the folks that are speaking up may not necessarily be aware of all of the actions that are happening here,” she said. “You know how big we are, and actions that we take at a senior level don’t always trickle down as fast as folks would like to see them on the ground. I’m not sure that’s purely a cybersecurity issue.”
Among the efforts underway is a complete redo of the certification policy designed to create job specific requirements.
“We’re rewriting essentially all of the cyber workforce policy, so we are going to have an overarching cyber workforce policy that will include all of the cyber skills including cyber defenders, cyber attackers, malware analysts, all that stuff,” Hale said. “Then we will rewrite specific manuals underneath each.”
Hale said the goal is to have the new overarching policy in place by the end of the fiscal year. Drafts of several of the job-specific qualifications could be circulated within the year as well. The requirements will still employ outside certifications, as they are viewed as better at keeping up with changing needs, but some basic certifications will be put in place at the service academies for low-level requirements.
And while the policy will help with new hires once it’s in place, DoD is also looking to reevaluate those already in positions to make sure they’re adequately trained.
“Richard is working with them [U.S. Cyber Command] on how they even take the workforce that they have today and make sure that there’s uniformity in the training,” Takai said.
Figuring out the right kinds of qualifications and certifications quickly is vitally important, as DoD is finalizing plans to increase the cyber workforce by thousands of people, making the need for adequate training policies all the more acute.
Since the administration is pushing to put people in place as soon as possible, and the cyber workforce policy will take some time, Takai and Hale said they’re looking to implement new ideas ahead of the formalization of the policy.
“We’re not waiting on this,” Hale said. “What we’re doing is using the initial plus-up to force us to much more quickly write down what the jobs are, what the qualification standards are. Even before those become policy, or we publish a manual, we will be using those.”
One of the areas that has been accused of lacking is hands-on time requirements. Requirements to reach information assurance technical (IAT) job levels 1-3, levels that can place cyber workers in critical positions to defend the DoD network, call for only experience with some hacking, but no job-specific practice.
“Our certification was designed to ensure that managers had a broad base of knowledge about many different domains,” one of the designers of a certification required under 8570 was quoted as saying in the memo to Carter. “Yet our certification ended up as IAT 3. It was never designed for that purpose and now I have frustrated customers because they don’t think our certification is good.”
It’s that kind of improperly employed certification that is hurting the force, said Alan Paller, director of research at the SANS Institute.
“Right now we are spending huge amounts on training people as ‘frequent flyers’ — people who can talk about security but could not find the infection in a computer even if the economic well-being of the nation depends on it, which it does,” Paller said. “Scenario-based training — like that for pilots and doctors — works.”
Hale said hands-on experience is receiving a high priority in the new policy.
“Depending on the job, experientially based training and on-the-job experience are essential,” he said. “We absolutely believe that.”
Complicating the entire endeavor are the budgetary constraints that DoD finds itself under. Takai and Hale said they have been assured that cybersecurity spending will be protected in future budgets. But if training dollars remain flat, and the force increases tremendously, the ability to provide hands-on training for many people might be difficult.
“Yes, in fact, we’re concerned about those same things, but we’re trying to put the steps in place to try to keep it as organized as we can,” Takai said.
But the problem is less about finding the money, and more about understanding what it takes to make an effective cyber expert, Moulton said.
“It’s all good to throw money at a problem, but it never solves the problem,” he said. “We need to make sure that we make smart investments and right investments.”