A new report from the Presidential Commission on Enhancing National Cybersecurity calls for national workforce programs to train 100,000 cyber practitioners by 2020 and a national cybersecuirty apprenticeship program to train 50,000 more.
It’s the latest in a series of reports and recommendations pressing the federal government to combat the vast shortage of cyber talent in the public and private sectors.
But actually recruiting and training cyber experts remains a challenging, confusing and sometimes confounding problem. Just days before report’s release, a panel of experts drilled down on those challenges at the annual Interservice/Industry Training, Simulation and Education Conference (I/ITSEC).
Diana Banks, deputy assistant secretary of defense for force education and training
“What we really should be thinking about with cyber is a pipeline,” said Diana Banks, deputy assistant secretary of defense for force education and training. “It is a trainable skill.”
Indeed, the federal government has taken an unusually long-range view on developing such a pipeline. The National Security Agency (NSA) funds GenCyber summer camps for middle and high school students – and their teachers – in more than 30 states and the District of Columbia. The camps supported more than 4,000 students and 900 teachers last summer. Held on university campuses, sessions last a week or two and are designed with the express intent to spark an interest in computer science, cyber security and ethical hacking early in students’ academic development.
Similarly, both the Pentagon and the Department of Homeland Security have programs geared towards, attracting college students.
But while the presidential commission report acknowledges the essential value of such efforts, the near-term needs for cyber skills are growing faster than current pipelines can deliver.
“The economic and national security of the United States cannot wait a decade or longer for initiatives in primary and secondary education to bear fruit,” the report states. “Closing the gap in the near term will require a national surge that increases the workforce and provides a structure for on-the-job training to ensure that the current workforce has the right skill set.”
Maj. Gen. Stephen Fogarty, chief of staff at U.S. Cyber Command
The military services are already in a race to train thousands of troops with cyber skills and to keep up with growing internal demand from military commanders, said Maj. Gen. Stephen Fogarty, chief of staff at U.S. Cyber Command. The more field commanders learn about what they can do with cyber effects, the greater their demand for practitioners in front-line units. (Commanders, in fact, are often unaware of the full extent of the cyber skills they can bring to bear, because classification levels typically keep that information from them – a procedural and administrative hurdle Fogarty and other officials acknowledge needs to be addressed.)
Fogarty said the Army is finding success recruiting young people to the field. “They’re willing to join the military to get a skill and we’re going to invest a significant amount of effort to make them into very, very good cyber operators,” he said. “How do we actually attract professionals into government service? For initial entry, my carrot is: I will train you. We have soldiers, sailors, airman and Marines who have college degrees and who want to enlist.” He said the Army’s first Cyber Officer Leader Course also attracted a high-quality cohort: “I had an MIT grad, I had a Harvard grad, I had graduates of West Point’s Cyber Leadership Development Program, and the rest of the students were graduates of some of the best universities in the United States.”
So the issue isn’t that the military can’t compete. Rather, it’s that attrition and growing demand even among the military services themselves means the goal posts are moving even as the Defense Department gets deeper into the game.
“We will not be able to fill all our requirements with active duty military,” Fogarty said. Government civilians, contractor talent and the National Guard and Reserve will be critical to augmenting military capacity. Guard and Reserve members, in particular, give the military access to the best of both worlds. “Some of those individuals work in the industry every day and they bring a lot of maturity and experience to us,” Fogarty says.
NSA’s Cyber School
Grant Wagner, distinguished chair at the National Cryptologic School at NSA, said his agency is working with the military services and DHS to develop a consistent curriculum and a productive talent pipeline. It’s important, he said, “that we’re teaching the same thing – that the universities hear the same message from across the government. That this is the set of skills that we need.”
The government incentivizes universities to follow that model by providing scholarships and guaranteed employment after graduation. “That gives us a broad base of foundational skills and nationwide production.”
The agency is also identifying “key universities,” he said, and working with them through its Centers for Academic Excellence programs across the academic spectrum. “There’s a Center for Academic Excellence in every community, so there’s one for the two-year colleges and for folks who are coming out of high school or changing careers.” There are also four-year programs and another set of programs for advanced degrees.
“Altogether, I’ve got about 216 universities across the nation that I’m working with in one way or another,” he said. “They’re sharing among themselves on what sort of classes are working and what sort of training experiences are working in terms of appealing to the students.”
That pipeline is only the beginning, Wagner said. “Once they’re at the agency, now I have to train them with the special skills necessary to complete their training.” NSA has hands-on laboratory training and platform training today. “But that’s not going to get us where we need to be in the coming years.”
NSA is developing “a set of initiatives that are going to make us much more content agile,” Wagner continued. “In this field, there’s something new every week, and the stuff you did last year is only about half right [today]. We have to be student centered and keep them up to date without taking too much time away from mission, and I have to do that in a very scalable, global structure.”
The agency is also adjusting to a changing world in which it can no longer count on hiring young staff and keeping them for their entire careers. Increasingly, the agency must hire mid-career talent as well, which makes continuous staff assessment more important now than in the past. “I have to have a new set of assessment tools that aren’t onerous on the student and don’t take time away from mission, but still give me an idea of the sorts of training these people need to get back in the groove.”
DoD’s Cyber Academy
Though NSA is the primary trainer for military cyber skills, beginning in 2019, the military services are supposed to take over that responsibility.
Frank DiGiovanni, DoD Director of Force Training
The Defense Department has experimented through a series of pilot training courses dubbed the Cyber Operations Academy Course (COAC), an initiative driven by DoD Director of Force Training Frank DiGiovanni. The course aims to develop a scalable model for teaching cyber skills to military members with varying levels of cyber knowledge. It turns them into operators in just six months, bypassing the conventional hierarchical approach that requires years of schooling culminating in a college degree.
John “Rigs” Rigney, co-founder and chief technology officer of Point3 Security, piloted the journeyman-apprentice approach DiGiovanni favors as the lead instructor in the COAC. A lifelong hacker and former NSA cyber operator, Rigney said there are really only two routes to recruiting cyber talent: Find such people or grow them yourself.
“I grew up in this world as a hacker,” Rigney said. “I broke into my first system when I was 8 and haven’t really stopped since. When I talk to people about recruiting, I find they’re looking in the wrong places. What I often see is they’re going to job sites like LinkedIn. I don’t know anyone who has these skills who is on LinkedIn. That’s just the wrong place. This is a culture. You do this because you’re obsessed with it.”
The problem, Rigney added, is reaching the right people: “A lot of the most talented [hackers] are simply unaware they can get well-paying jobs doing this kind of work.”
To find them, government and industry should sponsor more capture-the-flag cyber events to challenge hackers, either working alone or in teams, to outdo others, Rigney said. Such events are signature elements of hacker conferences like Def Con and provide the kind of challenge that brings hackers out into the open.
That answers part of the problem, but not everything. Many skilled hackers won’t qualify for military service – with its additional fitness requirements – or won’t want to put up with all of its other constraints. That’s why it’s also important to identify people who are already in the military who have the native talent to develop hacking skills.
Rigney said the COAC has proven that the military can train its own by developing an environment in which students discover the obsessive, addictive nature of computer hacking for themselves. The most successful students are self-learners who approach problems they’re given with a passionate, obsessive desire to find the answer, even if that means staying up all night.
“They’ve got to have that obsession,” Rigney said, noting that as a military course, though students are expected to show up at 8 a.m., he continued to get text messages and questions from them into the wee hours of the morning.
Most military cyber training doesn’t allow for that continued at-home experience – frustrating students, Rigney said. “Our training facilities and approaches don’t necessarily foster that kind of environment.”
Adding even more complexity to the cyber talent equation is the need for Command and Control of cyber-warriors.
“Although improving hacker skills is an important part of strengthening cyber defenses, those skills need to be combined with a disciplined focus on Tactics, Techniques and Procedures (TTP), just like any other weapons system”, said Stanley Tyliszczak, vice president of technology integration and chief engineer at General Dynamics Information Technology. “Hackers are technically very savvy, but their motivations aren’t necessarily the same as a determined adversary’s. Hackers can afford to be ad-hoc and define ‘mission success’ after the fact, based on results accomplished.
“In cyber warfare, we still need training on TTPs for how to employ and defend against cyber weapons – detailed analysis of things like risks, threats, vulnerabilities and targeting,” Tyliszczak continued. “We need cross-functional teams that understand different motivations – things like financial gain, economic disruption and political mischief as well as traditional espionage. We have to learn how to understand different threats and achieve specific results based on planned actions. It has to be a disciplined approach.”
Meeting the Numbers
Developing enough cyber talent that the work can be spread out and doesn’t overburden just a few is still a critical problem. Rigney praised the on-the-job learning experiences he enjoyed as an operator at NSA, but said most of the people he worked with left ended up leaving the government due to burnout.
“We’ve got to figure out a way to avoid burning these guys out,” he said. His solution: Find and “train much more of them.”
Maryland Air National Guard Capt. Matthew “Tux” Weiner, group weapons and tactics officer of the 275th Air Force Support Squadron, agreed with Rigney that identifying candidates with “that hacker mindset” is critical. A former master sergeant who stood up the initial cadre of the U.S. Air Force Cyber Warfare Operations Weapon Instructor Course, an elite course in cyber at Nellis Air Force Base, Weiner has first-hand experience with finding, training and retaining valuable cyber talent.
The service today starts with a notoriously challenging assessment test – “the smartest people I know take this assessment and don’t pass,” he said – and continues with rigorous training that weeds out half of the select few who qualify to attend. Successful operators combine military experience, intense level of effort and attention to detail to survive, Weiner said, working their way through foundational training, operational training and then professional development that takes them from apprentice to journeyman to master level operator.
Just training them to the point of operational readiness costs in excess of $250,000 per person, he said, in part because the washout and attrition rates are so high. The Air Force struggles in particular to hold on to its few master-level operators, he said.
Students need to be able to master networking, the UNIX and Windows operating systems, security and all the related protocols. “It isn’t just learning TCP/IP and network security,” Weiner said. “It’s wanting to go in there, understand security and break the system. It’s about having the mindset that you want to hack into something and break it.”
Once those people are trained and ready, it’s essential the services nurture them as valued assets, providing additional training, plenty of support and opportunities to grow. There’s no shortage of cyber work to be done. But there remains – and will for some time – a shortage of talent to get those jobs done.