Attacks and Vulnerabilities
Malware, Phishing & Ransomware
News
Reports
Threat Landscape

FDD study reveals gaps in US military’s cyber talent recruitment and retention, calls for reforms

March 26, 2024
FDD study reveals gaps in US military's cyber talent recruitment and retention, calls for reforms

The Foundation for Defense of Democracies (FDD) published a study highlighting a mismatch in the U.S. military’s failure to recruit, train, promote, and retain talented cyber warriors. This comes as the Army, Navy, Air Force, and Marines each run their own recruitment, training, and promotion systems instead of having a single pipeline for talent. The FDD study highlighted that the result is a shortage of qualified personnel in the U.S. Cyber Command (CYBERCOM), responsible for both the offensive and defensive aspects of military cyber operations. 

Evidently, America’s cyber force generation system is clearly broken. Fixing it demands nothing less than the establishment of an independent cyber service.

“The inefficient division of labor between the Army, Navy, Air Force, and Marine Corps prevents the generation of a cyber force ready to carry out its mission. Recruitment suffers because cyber operations are not a top priority for any of the services, and incentives for new recruits vary wildly,” Dr. Erica Lonergan and RADM (Ret.) Mark Montgomery, wrote in a Monday post for the FDD. “The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM.”

They also identified that promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate service members who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training.

The study conducted by the research institute that focuses on national security and foreign policy noted that ​​an initial budget for the Cyber Force would be approximately $16.5 billion, a fraction of the hundred-billion-dollar budgets of the Army, Navy, and Air Force. “This estimate includes DoD’s current allocation for the cyberspace activities budget ($13.5 billion), minus the cybersecurity investments from the services ($511 million),” it added. 

The budget estimate also includes the resources currently carved out for CYBERCOM under EBC (about $2.9 billion), the military personnel funds ($624.25 million), and training resources. An apt comparison is a budget for the Space Force, for which the Department of Defense (DoD) requested $30 billion for FY 2024.

The Cyber Force would consolidate the acquisition process specifically for operational capabilities. It should not, however, become the IT and communications service provider for the services, a role that would distract it from operational priorities, the FDD study mentioned. Creating a Cyber Force would also benefit the NSA. A quarter of the NSA’s workforce comprises active-duty military units, currently provided by the services. However, these units are not held accountable for successfully serving the NSA’s mission. With a Cyber Force focused on delivering well-trained cyber personnel, the NSA would, in turn, receive more, high-quality, human resources.

The FDD study highlights that resolving these issues requires creating a new independent armed service — a U.S. Cyber Force — alongside the Army, Navy, Air Force, Marine Corps, and Space Force. There is ample precedent for this approach; battlefield evolutions led to the establishment of the Air Force in 1947 and the Space Force in 2019. 

It also detailed that an independent cyber-service would naturally prioritize the creation of a uniform approach to recruitment, training, promotion, and retention of qualified personnel whose skills correspond to CYBERCOM’s needs. In addition to a single, dedicated cyber training and development schoolhouse, an independent service could establish a cyber war college for advanced research and training, akin to the Army War College and its peers. Without the responsibility for procuring planes, tanks, or ships, a Cyber Force could also prioritize the rapid acquisition of new cyber warfare systems.

The FDD study said that the Cyber Force need not be large. An examination of existing cyber billets suggests it would initially comprise about 10,000 personnel but might grow over time. As the Space Force has shown, a smaller service can be more selective and agile in recruiting skilled personnel.

Some military experts have proposed alternative approaches to addressing the U.S. military’s cyber personnel shortage, but each has major shortcomings. For example, some argue that CYBERCOM should become more like the U.S. Special Operations Command, in which each service provides elite personnel uniquely trained for the land, sea, and air domains. But that model makes little sense for cyberspace since there are no cyber functions specific to the other warfighting domains. 

However, the FDD study pointed out that others argue that CYBERCOM should assume responsibility for manning, training, and equipping cyber forces in addition to employing them on the virtual battlefield. “But this approach would break with 40 years of precedent and would overwhelm CYBERCOM’s leadership, which is already dual-hatted with the National Security Agency, an arrangement that serves U.S. national security well,” it added.

Currently, the study identified that service members arrive at CYBERCOM with skill sets that are not only inconsistent but also insufficient to fulfill their basic work roles. This problem stems from each of the services not only using different names for their cyber operators but also training them differently — without CYBERCOM’s needs in mind.

For example, when an Air Force cyber operations officer, a Navy cyber warfare engineer, and a Marine Corps cyber operations officer complete their initial entry training, they lack a common skill set such as knowledge of specific operating systems or exploits. And none are qualified to serve in any of CYBERCOM’s basic work roles upon arrival.

It was not until February last year that the Navy began using a separate designation for its cyber warfare officers, in alignment with how the other services treat their cyber operations experts. While the Army and Air Force generally enable personnel to devote their careers to cyber roles, the Navy had been grouping cyber officers with intelligence and information warfare officers, hampering their ability to develop expertise.

The services train cyber personnel at service-specific training centers. Army centers include the Army Cyber School’s Virtual Training Area, the U.S. Army Cyber Center of Excellence, and the Fort Eisenhower Signal Training Site. Air Force personnel train at the Air Force Cybersecurity University and the Cyberspace Technical Center of Excellence. The Navy has the Naval Information Warfare Training Center and the Naval Postgraduate School Center Cybersecurity and Cyber Operations. Finally, there is the Marine Corps Air/Ground Combat Center in California.

Furthermore, the FDD study disclosed that there is no system or method to track individuals with cyber skills as they transition to and from the services and CYBERCOM. “This means a service member may enter with initial training for a cyber-related career field but could be moved to a non-cyber career track during one of these transitions. Such reassignments stem from the reality that the services understandably prioritize their unique needs and missions, which may not allow for individual personnel to stay on a cyber-specific track for the duration of their career.”

In conclusion, the FDD study said that the solution is to create an independent, uniform Cyber Force. “While many experts have long called for the creation of an independent Cyber Force, policymakers should especially listen to the voices of those servicemembers with direct, extensive operational experience. The numerous first-hand accounts highlighted in this monograph offer a compelling testament to the need for an independent service for cyberspace,” it added.

The U.S. faces a critical opportunity to reorganize, reallocate resources, and enhance sustainable cyber force readiness. Despite efforts by the U.S. military, the issue remains unresolved. It is imperative that Congress takes action to establish a new independent service to address this pressing need.

Last July, the FDD identified that the U.S. government conducts partner cyber capacity-building programs across multiple federal departments, including the Departments of State, Justice, Energy, Homeland Security, Treasury, and Defense and the intelligence community. At the time, it said that these programs help allies and partners build cyber resilience, develop national cyber strategies, prosecute cyber criminals, and evict malicious cyber hackers from critical networks.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation