Shortage of Skilled People Could Hamper Military’s Offensive Security Capabilities

MIAMI BEACH–The U.S. military has been attempting to build up the offensive cybersecurity capabilities in its various services for several years now, but is running into the same obstacles and challenges that private sector firms in the same space are: a shortage of skilled workers and not enough money to hire the ones who have the skills. Those deficits could portend a reevaluation in the way that the military handles cyber operations and who is involved in them.

MIAMI BEACH–The U.S. military has been attempting to build up the offensive cybersecurity capabilities in its various services for several years now, but is running into the same obstacles and challenges that private sector firms in the same space are: a shortage of skilled workers and not enough money to hire the ones who have the skills. Those deficits could portend a reevaluation in the way that the military handles cyber operations and who is involved in them.

The main problem facing the services such as the Navy and Air Force that conduct offensive cyber operations is that they are having a hard time finding people with the right education and skills. That’s a common problem in the private sector as well, and the military and enterprises often are competing for the same small pool of workers. That’s an issue for enterprises, but for the military, it’s a much larger problem.

“The gap between what the military needs and what the private sector is looking for has narrowed to about zero,” Chris Eagle, a senior lecturer in computer science at the Naval Postgraduate School, said during a keynote at the Infiltrate conference here Thursday. “It’s dire straits for everybody, including the military and the government contractors who need to eat at the government trough. You have a cannibalization problem because everyone needs the same talent.”

The group of available security experts who have experience in offensive operations in not large, and the subset of that group that is willing to go work for the military or government for much less than what they could make in the private sector is even smaller. Eagle, whose program at NPS helps educate the Navy folks involved in information warfare, said that the government budget crisis and the disparity in pay between enterprises and the government and military is making it difficult to build the kind of force that the military needs.

“The challenge is to get these kids into government service,” he said. MIlitary security

The other avenue available for building a large, capable cyber force is to develop and educate existing military personnel. That’s what Eagle does at NPS, but he said it’s difficult in some cases to get enough students for his program when the government is not approving larger budgets for the military.

“I have seen no evidence that the Navy is interested in educating large numbers of its work force [in cybersecurity] and then using that training. The only thing the military can do is somehow increase the number of people assigned to cyber jobs by reducing the number of people assigned to other tasks,” he said. “It’s a zero-sum game for the military.”

Eagle said this state of affairs is made worse by the fact that the curriculum that he is able to teach budding military security experts is not necessarily the one he’d like to teach. Budget problems have led to a reduction in the number of courses he can offer, cutting 25 percent of the curriculum.

“We’re still required to teach a lot of non-curriculum stuff,” he said. “Even though cyber is becoming increasingly important for the Navy, it’s possible that the grads we’re pumping out today are less capable than the ones we produced five years ago.”

All of the pressures on the military to find, educate ad deploy capable information warfare workers could lead to a situation in which the government turns to the private sector for help, rather than competing against it for talent.

“The services need to set realistic expectations for their cyber forces,” he said. “That may include the need to bring in civilians. If the talent is residing in the private sector, you’re probably going to have to look at tying that civilian work force to the military.”

That’s a contentious subject, particularly when you’re talking about the possibility of civilians having the ability to deploy offensive cyberwar tools. Eagle said there are legal issues that need to be addressed there and that a further problem is the overlap between the people who develop offensive tools and the ones who have the ability to deploy them. In the past, that was never a problem with conventional weapons. Defense contractors were not in the business of actually flying fighter jets; they simply built them.

“It’s increasingly likely that the people called upon to deploy a capability and the ones called upon to develop it are one and the same,” Eagle said. “The problem is that only uniformed personnel are allowed to pull a trigger. The people who develop these capabilities don’t necessarily have the authority to deploy them.”

 

Suggested articles

Discussion

  • Conrad Constantine on

    The government might as well say "We're going to create 5000 new doctors next year!". Creating good DFIR/Pentesting Folks just isn't something that can be done in a year - believe me, I usually don't see people's true talent emerge until they've had at least 2 years on the job, and the range of experience with the 'non-security' stuff you need to know, I don't see people getting that down until around the 5 year mark at the least. Plus, the kind of mindset that loves this sort of thing, tends to produce a natural dislike for authority - the US military is going to have a hard time appealing to people's desire to defend their nation as it is - getting folks that are interested in going on the offensive - whole different kettle of psychopaths there.

    Defensive work is tough, and you can't just apply the call-center quantity-over-quality model to it and expect to get any kind of meaningfully effective result.

    Still, as I've said before, to chastise people on my own teams for when I catch them doing stuff in a follow-the-procedure-exactly manner - "The Marine Corps does not want robots - the Marine Corp wants Killers" - with the right environment in these units, with enough special high intensity training deal out to these 'cyber-recruits' - at least they'll have enoufh manpower to distribute the grunt work out and take some load off of the handful of truly smart people the military has working for them in this area. 

    To wrap this up :you inevitably have to face the disconnect that the most talented people in this field are largely the same people that recoil at the concept of working for a national military - not necessarily through any convictions of pacifism, but from the concept of having to give up personal freedoms when signing up to the military. The idea of having a job you can't just walk away from isn't something that most folks in this business would find acceptable.

  • Anonymous on

    Guess they should have thought long ago about quality and quantity of immigration instead of just quantity, but those running things saw a advantage to keep themselves on top by flooding the rest of the country with poorer quality people. The damage is already done and only going to get worst, implosion is inevitable. Long live the Bundy's.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.