MIAMI BEACH–The U.S. military has been attempting to build up the offensive cybersecurity capabilities in its various services for several years now, but is running into the same obstacles and challenges that private sector firms in the same space are: a shortage of skilled workers and not enough money to hire the ones who have the skills. Those deficits could portend a reevaluation in the way that the military handles cyber operations and who is involved in them.
The main problem facing the services such as the Navy and Air Force that conduct offensive cyber operations is that they are having a hard time finding people with the right education and skills. That’s a common problem in the private sector as well, and the military and enterprises often are competing for the same small pool of workers. That’s an issue for enterprises, but for the military, it’s a much larger problem.
“The gap between what the military needs and what the private sector is looking for has narrowed to about zero,” Chris Eagle, a senior lecturer in computer science at the Naval Postgraduate School, said during a keynote at the Infiltrate conference here Thursday. “It’s dire straits for everybody, including the military and the government contractors who need to eat at the government trough. You have a cannibalization problem because everyone needs the same talent.”
The group of available security experts who have experience in offensive operations is not large, and the subset of that group that is willing to go work for the military or government for much less than what they could make in the private sector is even smaller. Eagle, whose program at NPS helps educate the Navy folks involved in information warfare, said that the government budget crisis and the disparity in pay between enterprises and the government and military are making it difficult to build the kind of force that the military needs.
The other avenue available for building a large, capable cyber force is to develop and educate existing military personnel. That’s what Eagle does at NPS, but he said it’s difficult in some cases to get enough students for his program when the government is not approving larger budgets for the military.
“I have seen no evidence that the Navy is interested in educating large numbers of its work force [in cybersecurity] and then using that training. The only thing the military can do is somehow increase the number of people assigned to cyber jobs by reducing the number of people assigned to other tasks,” he said. “It’s a zero-sum game for the military.”
Eagle said this state of affairs is made worse by the fact that the curriculum that he is able to teach budding military security experts is not necessarily the one he’d like to teach. Budget problems have led to a reduction in the number of courses he can offer, cutting 25 percent of the curriculum.
“We’re still required to teach a lot of non-curriculum stuff,” he said. “Even though cyber is becoming increasingly important for the Navy, it’s possible that the grads we’re pumping out today are less capable than the ones we produced five years ago.”
All of the pressures on the military to find, educate and deploy capable information warfare workers could lead to a situation in which the government turns to the private sector for help, rather than competing against it for talent.
“The services need to set realistic expectations for their cyber forces,” he said. “That may include the need to bring in civilians. If the talent is residing in the private sector, you’re probably going to have to look at tying that civilian work force to the military.”
That’s a contentious subject, particularly when you’re talking about the possibility of civilians having the ability to deploy offensive cyberwar tools. Eagle said there are legal issues that need to be addressed there and that a further problem is the overlap between the people who develop offensive tools and the ones who have the ability to deploy them. In the past, that was never a problem with conventional weapons. Defense contractors were not in the business of actually flying fighter jets; they simply built them.
“It’s increasingly likely that the people called upon to deploy a capability and the ones called upon to develop it are one and the same,” Eagle said. “The problem is that only uniformed personnel are allowed to pull a trigger. The people who develop these capabilities don’t necessarily have the authority to deploy them.”