Cybersecurity and the Military: How to Find and Keep the Right People

CYRIN Newsletter

There is a lot in the news today about privacy, cyber, AI, and ChatGPT. Everyone is concerned about our networks, our technical advantage or disadvantage; who is watching us and who is protecting us? That question is front and center for the military as they look to find and “keep” the best and the brightest when it comes to the new frontiers of space, AI and cyber. After all, our cyber defenders protect everything from land to sea to space. They are the first line of defense. The question is: how does the military attract and retain critical cyber talent? A recent U.S. Government Accountability Office (GAO) report sheds some light on the problem.

The importance of “cyberwarriors”

Our increasingly digitized and virtual world relies on a skilled and vigilant cyberforce to protect the very networks that allow our marines, sailors, airmen, and soldiers to operate in a modern military. Without cyber defenders as our first line of defense against hackers, rogue actors, and other potential malevolent security threats, everything that runs on the systems that keep us safe is at risk. This is a primary concern for the military, which is charged with protecting the troops and the nation at the highest levels and for the highest stakes. The question is, once you find and train the cyber talent who maintain these systems, how do you keep them?

It seems that same question was front and center in a U.S. Senate report that accompanied the fiscal year 2022 National Defense Authorization Act. In that report, released in December, Congress asked the GAO to look into “recruiting and retention challenges” as well as minimum terms of military service for active-duty military cyber personnel.

One finding from the GAO report said that the lack of mandatory service commitments for military cyber personnel is allowing the Department of Defense (DoD) to lose talent to the private sector, since these trained individuals do not have an obligation to remain in the military after they have received their training. While the Department of Defense “must recruit and train a knowledgeable and skilled cyber workforce,” it faces sometimes stiff competition from the private sector, which is also keen to recruit and retain top talent.

It is also important to note the depth and intensity of the training that these highly skilled employees receive. According to one cyber officer, quoted in, "Those skill sets are extremely hard to come by." The cyber officer continued, "These trainings do have a fairly substantial washout rate, and so the reality is not only do you have a lengthy amount of time you put into these people, you also have a finite number of people, frankly, that have the skill set to complete the training."

Problems with retention

One primary focus of the GAO report detailed what the U.S. Army Intelligence and Security Command refers to as Interactive On-Net Operator (ION) training. This highly valuable and very particular skill set relates to “network reconnaissance” and the use of analysis to identify cyber vulnerabilities. The U.S. Cyber Command identified this skill as critical to its plan to expand the cyber workforce substantially over the next five years. One concern highlighted in the report was that although the ION training may take three years and “cost the department hundreds of thousands of dollars – trained professionals may not remain in the military to use those skills for a significant time.” The money invested in training might not translate into long-term utilization of those learned skills and personnel retention for active-duty forces.

The retention issues persist across all military services, which, GAO noted, have “spent at least $160 million on cyber retention bonuses annually in fiscal years 2017 through 2021.”

According to the Army, however, these retention bonuses are cost-effective. Army Cyber Command officials told the GAO that money spent on retention bonuses is offset by the costs of recruitment and training to replace cyber personnel. The replacement cost for a service member in the 17C career field, or cyber operations specialist, who is certified to fill the interactive on-net operator role is about $400,000, while the retention bonus offered to a person with that training is $92,000 spread over six years, the report notes.

Retention of the right people remains critical. According to Army General Paul M. Nakasone, commander of U.S. Cyber Command (CYBERCOM) and the director of the National Security Agency, "It all starts with people, the men and women of U.S. Cyber Command working with NSA and partners here and abroad," he said. "We win with people." Defending the Department of Defense’s information systems and strengthening the nation’s ability to withstand and react to a cyber attack are some of the main focuses of United States Cyber Command.

These issues have become problematic just as CYBERCOM seeks to add more teams. Nakasone, who serves as both the commander of CYBERCOM and the director of the National Security Agency, said in testimony before the House Armed Services Committee in 2022 that he may not have enough teams. “We originally built the force in the department — 133 teams — that were dedicated to our Cyber Mission Force. The previous secretary of defense has approved a 14-team growth in the future years defense plan. We're going to grow five more teams this year.”

The general told lawmakers that may not be enough. He said there's an ongoing study within the department to look at how many teams will really be needed. Also, he said, operations involving Ukraine are teaching CYBERCOM a lot about how it conducts operations, and that this will inform decisions going forward about how many teams the cyber mission force will need.

Research conducted by RAND found that retention of the cyber workforce in the military is a particular problem since the more skills and experience these cyber warriors gain, the more marketable they are and the less likely they are to stay within the force. Because of the education and training military cyber professionals receive on globally recognized standards, they can easily translate their military service experience to civilian careers. Unlike infantry soldiers, for example, the skills acquired on active duty by cyber soldiers are skills that directly correspond to civilian work roles, enabling soldiers to transition from military service into high-paying, competitive careers more easily than their infantry peers. The problem for DoD is how to incentivize its cyber workforce to stay on active duty and how it can compete with the broader US government and private sector to retain talent. In that 2022 congressional hearing, General Nakasone indicated that retention was one of his top priorities.

Overall, according to an internal and not publicly released survey of US Army Cyber Command’s cyber workforce in 2019, the top three factors that would encourage Army cyber personnel to stay in the military were the opportunity to focus on their mission (which they really enjoyed) without administrative distractions, greater time to build their tradecraft and receive additional training, and improved compensation and recognition for their work.

To be fair to the DoD and other sectors of the government, it is important to note that not all private sector cyber professionals, regardless of military experience, are happy and satisfied with their work or employers. In fact, they have concerns that are strikingly similar to those of their military counterparts: cyber professionals in the private sector cited career advancement, competitive compensation, and leadership’s commitment to cybersecurity as the top three factors affecting job satisfaction and their decisions to leave their organizations.

Change is coming

Realizing the issues, the DoD has embarked on a strategy to add thousands of cyber workers through recruitment, training and retaining the necessary talent to execute its cyber missions.

Last November, the DoD dropped the education requirements to open the market for candidates who have chosen to attain qualified status through training, industry certifications, on-the-job training, or apprenticeship programs. Several federal agencies have opened a new personnel system to augment their ability to recruit, develop and retain entry and expert-level cybersecurity professionals.

More recently, in March, it officially announced its DoD Cyber Workforce Strategy designed to provide a framework for how the agency will recruit and retain talent amid a global shortage that reaches hundreds of thousands of open jobs.

In a briefing with reporters, Mark Gorak, DoD chief information office’s principal director for resources and analysis, said DoD has “chosen to be bold” with the new strategy. The strategy outlines four “human capital pillars,” or broad goals: identifying workforce requirements, recruiting talent, developing talent to meet mission requirements, and retaining talent.

Next steps for the Department of Defense

The DoD has an ambitious agenda: it must work to attract talent, retain that hard-to-find talent and work with other government agencies and the private sector in a cooperative fashion to find and harness the human capital needed to enact this ambitious program. The difference is that now, thanks to the recent GAO report, there are some true metrics that it can use to see if the program is working. The GAO report noted that the Navy and Air Force were able to staff their cyber career fields at more than 80%; the Army “improved,” rising above 80% in 2021; and the Marine Corps “generally did not exceed” 80%.

In Daniel Pink’s book, Drive, he suggests that employees are much more likely to stay with their employers if their jobs provide them with three things: autonomy, mastery, and purpose. This seems especially true with highly talented employees that work in cognitively challenging roles.

See what CYRIN can do

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. The people who run our most sophisticated systems, the military, have continued to entrust us with training some of these specialized cyber warriors. For the military, for educators, for the private sector, we continue to evolve and develop solutions with “hands-on” training, the most effective training, which is crucial to attracting and keeping the critically needed people who defend our systems. Our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. These tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
