The Defense Department plans to boost the ranks of cybersecurity professionals, increasing cyber staff at U.S. Cyber Command by more than five times to some 4,900 employees, according to a recent report in The Washington Post.
The staff-up involves three tiers of cyber pros: Those to protect critical infrastructure, protection forces designed to safeguard DoD’s own networks and “combat mission forces,” which will provide offensive cyber capabilities.
But DoD’s plan is daunting in more ways than one. The job qualifications and skills needed for the kinds of positions the Pentagon wants are rare and often require years of training and hands-on experience. And even if DoD looks outside the confines of the Pentagon to fill these roles, it’s not entirely clear where the new cyber pros would come from.
“This isn’t a discussion about lots of new money,” said Alan Paller, director of research for the SANS Institute in an interview on the Federal Drive with Tom Temin and Emily Kopp. “It’s a discussion about people and skills.”
When Cybercom was first stood up three years ago, the command hoped to staff up with some 3,000 cyber professionals from each of the military services, Paller said. But the services “literally laughed,” he said. They couldn’t even provide 300 personnel members.
One of the reasons why cyber personnel can be elusive is because of the highly technical nature of the job, Paller said. Cyber pros need to be capable of protecting DoD networks, have a deep understanding of cyber threats, the ability to write code, and be proficient at analyzing network traffic for possible intrusions and software for possible flaws and vulnerabilities.
‘Huge shift’ in training?
Paller said DoD’s announcement signals a “huge shift” in training expectations and how DoD defines a cybersecurity expert.
“You can’t just take anybody and make them into a cyber person,” Paller said. “There’s a certain way the brain works that allows you to look at systems from the flaw perspective rather than from the functional perspective. So the real key is … to have a talent search among all the existing workers to find the people who have these skills.”
Paller said it appears DoD is ramping up its training to essentially grow its own cyber professionals as opposed to looking outside the organization.
“They’re not able to hire them; the contractors can’t find them either,” Paller said. “So they can build this talent within. And it’s a huge effort. And I don’t mean hugely expensive. It may be that as well. But sometimes there are just things that are hard to do. And this is really hard to do.”
If the Pentagon did decide to hire from outside the government, that would bring with it its own set of problems, according to Ron Marks, senior fellow for George Washington University’s Homeland Security Policy Institute.
“The kind of guys you might want to recruit for this are not necessarily the ones you’re going to get through the clearance process so easily, which under the best of circumstances takes six months to a year,” Marks said in an interview on In Depth with Francis Rose.
“You have a pot of people out there who are perfectly capable of hacking and engaging in that kind of activity,” he added. But they may not easily pass the security-clearance process at the top-secret level.
Those factors mean it will probably be difficult for the Pentagon to build up its cyber force quickly, Marks said.
“It’s going to be hard a hard slog,” Marks said, even if Cyber Command plans to implement its personnel goals over a number of years.
The latest cyber build-up at DoD follows a number of recent moves by agencies seeking to staff up their cyber-operations shops.
Earlier this month, the Air Force announced it would hire an additional 1,000 cyber professionals to keep up with potential cyber rivals, such as Iran.
In November, an internal Homeland Security Department advisory committee recommended the department hire 600 cyber experts.