While the Pentagon is developing cyber arsenals, it is struggling to staff the newly operational Cyber Command and supporting service cyber organizations that will deploy against adversaries overseas.
If current cyber conflicts are any guide, future operations likely will require more than technical know-how -- they also could be just as reliant on the physical prowess of covert and clandestine operators capable of inserting computer code into networks at secure facilities. For example, the U.S.-Israeli-engineered Stuxnet computer virus that reportedly seized Iranian nuclear centrifuges was inserted manually through a jump drive, rather than propagated over the Internet from a safe location.
How the Pentagon will find enough brawny brains is a question some observers are raising.
The answer partly lies in the way the Pentagon has chosen to incorporate Cyber Command, which directs cyber-offense operations, into the existing commands worldwide. The military services each has their own cyber units composed of thousands of troops, civilian personnel and contractors. The plan is for cyber specialists serving the Air Force, Army, Marines and Navy to coordinate with Cyber Command headquarters in Maryland on executing operations abroad, according to Gen. Keith Alexander, head of the command.
“Gen. Alexander has said that one of the critical imperatives is to build the capability of our cyber workforce, especially in the service cyber elements, which are essential to the accomplishment of our mission of supporting the combatant commands and national requirements,” Cyber Command spokesman Col. Rivers J. Johnson Jr. told Nextgov.
Even if the Pentagon had enough skilled recruits now, he said, it would not be able to deploy them immediately due to training inconsistencies in the fields of information assurance and ethical hacking.
“A key aspect of this is to train as a joint organization so the standards are the same throughout the command,” Johnson said. “We are pushing on the services to go faster, but there are limits. Since some of the training programs run for 18 months, even if we hired a hundred or a thousand more people today it would still take time to get them operationally ready.”
Ideally, Defense officials say, they would like to see outstanding candidates graduating from diverse institutions, such as the Air Force Institute of Technology at Wright-Patterson Air Force Base in Ohio or the University of Utah, a Pentagon-designated cyber academic center of excellence. “Whether we do our cyber training at one school or at multiple schools, the training will have to be executed to one standard,” Johnson said.
Civilian agencies, the private sector and the Defense Department already are fighting each other to recruit talent from an inadequate pool of cybersecurity professionals, irrespective of their physical qualifications for uniformed military service.
Amassing troops whose fingers are as dexterous as their legs may be difficult, cyberwar analysts say.
Johnson agrees the competition for cyber professionals presents a hurdle, but says the command stands ready to vie for them using, among other incentives, special rewards for newcomers and experienced cyberwarriors alike.
“One of the challenges is finding and holding the people that we need to do this mission. We have to recruit, train and retain a cyber cadre that will give us the ability to operate effectively in cyberspace for the long term,” he said. “Gen. Alexander has indicated that it is going to take time for us to generate the force and he is optimistic that we will get the forces that we need.”
The possible job incentives Alexander has discussed include additional pay, such as the bonuses pilots or nuclear officers receive, as well as opportunities for advanced degrees and education, Johnson said. The Navy can pay as much as $30,000 to sign up new nuclear officers and kick in up to $22,000 extra per year for commissioned nuclear officers. Military aviators can earn a $125 to $840 bonus a month, depending on the number of years they have served.
Some former military members note the Pentagon has successfully resolved similar human resources predicaments before, for example, in launching the Defense Department’s outerspace and Navy cruise missile missions.
“I don’t see any of this as being new,” said Dale Meyerrose, the intelligence community’s former chief information officer. Defense may look to duplicate the structural setup of the Joint Functional Component Command for Space, which, like Cyber Command is part of the U.S. Strategic Command. Headquartered in California, the space command works with a staff of only 240 to protect U.S. satellites, monitor adversaries’ space assets and support geographic combatant commands worldwide. “You know there are only so many space guys to go around,” he said.
What’s novel is the weapon of choice. “The bureaucratic process models are there,” said Meyerrose, who also is a retired Air Force major general and now serves as a private consultant. “You just have to figure out where the variances are from previous patterns that we use.”
Besides, the old stereotype of a skinny computer nerd stuck to a seat is a bit outdated, some former military officials say.
“You’ll find that there are a growing number of military and civilian people who are both physically strong and computer strong – and, in fact, I know some of those people,” said Gen. Harry Raduege, former director of the Defense Information Systems Agency. “And you wouldn’t want to mess with these people on either of these fronts.”
Raduege, currently chairman of the Deloitte Center for Cyber Innovation, added “You can’t even assume that these computer whizzes would be deployed forward.”
Physical strength might not be an issue for computer raids transmitted through networks. In those situations cyber troops could be stationed stateside or at supporting combatant commands and maybe physically disabled as long as they have the requisite mental skills.
“It’s a canard that you’ve got to have somebody who can run two miles in under eight minutes to be a cyberwarrior,” Meyerrose said. “I think that is an old way of thinking.”
The recently discovered Flame spyware likely is being spread to computers throughout the Middle East from afar, according to Kaspersky Lab, which identified the virus.
“You won’t need to have coders. If that’s the case, it’s just a matter of specialized training for a special operations soldier,” said Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare (O’Reilly Media, 2009). “They don’t need to be a computer engineer.”
Unleashing on-site cyber strikes, however, may take extra preparation. But similar feats have been performed before, Meyerrose said. All planning and targeting for Tomahawk land attack missiles, no matter where in the sea they are deployed and fired, is done from a single location on the East Coast, he said.
Tomahawk loaders, munitions technicians and pilots are forward deployed on Navy vessels, “but the relatively few and highly specialized mission planners and targeteers centrally support all geographic combatant commanders from the continental United States,” Meyerrose said.
And besides, the most physically threatening situations are always left to combat forces, note other former military officers.
“Countering more sophisticated threats is the responsibility of those with more advanced skills such as infantrymen and others,” said retired Maj. Gen. Charles Dunlap, who served as deputy judge advocate general of the Air Force before joining the faculty of Duke University Law School. “The military has something of a division of labor in that the infantryman expects the cyber geek, so to speak, to protect him from cyber threats, while the infantryman himself is responsible for defending his cyber comrades from other more traditional physical threats.”