14 June 2018

THE DEATH OF THE CYBER GENERALIST

By Patrick Bell and Jan Kallberg 

DoD will continue to struggle to develop and employ effective cyber capabilities if it continues putting old wine in new bottles – applying a bad personnel model to the cyber force. The Department of Defense (DoD) must abandon its “up-or-out” promotion model for cyber forces. It should let competent officers hold their positions longer. Applying the outdated Defense Officer Personnel Management Act’s (DOPMA) staffing model to the cyber force is foolish, and makes it difficult to keep experienced, technically-proficient cyber officers in the military. DOPMA’s prescribed career paths entail officers’ attendance at a variety of schools, with several rotations through geographical areas and work domains. In the process, domain-specific knowledge that would allow officers to lead and understand the impact of their various choices in a technically complex and ever-changing environment evaporates. In a world of increasing complexity, shortened windows of opportunity to act, and constantly-changing technical environments, the generalist leaders that the DOPMA system yields may doom the military’s cyber force to failure.

While conventional forces consistently prepare for war, cyber forces are continuously engaged in cyber war. Therefore, rotating cyber officers through assignments according to a staffing model designed for a pre-email world reduces readiness and increases risks. Allowing one individual to hold a position for five or more years will significantly improve operational readiness. Exempting the cyber force from mandatory positional and geographic moves will help build and maintain a more effective future force and will reduce a factor leading to attrition in combination with differences in pay for skilled cyber personnel compared to the civilian market.

Senator John McCain described the old model as an outdated, “overly rigid system that is increasingly unable to cope with the demands of the modern force.” He said DOPMA was designed “to turn every officer into the military’s next general,” and pointed out that “not every officer wants or needs to be a general.” While the Senator’s comments referenced DOPMA’s impact on pilot shortages, it negatively affects the cyber force too.

The current approach to officer development seeks to create general managers, a concept that became popular in the early twentieth century. Best embodied by the “Taylorism” approach to “scientific management,” general managers lead supervisors of teams of specialist personnel who perform tasks that are both easy to understand and to monitor. General managers usually get to this level through an up-or-out promotion system. Thus, the general managers understand a wide range of productive activities, with a deeper understanding from personal experience working at lower levels in one or more specialized areas. Essential to building and maintaining understanding is that the skills and knowledge underlying production tasks do not change frequently.

Although general management as an approach to leadership works well in many work environments, it is wholly unsuited to cyber operations, in which knowledge is perishable, and activities are arcane and often invisible to anyone but the experts. Officers who are military generalists cannot be technically-aware enough to lead cyber operations, and may therefore become irrelevant, deferring judgment to subordinates who have the necessary skills.

The question is, what is more important: maintaining an Industrial Age, Taylorism-inspired staffing model or mission success? Are we ready to risk cyber defeat because of an institutional path dependency or would we be better off adapting to modern needs by providing relevant leadership in a critical domain?

Abandon up-or-out for cyber

The priority strategic goal of the 2015 Department of Defense Cyber Strategy is, “build and maintain ready forces and capabilities to conduct cyberspace operations.” Those forces include leaders who must be not only technically-competent, but also long-experienced in a rapidly-changing field. While the military is frequently cited as falling victim to the Peter Principle, nowhere is the danger of promoting leaders beyond their range of competence more pronounced than in cyber operations. Cyber leaders face increasing speeds of execution and greater technical complexities, with decreasing reaction times in which to make consequential decisions. If they are inexperienced, technically-unaware, or unable to grasp the complexities at a system level, and lack understanding of the networked structures they face, they will essentially be irrelevant, forced to turn to subordinates who have the cyber skills they lack.

The up-or-out system develops generalists by rotating leaders through a labyrinth of assignments and professional development schools designed to yield leadership expertise. For the cyber force to develop, it must train and retain highly-skilled leaders who specialize in cyber warfare itself. The civilian world employs mature and seasoned cyber leaders, with technical competence in cybersecurity, the ability to judge quickly, and the capacity to see through the digital fog of war to grasp the bigger picture. It does not follow an up-or-out model because corporations cannot afford to take risks or bear losses resulting from cyber-attacks. Even other government agencies do not follow the military’s model; for example, the Securities and Exchange Commission does not permit such jeopardy with other people’s money. The military’s approach to cyber personnel is akin to a hospital staffed by general practitioners who must rotate through different specialties such as cardiology and oncology every two to three years.

One of the cyber field’s most respected thought leaders, Dan Geer, argues that the era of cyber generalists (if there ever was one) has ended and that the rate of technological change warrants specialization. To its credit, DoD created U.S. Cyber Command and elevated it to the unified combatant command level. “Each branch of the military services has come to the conclusion that cyber is a mission set that requires dedicated expertise over time,” according to Navy Admiral Michael S. Rogers, U.S. Cybercom’s former commander. However, the DoD will continue to struggle to develop and employ effective cyber capabilities if it continues putting old wine in new bottles – applying a bad personnel model to the cyber force.

In the cyber domain, operational approval authority frequently lies with the President, the Secretary of Defense, or a geographic combatant commander. Cyberspace is itself unique and four characteristics make cyber conflict especially challenging: the lack of object permanence, limited measures of effectiveness, computational speed of execution, and anonymity. Within cyberspace, nodes, networks, and communication links can change, mix, and disappear, like a bubbling digital kaleidoscope. Processes remain valid over time, but most of the domain-specific knowledge quickly becomes obsolete, if it is not maintained and married with experience. Accordingly, cyber preparedness requires not only forensic skill but also sustained field time.

A lack of object permanence within cyberspace undermines traditional maneuver thinking. The inability to assess battle damage – of friend or foe – impedes feedback to decision-makers. The increased velocity of engagements reduces time to assess and respond, and can quickly compound errors leading to cascading effects. The cyber combat environment does not permit full awareness of the battlespace. There is also great uncertainty of the actual events unfolding, and decisions have to be made based on judgment, using the combined experience of the unit. There is a limited time to act at critical junctures. Experience supports fast decision making and ability to align the efforts of the organization with the mission.

Finally, network-based anonymity increases the risk of cyber friendly fire incidents and of unanticipated escalations, which could spill into other domains and mitigate both initiative and restraint.

Military command, control, computers, communication, and intelligence (C4I) follow the steps of observing, orienting, deciding, and acting (OODA), as described by John Boyd in the 1960s. Thousands of officers are trained every year for a structured environment which feeds the so-called “OODA-loop,” by creating deliverables to help leaders make well-informed decisions. In cyber, these structured flows can be lacking or less obvious. This creates a serious risk if inexperienced leaders make spurious assessments based on fragments of reality. They may therefore forfeit decisions to subordinate subject matter experts, who may or may not be experts. This all-too-frequent occurrence translates not only into failed leadership, but also into a failed leader development model. The United States risks losing its competitive edge in cyber thanks to an obsolete model which feeds inexperienced leaders into a technically-complex apparatus, one which operates in a space that is still developing, and which is not well-understood, at a juncture when technical failures can quickly become major national security risks.

The up-or-out personnel model also wastes valuable resources. When service-members with highly-valued private sector skills are offered undesirable military assignments, they are more likely to leave the military. This is especially true for those with 15-plus years of service, who can retire as young as their mid-30s, right when they are most marketable for lateral entry into a second career.

It is worth noting that its newness and specialization make the cyber force less reliant on the traditional “warrior caste” to fill its ranks. Because of the unique opportunities and authorities for cyber warriors, “the mission attracts most” of DoD’s top cyber talent, according to General Paul Nakasone, Commander of U.S. Cyber Command. However, policies to retain infantry officers, who also have unique responsibilities and authorities, may not be sufficient to keep elite computer programmers and hackers in uniform. Their skills transfer more easily to corporate America.

The DOPMA model exacerbates an existing shortage of experienced, mature, and able cyber officers. It continuously develops expertise and infrequently employs it. Requesting exceptions to DOPMA would go a long way towards letting “nerds be nerds” to paraphrase Chris Lynch, director of Defense Digital Service. For the military as a whole, cyber superiority does not come from how much money is spent; it comes from how well duties and tasks can be performed. In cyber, the up-or-out model costs too much to justify itself.

An alternative approach

We can look to other nations for different and successful models of personnel management. Numerous nations use personnel systems based on the regimental model, which empowers unit leaders to choose the best team for the mission. In it, most officers do not rotate to other units during their early careers. For example, infantry officers begin their careers as platoon leaders, get promoted to battalion headquarters, and only become company commanders after 10 to 15 years of service. Compared to DOPMA, the regimental system puts less pressure on officers to move up quickly and lowers their threat of involuntary separation for not doing so. Retention is systematically more highly-prioritized. The regimental system also develops early and mid-career officers into experts in their fields, instead of generalists.

The Falklands War of 1982 demonstrates how the British regimental system offered a significant leadership advantage over the Argentinians’ industrial leader staffing model in harsh conditions of great uncertainty. The Argentinian Army assigned its officers to units based on quantifiable metrics, using a centrally-controlled rotation system such as the U.S. Army’s Taylorism-inspired model. The British regimental model, however, created the unit cohesion, trust, and expertise needed to succeed.

Adopting a strict regimental model across the cyber force would be unrealistic, but there are lessons and elements of it that can be applied to improve existing processes. One is that there is no disgrace in being a specialist/expert officer as a warfighter. 

There is no instant fix or replacement for the DOPMA model, but we want to raise awareness of the risks and costs of the current talent management approach. At a minimum, DoD should grant specific exceptions to DOPMA for the cyber force, similar to those made for military lawyers and doctors. 

Military Taylorism, the scientific management model that drives DOPMA, is a misfit in cyber, where leaders are not interchangeable. The Army has a long history of scientific management and optimizing officers, resources, and tasks through a quantified, systematic approach. Yet in cyber, this path dependency can be a liability and a vulnerability, in a field where technological advantages are short-lived or nonexistent. It demands technical experts as leaders and as subordinates.

Technically-competent cyber commanders who are empowered to choose their own teams would be better able to assess the strengths and weaknesses in them and to adjust accordingly. Giving them such license would require reconciling the present conflict between administrative and operational control over these officers. Operational commanders should have the most influence on their people’s career trajectories.

Lengthening assignments to provide cyber officers stability could allow them to recruit or develop the skills needed for their specific missions, but DoD’s model does not allow most commanders such input regarding their subordinates. Its approach only works for interchangeable personnel. When specialized skills are required, however, a regimental model encourages better recruiting and a deeper commitment to specialized development. The service-member can master a skill set and contribute it to the mission for a sustained period.

Conclusion

Empowering the cyber force to allow operational unit commanders – not a personnel command or a Congressional act – to dictate manning decisions will improve America’s cyber forces’ readiness and expertise. The current assignment model hands our adversaries an advantage by weakening our defenses. It is time to address this vulnerability. Granting the cyber force exceptions from DOPMA will make DoD more responsive to cyber threats, will increase the experience of its cyberwarriors, and will reduce the rotation-based turnover which encourages skilled practitioners to leave the military. Generalists have their place, but in cyber, specialists need to keep the pace.

Patrick Bell is a Major in the US Army, and Jan Kallberg is an Assistant Professor at the United States Military Academy. Both are Research Scientists at Army Cyber Institute at West Point. The views expressed in this article are those of the authors and do not necessarily reflect those of the Army Cyber Institute at West Point, United States Military Academy, U.S. Army War College, U.S. Army, or Department of Defense.