19 May 2022

UNDERSTANDING—AND FIXING—THE ARMY’S CHALLENGE IN KEEPING CYBER TALENT

Chad Bates and Charlene Rose

Competition, mutual distrust, and glory combine to create Thomas Hobbes’s “state of nature,” a state of war with the tragic consequence that human life is “solitary, poor, nasty, brutish, and short.” The current competition for cyber talent among entities within the United States government and the private sector exhibits many Hobbesian characteristics as organizations engage in the grisly battle over scarce and precious resources. Despite the expressed support from government leaders for a whole-of-society cyber strategy to streamline lateral linkages across agencies and levels of government, the hypercompetitive war for cyber talent remains, creating an environment that is nasty and brutish—just like Hobbes’s state of nature. Of course, talent in any field is a scarce commodity worth competing for, but this small supply of cyber talent in the United States increases the severity of these attacks by limiting the options government and commercial organizations have in responding to and defending against this increasing onslaught of malicious attackers.

Success in cyberspace is not just about having the latest technology—the talented human beings that creatively use the technology to create effects in and through cyberspace are what provide the United States with its strategic advantage in cyberspace. However, the ongoing competition over cyber talent in the United States makes it extremely difficult for government and private sector organizations to sustain their competitive advantages because mature and experienced human capital is increasingly in short supply. Unfortunately, the talent competition puts mid-sized and smaller organizations, and the US government, at a disadvantage because they struggle to attract and retain the necessary talent to maintain a competitive advantage in cyberspace.

However, the human dimension is only a fraction of the strategy. To counter and defeat complex adversaries, who are increasingly sophisticated and multidimensional, the overall US cybersecurity strategy must leverage innovative technological solutions, maximize cyber human capital, and continuously evaluate and assess these threats with an evolving and dynamic strategy. While innovative technical solutions and evolving threat assessments receive considerable attention, cyber human capital efforts are inconsistent and challenging. Without properly skilled people to conduct threat assessments or to employ new technologies, cybersecurity efforts will remain mainly reactive and uncoordinated. To be effective, the United States must leverage its cyber talent across all sectors to meet evolving cybersecurity demands that are critical to actively enabling the National Cyber Strategy.

The Cyber State of Nature

Within the United States, there is a highly competitive talent marketplace for cyber professionals, giving talent a high level of control over where and how they work. To compete for this talent, the US government has had to partake in this marketplace. However, the mechanisms of government hiring and the inflexible pay and promotion cycles have exacerbated the cyber talent shortage within the governmental ranks. Organizations within the US government cyber ecosystem are engaged in cutthroat competition against one another for a limited pool of US citizens with the requisite skills, education, ability to acquire a government security clearance, and—most importantly—a desire to serve and defend the nation in cyberspace. In essence, the battle for cyber talent is like Hobbes’s state of nature: chaotic and anarchic.

What we can learn from Hobbes is that absent a social contract—between the governed and the governing—that legitimizes a sovereign power and the rule of law in exchange for personal guarantees of safety and protection, order will never be achieved. And while there is much to debate about Hobbes’s choice of an autocracy or monarchy as the ideal solution to the state of nature, he is still appreciated for identifying the benefits of a communal, centralized defense against foreign threats. For Hobbes, an anarchic world characterized by violence and chaos is susceptible to foreign aggression and takeover, and it is only when a central authority provides for the collective defense that safety is ensured. Alexander Hamilton reiterated in Federalist No. 8, “The perpetual menacings of danger oblige the government to be always prepared to repel it.” Taking Hobbes and Hamilton into account, the US government should be united in its effort to deter and defend against malicious cyber activity instead of getting distracted from this goal by leaving organizations to compete with one another for limited talent.

USCYBERCOM and Defending the Nation

Defending the Department of Defense’s information systems and strengthening the nation’s ability to withstand and react to a cyber attack are some of the main focuses of United States Cyber Command (USCYBERCOM). As an organization, USCYBERCOM leverages the talent of the service cyber commands’ capabilities to protect the nation’s critical systems and infrastructure, while also holding adversary assets at risk and imposing cost when necessary. These organizations also pull from the same pool of cyber talent as the rest of the government and private sector organizations. Overall, this makes recruitment into the cyber workforce difficult and retaining them even more challenging due to the market competition.

USCYBERCOM leverages many tools and unique infrastructure to meet its mission, but it prioritizes cyber talent because a skilled workforce ready to respond and defend the nation in cyberspace is often the limiting factor of operations. China is on track to produce double the number of high-end STEM graduates the United States does by 2025, and could arguably produce the same ratio of qualified cyber professionals in a single year. Additionally, the 2020 Homeland Threat Assessment highlights how China is actively recruiting outside talent and seeking foreign actors to support China’s objectives in cyberspace. It is employing aggressive tactics to grow and diversify China’s capabilities in cyber-related fields beyond its organic workforce, and the United States should be concerned.

To counter China’s growing cyber capacity and other foreign threats, the 2018 Department of Defense Cyber Strategy established a proactive approach to homeland defense in cyberspace. USCYBERCOM’s strategy of defending forward is designed to halt malicious cyber campaigns that threaten US military superiority by intercepting and halting cyber threats and “by strengthening the cybersecurity of systems and networks that support DoD missions.” Defending forward shifts USCYBERCOM’s posture from a defensive one to the offensive and moves the point of conflict closer to adversarial networks. Doing so meets the intent of USCYBERCOM’s commander, General Paul Nakasone, who envisions a persistent cyber force that imposes greater costs on adversaries and their decision calculus. To achieve US national security goals, the strategy of defending forward and persistent engagement implies that USCYBERCOM needs to maintain a mature, experienced, and capable cyber workforce nested within the broader US cybersecurity ecosystem.

US Cyber Talent: An Army Snapshot

Despite the universal shortage of cyber talent, the Army does attract highly qualified personnel. In internal Army analysis that hasn’t been publicly released (and research supported by RAND), the Army has identified that within its cyber operations specialty, 23 percent of Army enlistees possess a bachelor’s degree and 35 percent achieve scores in or above the 93rd percentile on the Armed Forces Qualification Test. Additionally, the average age for new cyber recruits is twenty-three, far older than the traditional eighteen-year-old enlistees that join right out of high school. For the officer corps, commissioning as a cyber operations officer is extremely competitive, with nearly 7,500 individuals competing for roughly 120 annual available cyber slots. To augment this process, the Army has successfully been accepting direct commissions for over five years, which has proven Army Cyber Command’s ability to bring in highly experienced and advanced degree–holding professionals at higher ranks.

All potential candidates for cyber operations positions take assessments and undergo extensive interviews to assess their skill sets and abilities. Upon selection, the entry level and professional military education required after assessing as a cyber operations enlistee or officer is lengthy and rigorous. Those assessed as most qualified are given the opportunity to attend additional schooling and training to become interactive operators, or Army hackers. These students end up receiving around $500,000 in specialized education over the course of nearly three years. However, the challenge for the Army after educating and training this highly effective cyber workforce is retaining them beyond their mandatory service commitments.

The Understaffed US Cyber Workforce

According to Cyber Seek—a project supported by the National Initiative for Cybersecurity Education, a program of the National Institute of Standards and Technology in the US Department of Commerce—the total employed cybersecurity workforce in the United States consists of a little over a million people. Currently, there are nearly six hundred thousand vacant positions (public and private organizations), a figure estimated to grow significantly through 2025. Overall vacancies in the US government are not publicly available—a search on USAJOBS for roles within data or IT will show over ten thousand results, but only 480 for cyber. From a recent Government Accounting Office report, this is because many governmental organizations have yet to properly label their positions based on updated guidance. Overall, the competition for qualified cyber personnel is extremely high and should be a shared burden across US government organizations and better coordinated with the private sector throughout the United States.

Research conducted by RAND found that retention of the cyber workforce in the military is a particular problem since the more skills and experience these cyber warriors gain, the more marketable they are and the less likely they are to stay within the force. Because of the education and training military cyber professionals receive on globally recognized standards, they can easily translate their military service experience to civilian careers. Unlike infantry soldiers, for example, the skills acquired on active duty by cyber soldiers are skills that directly correspond to civilian work roles, enabling soldiers to transition from military service into high-paying, competitive careers more easily than their infantry peers. The problem for DoD is how to incentivize its cyber workforce to stay on active duty and how it can compete with the broader US government and private sector to retain talent. General Nakasone indicated that retention was one of his top priorities for USCYBERCOM in a recent congressional hearing.

Why is the Army’s Cyber Talent Leaving?

Overall, according to an internal and not publicly released survey of US Army Cyber Command’s cyber workforce in 2019, the top three factors that would encourage Army cyber personnel to stay in the military were the opportunity to focus on their mission (which they really enjoyed) without administrative distractions, greater time to build their tradecraft and receive additional training, and improved compensation and recognition for their work. Their responses indicate that the military’s mission resonates with service members and their civilian counterparts, and this is one of the reasons they joined the service. The survey also indicates that a factor in their decision to leave after their contracts or service obligations expired was their inability to focus on the mission or tradecraft (i.e., time spent on keyboard) due to the constant distractions from administrative requirements. This is difficult for a force that has an extremely high operational tempo and is constantly on mission.

Respondents indicated a desire for more opportunities and time to build mastery, like improving tradecraft and learning new skills; time to take advantage of professional development opportunities; time to tinker with mission-related projects and to develop innovative approaches to mission-related problems; and time to attend conferences and training to expand their knowledge and networks. This also included a desire for clear and concise career and professional development plans that demonstrate the Army’s willingness to invest in their progression and development throughout their careers. As indicated above, a challenge to providing these opportunities is the high operational tempo of cyber missions for personnel that are fully qualified in their work roles and experts in their fields, since mission requirements have a higher priority for time than self-improvement initiatives. Therefore, finding a more appropriate balance between mission requirements and personal development is critical for cyber personnel moving forward because it will build a better workforce and provide opportunities to decompress and grow outside the demanding cyberspace environment they constantly work within.

Compensation and recognition also play a role in Army retention numbers. Respondents leaving the Army were, in many cases, leaving for higher paid work roles in the private sector. Additionally, recognition for work well done, innovation and research, and obtaining new skills is typically rewarded with a bonus, an award, or a raise in the private sector. Unfortunately, this is usually unavailable in the Army due to the egalitarian human resources restrictions and the limited capacity to provide bonuses outside reenlistment or specific skill compensation packages. While the Army is leveraging many tools to partially mitigate the differences in compensation packages with the private sector, survey responses indicate that despite loving the mission, they thought they have better job opportunities and compensation out of uniform.

Finally, an underlying concern indicated in several questions by respondents is autonomy. The military structure is inflexible and despite finding purpose in their work, the survey indicates that soldiers want more say in their careers and life. Family stability and quality of life are important to all service members but for the cyber workforce, it presented as a major factor in the respondents’ choice to leave the military. Researchers have found that highly skilled and educated people increasingly marry other highly skilled and educated people, making the military model of permanent change of station moves every three years, on average, a unique hardship for those in two-career households. Even though Congress passed the “Military Spouse Employment Act of 2018,” the opportunities for spouses guaranteed under the law are mostly low-skilled jobs that require a high school education. Therefore family-centric quality of life concerns remain a top reason that respondents cited in their decisions to leave military service.

It is important to note that not all private sector cyber professionals are happy and satisfied with their work or employers. In fact, they have concerns that are strikingly similar to their military counterparts: cyber professionals in the private sector cited career advancement, competitive compensation, and leadership’s commitment to cybersecurity as the top three factors affecting job satisfaction and their decisions to leave their organizations. The 2019–20 Nelson Frank Salary Survey also found career development and compensation as the top two reasons for job dissatisfaction among cyber professionals. Another survey, LinkedIn’s 2018 Workforce Learning Report, found 94 percent of personnel would choose to stay at a company longer if it continuously invested in their career development. And finally, the 2020–21 Nelson Frank Survey found that personnel considered leaving their current employers if there was a lack of career and promotional prospects or a low salary or earnings potential. Workers also cited a desire for new challenges as a reason for leaving their current or past employers. When employees had their needs met, it led to increased motivation, job satisfaction, and sense of being valued. Ultimately, the result of happy and engaged employees is intuitive: lower turnover rates and better productivity.

What Can the Army and the Rest of the DoD Do?

In Daniel Pink’s book, Drive, he suggests that employees are much more likely to stay with their employers if their jobs provide them with three things: autonomy, mastery, and purpose. This is especially true with highly talented employees that work in cognitively challenging roles. Autonomy is important because it signifies trust in employees’ ability to effectively manage their time to meet mission needs and desired outcomes. Mastery, and the resources to achieve mastery in their fields, is important to employees because it indicates employers’ willingness to invest in their employees and their professional development. Finally, purpose is like mission, and when the purpose of work is successfully communicated to employees, they can apply meaning to their own work, allowing them to understand how their contributions impact overall mission accomplishment. For DoD to compete for cyber talent, it should seek to provide autonomy, mastery, and purpose for its cyber warriors.

No comments: