Information Warfare: Better Sorry Than Safe

Archives

February 13, 2013:   U.S. Cyber Command (USCYBERCOM) has been operational for two years now and it is encountering some serious problems in recruiting people qualified to deal with the enemy (skilled hackers attacking American networks for whatever reason). People in the software and Internet security business have been telling Cyber Command leaders that they will have to change the way they recruit if they want to get qualified people. That means hiring hackers who lived on the dark side (criminal hacking) at one point or another. Such recruits would not pass the screening usually given to potential government employees who would be handling, and protecting, classified information and critical Internet systems. Few government officials are willing to bend the rules, mainly because no one wants to be responsible for some rogue hacker who got hired without the usual screening. It’s safer to go by the book and use that for your defense when the inadequate recruiting effort leads to a major Cyber War disaster.

Cyber Command is headquartered in Fort Meade (outside Washington, DC), most of the manpower, and capabilities, come from the Cyber War operations the military services have already established. Within Cyber Command there are some smaller organizations that coordinate Cyber War activities among the services, as well as with other branches of the government and commercial organizations that are involved in network security. At the moment Cyber Command wants to expand its core staff from 900 to 4,900 in the next five years. Twenty percent of those new people will be civilians, including a number of software specialists sufficiently skilled to quickly recognize skillful intrusions into American networks and quickly develop countermeasures. That kind of talent is not only expensive but those who possess often have work histories that don’t pass the normal screening. These are the personnel Cyber Command is having a difficult time recruiting.

The big problems are not only recruiting hackers (technical personnel who can deal with the bad-guy hackers out there) but also managing them. The problem is one of culture and economics. The military is a strict hierarchy that does not, at least in peacetime, reward creativity. Troops with good technical skills can make more money, and get hassled less, in a similar civilian job. The military is aware of these problems, but it is slow going trying to fix them.

There have been efforts to fix things. Five years ago, the new U.S. Air For Cyber Command asked for some leeway in recruiting standards and military lifestyle, in order to get the kind of airmen they needed. In a word, the air force wanted geeks, and many of the recruits being sought could not pass the physical fitness test or tolerate the usual military discipline. The more expensive (and increasingly unaffordable) alternative was hiring Internet engineers and hackers as civilian contractors. The air force has, in the meantime, raised its standards for physical fitness, making it more difficult for out-of-shape geeks to get in. But the air force has noted that some hackers are late bloomers. Since air force recruits are the brightest and best educated of all the services, it's been decided to try and identify and train Internet techs from among the new airmen, and then attempt to keep them in for more than one four-year enlistment.

Actually, most military personnel these days could just as well be civilians. Armies have always had civilians along, to perform support functions. The historical term is "camp followers." In times past the ratio of civilians to soldiers was often much higher, something like eight civilians for every one soldier. Only the most disciplined armies (like the ancient Romans at their peak) kept the ratio closer to one to one. But when conscript armies became common in the 19th century, it was suddenly cheaper to replace many of those civilians with conscripts (who were paid a nominal wage). Now that armies are going all-volunteer, it's gone back to the old days, where it's cheaper to have civilians perform a lot of support jobs. This is a trend that's been going on in the American armed forces even before conscription was eliminated in the early 1970s. The effort to recruit more Internet geeks will end up gathering up more camp followers, who will stay "in the camp" to do their job and never need venture into a combat zone where the warriors are working. But the competition from the civilian economy for these highly skilled support personnel is something the ancients didn't have to worry about.

All current Cyber War operations are dependent on contract workers (civilians) for their top technical talent. There is always a shortage of these people, partly because they have to be capable of getting a security clearance. A lot of otherwise qualified technical personnel won't even apply for these Department of Defense jobs because a background check might reveal earlier hacking misadventures they would rather keep secret. Meanwhile, the Department of Defense has assembled a growing group of civilian Cyber War volunteers. Not all have security clearances but in the event of a national Cyber War crisis, that would be less of an issue.

Cyber Command remains partly blinded because it does not have sufficiently skilled people at the heart of their operation who could quickly detect, evaluate, and quickly organize responses to major hacker attacks. At the moment, the most knowledgeable people are working elsewhere (software firms, usually) and have to be asked to help out and are usually nowhere near Cyber Command headquarters.