SAN DIEGO — Saddled with budget cuts and prospects of a smaller force, the military services must find ways to build a specialized cyber force equipped to juggle rising threats from attacks on defense networks, several senior U.S. officers told a defense conference Wednesday.
Bad timing is partly to blame. Coast Guard Rear Adm. Marshall B. Lytle III, head of the U.S. Coast Guard Cyber Command, noted that a downswing in the budget, as well as sequestration cuts, happened just as the services were building up their cyber capabilities and cyber forces designed to counter the growing threats and vulnerabilities to networks.
“We recognized that cyber is taking more and more of a life of its own,” Lytle, assistant commandant for C4IT, said during a panel discussion on gaps and seams in cyber security on the first day of the West 2016 conference, cosponsored by the U.S. Naval Institute and AFCEA International. “We are giving (cyber) more and more emphasis and more and more focus…, but our resources pool has not grown. In fact, the resources pool in the Coast Guard has shrunk in recent years.”
The Coast Guard established a task force several months ago to look at how it should change and incorporate cyber into its structure and mission sets, “and not treat it as a separate thing we have to deal with,” he said. A report is expected by August. The Coast Guard’s overall human capital strategy, released in January, defines the cyber workforce, training and skill sets needed, Lytle said.
The services are in the process of developing a clearer strategy and vision for their respective cyber forces. “Human capital strategy has to be informed by strategy,” said Vice Adm. Jan E. Tighe, who commands 10th Fleet and U.S. Fleet Cyber Command. But “today we’ve taken skill sets, and in some cases stretched them really thin across multiple different types of roles.” The Navy needs to look at manning, rating and NEC, or naval enlisted classification, sets. “We definitely have our work to do there,” she added, noting the commander of Naval Information Forces “will have a huge role in developing that strategy, informed by operations.”
Much discussion among top leaders centers on “what does it mean to build that cyber warrior, not only today but for the future?” Brig. Gen. Dennis Crall, the Marine Corps’ chief information officer and C4 director, told the audience. “We’ve got to have the right workforce to get there.”
But as they grow their forces, the services face tough competition to recruit and retain cyber warriors. The Marine Corps is short in some skill sets, Crall said, and “this becomes more of the Hunger Games for us.” The Marines compete with the other military services as well as federal agencies like NSA, and they have to select the right people rather than just go after anyone with certain credentials to fill mission-critical skills and billets. “You need to tailor your retention plan around those high-demand/low-density people. Making that identification is something that we are still doing,” he said.
The Marine Corps is taking a serious look at the training pipeline and ways to recruit and retain skilled Marines as well as its civilian workers, “and keep that talent pool where we need them,” Crall said. But “it’s not clear to me, in looking at our own enterprise, that we are investing in the right people in the right places at the right time.”
Rob Foster, the Department of Navy’s chief information officer, said “we have to figure out how to recruit people on a higher cycle rate, we have to think about how we can reward those people on the compensation side, and we have to retain them.”
One audience member, a former Navy cyber inspection team member, said sailors well-versed in cyber security in undermanned crews often are pulled in many different directions and simply don’t have time to do every task their job demands. Some opt to leave the service. With only a portion of the cyber force focused on defensive operations, Tighe responded, “we have to get after how to manage the force in a way that allows us to take advantage of their expertise and is more deliberate than what we have today, for both the operation of our network and the defense of our network.”
Adding to the stress, tight budgets strain the funding available to train and educate the cyber force. A common line of thinking and practice is “keeping our folks on mission is some of the best training we have for them. In some cases, it doesn’t go far enough,” Tighe said. The Navy needs more of a “persistent training environment that allows new and different kinds of threats that go beyond what operators are dealing with on a daily basis.” The command is looking at how it can provide that training environment, although it may not yet provide the higher level of expertise and skill of, say, a nuclear-trained force.
“It took us a long time to get to where we are in the nuclear world,” noted Vice Adm. Ted Branch, director of naval intelligence and deputy chief of naval operations for information dominance, N2/N6.
For the Coast Guard, “a first step is we’ve got to get the force defined, so we can support career paths and keep them interested, so when they get the skill set they stay in that skill set, and continue to use it,” Lytle said. “Someone could go cradle-to-grave in their career within that area, maybe honing their skills over time as they move up within the chain.” Exercises such as Cyber Guard let them “train as they fight” on a more regular basis, he said, but “we’re not quite there yet.”
Panel members agreed that cyber must become part of training exercises and professional military education. “We have to change that culture,” Lytle said. The Coast Guard is looking to include some type of cyber training at every accession point and in commanding officer classes, he said, and U.S. Coast Guard Academy students get a week’s worth of cyber training during their junior summer “just so they can understand what it is.”
Much like knowing how to plot a search pattern or identify sea states, “we have to have some set of a basic understanding of cyber, too, so every time they plan an operation, every time they… work joint, they understand that cyber is a consideration” along with other warfare domains, Lytle said. “Every training event ought to have a little cyber flavor.”