Air Force Cyber Mission Success Depends on Cultural Change
As the U.S. Air Force develops its computer security forces, it finds itself caught in a web of ineffective policies and generational conflict. The arrival of people who have grown up in the information age exacerbates the 21st-century generation gap. Fortunately, a clear understanding of the root causes of problems illuminates sound models that can be evaluated and adopted to support the success of Air Force cyber.
The service has seen a mass exodus of talented cyber professionals over the past few years. Many leave because they are frustrated with Air Force cyber’s constraints and flawed policies. Although not typically the driving factor, pay for industry jobs is often better, further encouraging departure.
Those who do stay struggle to effect change. Often, they advocate good ideas, and their opinions are supported by peers and leadership, but generally people who can enact change cannot be identified. Ideas are floated from office to office, and seldom is action taken to resolve mission needs. The common policy modus operandi is a shortsighted checkbox mentality to appease leadership rather than to stop broken processes and evaluate where policies and procedures do not make sense or are barriers to mission needs.
At the heart of the military’s problems in cyber is culture. A careful look at effective cyber organizations, including an evaluation of how U.S. agencies can mimic their cultures, must be the first step in solving problems.
One Air Force cyber leader, Joy M. Kaczor, states, “With the introduction of the cyberspace domain, the Air Force culture must evolve to truly embrace cyberspace operations and integrate it into the full spectrum of operations.” Another leader, Capt. Robert M. Lee, USAF, states the U.S. Air Force cyber community is failing for a fundamental reason—the community does not exist (SIGNAL Magazine, November 2013, page 56, “The Failing …”). Kaczor and Capt. Lee identified the following: Few professionals within the military understand cyber technically. More fundamentally, they do not understand the culture.
Lt. Col. William D. Wunderle, USA, goes into great detail about the importance of understanding culture in his study, “Through the Lens of Cultural Awareness.” Col. Wunderle’s focus is on errors made from cultural ignorance in past U.S. military engagements. He states, “A lack of cultural awareness among American forces has led to an increase in animosity among many Iraqis and contributed to a negative image of the U.S.” This can be said of any party’s cultural ignorance toward another.
Similarly, Air Force leadership has not understood the culture of cyber, in large part because cyber is a completely different paradigm with a completely different culture. Cyber professionals think differently, learn differently, follow authority better with atypical motivations and expect an unparalleled level of autonomy. For Air Force cyber to succeed, significant changes need to be made culturally, executively and in training to draw the right people at both technical and leadership levels.
Misunderstanding this culture has had a wide range of consequences on everything from hiring to training and assigning job roles. One Air Force cyber unit touted as successful was given the task to grow more units like its own. Funding and staffing were more than doubled, and a spree of civilian hiring took place. This led to large disparities between requisite skills and new hires’ backgrounds. The newly hired civilians were not interviewed; although their resumes looked great, many struggled to perform with technical proficiency a year later.
Capt. Lee states that through its actions, the Air Force has shown it considers cyber skills all the same, with the separation being described as offense, defense or intelligence. This lack of specialization, functional separation and training investment adds confusion that will hamper the mission (SIGNAL Magazine, February 2015, “Saving the Air Force Cyber Community”).
New hires come from a variety of backgrounds, and some comment, “I don’t understand or care about cyber … it’s just a job.” In the flying community, this attitude might get someone killed, yet cyber, unfortunately, has neither adopted the culture to weed out these people nor cultivated the interest of the right people. What Air Force cyber has done under the guidance of the Air Force Space Command is implement strict hard-line training policies with little margin to pass examinations and a checkbox mentality geared to the lowest skilled denominator, appeasing policy and leadership. Mission qualification criteria are mind-numbingly detailed but technically simple. Test rigor derived from specific processes bears little impact on operations, and test criteria disqualify many cyber operators.
Along with numerous instances of subjectivity in rating candidates’ skill sets are test development problems that lead to unnecessary failures.
Because of these continued problems, many subject-matter experts have left. In one cyber unit, over the past four years, 80 percent of its top cyber operators separated when able. Some left for better pay. According to a former top cybersecurity expert at NASA who now works at Google, the typical starting salary for a comparable job in private industry is about $155,000—the maximum he could make working for the federal government.
However, the underlying problem is less apparent. The younger generations that embrace cyber culture already are everything the government is not: fast-moving, restless for change and entrepreneurial. Many cyber technical personnel tire of dealing with frivolous processes and policies that impact their ability to work and consume most of their time. It’s only natural that they might entertain other options. One federal employment survey found that at many offices, half the staff members think of leaving.
The growing federal cyber work force has more nontechnical than technical members who have extensive federal backgrounds and are well-versed in writing policy and doctrine. They churn out vast amounts of documentation, ensuring job security, but produce wordy, complex policies that create technical and operational barriers and further drive away talent. Many people within top cyber units agree that the system is broken. But they also offer a resounding statement: This is the government. Did you expect it to work or be any better?
Actually, yes. Cyber culture expects to be able to fix it.
Recent research reflects the consequences of a culture that refuses to evolve: Young talent, and motivation, withers. A study of young federal employees from fiscal years 2009-13 showed that work force age demographics are shifting rapidly. The number of federal employees under age 30 is dropping precipitously, from 11.4 percent of the work force to 8.5 percent.
The solution is to fix the root cause—culture. This can be accomplished with the three-tiered approach outlined by career analyst Daniel H. Pink, the best-selling author of Drive: The Surprising Truth About What Motivates Us. The three components Air Force cyber requires to be successful are autonomy, mastery and purpose.
Air Force cyber needs to provide autonomy via a laboratorylike environment. Cyber operators should have direct access and full authority to bring about change and train on equipment to hone skills. Also, Air Force cyber’s leadership model must allow decision making at the lowest level appropriate. Higher leadership would request end products or deliverables, giving authority to unit leadership for decision making to train and direct operations.
Skill mastery is accomplished by allowing time to train and research, with unfettered access to information on the Internet. For a sense of purpose, these operators need a tangible and finite goal. This can be achieved through competitions that drive deeper levels of learning and higher performance.
Unit and leadership models must be redefined. Four successful models already developed would improve the operational and strategic goals of Air Force cyber.
First, cyber needs to be quick, lean and efficient, clearly focused and organized for success, with leadership as smart and as knowledgeable as operators—similar to Special Operations Command (SOCOM). SOCOM is “unique because it can act as a supporting or supported command, and it has its own budget authority and program objective memorandum,” says Paulette M. Risher in a National Defense University publication. The SOCOM model enables leadership to determine precise and efficient policies and processes, stripping away restrictive and unsuitable policies that impede cyber. Capt. Lee and other cyber experts recommend the SOCOM model of well-trained focus areas within units.
Second, a new educational model and accessions pipeline needs to be adopted. This would be similar to the model for medical corps doctors. By necessity, most successful cyber organizations expect all operators to be highly skilled. The Air Force has defined cyber by depicting the elite, most technically proficient security experts who, when all else fails, come to save the day. However, it places any computer information technology person within these units. This problem reinforces the Air Force’s need to reconsider its cyber training pipeline and align more closely with the rigor of medical corps doctors. The medical equivalent of the current Air Force cyber pipeline would be taking newly appointed military members, sending them through six months of anatomy study and then expecting them to be proficient at performing surgery.
The third model for Air Force cyber would be to align work roles with industry best practices. The military neither develops operating systems nor fabricates central processing units that compete with Microsoft or Intel, so defining new and unique job roles in cyber should be no different than that nonconflicting approach. Successful cyber organizations are adept at defining and executing work roles. Air Force cyber could borrow from companies such as Mandiant, which successfully identified and captured forensically the infiltration of a nation-state actor. It could model training and job functions after Mandiant for forensics roles—what the Air Force calls “hunt” or even more recently changed to defensive counterinfiltration. Continual name changes to military job roles are common, but they only strengthen the argument that leaders do not understand cyber. This implies a greater focus on doctrine rather than the right people and capabilities.
Lastly, the fourth model for success in cyber is a training model mirroring Olympic athletes and Navy SEALs. It has been said that a championship requires not only outstanding athletic ability and long-term training progression, but also peak performance at the right time. The same goes for cyber. Industry cyber operators have the skills and aptitude to present at Black Hat information security conventions. They depict their training and effort as always honing abilities further, similar to Olympians or Navy SEALs. Air Force cyber needs to follow this training model by removing distractions such as additional duties and inefficient human resources processes placed on its technical operators.
Either leadership continues down a path where talent, motivation and technical skills wane, or it realizes these problems and takes action based on the advice of the nation’s successful cyber professionals.
Maj. John Chezem, USAFR, is a cyberwarfare operations officer. The views expressed here are his alone and do not represent the views or opinions of the U.S. government, the Defense Department or the Air Force.
Comment
I too..
I too work in this field and feel this paper truly hits on key points.
Air Force Cyber Mission Success Depends on Cultural Change
Spot on - hope this is a wake up call to leadership
Everyone has an opinion....
Love how people can make assertions and get published, but I'd love to see some references of people who agree with these stark realizations. This Author is making a lot of great suggestions but citing no studies that support positions. It is easy to say things that lots of people will agree with, but agreement doesn't mean it is the right thing to do. See Rioting in Ferguson last year. A lot of people agreed to do it, but it was far from right.
False assertions in Model one, SOCOM is still required to follow all the policies, regulations, public law and bureaucracy every other Command in the DoD has to deal with. They are not unique or special. USSTRATCOM can be both Supporting/Supported depending on the mission and that is why Cyber was postured under USSTRATCOM as Strategic mission. They set policies for the domains they are responsible for to create well-trained focus areas within units. Space and Nuclear forces are very unique and well trained in the areas they are responsible for. Cyber as a domain is still new, and what is needed to be well trained in Cyber is still being hashed out. This domain will be in development for the next 7 to 10 years before normalization is to occur.
Arguments against model 2. There is a huge difference between medical officers and cyber professionals and it is the war fighting aspect. Medical officers don't engage adversary forces, they also take 8-12 years to develop a single licensed person. I can get licensed cyber professionals in 3 years of rigorous training, but doing that in the context of the military unit develops the warrior ethos needed to engage an enemy at any time and any place. Until you acknowledge Cyber as a war fighting domain and stop treating it like an IT environment where you have different experience levels in users and admins, the training will always be substandard.
Model three....I missed the model here....but the only people who have changed work role names has been the Air Force trying to make a legacy capability follow what USCYBERCOM has published as their work roles. The Air Force will continue to struggle with adapting legacy capability until they are fully aligned to the published signed guidance of USCYBERCOM. The Sub Unified command responsible for directing Operations in USCYBERCOM.
Arguments against Model four, The problem with Navy Seal or Olympic Style training for Cyber is that Olympians and Navy Seals train for specific missions at specific times. Defense Cyber is a round the clock mission. You need to have a breadth of knowledge, and adaptable tactics to respond to events that can happen at times and places not of our choosing. The Olympics happen every years, seal teams deploy for missions 3 or 4 or 5 times a year. They spend the rest of their time training for the environments they will encounter during their next mission. If you want to bring in your A team 3, 4, or 5 times a year then you will leave a large portion of your Cyber domain exposed and vulnerable the rest of the time.
SOCOM Model
In response to the SOCOM model. SOCOM does have unique AUTHORITIES to create organizations and structures that are more efficient because leadership fought for them. That is what the author is referring to. I believe the SOCOM model, while not perfect, is an effective model to make organizations more innovative and effective. It is an operational command that does more than train and equip. It also has a very solid culture. I would ask people to read "My Share of the Task" and "Team of Teams" by Stanley McChrystal to see how they restructured to go after threats in Iraq and Afghanistan. Truly innovative.
Absolutely Spot on
Maj Chezem hits on a number of extremely valid points in this article and the AF would do well to take notice. As he says in the article, the rank and file have been saying these things for years, but turning the battleship of bureaucracy and higher-headquarters is causing us to be significantly behind our adversaries.
As a current drill-status ANG officer (with AD and reserve experience) and a "real world" Risk Management Director, I have a great opportunity to observe both sides of the proverbial cyber-coin. In the private sector, we have the ability to rapidly adapt to the changing threat and eliminate it from client networks by changing our response actions in real time with relatively few limitations. Conversely, limits to TTPs, Tool Sets and response approval from HHQ or mission owners slows the military "Cyber-OODA loop" to a veritable crawl.
When it comes to cyber professionals in private industry, we have the ability to quickly interview, hire and train (if necessary) cyber professionals who see information security as their calling and vocation, not just their AFSC. Private industry can have a new employee interviewed, hired and onsite in 30 days or less if they have the appropriate attitude/aptitude/skills, longer if they need additional training. But to get an airman onboard and operational takes well over a year, probably more: bootcamp, AFSC training and required upgrades, weapons system training, MQT, et cetera... We face the same issue in the guard where onboarding even experienced professionals can take in upwards of a year before we're able to put them "on mission" - particularly since we have to balance "real jobs" and their AF career.
Even if you compare it to pilot training, cyber still comes up short. A pilot, once trained to fly, arrives at his/her new unit 90% of the way to FMQ and needs maybe 30 days on airframe before they're mission capable - not so with cyber. A pipelined cyber operator still needs a ton of keyboard/weapons system time before we are even authorized to put them on mission.
The AF would do well to 1) assess for aptitude and attitude before hire, 2) after hire, use a "CLEP test" to allow candidates to quickly show proficiency in mission areas, and customize training to individual aptitude and future unit needs (yes it drives cost...we're losing the battle), 3) Seek "mission usefulness" over "fully mission qualified". Getting cyber operators on keyboards is the only way they'll get experience. When partnered with a trainer, the airman will no doubt be fully trained in half the time on the aspects of their specific mission area.
Bottom line, Cyber is a domain not constrained by physical limitations; adversaries are only limited by the extent of their own technical capabilities - it is no-doubt the definition of Asymmetric Warfare. We must adapt and get out of the old-guard structure of Org structures, CONOPS, OPLANS, training and accessions pipelines. To win, the Air Force absolutely needs a culture-change in how we train and equip our operational cyber personnel.