Army Braces for A Culture Clash
The service must work to entice and keep the type of people who excel at cyber operations.
The U.S. Army and its Cyber Command are building momentum to create the institutional and operational structure required to conduct and support missions in the cyber domain. Now is the time to seriously address the challenges of attracting and retaining soldiers with the talent needed to take on the enemy. As Lt. Gen. Edward C. Cardon, USA, commanding general of Army Cyber Command, often states: Technology, as significant as it is in the rapidly changing face of warfare, will not be the deciding factor in who will dominate in this domain. It’s the people.
And today’s Army faces tremendous challenges in organizing, training and equipping them to operate in this dynamic new warfighting domain. The Army must re-evaluate how it recruits and keeps its cyber talent if it is to become the service of choice in the highly competitive cybersecurity community. How it employs its gifted cyberspace operators is critical, and equally important is how the Army helps future cyber leaders develop the required credibility.
Addressing these issues is difficult because the nascent domain has changed the traditional understanding of war and the way it is carried out. War no longer is adequately defined as forceful battles pursued by armed combatants at the behest of governments to gain and hold critical geographic terrain. Instead, war is a battle between many actors, waged to a significant degree in the cyber domain. A consensus exists that the global efforts of diverse actors, including nation-states and cyber terrorists, now have operationalized cyber warfare.
These efforts are becoming increasingly sophisticated. Gen. Mark A. Milley, USA, the 39th chief of staff of the Army, notes in a recent Association of the U.S. Army Green Book article: “The technologies that have historically enabled our overmatch are becoming increasingly available to our adversaries.”
Such significant warfare changes require new attitudes, strategies and doctrine development to let the Army successfully operate both on land and in cyberspace. In particular, the service must address four immediate personnel challenges to ensure the success of its cyber work force. It needs to understand the typical characteristics of its cyber talent; organize its operational structures to effectively employ this talent; create an environment that fosters innovation; and learn to lead these forces.
As the Army continues to generate its component of the Defense Department’s Cyber Mission Force—the effort to establish 133 cyber defense teams by 2018—it struggles to recruit and retain the skilled professionals necessary to build its teams. One frequently discussed issue is whether the Army must establish new standards or lower the current standards that are limiting the service’s ability to grow its population of cyber operators.
The Army should not lower its standards for such an important component of the force. Instead, the service should better define the most critical skills needed and spell out its specific plans to keep qualified soldiers, especially advanced tool developers and on-net operators. While other cyber team members are important, training soldiers for these two work roles requires added focus.
Harvard University’s chief technology officer, Jim Waldo, describes individuals with these skills as the top 2 percent of software and security specialists. He believes they are 10 to 100 times more effective in understanding and operating in cyberspace than average technologists. If the Army is going to be successful in the cyber domain, then these individuals represent the talent the service must recruit and train. And it must learn to lead these warriors if it expects to retain them.
One obstacle to retaining soldiers with these skill sets is that their personalities tend to defy conventional military cultural norms. They are seen as rule breakers driven by curiosity and seek to penetrate barriers rather than conform to any standard. They often despise meetings and argue against any concept that opposes their original ideas. Traditional Army leaders often fail to understand these nonconformists.
The Army also has failed to create an organizational culture that will retain its cyber talent. Parochial arguments and institutional policies can be a turnoff to these individuals. For example, the Army actually held up cyber operators’ selective re-enlistment bonuses for almost four months to debate who could be labeled a cyber operator. The service lost at least seven of its trained on-net operators during that delay.
Career stagnation can be a problem as well. The Army’s Qualitative Service Program (QSP) consists of a series of centralized board processes designed to select and retain the highest quality noncommissioned officers (NCOs) who display the greatest potential for continued service. Yet the Army lost one of its most highly qualified cyber analysts to this program because she had not been promoted or moved from her position in four years. Understanding her work role easily explains the requirement for extended stationing policy, and the limited number of senior positions in this career field accounts for a latent advancement cycle. Still, the service needs to find a way to satisfy anyone’s desire for professional growth.
Comprehending cyber’s work roles is not just an Army issue, but a shared challenge across the services as the Defense Department struggles to learn this new domain. The Army chose to create the 17-series branch and career field to address such institutional challenges, which also include how to organize the service’s cyberspace operators. Organizational structure and design in cyberspace operations, to a large degree, have been prescribed at the strategic level by U.S. Cyber Command and are similar across all the services. Because the preponderance of effort to establish the force is derived from the intelligence community, the employment of the force primarily is at the strategic level and therefore almost nonexistent as a deterrent to adversaries. Additionally, the design of teams, infrastructure, tools and command and control has been created and developed in a way that, by its nature, stifles innovation and allows little room for initiative. In short, the government has tried to structure an inherently unstructured and free-flowing domain.
Rigid organizational structures do not restrict potential adversaries. A quick study of the operations Russia conducted in Ukraine highlights some of the most visible flaws in U.S. cyber operating concepts. Russia artfully converged information operations, electronic warfare and network warfare in both digital and physical operations to win in Ukraine—with almost no visible presence. Conversely, the United States debates which actions are Title 50 of the U.S. Code versus Title 10 versus Title 40 and struggles to build a force around the traditional concepts of offense, defense and exploitation.
Additionally, how the Army defines defensive and offensive operations impacts the service’s employment of its cyberspace operational forces. Delineating between defensive and offensive operations has been described by Tim Willis, a security manager on the Google Chrome Security Team, as a fundamental flaw in the digital environment’s philosophy of operations. In a recent lecture, Willis presented an analogy describing what happened when an international agreement failed to take this flaw into account.
He cites as an example the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, established in 1996. The arrangement promoted transparency among the 41 participating states, including many former Warsaw Pact countries and the United States, in the transfers of conventional arms and dual-use goods and technologies. Problems arose in 2013 when the group added intrusive software to the list without considering the second- and third-order effects the addition would have on the Internet security community. The community argued that restrictions cannot be placed on offense without affecting defense because the tools and software, in terms of tactics, techniques and procedures, are basically the same.
The inextricable links between cyber offense and cyber defense create confusion, leading to upheavals for cyber organizations as they restructure. Today, they are designed to employ certain teams for offense, different teams for defense and still other teams for analysis and exploitation. The arrangement makes perfect sense if their only task was to expand on the mission of the National Security Agency and the intelligence community. It’s not, and the Army’s cyber organizational structure creates a culture of haves versus have-nots, with leaders giving little thought to the intelligence, equipment and tools needed to conduct deliberate defense in the pursuit, containment and defeat of advanced persistent threats.
To facilitate information sharing and synchronize cyberspace operations, the Army cyber force should mirror the structure of maneuver forces to conduct a full spectrum of combat actions. Commanders can then task-organize within their formations.
The Army also must re-emphasize innovation. Today’s cyber operator employment model not only limits the innovation and capabilities cyber operators can bring to the fight, but it also prevents any deterrence that could be gained by more aggressive responses to attacks and the show of force the United States could bring to this domain. The leading barrier to allowing more aggressive actions is the intelligence gain-loss ratio, or deconfliction of friendly battlespaces. The Army should organize to employ teams that support tactical operations at corps and below echelons while reducing the standard for gain-loss decisions. Investing in this capability and demonstrating it will foster buy-in from maneuver forces and deter actions by adversaries.
Fostering innovation even during training is critical. While the Army might not have lawful authority to conduct kinetic attacks against an adversary until the United States declares war, that should not prevent the service from training for them. By the same notion, failing to let soldiers develop the tools, access and infrastructure needed to achieve results at the tactical level, even while in training, restricts innovation and eventually will contribute to the loss of the most talented operators.
Ultimately, understanding and effectively employing cyberspace operators depends on leadership. Without a base knowledge of the technical aspects of cyber work force skills, traditional leaders cannot have meaningful conversations with these highly skilled operators. Many times, attempts to communicate result in a dialogue of technical jargon—possibly purposefully designed to minimize the attention span of, and time wasted by, an unskilled technocrat posing as a leader of technologists.
Only if the Army understands its top-tier cyber operators will it be able to support the initiatives and policies to lead them. Currently, Army leaders are constrained by their own experiences, and until a new generation replaces them, the service will continue to struggle with leading cyberspace operators.
Command Sgt. Maj. Rodney D. Harris, USA, is assigned to the U.S. Army Cyber Command and 2nd Army. The views expressed here are his alone and do not represent the views and opinions of the Defense Department or U.S. Army.