It is not yet known if the recent U.S.–China agreement to limit cyber espionage is a meaningful step toward a more secure cyberspace. Without broader reaching, enforceable, and verifiable agreements coupled with a history of compliance, the Internet remains a near lawless and ungoverned battleground. Militaries around the world continue to stockpile cyber weapons and conduct reconnaissance on potential targets. The U.S. is no different and cyber is one of the highest priorities for the Defense Department: even in the age of austerity, U.S. Cyber Command’s budget will double and personnel count will increase to 6,200. While some may laud the expansion of CYBERCOM and other U.S. government entities involved with cybersecurity, before we spend all of this money, we should pause and ask: Will all of these people and funding actually make us better at prosecuting cyber war and defending against cyber attacks?
Unfortunately, the fanciest security system in the world is useless if you don’t lock your front door. All of the investment and talented personnel in the world won’t be of much help if the U.S. government can’t do the basic blocking and tackling such as data encryption and network authentication that is required for cyber defense. The seemingly numerous cyber security breaches, from the 23 million background investigation records exfiltrated during the Office of Personnel Management breach to reports that Russian hackers penetrated Joint Staff email systems, clearly indicates a systemic U.S. government failure to protect its information.
As long as individuals are susceptible to basic social engineering tactics, such as credential theft through “phishing,” and federal agencies with sensitive information such as the IRS can’t answer the simple question of how many servers are on their network, no amount of people or technology will make our networks safer. Adopting better cyber safety practices and making employees internalize them so they become second nature ensures we’re crawling properly before attempting to walk in cyberspace. One thing is for certain, something must change and the current government standard of a yearly archaic half-hour “information awareness” training is just not enough to get people to truly practice safe cyber behavior.
Going beyond the basics, attracting talented programmers, developers, and cybersecurity professionals to work for the U.S. government, particularly the Defense Department, in any capacity has been a noted challenge. Even when new government professionals are brought into the system, the lure of moving to the private sector for double the salary and tech sector perks means that the proposed recruiting bump by the Defense Department is only a temporary band-aid on attrition.
But is this a story purely about incentives? Will paying government hackers and programmers handsomely stem the flow of boots out the door? The simple truth is that it will not. DoD and other agencies should focus less on trying to throw more people at the problem and instead focus more on ensuring that it utilizes and motivates its forces as efficiently as possible. For example, current thinking is mired in the antiquated concept that money is the be-all-end-all motivator; it is better to instead focus on the psychologically intrinsic aspects of motivation rather than the financial ones. Think of intrinsic motivation as three elements, autonomy, mastery, and purpose, according to Daniel Pink’s summation of 40 years of psychological research. Putting purpose up front, service in defense of the nation, and giving these employees and service members the chance to grow under top-quality supervision is the best way to ensure that we have the best cyber corps going forward. This is something that private-sector jobs focused on financial gain simply do not address. How can building the next version of Farmville even compare? Naturally, there are limits to how far intrinsic motivation can go, so salaries should be at least seem “fair” after taking the patriotism discount. But if agency managers think that focusing on compensation will solve all of their problems, they are missing the motivational forest for the trees.
Another critical component that needs attention is making the military, federal and state governments smarter, faster, and more flexible in setting up personnel policies to make it easier for talent to get into needed positions of service, move laterally within government, and grow professionally. This is imperative as internet technology is pervasive and found across all aspects of government and unless cybersecurity talent is distributed across all agencies and organizations. The most comprehensive programs for recruitment and retention are concentrated at CYBERCOM and the NSA, which perpetuate “islands of cyber excellence” that could “leave non-security departments and agencies potentially vulnerable if they are unable to hire scarce talent,” according to Peter Liebert, co-director of the Truman National Security Project cyber expert group and former DoD senior cyber policy analyst.
The U.S. government is moving forward; however, much more can be done. For example, the military is only now enticing college students to sign up for cyber-specific ROTC initiatives, targeting a group that is increasingly graduating with enormous debt loads. New private sector outreach efforts like the new Silicon Valley office Defense Initiative Unit-Experimentalare being extended to cities high in talented human capital and burgeoning tech sectors such as Austin, Pittsburgh, Baltimore, and Philadelphia. This gives DoD the ability to reach college grads with technical abilities who might otherwise have never considered military or government service.
Beefing up the Reserve and National Guard role in cyber defense is another promising plan that should be expanded to allow the military to tap into a technical base that represents the best of both worlds: private-sector opportunities and training while performing a mission vital to the nation’s defense.
Finally, it isn’t enough to focus on the tactical pursuit of line-level personnel, cyber is a strategic challenge as well. The utilization of cyber capabilities as a strategic tool is just as important as writing the latest hacking program. As P.W. Singer and Allan Friedman point out, existing cyber doctrine that emphasizes the superiority of offensive is inadequate because offensives can be both counterproductive and unpredictable and defense is not as weak as assumed. Thinking more clearly about the strategic and tactical use of cyber requires getting past the mantra of “offense rules” and also requires aligning recruitment goals. Right now recruitment is focused somewhat on quality but mostly on quantity. Unfortunately, a great hacker with technological creativity can outperform a thousand mediocre ones, because the mediocre ones will likely all arrive at similar conclusions while the standout ones will come up with novel solutions. The criticality of the internet to both daily life and defense operations mandates that we at least try to get the best people on board and have an employment strategy to match these talents.