The crux of our proposal: make huge investments in the Armed Forces to recruit and develop uniformed members into systems and network engineers. The Service is traditionally very representative of American demographics as a whole, across racial and class lines.
(Gender diversity is not as strong. But it's stronger than the cyber industry, with 72% men vs 78%.)
On top of being diverse, the Armed Forces are often the first responders to cyber attacks on military and civilian infrastructure. It might seem odd, but when a hospital network is breached or a city is attacked by ransomware, who shows up? A @USNationalGuard unit in BDUs.
So, the Armed Forces--diverse and deeply enmeshed in our national cyber capability--NEED to be a talent factory for cyber. And not "let me audit your system for FISMA compliance" talent, but rather "I'm comfortable working with the Linux kernel" talent.
Unfortunately, uniformed cyber is nowhere near that good right now. We imagine the American soldier to be impeccably outfitted with slick armor, exquisitely trained to be absolutely dominant. This is because DoD has refined its warfighting and training doctrine over decades.
But cyber? Cyber is new. We are still figuring out how to do it. But instead of putting the necessary time into breeding great soldiers, we're just treating it like old-fashioned warfare. You know how long the Army spends training its new cyber people? 9 months.
Another difference between cyber and kinetic warfare: our elite combat units are extremely selective. They are the best of the best. But for cyber, there is no such upward mobility. So if you have amazing potential, your most likely career path is Cisco or Akamai, not Nerd SEALs.
This brain drain prevents us from improving our doctrine, which prevents us from attracting good talent. It's a bad cycle. The result is that our uniformed servicemembers, the first responders to military AND civilian cyber attacks, are woefully undertrained and underequipped.
Here are our suggestions:
1/3: Create a Cyber Force. Land warfare has the Army. Naval warfare has...the Navy. Every "domain" of warfare has its own branch, which allows that domain to thrive with its own doctrine, customs, training regimens, R&D budget, etc. Why not cyber?
This would allow us to start treating cyber like its own domain with its own doctrine, rather than an accessory to land warfare, which is how the Army treats it right now.
Another reason: The Secretary of each branch of the service has discretion over promotion practices. I don't need to explain why this matters for recruiting and retaining skills that are in very high demand.
2/3: Create a Cyber National Guard. Our National Guard--the people who show up at natural disasters and rescue you when you get lost hiking--are mostly made up of people with full-time civilian jobs elsewhere. That NG helicopter pilot flies a traffic helicopter during the week.
The corporate cyber world has lots of people who would absolutely put on a uniform part-time and go defend a regional power utility under attack. But right now, the NG is so poor at this that those talented people would be wasting their time.
A Cyber NG attached to the Cyber Force would benefit from the investments, recruitment practices, toolsets, and doctrine developed by the Force. This wouldn't happen overnight. It will take 10+ years. There are no shortcuts to excellence.
3/3: Use the Academy model as the entry point for uniformed cyber talent. West Point, USNA, and USAFA are excellent (free!) schools. If our national security needs lots of network and systems engineers, these schools ought to be the nation's leading producer of them.
Note that I didn't say "they should teach cyber!" "Teaching cyber" is like "teaching building inspection." Rather than starting from the point of protecting systems, we need to be training people how to *build* systems. That's where expertise begins. And besides....
...our Armed Forces don't just need cyber people. Uniformed units like @KesselRunAF are taking on much more active roles in developing and maintaining their own software code. How are they going to scale that? By recruiting sys&ntwk engineers out of college.
Again, this will take many years to bear fruit. But hey: we should have done this many years ago! /thread