In his forward to the U.S. Tenth Fleet’s Strategic Plan 2020-2025, Vice Admiral T. J. White stated that he is “certain the opening rounds of a 21st-century great power conflict, particularly one impacting the maritime domain, will be launched in the electromagnetic, space, or cyber domains.” The Navy currently relies on a small team of experts to extend its grasp into this new realm of armed conflict. This is not the right approach. What it needs instead is a core of naval professionals with the skills and tools to make risk-based decisions in offensive and defensive cyber conflict.
Developing this core will entail expanding the cyber warfare engineer career path and cyber warfare community in general, creating a new cyber training pipeline, and expanding recruiting at existing cyber security hubs. At the heart of any successful naval warfighting team is its professional and knowledgeable officer corps. For this reason, most of this discussion will focus on the ways in which the current system falls short in recruiting, developing, and retaining this subset. The concepts explored do not apply only to officer accessions and training and can be easily adapted for training enlisted operators who will be vital contributors in a future cyber conflict.
A Cyber Warfare Community
The Navy’s current policy and efforts regarding cyber warfare recruiting are encouraging but will require alterations to bring the force to the level necessary to face foreign threats. If the Navy considers cyber warfare a priority, it should foster a community that is not a derivative of intelligence or information warfare, but instead stands alone as a robust professional force capable of its own recruiting and training. If taken to its logical conclusion, this restructuring may even lead to designating cyber as a fully functional unrestricted line warfare community.
As cyber warfare is not a realm of conflict often associated with combat on the high seas, establishing it as a unique naval warfare community may seem extreme at first glance. But there is clear precedent for such a move. The Navy has proven adept at adopting new forms of warfare into its ranks as the battlefield evolves. A clear example is the evolution of underwater demolition teams (UDT), first used in special operations in World War II, Korea, and Vietnam, into today’s Navy SEALs. The shift in warfare from large-scale battles to small conflicts in the post–World War II era presented a challenge to which these UDTs and specialized amphibious forces were a perfect match. The success of these operations led to the official designation of the Sea Air and Land Teams in 1962 and, since that time, the SEALs have proven their utility and expertise time and again.
A similar shift is occurring in warfare today, one that will alter the small conflicts into rapid asymmetric engagements preceded by major cyber attacks. It could be that the outcome of conflict will be decided before the first kinetic shot is fired. Naval leaders clearly recognize this shift and in 2009 established the Tenth Fleet as Navy Cyber Command with the hope of providing “unfettered access to assure communication capabilities” in the new “pervasive, persistent, and adaptive domain” of cyberspace. Today’s Tenth Fleet has the mission to “plan, coordinate, integrate, synchronize, direct, and conduct the full spectrum of cyberspace operational activities.” To ensure success in this endeavor, it needs the best training, operators, and especially leaders it can get.
Modest Improvements Are Not Enough
As it stands, the Navy’s cyber program does not have the structure to support longevity within its ranks. When the cyber warfare engineer (CWE) designator was first created, it was a dead-end job meant to extract maximum usefulness from those who are already cyber security experts with minimal investment from the Navy. Cyber warfare engineers were and still are required to obtain a computer science or engineering-related degree from a university accredited by the National Security Agency (NSA). After serving in a CWE role for three years, officers were offered an undesirable choice: redesignate or leave the Navy. This scheme not only is less than ideal for matching talent to its appropriate role, but also incentivizes these personnel to seek opportunities outside the Navy. Luckily, efforts to support expanding the community have led the Navy to establish CWE O-4 to O-6 billets (control grade billets) in 2019. This change allows CWEs to promote above the rank of lieutenant and remain in the same community after initial tours.
If a closed cyber warfare community cannot be achieved, there is another avenue, albeit less effective, to producing quality officers with cyber expertise. The additional qualification designation (AQD) was created to “enhance billet and officer designator codes by identifying more specifically the qualifications required.” Including cyber in the AQD program would allow the Navy to leverage the talents and qualifications of personnel across multiple communities and incorporate them into the cyber community as needed. Personnel would continue to serve on ships and submarines for sea duty and would be assigned to cyber warfare commands for shore billets. However, at best the AQD system would help the Navy in transition to a more robust cyber warfare community with its own training pipeline.
If the cyber community were to expand beyond a small group of experts, it would become necessary to train officers and leaders in the techniques of cyber warfare. This would include a programming background focused on machine-level coding, networked systems, cryptography, and wireless networks, to name a few. Relying on individuals joining the Navy with high-level expertise in these fields is unrealistic, as these skills are highly sought after outside the military. Instead, the Navy should focus on identifying individuals with an aptitude for these skills and create an extensive training program that prepares leaders for the challenges they will face in cyber warfare.
While this appears daunting, the Navy has an existing program that is equivalent in many facets: The Naval Nuclear Propulsion Program (NNPP). The NNPP is the quintessential example of training to existing aptitude versus leveraging previously acquired skills. It also serves as a good model for how a Navy cyber warfare community might be structured.
A Real Cyber Warfare Training Program
The cyber warfare training program could start with a theoretical training on fundamentals of computer system architecture, programming, and networks, much like the nuclear program at first focuses on the physics, thermodynamics, and theory required to operate nuclear reactors. In the NNPP pipeline, students graduating from the initial theoretical training are then stationed at an operational reactor prototype. Applied to cyber, this construct would likely take the form of a fully equipped cyber laboratory. Students would engage in practical hands-on exercises where various classified defensive and offensive cyber capabilities could be used. The increased classification level would enable rapid adaptation of fundamental cyber knowledge in parallel with current techniques, exploits, and real-world examples.
Hands-on training would be best accomplished by dividing trainees into a “blue force, red force” construct. Those classing up in the practical training component would initially be assigned to the blue force, where they would focus heavily on network monitoring, cyber defense, and other network protection techniques and technologies. After mastering this section, they would graduate to the red force where they would be assigned to thwart the efforts of the blue force by engaging in cyberattack, network-penetration testing, and other offensive cyber efforts to gain access, disrupt service, and obtain desired data. To add an element of realism to training scenarios, operations might be expanded into a 24-hour cycle requiring balancing the two forces into rotating shifts. While this may be cumbersome depending on class size and instructor availability, it would accurately parallel real cyber operations which are not limited to a nine-to-five engagement cycle and prepare trainees for the challenges of 24-hour coverage.
The U.S. Naval Academy has made substantial progress with the creation of the Center for Cyber Securities Studies. This program includes the cyber operations major, which “favor(s) a breadth of topics over depth” when compared with computer science and information technology studies and promotes the “awareness of the politics, ethics, legalities of cyber operations, as well as what drives the social aspect of cyber operations.” One goal of pursuing such a course of study is a better opportunity to commission into the information warfare community, which now accepts physically qualified midshipmen eligible for all URL communities. This program is uniquely positioned to provide future cyber officer warriors with not only the technical skills, but also the geopolitical and ethical backgrounds that make for a well-rounded naval leader. However, the Naval Academy should not be the only place the cyber community turns to for competent and effective cyber officers.
Efforts to expand CWE and cyber community recruiting should include tapping the outstanding cyber security programs at U.S. colleges and universities. NSA accreditation identifies universities as centers for academic excellence (CAE). This accreditation is broken into CAE in Cyber Defense and CAE in Cyber Operations and comprises 150 and 21 institutions, respectively. While recruiting efforts could be increased at these institutions, the Navy already has Reserve Officer Training Corps (NROTC) units established at many of these schools. Of the 21 CAE in Cyber Operations schools, NROTC units exist at eight of them, to include Virginia Tech, Texas A&M, and Carnegie Mellon University. For the CAE Cyber Defense institutions, 35 of the 150 schools have an existing NROTC unit.
U.S. colleges and universities have the programs, attract the talent, provide meaningful instruction, and have the naval recruiting and training infrastructure to develop the next generation of cyber warriors. The missing component is opening the commissioning path to NROTC students. As of 2020, qualified students can apply for accession into the cyber community and receive a commission as a CWE. Making the CWE community a URL community would invigorate this process and bolster CWE officer accessions from NROTC units at CAE-accredited universities.
Training future cyber warfare operators and leaders will never be easy. Standing up new training programs is complex, and the cost will always be a major consideration. However, competition from our adversaries is immense and attack vectors, techniques, and tools are constantly changing. Instructors need to stay on the bleeding edge of cyber defensive and offensive doctrine to give trainees the tools they need to fight and win the next cyber conflict. Luckily for the Navy, it has the leaders, motivation, and commitment to put itself at the forefront of this evolving realm of conflict.