In 2021, companies such as Microsoft and Samsung faced several high-profile attacks from an emerging type of adversary. However, this was neither a hacking group backed by a nation-state nor an eCrime group with a robust ransomware-as-a-service model. Instead, the attackers were self-taught teenagers looking to see what security vulnerabilities they could exploit.
As the threat landscape becomes populated with nontraditional attackers, it is more vital than ever to recruit, train, and retain the best cybersecurity professionals in the world. To train, service members in cyber warfare ratings and occupational specialties will need to literally step outside of their uniform more often and learn the latest emerging threats via regular engagement with resources in the civilian world. To retain a world-class cyber fighting force, it will be necessary to give the best and brightest reasons to continue their military careers when civilian counterparts—and the service members themselves—recognize military personnel as highly trained in a sought-after profession.
The Modern Threat Landscape
The modern threat landscape is partially categorized by threat actors. A threat actor is a potential adversary identified by their resources and their motivations. Current threat actors include cybercriminals, hacktivists, thrill seekers, nation-state actors, insider threats, and cyberterrorists. Of these, hacktivists and thrill seekers are usually seen as less likely to become an advanced persistent threat (APT) with the motivation and resources to use multiple vectors to carry out a sustained cyberattack. However, although they may not be able to carry out a sustained attack over time, individuals or groups of threat actors are increasingly able to damage critical cyber infrastructure with little time and resources.
Further, the military must compete against the private sector for highly trained cybersecurity professionals, especially when the private sector can offer greater benefits such as increased pay, teleworking, and flexible work-life balance. The solution must be two-fold, focusing on external and internal candidates. Identifying barriers to service will be necessary for both candidate pools.
Recruitment
Barriers to military enlistment largely revolve around physical limitations. A recent Department of Defense (DoD) report stated that only 23 percent of Americans 17 to 24 years old are eligible for military service. The number decreases as the age of the potential recruit increases. While programs such as the U.S. Army’s Future Soldier Preparatory Course have shown promise, another solution could be to lessen the physical standards for those enlistees who are guaranteed pipelines for cyberwarfare roles that will exclusively see service members in units that require lower levels of physical prowess. Some physical standards would need to be kept to ensure the continued health of cyberwarfare specialists, but demanding peak physical ability for service members who may have otherwise accommodatable physical conditions is counterintuitive if their mission is almost certain to never require physical strength and stamina. Creation of a new “shore duty only” rating would enable such previously ineligible members to join while not decreasing mission readiness of operational units.
Further, the military must go to where the talent is in terms of both physical and online locations. Along with a constant presence in industry trade shows, the military should recruit talent by hosting online “capture the flag” or open-source intelligence (OSINT) competitions in which standalone and formidable infrastructures are created for the sole purpose of allowing competitors to try to be the first to exploit a chain of vulnerabilities. This competition format is already in place at hacker conventions with the winners being highly sought after by private sector recruiters.
Internal recruiting for cybersecurity roles in the military will need a proactive approach. In 2023, the Coast Guard opened applications to service members wishing to laterally transfer to the newly created cyber mission specialist rating. While this is a good start, the Sea Services must take the initiative to recommend service members under their command for cybersecurity missions. Similarly, it is vital that service members are sought and recognized for their skills. Flag officers must develop and disseminate to deckplate leaders a set of criteria for cybersecurity warriors, such as basic familiarity with security concepts, desire to pursue cybersecurity as a profession, ability to critically assess scenarios and apply nontraditional solutions, and the flexibility to learn new best practices in an ever-changing landscape.
An incentive program could be offered to both the leader who recommends the service member for cybersecurity training and to the service members themselves after successfully completing training. Incentives could be developed to incorporate award citations, early advancements, bonus pay, or preference in billet selection following reenlistment. By placing the onus on the service member, the military potentially neglects the influence that senior noncommissioned officers and officers have on the members and on their respective branch of service.
Training
Cyber threat actors do not limit themselves to traditional routes of cybersecurity education and training. Hackers often begin their education as early as age 13. While the military should not replace the structure of schoolhouses and pipeline training, nontraditional training opportunities should not be neglected. DEF CON, an annual hacker convention held in Las Vegas, Nevada, focuses on the latest changes in the cybersecurity landscape. Competitions in OSINT, capture the flag, and even lock-picking are featured to highlight vulnerabilities in widely used technology while also allowing individuals to showcase their own talent and meet recruiters. Service members can take advantage of these opportunities to compete against simulated adversaries whom the military cannot anticipate or reproduce in training.
In addition, partnerships with private sector industry partners can greatly benefit cybersecurity commands that wish to expose their members to a wider variety of training. Contractors specializing in penetration testing and red team firms can offer members insight into how threat actors think while helping private-sector partners deepen their working relationship with the military. By offering a temporary in-house partnership with private firms, service members can gain firsthand knowledge of trends in threats and best defense practices.
While recognizing the need to evaluate and adopt unconventional opportunities for training, there is still no replacement for standardized training and education to solidify a base of knowledge. Using existing standards in certifications such as Security+, Certified Information Systems Security Professional (CISSP), and Certified Information Security Manager (CISM) allows a more streamlined process without losing integrity of training. Allowing military units to proctor the exams required for certification also would allow for a higher level of confidence in both the cybersecurity warrior and their leadership.
Retention
As they train and gain experience, service members become more desirable to private sector partners. Cybersecurity warriors will face greater temptations to leave the service when offered greater compensation, benefits, and work-life balance than what the military can offer. Professionals do not leave their jobs just because a new position is offering more. Professionals also leave their jobs when their employer is unable or unwilling to meet their needs. If the military can meet their needs with work-life balance, monetary compensation, and stability for families, then service members will have a harder time leaving their military careers for the unfamiliar world of the private sector.
Further, service members must be offered guaranteed opportunities for continued training in gaining certifications. The certification pathways for civilians are often lengthy, cumbersome, and expensive processes with no guarantee of success. Through the military, service members can earn industry-standard certifications that would be otherwise inaccessible to them, as well as obtain security clearances that are highly valued in the private sector among defense contractors. This can and must be paired with the benefits usually advertised to civilians such as travel, health care, and family support.
Cybersecurity units must be allowed to operate with a level of autonomy separate from larger military commands. A highly trained cybersecurity professional with multiple certifications and years of experience in a specialized skill will become frustrated if their work is regularly interrupted by micromanaging regarding duties unrelated to their military occupational specialty (MOS) or rating. This does not mean excusing cybersecurity specialists from uniform standards, grooming, and customs and courtesies. Cybersecurity officers and enlisted personnel will still be expected to maintain military bearing. However, if a cybersecurity service member sees that time set aside for specialized training is competing against time participating in training that does not directly pertain to them, they will become increasingly frustrated with their role. Although some autonomy is recommended, service members can and should still be held accountable through their chain of command.
Pay will be another major issue for retaining talent. It is not possible to increase base pay for service members outside of congressionally mandated pay increases. However, reenlistment bonuses can address this need, especially if bonuses can be made available for gaining and maintaining certifications of increasing technical expertise similar to the foreign language proficiency bonus. Further incentives could include making more desirable duty stations available to those who continue their military career and/or their education through gaining advanced certifications.
Service members will always seek to gain better work-life balance regardless of their MOS or rating. For cybersecurity professionals, this could mean providing greater stability by increasing the length of billets before permanent change of station turnover. Cybersecurity experts could be offered retours and extensions contingent on reenlistment and/or gaining advanced cybersecurity certifications. In return, the command would gain the benefit of continuity with subject matter experts familiar with mission sets specific to their units.
Looking Forward
The cybersecurity threat landscape will always be evolving. To adapt, the U.S. military will need to adopt unconventional practices for recruiting, training, and retaining the most talented professionals available. The traditional routes of seeking only individuals with certifications and training within a military setting will stagnate cybersecurity defense readiness. If the military cannot or will not adapt accordingly, the pool of qualified and potential talent will be quickly drained by private organizations that can offer what service members find lacking in their current uniformed roles. The military cannot afford to be last in line when it comes to hiring, developing, and keeping the best cybersecurity professionals in the world.