war on the rocks

Fish Out of Water: How the Military Is an Impossible Place for Hackers, and What to Do About It

July 12, 2018

The U.S. military established Cyber Command almost a decade ago, but it fails to maximize its contributions to national mission. Struggles on all levels — from the political to operational — contribute to Cyber Command’s ineffectiveness. But simmering beneath the surface is a crippling human capital problem: The military is an impossible place for hackers thanks to antiquated career management, forced time away from technical positions, lack of mission, non-technical mid- and senior-level leadership, and staggering pay gaps, among other issues.

It is possible the military needs a cyber corps in the future, but by accelerating promotions, offering graduate school to newly commissioned officers, easing limited lateral entry for exceptional private-sector talent, and shortening the private/public pay gap, the military can better accommodate its most technical members now.

Former Secretary of Defense Ash Carter remarked that he was “largely disappointed” by Cyber Command’s contributions to the fight against ISIL:

It never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t.

These parting thoughts don’t paint a pretty picture of Cyber Command. Unfortunately, the situation won’t improve unless the military focuses on retention and promotion of its most precious resource: its technical talent.

Meet the Military’s Hackers

The Pentagon established Cyber Command in 2009 to “conduct full spectrum military cyberspace operations.” The Pentagon elevated Cyber Command to an independent unified command two months ago. This move means the commander of Cyber Command now reports directly to the secretary of defense, which removes an extra layer of bureaucracy and gives Cyber Command greater operational autonomy and manning authorities.

Cyber Command’s mission is fundamentally technical, since attacking or defending a computing platform requires intimate knowledge of its inner workings. Accordingly, all operational jobs in Cyber Command require some level of technical proficiency, but two are exceptionally demanding: the operator and the developer. The people who do these jobs are some of the military’s most elite hackers. Cyber Command’s original plan called for these roles to be almost exclusively junior enlisted personnel and civilians. As Cyber Command has faced recruiting and retention issues within these populations, it’s been forced to allow junior officers to also fill these roles.

Although Cyber Command’s missions depend on many roles, nothing happens without highly skilled personnel performing these jobs: the most talented tool developers and operators are the servicemembers enabling, gaining, and maintaining low-level access to various computing platforms.

Operators gain, maintain, and exploit control over computing platforms to achieve missions like collecting information from an adversary platform, hunting for adversaries on a friendly platform, or manipulating a platform’s operating characteristics. Good operators have strong knowledge of how to administer their chosen platforms, in addition to a modern understanding of their security features. Operators focus heavily on detecting adversaries on a platform and keeping adversaries from detecting them.

Tool developers write the software that enables operators. Senior tool developers have a breadth of skills that range from security researcher to system software engineer. Tool developers might be tasked with writing software ranging from web applications to embedded device firmware. Whatever platform that a unit is required to defend or attack, the tool developer writes the software that underpins critical elements of the operation.

Unlike other highly skilled uniformed professionals like physicians and lawyers, hackers don’t come from certified university programs. Each service has tried — with varying degrees of limited success — to stand up initial training programs for these roles. The results have been depressing.

Cyber Command’s commanding general and National Security Agency director Gen. Paul Nakasone recently remarked that “[o]ur best [coders] are 50 to 100 times better than their peers.” He’s absolutely right. Just like the private sector, there’s a wide distribution of latent aptitude and motivation in the military’s technical talent pool. The military’s best hackers have spent years of nights and weekends reading and writing blog posts, contributing to open-source software projects, attending conferences and classes, reading books, and, most importantly, executing mission after mission. No one has figured out how to replicate such a blend of skills and experience in any format besides on-the-job training. (Gen. Nakasone will have his work cut out for him in both his roles, as Cyber Command isn’t alone in having a talent management crisis.)

And it isn’t just the government. The private sector doesn’t have this figured out either. “Coding bootcamps” teach basic web and mobile application development (which is only tangentially related to tool development), and the efficacy of these programs is still an open question. The best we have is a handful of long, expensive, high-attrition programs like ManTech’s Advanced Cyber Training Program/Cyber Network Operations Programmer Course and short, opportunistic offerings before major conferences like BlackHat and Defcon.

Tellingly, unit commanders balk at sending servicemembers to such training unless a service member already has a strong background and, more importantly, a substantial service obligation to keep them from absconding with their new skills.

Despite the long odds, the services have managed to foster a coterie of exceptional, uniformed hackers. They are almost exclusively early career (especially junior officers), and they all know each other by name. Although the services report satisfactory retention levels to Congress, I have observed too many of these exceptional individuals leaving the military after satisfying service obligations.

The Challenges of Retention

Each servicemember’s decision about staying in or getting out is deeply personal and involves many features, but there are some common themes.

The mission is ostensibly the military’s premier talent management tool. Especially for operators conducting offensive cyber operations, there’s no real legal analog in the private sector. Servicemembers don the uniform at least in part because they believe in the military’s ultimate mission to support and defend the United States, and, as military hackers, they can potentially have an outsized impact on this mission.

Sadly, mission is currently thin, and there’s a risk that, if Cyber Command doesn’t get its act together soon, servicemembers will leave due to lack of mission. There’s no shortage of important work in the private sector, with the explosion of bug bounty programs, penetration testing firms, and cybersecurity startups.

Recognition is a major motivator for hackers, both in uniform and out. Many security researchers toil for countless hours looking for vulnerabilities in popular software simply for peer recognition. The past year alone brought us Cloudbleed, an Apache Struts remote code execution vulnerability, Toast Overlay, BlueBorne, KRACK, an Intel Management Engine remote code execution vulnerability, Spectre and Meltdown, corollaries in the AMD Chipsets, and iOS Jailbreaks. In most of these cases, the researchers (or the labs they work for) who disclose these major issues do it primarily for the security community’s approbation and respect.

Unfortunately, for military hackers, their most senior cyber leaders simply don’t understand their accomplishments, and these senior leaders openly admit it. At a recent U.S. Senate hearing, the Air Force Cyber Commander declared, “I’m not a technologist, ma’am, I’m a fighter pilot.” Military hackers hear such self-deprecating qualifications all too often, and it’s never received well. The result is that praise from the top, however effusive and public, sounds hollow.

Money is an obvious retention tool. Since hacker skills transfer directly to the private sector, and since those skills are in such high demand and such limited supply, the opportunity cost for the military’s best hackers is colossal. The armed services manage to pay physicians and lawyers substantial bonuses to close a similar gap between public and private sector pay, but the corresponding incentive programs for hackers pale in comparison. Cyber retention bonuses never amount to more than a few hundred dollars a month.

To add insult to injury, tool developers often perform technical due diligence for capabilities procured from contractors. These capabilities typically mirror the capabilities that talented tool developers create on a quarterly basis, and the government will pay multiples of a developer’s annual salary for them. Nowhere else in the military is its economic rent so clear to the servicemember.

Lifestyle is a major reason for resignation. The best hackers receive an incessant stream of high-priority work from their leadership. “The reward for hard work,” the saying goes, “is more hard work.” On one hand, junior military members often have or are looking to start a family, and the intense pressure of carrying far more than their weight can have a deleterious effect on work-life balance. On the other hand, the talented individuals can make names for themselves and seek out missions they find most interesting. Since missions are almost universally understaffed with technical talent, talent can often choose where to work.

Mentors keep servicemembers motivated and excited about their work, guide them through tough decisions, monitor progress and critique, and serve as templates for members to imagine the trajectory of their careers. Frankly, the military’s most talented hackers don’t currently have senior counterparts to look up to in contrast.

Thanks to the Defense Officer Personnel Management Act (DOPMA), military promotions are extremely rigid and depend primarily on an officer’s time in service. When the services stood up their cyber components over the past few years, they had to bootstrap senior leaders into their cyber branches from other (sometimes completely unrelated) branches. In my personal experience, virtually none of them have deep technical talent, especially those in command. Unfortunately, DOPMA’s effects on military hackers’ careers are far more insidious than just limiting role models.

Fish Out of Water

Servicemembers are forced to uphold certain unwavering standards, including grooming, height and weight, and physical fitness. These standards further limit an already limited group of technical talent: The intersection of people who can run a 15-minute two mile and dissect a Windows kernel memory dump is vanishingly small. While a number of these unicorns do exist, DOPMA unfortuntely makes it extremely difficult for them to thrive.

Career management inundates military professional education. Servicemembers are constantly reminded what key developmental jobs will make them competitive for promotions, what syntax their evaluation reports should follow, and what their timeline should look like. For military members wanting to climb the ranks, the map is laid out in front of them in 25 years of exquisite detail.

Thanks to DOPMA, it is extremely rare to get promoted even a year ahead of this lock-step plan, and only about 3 percent of officers get selected for “below-the-zone” promotion. Promotion boards comprised of senior officers determine who gets promoted. Since few of these senior leaders have any technical background, it’s no surprise that cyber officers who pursue technical jobs aren’t getting promoted ahead of schedule. Imagine how incredibly frustrating this must be for a talented hacker who’s “50 to 100 times better than their peers” but can’t get promoted even a year early. Even if Congress updated DOPMA to allow accelerated promotions, it is not clear that a centralized promotion board could even recognize this talent. There’s a chicken-and-egg problem of promoting technical talent into senior leadership and having technical talent on promotion boards.

Talented hackers who wish to remain in the military are faced with an impossible choice. Cyber Command partitions leadership into two chains of command: those with operational control (OPCON) and those with administrative control (ADCON). Every servicemember has both an ADCON commander and an OPCON commander. The ADCON commander makes sure a member is compliant with onerous mandatory training, urinalysis screenings, and physical fitness tests. The OPCON commander employs the servicemember in achieving real-world mission.

The most successful OPCON leaders are fiercely technical, especially those who’ve cut their teeth as hackers. They plan and execute operations against adversaries on extremely complicated computing platforms in contested space, and they defend the merits of their approach from non-technical bureaucrats. In contrast, a prototypical junior officer ADCON job — like an Army company command — requires virtually no technical skills aside from basic PowerPoint familiarity. Such jobs demand far more generalized skill sets like interpersonal skills, institutional knowledge, and administrative leadership.

Unfortunately, the ADCON chain generates all of a servicemember’s evaluation reports. If a hacker wants to avoid the substantial promotion risk, they absolutely must serve in the required, service-specific ADCON job to check the box. Even worse, senior leaders have limited top-level evaluations to hand out. Since promotion boards weigh key ADCON job evaluations most heavily, senior leaders tend to guard their rating profiles and give preference to officers in ADCON jobs.

For most hackers, an ADCON job means one to two years away from mission doing a non-technical job they’ll probably detest. So, the military’s most talented hackers are caught squarely in an identity crisis: Buck the promotion system and continue being a contributor who is “50 to 100 times better than their peers” fighting adversaries in cyberspace or take a year or two off mission to collate push-up scores in Excel spreadsheets.

It might seem that putting technical talent in ADCON command positions would help fix the problem, but it doesn’t for three reasons:

First, the cultural problems stem from the colonel- and lieutenant-colonel-level command positions. In Cyber Command, junior commanders have little say. Plus, for reasons we’ve just explored, it’s unlikely that technical, career-minded junior officers will push hard against their senior raters. This arrangement is far more likely to leave a bad taste in the junior officer’s mouth than to make any real impact on the organization.

Second, there just isn’t enough technical talent, and taking top talent out of the OPCON force has a serious impact on Cyber Command’s ability to achieve mission.

Finally, Cyber Command’s ADCON/OPCON split is a vestigial structure that should be eliminated altogether. In units like an infantry battalion, a submarine, or a fighter squadron, there’s one person in charge. This principle is called unity of command: A subordinate should never report to more than one boss.

The ADCON/OPCON split is a cultural feature that the service-specific cyber branches inherited from their ancestors. For example, the Army’s Cyber Branch grew primarily out of Signal and Military Intelligence. In those branches, the ADCON/OPCON split makes sense: An ADCON commander donates her people to OPCON maneuver commanders (for example, to work in an infantry battalion’s intelligence or communications shop).

In Cyber Command, this split has several deleterious effects. It creates confusion and frustration for OPCON commanders who don’t have control over their people, and it lowers morale for ADCON personnel who feel like they spend most of their time generating make-work to justify good evaluations.

Why Bother?

The military’s current personnel management system is an abysmal fit for hackers. That much is clear. But should we fix it? How many uniformed hackers does the military actually need?

There’s nothing inherently military about writing cyber capabilities — offensive or defensive. Defense contractors have been doing it for decades. And unless an operator is directly participating in hostilities, it’s not clear they need to be in uniform either. The talent pool is much larger if we look beyond servicemembers.

I see two reasons for seeking to retain talented hackers as servicemembers. First, the best senior leaders will have deep technical backgrounds. Second, the military should employ talent in whatever form it wants to serve. The way the military accesses talent into military medicine provides an instructive model.

Doctor’s Orders: The Military Medicine Model

After fully funded medical school, newly minted captains (Navy lieutenants) show up at military hospitals across the country to complete residency. They work long hours and contribute massively to serving the military hospitals’ patient population. After completing residency, these newly board-certified physicians complete a four-year service obligation running military clinics. They get promoted every six years automatically, and the military mostly gets out of their way and lets them serve patients. It’s a great return on investment to the government, even after considering medical school tuition and physician bonus pay.

Most physicians will leave after their obliged service term, but that’s okay. Some will stay in and seek out roles of increasing responsibility in hospital administration. And all along, the military’s total cost is a whole lot less when an active duty physician sees a patient instead of a private physician.

The military should continue to reach into the service academies and ROTC programs, hand-selecting the most promising cyber initiates. It could offer them a fully funded two- or three-year graduate school experience in an approved, narrowly tailored program immediately upon commissioning in exchange for a six-year total service obligation after graduation. Like physicians, these talented servicemembers would qualify for special pay and bonuses. By guiding their course selections and summer experiences, the services could access a stream of highly trained technical experts.

Here’s the key: The military provides the special personnel management for these servicemembers to be hackers for as long as they want. Promote them like military physicians. Most of them will probably resign after their service obligation concludes, but some will love the mission and the military way of life. They’ll stay in and — if they want to — compete for promotion and increasing levels of leadership responsibility.

Each service could establish special functional areas for positions like operators and tool developers, allowing officers to remain deeply technical for an entire military career. Maybe they should promote a world-class tool developer to colonel (Navy captain) in the same way they promote highly specialized surgeons. (Besides, how catchy is a colonel kernel developer?)

Given just how expensive technical talent is, Cyber Command should to take an all-of-the-above approach to attracting and retaining it. Most of the military’s top hackers will probably be officers simply due to the accessions pool, the pay, and the advanced civilian schooling opportunities. But that doesn’t mean we shouldn’t develop corollaries for enlisted personnel who don’t want to (or can’t) take a commission. There’s simply too much work to do and too few capable hackers.

Bootstrapping Technical Leadership

Even if the Defense Department instituted all these changes, there’s still the crucial issue of technical talent in Cyber Command’s leadership positions. Thanks to limited lateral entry, few commanders at the lieutenant colonel (Navy commander) level or above could do an operator’s or a tool developer’s job. This situation is unacceptable everywhere else in the military. For all its failings, DOPMA does produce leaders who have excelled at lower levels. The senior ranks are full of former F-16 fighter pilots, Army Rangers, submarine captains, and Marine platoon commanders.

There are three ways Cyber Command can bridge the technical talent gap.

First, the services can direct commission top talent from industry into the field-grade ranks to give junior officers technical mentors. Programs are already underway to direct commission cyber officers, but we’re limited to bring new accessions in at first lieutenant (Navy lieutenant junior grade). If a senior vulnerability researcher from, say, Google’s Project Zero wants to don a uniform and lead a tool developer battalion, the military should absolutely have the flexibility to make that happen.

Second, services can spot promote the most promising junior officers. General officers in the cyber branch should be able to promote their most talented hackers ahead of schedule to help fill the talent lacuna in the field-grade officer ranks. They simply can’t rely on centralized promotion boards.

Finally, the military should incentivize departing talent to remain in the National Guard or Reserves. Brig. Gen. Stephen Hager is a modern example of how the military can successfully invest in highly technical future senior leadership. After leaving active duty in 1995, he joined the Army Reserves and moved to Silicon Valley to begin a new software-engineering career. Nearly two decades later, he came back on active duty to oversee construction of the strategic communication network in Afghanistan. Currently, he serves as second in command of the Cyber National Mission Force, the Cyber Command unit charged with “defending the nation by identifying adversary activity … and maneuvering to defeat them.” He’s widely regarded by the hackers in his organization as a superlative exception to the non-technical-leadership rule.

What’s the Worst That Could Happen?

Cyber Command wouldn’t be risking much to implement a few recommendations from this article. Promoting a few junior officers five to ten years ahead of schedule, paying for some freshly commissioned servicemembers to obtain their Ph.D., direct commissioning a few senior officers, and authorizing some substantial incentive pay won’t cause an implosion. On the contrary, the potential upside of retaining a few more extremely talented individuals, and of employing them at senior levels of leadership, is enormous.

Perhaps the services can’t — or shouldn’t — manage to keep hackers in, and what the Defense Department needs is a cyber service. While we debate the merits of that massive organizational restructuring, let’s implement some simple measures to stem the bleeding.

Cyber Command should strive to make a home for its most talented members. Otherwise, it should expect the secretary of defense to echo the broad disappointment of his predecessor.

 

Josh Lospinoso is an active duty Army captain. After graduating West Point in 2009, he earned a Ph.D. at the University of Oxford on a Rhodes Scholarship, where he also co-founded a successful cybersecurity software startup. After graduating Infantry Basic Officer Leader Course and Ranger School, he transferred into the Army’s newly formed Cyber Branch in 2014 and became one of the Army’s first journeyman tool developers. He currently serves as the technical director for Cyber National Mission Force’s tool development organization. He is resigning from active duty to complete his forthcoming book, C++ Crash Course, and to prepare for his next entrepreneurial venture. He keeps a blog and tweets at @jalospinoso.

The views and opinions expressed in this paper and or its images are those of the author alone and do not necessarily reflect the official policy or position of the U.S. Department of Defense, U. S. Cyber Command, or any agency of the U. S government.

Image: Defense Department