Every Marine a Blue-Haired Quasi-Rifleperson?
All the U.S. military services suffer a shortage of competent and experienced cyber talent. But with a tiny pool of eligible candidates willing to do work for the Department of Defense, hiring programs need to rely on more than just patriotism to be successful. The most recent attempt to shore up cyber capabilities comes from the Marine Corps’ announcement that it will create a Cyber Auxiliary. Here too, this program runs aground by asking for too much and offering too little. The Cyber Auxiliary seeks volunteers willing to provide the “training, education, advising, and mentorship” needed within the Marine Corps, and to provide hands-on instruction in simulated environments.
The Marine Corps is feeling the pressure for real-world skills and training to defend its systems and to conduct offensive operations under conditions of competition as well as combat — especially as it continues to put flesh on its future warfare concepts, specifically its expeditionary access basing operations concepts in the joint fight. Whether those capabilities are provided by Cyber Command, or are organic to the force itself, the capability to integrate with cyber warriors and defend systems — particularly for expeditionary basing — matters. In theory, this is what the Cyber Auxiliary will do: guide and train the Marine Corps in supporting, conducting, and facilitating those operations. The details, though, as with many things in cyber, are scant.
In an innovative move for the Marine Corps, Cyber Auxiliary participants refreshingly need not meet the Marine Corps’ physical fitness requirements or its grooming standards to join — hair color and pull-ups are no longer limiting factors in an institution that places value on conformity, personal bearing, and physical fitness. Insofar as this is the case, the Corps appears to be trying to move beyond its self-imposed high-and-tight, square-jawed image in order to increase the state of the Corps’ cyber readiness.
Nevertheless, the authors remain doubtful of its success. The Cyber Auxiliary as currently described attempts to entice a community it knows nothing about. It is trying to do this as an institution with antithetical values and a fundamentally different culture from the community it seeks to entice. In short, the program is trying to gain talent without accommodating it. While fitness and grooming standards are, perhaps, limiting factors to entry for a broader set of occupational specializations in the Marine Corps, there are bigger issues with recruiting and integrating the current cyber workforce than a penchant for mohawks, purple locks, and flowing beards. Cyber Auxiliary mistakes the loosening of typical requirements for actual incentives to become part of the Marine Corps.
Efforts Underway Across the Defense Department
All of the services, the Defense Department, and U.S. Cyber Command struggle to find, integrate, and retain talent. In recognition of the difficulties, the Defense Department and the services have developed special provisions to recruit and bring in cyber talent. Since becoming a full-fledged combatant command in 2018, Cyber Command has leveraged direct-hire authorities for the cyber workforce, allowing applicants to circumvent the inefficient USAJobs platform and competitive ranking and procedures.
Beyond this, some of the services have even opened up the direct commission route — previously only available for legal and medical professions — for cyber positions. Unlike the Marine Corps, the Army allows for direct commission into cyber jobs at potentially higher ranks “to develop programs and capabilities.” For enlisted positions, cyber operations specialists (17C) receive $300 of special pay on top of the total compensation package, with the potential for other hefty bonuses. The FY18 National Defense Authorization Act further expanded the services’ previous ability to bring in talent by allowing direct commission programs up to the O-6 level (section 502), in language generally seen as supporting cyber talent.
Similarly, the Navy now has cyber job tracks, and just in time. The Navy’s 2018 Cybersecurity Readiness Review was scathing in its findings, saying that “the DON [Department of the Navy] culture, processes, structure, and resources are ill-suited for this new era.” The report called into question the Navy’s ability to react to cyber threats, saying, “a real appreciation of the cyber threat continues to be absent from the fabric of DON culture.” The Navy is now looking to add an assistant secretary for cyber to centralize efforts and build policy.
The Marine Corps already has a cyber command (MARFORCYBER) to direct operations and defense of information networks and conduct full-spectrum military cyberspace operations. The command plans to double its size to improve capacity in the next few years. It includes the Marine Corps Cyberspace Warfare Group, whose issue set seems to overlap with the ideals of Cyber Auxiliary as currently imagined (the group is tasked with organizing, training, equipping, and providing administrative support to assigned forces).
If the Marine Corps wants to compete with other services, the federal workforce, and the private sector, and set an example for the Navy, it needs to be more realistic. For Cyber Auxiliary to be successful, the Marine Corps must seriously consider how to attract existing cyber talent rather than assuming talent will come.
Who Are You Asking to Volunteer?
The current, mature potential cyber workforce is largely divided into two overlapping worlds: the infosec crowd and the hacking community. Both sides are motivated by three things: money, prestige, and challenge. The way those things are prioritized matters.
Infosec types are the more traditional employee types. They work in firms that create the technologies, tools, and services that most understand as cyber security. The infosec crowd is largely represented through vendors such as Qualys, Cisco, and Accenture. If the military services are looking for contractors to do systems analysis, they are probably looking for someone in infosec. The ranking of motivation is usually money, then prestige, then challenge. Infosec employees are well-paid, they change jobs often, and if they are truly talented they will have little tolerance for “.gov” processes that take months if not years to complete. The Cyber Auxiliary will struggle to pull experienced infosec volunteers into its program, particularly due to the salaries and the autonomy of lifestyle that skilled professionals enjoy.
Conversely, the hacker community is just that: a community. Hackers are a collective of individuals motivated by taking things apart and breaking them, often with little regard for established rules. They are the rebel blood in cyber security, the deviants that do independent security research. There is no unified political ideology among hackers, but the white-hat community (the portion of interest to the Marine Corps — as opposed to black-hat cyber criminals) upholds an ethos of radical inclusivity as regards sexual orientation, gender identification, physical disability, religion, and race. Life as a professional hacker generally means a great deal of salary insecurity, poor options for career development, rampant burnout, and many opportunities to commit felonies. The rough ordering of motivation begins with challenge, then prestige, then money. Wildly successful members of the community go on to start their own firms in infosec, but many will be hired by firms like KnowBe4, Dragos, and Scythe looking to harness their hacking skill as part of their service portfolios.
Hackers able to do the work for the Marine Corps operate on the edges of the law, given their skillset. This will likely weed out a significant number of any candidates willing to step forward.
Whether from the infosec or hacking talent pool, Cyber Auxiliary is asking for volunteer help from an already overworked and increasingly burnt-out community. Andrea Limbago reported in 2018 that skilled cyber talent was leaving the field due to overwork, lack of challenge, poor pathways to professional development, and toxic company culture. This is also a community whose members, at least in part, are consistently mocked, stereotyped, and reminded that they are different.
It is in the face of these issues in acquiring and retaining talent that Cyber Auxiliary has drawn a bright line directly under their willingness to understand and integrate experienced talent. Sure, hair and physical fitness standards will be relaxed, but the Marine Corps has made it clear that members of the Cyber Auxiliary will not be permitted to wear the coveted eagle, globe and anchor that mark a true marine. Moreover, Auxiliary members will not be permitted to assist in actual operations. The Corps has effectively signaled, “Go ahead, give us your free labor, you’ll just never be one of us, you won’t make as much money as your private-sector peers, and you’ll never get to do really challenging stuff.”
It is unclear how that is enticing.
What Are You Willing to Give Up?
The other hurdle to making Cyber Auxiliary or any military cyber talent program functional is to realign the service’s culture so that it can actually integrate the workforce successfully. Culture is the harder reach, particularly for branches of the military with deeply embedded identities wedded to unrealistic masculinist images like those esteemed by the Marine Corps and Special Operations Command.
Thus, for Cyber Auxiliary we ask simply: Is it time for the Marine Corps to move beyond its trademark physicality? Is the only possible future marine its current cornerstone identity? This is the real innovation needed in the Marine Corps and why, we suspect, the program is so quick to point out that volunteers to this program are not actually marines. All the services are facing challenges to traditional warfighting activities and who does them, posing an identity question yet to be fully addressed by the Defense Department.
The problem is, the services have to review their standards, what qualifications are valued, and how to seriously foster and stand by culture change to solve this cyber security problem. And they need to do it now.
It is clear, and has been clear for quite some time, that the information age has thoroughly saturated defense. Current architectures and all future warfighting concepts are shot through with data, networking, and the evolving contests associated with them. There is no military service untouched by the peril (data breaches, hacks, spying) and promise (machine learning, distributed computing) of information systems.
What constitutes “the few, the proud” does not necessarily require physical stature as its primary consideration. Physical elitism was built into the Marine Corps identity in order to fit the warfighting requirements of a former era. What the Marine Corps (and all the services) needs to be asking is: What are the necessary characteristics of tomorrow’s elite warfighter? How do we shift the ideal image so that it can include the humans with the cyber skills we need? The branch of the military that succeeds in answering these questions first will be the most successful in recruitment and retention — even without offering six-figure Silicon Valley salaries.
The Marines Should Be First
Given the realities of the cyber workforce, the Marine Corps via Cyber Auxiliary should consider a range of alternate options to its current quest for volunteers. The following options range in feasibility from immediately doable, to politically tricky, to experimentally innovative.
On the immediately feasible side, Cyber Auxiliary should recruit its experienced talent from recently separated active-duty servicemembers. The recently separated do not face many of the barriers to selection and entry. Their sense of loyalty to the nation, ability to understand the culture of the military, and familiarity with government systems makes them a good fit as Cyber Auxiliary gets started. Moreover, from a cost-savings perspective, they will have successfully completed security reviews and will likely have held security clearances. It may even help servicemembers with their adjustment to civilian life.
A slightly riskier route is leveraging the many infosec companies that were started by former military and intelligence-community members. These mature professionals were acculturated to military systems and could be asked to give back to their government in time and energy. Though volunteers to Cyber Auxiliary should be willing to provide their time and experience free of charge and without any implied promise of contracts or affiliations, the benefits would go both ways. For this to work, instead of a blanket call for volunteers, Cyber Auxiliary should issue individualized invitations for public-private partnering between the most elite firms in service to the nation.
If the Marine Corps can tolerate risk, it could use Cyber Auxiliary to snipe talent from other countries. In a report calling for the creation of a civilian cyber corps, Natasha Cohen and Peter Singer mention “bug bounty” (that is, vulnerability research) programs as an example of a community that does freelance hacking work. The lion’s share of bug bounty work is being done in India. This means more than half of the elite hackers finding vulnerabilities in the United States are not even in the United States. Given the limited mature workforce in the United States, why not steal qualified talent from other markets? There are inherent security concerns, but if the Marine Corps is serious about patching its flaws, it should rely upon the community that already does it, which is in India. There is some precedent with the Military Accessions Vital to National Interest program, which recruited legal aliens residing in the United States with critical skills in return for citizenship.
The global recruitable workforce extends beyond the U.S. hacking community and the more corporate infosec crowd. It is a workforce waiting for an identity, but likely also one that would like to be paid in dollars and be given some sort of reputation for its willingness to do labor (even if it is just a work visa). Participation in Cyber Auxiliary is currently limited to U.S. citizens, which Cyber Auxiliary may want to rethink based on the specific kinds of work that need to be conducted.
Finally, the most experimentally innovative option is for the Marine Corps to recognize that its elitism defines being a marine too narrowly. Clinging to the mystique of physical prowess will harm its relevance in a space where a smaller force could do remarkably well. The Marine Corps is unlikely to change its culture, but to draw people into Cyber Auxiliary, it has to reconsider how it recognizes and rewards talent. In order to successfully draw people into Cyber Auxiliary, the Marine Corps has to reconsider how it is recognizing and rewarding talent. A truly innovative approach would be to accept that “the few, the proud” can also consist of cyber prowess. Rather than deny cyber talent the ability to be marines and wear the uniform, the Marine Corps should determine which aspects of training and standards are required while also creating a competitive force and admit that a patriotic marine can also secure, defend, and respond to cyber attacks without needing to meet the physical standards of the infantry.
The vision of the Cyber Auxiliary support roles remains unclear with the exception of the official statement that they will “train, educate, advise, and mentor.” Further in, the announcement states: “The Cyber Aux will assist in simulated environments and during periods of instruction, but are not authorized to execute hands-on cyber activities.” The role sounds like teaching cyber tactics without enjoying any of the fruits of your labor. On the infosec side, there’s no money, and there is the potential negative reputational blowback of working for the Defense Department. On the hacking side, there’s no fun in the challenge, and a lingering sense that you don’t belong as a real marine. Beyond this, the job likely also involves the gritty boring stuff: teaching cyber hygiene, updating security systems, and running network cables to set up cyber ranges. That work is hard, unrewarding, and likely to burn out a volunteer auxiliary fast. We ask again: Why not make them full-on marines? Pin them and bring them into the fold. If the motivation of the hacking community is challenge and prestige, bring them in as full Marines and give them a seat at the table.
We admit, it is easy to pick apart just about any program for finding cyber talent. No matter what course of action Cyber Auxiliary takes as it develops, it should be applauded for its attempt to move beyond too-narrow identities of who contributes to defense and security. But successful cyber-recruitment programs need to understand the limiting factors as well as the motivations of the communities who work in these spaces.
Historically the Marine Corps has been the smallest and most agile force and can afford to take serious risks because of its structure and size. If there exists the possibility of making an immediate and innovative pivot, that change is possible in an organization of the Marine Corps’ size and risk-acceptant culture. While the Marine Corps has the mentality and approach to challenge the cyber community, most other aspects of Marine Corps culture run fundamentally against these initiatives. Without the ability to recognize and reward skills not seen as central to being in the Corps (like combat arms), the Marines are not truly investing in a Cyber Auxiliary. Instead, the Marine Corps is tip-toeing around a real solution — acted on by the Army — which is direct commission programs and lateral-entry options to recognize true cyber and hacking expertise.
Nina Kollars is an associate professor at the U.S. Naval War College Strategic and Operational Research Department, Cyber & Innovation Policy Institute.
Emma Moore is a research assistant for the Military, Veterans, and Society Program at Center for a New American Security.
Image: Defense Department