Over recent years, the Department of Defense has put a number of program and policy initiatives in place to make it easier to recruit and hire cybersecurity personnel to support the military’s increasingly digital mission. And yet, the department continues to struggle, like others across government, to make meaningful progress in narrowing its cyber skills gap, top IT officials testified this week.
“I am concerned about the pace” at which DOD is hiring and training cyber personnel, Lt. Gen. Dennis Crall, CIO of the Joint Staff, said during a hearing before the Senate Armed Services Subcommittee on Personnel on Wednesday. “I think the divide between the need is growing compared to what we’re able to fulfill. I’m not sure we’re closing the gap, and time is ticking for us to do so.”
Veronica Hinton, acting deputy assistant secretary for defense for civilian personnel policy, described the DOD as “one of the three largest markets” for cybersecurity talent in the U.S., competing in the ruthless battle with big tech companies and others in the private sector for top personnel out of college. To improve the department’s chances in this battle, Congress has approved hiring and pay flexibilities like the Cyber Excepted Service not afforded to other agencies, while the DOD itself has worked to streamline its recruitment and better work with industry and universities.
While those initiatives in earnest are meant to work toward narrowing the skills gap, Crall said it might not be enough to keep up.
“The digital nature of the fight that we expect, especially at pace and speed, is going to demand a workforce and talent level that we have not seen before,” he said. “The human-machine interface brings a demand that is going to have to be found, cultivated, educated and implemented to get that level of experience as we learn and work our way through this new capability set.”
Continuing, Crall said, “I’m not absolutely certain” the military will be able to get “the right talent delivered at the right time.”
Admitting his take as “more sobering” than his colleagues’, Crall pointed to DOD’s limited understanding of cyber professionals as the glaring issue. “I don’t think we know our target audience as well as we need to. We need to find out what really motivates individuals to want to serve in the capacity that we’re offering.”
He also said the department must do a better job at evaluating the programs and policies set in place to bring on cyber talent. “While they’re interesting to approach and employ, they may not all deliver in the way that we expect.”
Acting DOD CIO John Sherman acknowledged too that there is “still work to be done” and that “we need a more holistic north star” to guide the department’s cyber mission, saying his office will prioritize developing a new cybersecurity strategy to update the previous version from 2018.
“We’ve put many of the key foundational mechanisms in place and have actively leveraged the tools at our disposal,” Sherman said. “But we must build on the progress by updating our overarching strategy to ensure our workforce is prepared to implement zero trust and the other latest approaches to defending our enterprise.”
Sherman really emphasized zero trust as an emerging concept that will widen the aperture for the types of skills the DOD will need to consider for cybersecurity moving forward. “For this and other evolving cyber strategies, we can expect to draw an even wider range of skill sets in areas like data and artificial intelligence,” he said.
Likewise, Crall said it’s hard enough to plan for the cyber needs of the department today — thinking ahead, say five years, is even harder as the U.S. military moves closer to its sensor-driven, connected warfare operating concept of Joint All-Domain Command and Control (JADC2).
“We have not onboarded the very capabilities we need to employ: machine learning, autonomy, artificial intelligence, a real cloud-based environment, pushing that processing to the tactical edge and a reformed network,” Crall said. “So the speed with which that’s going to require us to operate is going to have a level of human-machine interface we’ve never had before. And it’s hard for me to believe that the force we’re looking at today is necessarily rightly aligned to that new mission set. We’re going to have to lead-turn this and keep a careful eye on what those skill sets are necessary to bring this on board.”