Students at the U.S. Air Force Network War Bridge Course learn modern cyber operations under the aegis of the Air Force Space Command. The Air Force risks losing the effectiveness, and the personnel, of its cyber force unless it addresses critical cultural issues in that domain.
http://www.afcea.org/content/?q=Article-air-force-cyber-mission-success-depends-cultural-change
October 1, 2015
By Maj. John Chezem, USAFR
The service ignores this vital aspect at its own risk.
As the U.S. Air Force develops its computer security forces, it finds itself caught in a web of ineffective policies and generational conflict. The arrival of people who have grown up in the information age exacerbates the 21st-century generation gap. Fortunately, a clear understanding of the root causes of problems illuminates sound models that can be evaluated and adopted to support the success of Air Force cyber.
The service has seen a mass exodus of talented cyber professionals over the past few years. Many leave because they are frustrated with Air Force cyber’s constraints and flawed policies. Although not typically the driving factor, pay for industry jobs is often better, further encouraging departure.
Those who do stay struggle to effect change. Often, they advocate good ideas, and their opinions are supported by peers and leadership, but generally people who can enact change cannot be identified. Ideas are floated from office to office, and seldom is action taken to resolve mission needs. The common policy modus operandi is a shortsighted checkbox mentality to appease leadership rather than to stop broken processes and evaluate where policies and procedures do not make sense or are barriers to mission needs.
At the heart of the military’s problems in cyber is culture. A careful look at effective cyber organizations, including an evaluation of how U.S. agencies can mimic their cultures, must be the first step in solving problems.
One Air Force cyber leader, Joy M. Kaczor, states, “With the introduction of the cyberspace domain, the Air Force culture must evolve to truly embrace cyberspace operations and integrate it into the full spectrum of operations.” Another leader, Capt. Robert M. Lee, USAF, states the U.S. Air Force cyber community is failing for a fundamental reason—the community does not exist (SIGNAL Magazine, November 2013, page 56, “The Failing …”). Kaczor and Capt. Lee identified the following: Few professionals within the military understand cyber technically. More fundamentally, they do not understand the culture.
Lt. Col. William D. Wunderle, USA, goes into great detail about the importance of understanding culture in his study, “Through the Lens of Cultural Awareness.” Col. Wunderle’s focus is on errors made from cultural ignorance in past U.S. military engagements. He states, “A lack of cultural awareness among American forces has led to an increase in animosity among many Iraqis and contributed to a negative image of the U.S.” This can be said of any party’s cultural ignorance toward another.
Similarly, Air Force leadership has not understood the culture of cyber, in large part because cyber is a completely different paradigm with a completely different culture. Cyber professionals think differently, learn differently, follow authority better with atypical motivations and expect an unparalleled level of autonomy. For Air Force cyber to succeed, significant changes need to be made culturally, executively and in training to draw the right people at both technical and leadership levels.
Misunderstanding this culture has had a wide range of consequences on everything from hiring to training and assigning job roles. One Air Force cyber unit touted as successful was given the task to grow more units like its own. Funding and staffing were more than doubled, and a spree of civilian hiring took place. This led to large disparities between requisite skills and new hires’ backgrounds. The newly hired civilians were not interviewed; although their resumes looked great, many struggled to perform with technical proficiency a year later.
Capt. Lee states that through its actions, the Air Force has shown it considers cyber skills all the same, with the separation being described as offense, defense or intelligence. This lack of specialization, functional separation and training investment adds confusion that will hamper the mission (SIGNAL Magazine, February 2015, “Saving the Air Force Cyber Community”).
New hires come from a variety of backgrounds, and some comment, “I don’t understand or care about cyber … it’s just a job.” In the flying community, this attitude might get someone killed, yet cyber, unfortunately, has neither adopted the culture to weed out these people nor cultivated the interest of the right people. What Air Force cyber has done under the guidance of the Air Force Space Command is implement strict hard-line training policies with little margin to pass examinations and a checkbox mentality geared to the lowest skilled denominator, appeasing policy and leadership. Mission qualification criteria is mind-numbingly detailed but technically simple. Test rigor derived from specific processes bears little impact on operations, and test criteria disqualify many cyber operators.
Along with numerous instances of subjectivity in rating candidates’ skill sets are test development problems that lead to unnecessary failures.
Because of these continued problems, many subject-matter experts have left. In one cyber unit, over the past four years, 80 percent of its top cyber operators separated when able. Some left for better pay. According to a former top cybersecurity expert at NASA who now works at Google, the typical starting salary for a comparable job in private industry is about $155,000—the maximum he could make working for the federal government.
However, the underlying problem is less apparent. The younger generations that embrace cyber culture already are everything the government is not: fast-moving, restless for change and entrepreneurial. Many cyber technical personnel tire of dealing with frivolous processes and policies that impact their ability to work and consume most of their time. It’s only natural that they might entertain other options. One federal employment survey found that at many offices, half the staff members think of leaving.
The growing federal cyber work force has more nontechnical than technical members who have extensive federal backgrounds and are well-versed in writing policy and doctrine. They churn out vast amounts of documentation, ensuring job security, but produce wordy, complex policies that create technical and operational barriers and further drive away talent. Many people within top cyber units agree that the system is broken. But they also offer a resounding statement: This is the government. Did you expect it to work or be any better?
Actually, yes. Cyber culture expects to be able to fix it.
Recent research reflects the consequences of a culture that refuses to evolve: Young talent, and motivation, withers. A study of young federal employees from fiscal years 2009-13 showed that work force age demographics are shifting rapidly. The number of federal employees under age 30 is dropping precipitously, from 11.4 percent of the work force to 8.5 percent.
The solution is to fix the root cause—culture. This can be accomplished with the three-tiered approach outlined by career analyst Daniel H. Pink, the best-selling author of Drive: The Surprising Truth About What Motivates Us. The three components Air Force cyber requires to be successful are autonomy, mastery and purpose.
Air Force cyber needs to provide autonomy via a laboratorylike environment. Cyber operators should have direct access and full authority to bring about change and train on equipment to hone skills. Also, Air Force cyber’s leadership model must allow decision making at the lowest level appropriate. Higher leadership would request end products or deliverables, giving authority to unit leadership for decision making to train and direct operations.
Skill mastery is accomplished by allowing time to train and research, with unfettered access to information on the Internet. For a sense of purpose, these operators need a tangible and finite goal. This can be achieved through competitions that drive deeper levels of learning and higher performance.
Unit and leadership models must be redefined. Four successful models already developed would improve the operational and strategic goals of Air Force cyber.
First, cyber needs to be quick, lean and efficient, clearly focused and organized for success, with leadership as smart and as knowledgeable as operators—similar to Special Operations Command (SOCOM). SOCOM is “unique because it can act as a supporting or supported command, and it has its own budget authority and program objective memorandum,” says Paulette M. Risher in a National Defense University publication. The SOCOM model enables leadership to determine precise and efficient policies and processes, stripping away restrictive and unsuitable policies that impede cyber. Capt. Lee and other cyber experts recommend the SOCOM model of well-trained focus areas within units.
Second, a new educational model and accessions pipeline needs to be adopted. This would be similar to the model for medical corps doctors. By necessity, most successful cyber organizations expect all operators to be highly skilled. The Air Force has defined cyber by depicting the elite, most technically proficient security experts who, when all else fails, come to save the day. However, it places any computer information technology person within these units. This problem reinforces the Air Force’s need to reconsider its cyber training pipeline and align more closely with the rigor of medical corps doctors. The medical equivalent of the current Air Force cyber pipeline would be taking newly appointed military members, sending them through six months of anatomy study and then expecting them to be proficient at performing surgery.
The third model for Air Force cyber would be to align work roles with industry best practices. The military neither develops operating systems nor fabricates central processing units that compete with Microsoft or Intel, so defining new and unique job roles in cyber should be no different than that nonconflicting approach. Successful cyber organizations are adept at defining and executing work roles. Air Force cyber could borrow from companies such as Mandiant, which successfully identified and captured forensically the infiltration of a nation-state actor. It could model training and job functions after Mandiant for forensics roles—what the Air Force calls “hunt” or even more recently changed to defensive counterinfiltration. Continual name changes to military job roles are common, but they only strengthen the argument that leaders do not understand cyber. This implies a greater focus on doctrine rather than the right people and capabilities.
Lastly, the fourth model for success in cyber is a training model mirroring Olympic athletes and Navy SEALs. It has been said that a championship requires not only outstanding athletic ability and long-term training progression, but also peak performance at the right time. The same goes for cyber. Industry cyber operators have the skills and aptitude to present at Black Hat information security conventions. They depict their training and effort as always honing abilities further, similar to Olympians or Navy SEALs. Air Force cyber needs to follow this training model by removing distractions such as additional duties and inefficient human resources processes placed on its technical operators.
Either leadership continues down a path where talent, motivation and technical skills wane, or it realizes these problems and takes action based on the advice of the nation’s successful cyber professionals.
Maj. John Chezem, USAFR, is a cyberwarfare operations officer. The views expressed here are his alone and do not represent the views or opinions of the U.S. government, the Defense Department or the Air Force.
- See more at: http://www.afcea.org/content/?q=Article-air-force-cyber-mission-success-depends-cultural-change#sthash.OU349XsY.dpuf
No comments:
Post a Comment