17 July 2017

Building a cyber ROTC


By Michèle A. Flournoy and Amy Schafer

In the past week, crippling cyberattacks have been directed at Ukraine — targeting banks, the postal service, the airport in Kiev, and other major industries, disrupting the day-to-day lives of Ukrainians already embroiled in a three-year-long conflict with Russia. The United States has faced similar targeting, with phishing attacks against nuclear power plants and other key infrastructure attributed to Russia.

Cyberattacks have also interfered with the presidential election, exported sensitive personnel data from the federal government, stolen technology secrets from defense companies, and hacked into military networks. The frequency and severity of these attacks underscore the importance of having robust cyber talent to protect the economy, the military, the government, and the nation.

Yet the federal government lacks the cyber talent it needs to defend government, military, and intelligence networks as well as assist the private sector in protecting critical infrastructure. It also lacks the talent to conduct offensive cyber operations when warranted. Moreover, it lacks a talent management strategy to recruit, develop, and retain cyber talent. Notwithstanding requisite pockets of expertise in the intelligence and military communities, current personnel systems are generally not delivering the quantity and quality of cyber talent the government needs to fulfill its roles.

Granted, this is no small challenge, as the competition for these specific skillsets nationally is incredibly fierce. Some 43,000 Americans graduate with computer science degrees every year to fill an estimated 500,000 job openings. With companies launching bidding wars for talent and offering ever larger salaries and benefits packages, it’s hard for government agencies to compete. That said, there are a number of steps that Congress and the administration could take to attract and retain high-quality cyber talent to serve in the public sector.

First, the administration and Congress should work together to create an ROTC-like program to attract and develop a pipeline for cyber talent in public service. Here’s how it might work: Undergraduates and graduates in relevant computer science programs would compete for government-funded scholarships that would cover the costs of their university degree. In exchange, they would owe the government five years of service and would be assigned to an agency or mission based on their skill set and the greatest need. After completing their required service, they could compete for a permanent government position or leave to pursue their career elsewhere.

Building a successful cyber pipeline will also require recruiting from the right places. For starters, the federal government should ramp up its efforts to target the best computer science programs at the best universities across the country. Too often, federal agencies are no-shows at cyber recruiting events and job fairs. Although the government may not be able to compete with the private sector on compensation, it has a compelling comparative advantage: It offers the chance for recruits to work on projects that make a difference and serve the public good. Emphasizing the opportunity to work on a “mission that matters” and, in some cases, to work with key technologies on tough problem sets not found in the private sector, can be a deal maker.

Next, the administration should establish a talent superhighway between the federal government and the private sector, with the flexibility and incentives to enable cyber professionals to seamlessly transition between the two worlds. Government agencies should offer sabbaticals and fellowships for selected personnel to spend time in the tech sector to refresh their skills and gain new experience to bring back to their agencies. By the same token, fellowships should be offered to private-sector cyber experts to enable them to serve for a two or three year rotation in government working on an important public-sector problem. To its credit, the Obama administration piloted a similar approach by establishing the US Digital Service. This approach deserves to be refined and scaled to enable thousands of tech professionals (rather than a few dozen) to work in government each year.

In a similar vein, the US military should create new cyber reserve units concentrated where talent already exists — regardless of whether there is military infrastructure in place. Taking a page from the Defense Innovation Unit Experimental organization that was established to serve as a bridge between the Department of Defense and the tech community, the Defense Department should also invest in establishing cyber reserve units in places such as Silicon Valley, Austin, Seattle, and Boston. This not only provides an opportunity to harness the talents of those who would otherwise not consider serving in a full-time capacity, but also to begin cross-pollinating between the two communities and organically generating further interest in the most competitive regions and companies for the work the military is doing.

The ability to retain top cyber talent would also be helped enormously by allowing for the use of a non-standard pay scale, allowing higher compensation levels as well as targeted bonuses to attract and keep cyber professionals with hard-to-find skills in critical areas, including signing and retention bonuses similar to other in-demand fields, such as pilots. Relaxing some of the more stringent requirements to access the best talent also makes a lot of sense. The military needs top engineering talent regardless of whether or not they have tattoos, man buns, or the ability to pass a physical fitness test. Though cyber may prove to be an essential offensive capability for the military, much of it will be used remotely, not requiring the same physicality we traditionally think of for those on the front lines.

The cyber challenges facing the United States are real and multiplying. The federal government needs to get serious — and creative — about recruiting, developing, and retaining the technical talent we need to protect our nation.

Michèle A. Flournoy is cofounder and CEO of the Center for a New American Security and former undersecretary of defense for policy. Amy Schafer is a Research Associate at CNAS.

No comments: