The Army Wants To Recruit Cyber Experts By Hiring Civilians At Rank Of Colonel

Having recently worked with an Army Cyber Protection Team, they need all of the help they can get. You're going to "defend" a network and don't know the difference between UDP and TCP?

Cyber, please....
 
It's really not the Officer piece I'm worried about at all. We've been doing that for awhile. But on the enlisted side I don't think the Army has ever done a two-week orientation thing like the Navy previously did for reservists.
 
Having recently worked with an Army Cyber Protection Team, they need all of the help they can get. You're going to "defend" a network and don't know the difference between UDP and TCP?

Cyber, please....

There's NO excuse for that one...

@104TN - I see what you did there.

For others that may not know, those are the two basic (standard) protocols used in computer networking. They're taught on day 1 of the networking phase of 25B school. It would be like an infantryman that doesn't know the difference between 5.56 and 7.62. If a cyber team doesn't understand the building blocks, how will they protect the whole? Unforgivable IMO.
 
I think the observations in your post are strengthening the argument for outside experience rather than opposing it.

Decisions on architecture, implementation, design, and training pipelines are made by commanders and leaders - not technical experts brought in. All of those decisions are structural in nature - meaning they are going to impact significantly on infrastructure, contracting, and budget - all of which require more buy-in than a single leader.

In the civilian world it's not the techs that make those decisions either. IT is a support function in the private sector also. We advise on the proper infrastructure and budget required to execute a strategy or vision. The business ultimately makes the decision on whether or not to fund the project. The civilian experience at the higher level is EXACTLY what the military is missing. I don't think anyone, including myself, @104TN , @AWP or the Army is advocating just giving officer rank to the wiz kid from the local startup. The issue that needs to be addressed is the systemic and cultural issues within the military that are driving the lack of competency in the cyber fields. The technical "how-to" can be taught. The strategic mindset has to be learned via experience.

One of the benefits of the business world is being able to structure authority and organizations to meet business goals. Market competition helps to weed out failure as measured by profit margins. Government and especially the military and IC don't have the same structure - for good and for ill. If the NSA does a shitty job at SIGINT they don't go out of business in favor of a start-up SIGINT section at the FBI. Similarly, the head of the NSA doesn't get to re-organize against EO 12333 because SIGINT coverage is spotty in a target area.

The approach used in business is the same as should be used in the military. At the macro level the military is all about mission alignment, budgets, resource allocation, strategic use of assets and project management of time sensitive projects. ALL of the same things that senior IT leaders (CIO/CTO/CISO) are focused on in the private sector. The biggest differences are in how success is measured and the impact of a failure. In the business world, if you fail (as an individual) you simply start over at another company. In the world of Cyber Defense, you only get to fail once.

Medical professionals are brought in at a high rank to execute their specialty - not to run hospitals. An O-6 thoracic surgeon is brought in to be a surgeon - and they do that under very clear guidelines of professional medical standards (that are the same as the civilian world), in a clear structure (the hospital setting). None of those are present in cyber, where authorities to operate are even more important frequently than the technical skills to operate themselves.
There's a reason ATO is so hard to get. It's because the people who wrote the processes for gaining ATO didn't understand the real world of IT. They went out and did a bunch of research on best practices and then took every single one of them and stuffed them into a series of regulations without any regard to the mission. It's the difference between theoretical and practical knowledge. Then you add in the military's insane need to put everything in a process to the smallest detail and you end up with a set of criteria that is nearly impossible to meet in any type of short time frame. Institutionally that results in a culture where finding ways around the regulations is a path to success rather than having a culture where working within the framework allows for success while still maintaining control. It's a cultural issue, not a technical one. The military will NEVER solve that issue without bringing in outside perspective. Its own institutional practices will hamstring any effort to do so. Sometimes you just need a fresh set of eyes that have dealt with similar issues in other organizations that have a similar scale.

The biggest problem with the whole effort of bringing in civilian IT folk at the flag officer level is that it will never be funded in a way that will attract the level of talent that they should. The people that need to be recruited make more money than the Executive branch of government. Hell, I make more than the SC schedule allows and I don't have a college degree. Throwing O-6 rank and pay out there won't attract an experienced CIO from a company in the $1B+ range. What they need are Fortune 1000 CIO's and they're not even close to the compensation levels.CIO Compensation: Top Information Technology Executives Make Millions of Dollars O-6 compensation will attract the people who WANT to be CIO's in those companies and the people who couldn't make it in those companies. The military doesn't have the knowledge to tell the difference. If they simply judge by a person's resume, things will get worse, not better without some luck. That said, I think they have to try because, as it stands now, the military IT effort isn't self-sustaining and it will have to become so to remain relevant in the future.
 
There's NO excuse for that one....

In three days' time we had:
- UDP vs TCP
- A CW3 ask for a commercial drop into our server room. "Well, can we get Wi-Fi in here? We need to download some drivers." (I thought he was testing us but....)
- The same CW3 then asked where he could plug his Army laptop into an Air Force network. I actually laughed at this point and told him if they can't provide us with their requirements then they should expect limited to no support. (Which leads me to...)
- No hardware requirements except for "a server with 32GB of memory and enough disk space to run xxxxx and store log files." That's too easy to source. Then they arrived and couldn't believe that we "didn't have" what they asked for. The CPT's have so much clout and visibility we had to pull one of our warm spares to give to them and their tests until new equipment could be purchased.

It was pure cluster, especially when they couldn't read the log files from their software. "I think this is..." does not inspire confidence.

As an aside, we're going through our DIACAP (now called RMF) package to press for an extension to our ATO. Our ATO has about a year left and the GS' running the show started our RMF three weeks ago.

You can't make up this stuff. Assuming we have guys with the right tech knowledge, management isn't there. If we have the proper managers I question if the tech knowledge is there. I might be new to DoD security/ IA work, but damn....8570 reads like a fairy tale when compared to the real world.
 
That there can be successful lateral entry is not an issue. That argument was put to bed decades ago, and has been successful ever since.

How they would be integrated and what kind of scope and leadership roles they are given are the questions.
 
@compforce I disagree, but I don't think I can add much more to the points I've already made.

The way I see senior officers operate, influence, and lead in the national intelligence community doesn't match up with what I see as these civilians' bringing to the fight. I think I'm in a good position to have an experienced take on what COL's and GO's do in the IC. However, my knowledge of what senior industry IT leaders bring to the table comes almost exclusively from HBR podcasts and the HBO show Silicon Valley. So, probably not so much expertise there. If I were in a decision room where this came up I would argue against it.

Also, I have to acknowledge knowing how 'things are done' and understanding how they SHOULD be done or COULD be done is always tough. I don't want to be like the douchebags who criticized COL Youngling's article about generalship by saying 'you're not a general so you can't criticize generals.' That kind of intellectual cowardice should have no place in a professional discussion.

I think if CYBERCOM is committed this kind of idea they should try brining over an SES from industry first - see what works and what doesn't - before a pilot on officer billets. But, ultimately we'll have to see how this works if they try it.
 
@Teufel

The focus on information operations will require soldiers to sift through a massive amount of information in cyberspace, determining the enemy’s deceptive tactics just like they would on the real battlefield. The transformation will also be a physical one, with information-related operations moved from Fort Belvoir, Virginia, to Fort Gordon, Georgia, as early as this spring. The rest of the transformation is expected to take place by 2028.

'We want to win the next war': US Army will revamp cyber operations to counter Russia and China
 
I will add a few things here as a non technical commander in the cyber field. The biggest things I bring to the fight for my team is how I interface with the rest of the DOD and IC. I translate my commander's intent down to my people, which sounds super obvious but I don't always see my peers do this effectively. Senior commanders should be able to turn intent into campaign plans and operational design. Intent can also be challenging as things become less clear and directive at the senior levels and C2 gets more complex. Right now I have an ADCON boss, OPCON boss, frequently answer directly to my COCOM CDR, and directly support three four star commands whose priorities don't always align. I do my best to interact with all these commands, weigh all their priorities and come up with a plan to address them, which ultimately my OPCON boss signs off on. He takes the heat if I mess that prioritization up or come short in any line of effort. We've done pretty well so far. The second translation, which is often more important, is how I translate what my people can do and advocate for them. I see many of my peers fail miserably at this because they drift into technical details that force GOs to drift to sleep and ultimately non-concur with otherwise sound plans. I've seen this time and time again. I've actually won resource battles with other units because they hit the J3 with a bunch of unorganized techno babble with one COA while I put things into succinct options, with projected timelines for accomplishment, that weigh risk to mission against risk to force and infrastructure. This has also helped me win intel gain/loss arguments by weighing operational gain/loss.

Leadership is leadership. It would be great to develop technical leaders and I think one day we will do a better job of this as people grow up in cyber. I replaced a technical "leader" who never visited his troops and didn't submit a single award for any of his subordinates throughout his three year tour. I think we benefit more from putting strong commanders and leaders in cyber and surround them with sharp technical advisors, than thrust technicians into senior leadership billets without strong leadership and planning skills. I already see a lot of field grade officers who can't get anything done in my building because cyber is still a performance sport and you need more than technical skills to be a good cyber Colonel. Keep in mind that senior field grade officers frequently interact with their peers outside of cyber command and need to speak the same language as they do. Just make these super technicians GS15s and call it a day. That will give them the pay and authorities the DOD wants them to have, without any of the military expectations associated with field grade ranks.
 
Last edited:
@Teufel , I need to get back up there for a chat. I’ll send you stuff related to the shit show I’m going through:

@AWP will enjoy this

unit: ”We need a X!”
feds: “mmm, I dunno. Why?”
bigger unit: “Cute, when can we expect a fed to arrive at the unit?”
feds: “We have a highly qualified candidate who arrives soon.”
unit: happy dance
me @ unit: “I’m here to fuck shit up. Feds, I need all this stuff.”
feds : “mmm, I dunno. Why do you want that? What do you do for the unit there?”
me: “counterparts @bigger unit say it need it. Wait, what? You’re asking what I do here?”
feds: “Yes, why do you need it? what mission does that unit have?”
me: “ You phuxers didn’t think to ask that shit and figure it out before I arrived?”
feds: “relax. You won’t get promoted talking like that. Let’s VTC to discuss.”
me: “You phuxing rocket surgeons didn’t allocate VTC equipment for our network. So we can’t VTC.”
feds: “hmmm. Ok, let’s polycom.”
me: “same rocket surgeons didn’t allocate a phone for our net.”
feds: “submit a request.”
me to SAME Fed supe: “I need a phone & VTC to commo.”

I shit you not the reply went along lines of...

feds: “Yes, why do you need it? I honestly don’t think this will be approved. what mission does that unit have?”

O_o
 
@Teufel , I need to get back up there for a chat. I’ll send you stuff related to the shit show I’m going through:

@AWP will enjoy this

unit: ”We need a X!”
feds: “mmm, I dunno. Why?”
bigger unit: “Cute, when can we expect a fed to arrive at the unit?”
feds: “We have a highly qualified candidate who arrives soon.”
unit: happy dance
me @ unit: “I’m here to fuck shit up. Feds, I need all this stuff.”
feds : “mmm, I dunno. Why do you want that? What do you do for the unit there?”
me: “counterparts @bigger unit say it need it. Wait, what? You’re asking what I do here?”
feds: “Yes, why do you need it? what mission does that unit have?”
me: “ You phuxers didn’t think to ask that shit and figure it out before I arrived?”
feds: “relax. You won’t get promoted talking like that. Let’s VTC to discuss.”
me: “You phuxing rocket surgeons didn’t allocate VTC equipment for our network. So we can’t VTC.”
feds: “hmmm. Ok, let’s polycom.”
me: “same rocket surgeons didn’t allocate a phone for our net.”
feds: “submit a request.”
me to SAME Fed supe: “I need a phone & VTC to commo.”

I shit you not the reply went along lines of...

feds: “Yes, why do you need it? I honestly don’t think this will be approved. what mission does that unit have?”

O_o
Zoom or Skype for Business?
 
@Teufel , I need to get back up there for a chat. I’ll send you stuff related to the shit show I’m going through:

@AWP will enjoy this

unit: ”We need a X!”
feds: “mmm, I dunno. Why?”
bigger unit: “Cute, when can we expect a fed to arrive at the unit?”
feds: “We have a highly qualified candidate who arrives soon.”
unit: happy dance
me @ unit: “I’m here to fuck shit up. Feds, I need all this stuff.”
feds : “mmm, I dunno. Why do you want that? What do you do for the unit there?”
me: “counterparts @bigger unit say it need it. Wait, what? You’re asking what I do here?”
feds: “Yes, why do you need it? what mission does that unit have?”
me: “ You phuxers didn’t think to ask that shit and figure it out before I arrived?”
feds: “relax. You won’t get promoted talking like that. Let’s VTC to discuss.”
me: “You phuxing rocket surgeons didn’t allocate VTC equipment for our network. So we can’t VTC.”
feds: “hmmm. Ok, let’s polycom.”
me: “same rocket surgeons didn’t allocate a phone for our net.”
feds: “submit a request.”
me to SAME Fed supe: “I need a phone & VTC to commo.”

I shit you not the reply went along lines of...

feds: “Yes, why do you need it? I honestly don’t think this will be approved. what mission does that unit have?”

O_o
Such a diva. ;-)
 
@Teufel , I need to get back up there for a chat. I’ll send you stuff related to the shit show I’m going through:

@AWP will enjoy this

unit: ”We need a X!”
feds: “mmm, I dunno. Why?”
bigger unit: “Cute, when can we expect a fed to arrive at the unit?”
feds: “We have a highly qualified candidate who arrives soon.”
unit: happy dance
me @ unit: “I’m here to fuck shit up. Feds, I need all this stuff.”
feds : “mmm, I dunno. Why do you want that? What do you do for the unit there?”
me: “counterparts @bigger unit say it need it. Wait, what? You’re asking what I do here?”
feds: “Yes, why do you need it? what mission does that unit have?”
me: “ You phuxers didn’t think to ask that shit and figure it out before I arrived?”
feds: “relax. You won’t get promoted talking like that. Let’s VTC to discuss.”
me: “You phuxing rocket surgeons didn’t allocate VTC equipment for our network. So we can’t VTC.”
feds: “hmmm. Ok, let’s polycom.”
me: “same rocket surgeons didn’t allocate a phone for our net.”
feds: “submit a request.”
me to SAME Fed supe: “I need a phone & VTC to commo.”

I shit you not the reply went along lines of...

feds: “Yes, why do you need it? I honestly don’t think this will be approved. what mission does that unit have?”

O_o

Me as a KO: But first you must fill out this brand name justification for X and then tell me your requirement.
 
As @Teufel said, the best model is just to give these people a GS position with all the benny's. Otherwise you're bringing them in at O4/5/6 and giving them instant authority but little understanding of the culture. I admit my attitude has changed a little bit on this since I've been out and thought about it a little more. Direct commission works for a lot of fields, but even direct commission in the medical and nursing fields have to go through a lot of the standard Navy leadership courses, they're just not given the rank and authority without a strong support network. But it's been that way for how many hundred years now?

Can it work? Sure but with a metric shit-ton of growing pains. I don't know if you can take the medical model or the JAG model or new the others and just apply it to the field.

I suppose another idea is to bring them in as a warrant with big buck contracts and incentives and keep them out of the leadership structure and let them do the voodoo they do so well.
 
As @Teufel said, the best model is just to give these people a GS position with all the benny's. Otherwise you're bringing them in at O4/5/6 and giving them instant authority but little understanding of the culture. I admit my attitude has changed a little bit on this since I've been out and thought about it a little more. Direct commission works for a lot of fields, but even direct commission in the medical and nursing fields have to go through a lot of the standard Navy leadership courses, they're just not given the rank and authority without a strong support network. But it's been that way for how many hundred years now?

Can it work? Sure but with a metric shit-ton of growing pains. I don't know if you can take the medical model or the JAG model or new the others and just apply it to the field.

I suppose another idea is to bring them in as a warrant with big buck contracts and incentives and keep them out of the leadership structure and let them do the voodoo they do so well.
I'm also a huge fan of using the warrant officer program to recruit cyber talent. We could easily use the 160th warrant officer pilot model and apply it to this field. It takes almost two years to train and certify some of the more technical work roles. Some people can jump right in and make it through the assessment and training programs. Some need more time. I would propose to make the cyber analysis work roles in the enlisted ranks and offer the warrant officer program as an ascension program or direct entry.
 
Last edited:
Back
Top