The Defense Department released its long-awaited cybersecurity workforce strategy Thursday. The strategy will guide a forthcoming implementation plan to identify, recruit and retain a more efficient and capable defense cyber workforce.
The strategy “champions” remote work flexibility and “potential flexibility” around security clearances to improve recruitment and retention. The strategy also calls for an apprenticeship program with the private sector and “a mechanism for part-time surge support based on emergent mission need.”
These strategic goals target longstanding DOD struggles to recruit and retain top tech talent.
“The government has trouble getting people into its offices because of the way it operates,” said Eric Schmidt, a commissioner for the National Security Commission on Artificial Intelligence, during a DOD AI symposium in June 2022. “You identify a young person who takes 18 months to get their security clearance and they need their clearance to do their job. The bizarre baroque way in which personnel are handled … we worked hard on this without much success. Not even the president could fix the HR system in DOD.”
A National Security Imperative
DOD’s workforce strategy comes on the heels of the White House’s National Cybersecurity Strategy released March 2. That strategy emphasizes upskilling and expanding the cyber workforce to close the cybersecurity workforce shortage and address modern cyber needs as a major strategic objective. The Office of the National Cyber Director (ONCD) intends to publish its own cybersecurity workforce strategy by summer.
The Cybersecurity and Infrastructure Security Agency (CISA) estimates there are upward of half a million unfilled cybersecurity jobs nationwide. In a recent fireside chat with GovCIO Media & Research, Assistant National Cyber Director for Technology Security Anjana Rajan said the “arena for [the Russia-Ukraine] war exists in cyberspace,” elevating the role cybersecurity, cyber intelligence and cyber warfare play on a geopolitical scale.
For government, solving the cybersecurity workforce shortage and upskilling the current workforce to adequately handle cyber mission needs is a national security imperative.
DOD’s new strategy “lays the foundation focused on data” for a stronger cyber workforce, the initiative’s leaders said in a call with reporters Thursday.
Mark Gorak, principal director for resources and analysis at DOD, said the department doesn’t have a problem recruiting cyber personnel on the military side, but struggles to retain them. On the DOD civilian side, he added, the problem is recruitment and retention.
“We’re having recruitment issues in each of the services, but not in the cyber domain,” he said during the call with reporters. “On the military side, you don’t have to have prerequisites and the knowledge base, you just have to have the aptitude. Our issue there is retention. On the civilian side, we have a recruitment issue and a retention issue. The challenge here is a global challenge, specifically a national challenge, how do we create more talent in the cyber domain? Our strategy and our implementation plan try to get after that by encouraging all the way down to K-12 to encourage more of the workforce to enter this domain.”
DOD struggles to compete with industry salaries for top cyber talent. To attract capable workers, DOD plans to lean into marketing the national security mission, Gorak said.
“Mission is the key,” he said. “It’s ok because corporations need this talent, and we need theirs, so I view it as a partnership between industry and private sector. We train the talent, we bring them in, and if they choose to leave, we want to maintain those relationships to flow back and forth because they may come back to us as a detail, or as a contractor, and I view that as the key.”
Gorak’s comments echo those from DOD’s Chief Digital and AI Officer Craig Martell, who said the mission lured him away from Silicon Valley to DOD last year.
Strengthening the Current Workforce
Patrick Johnson, who leads DOD’s Workforce Innovation Directorate, said the military services are usually more adept at developing their workforce, especially on the cyber side — something the Pentagon wants to replicate for its civilian cyber workforce.
“We haven’t done a good job of that in the past,” Johnson said in a call with reporters Thursday. “We’re not going to hire our way out of this. It’s time to grow our own, build our bench and bring on more entry level positions and train them.”
The White House National Cybersecurity Strategy highlighted the use of memory-safe programming languages as a key area for cybersecurity workforce development. In her fireside chat at CyberScape: Insider Threats, Rajan said using memory-safe languages can reduce software vulnerabilities by up to 70%.
Using memory-safe programming languages is not a “silver bullet” for software security, she added, but due diligence can significantly reduce the attack surface for organizations, including DOD.
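The concrete mechanism behind the vulnerability reduction Rajan describes is that a memory-safe language refuses to read or write outside a buffer. The following Rust parser for a constructed length-prefixed record format is an added illustration, not code from the article, DOD, or any named project; the record layout (one kind byte, two length bytes, then the payload), the payload limit and the sample bytes are all assumptions made for the example. Every slice access is bounds-checked, so truncated or oversized input produces an error value instead of the out-of-bounds read that the same logic written with unchecked pointer arithmetic would perform.

```rust
// Added example (not from the article or DOD): a bounds-checked parser for a
// constructed record format. A memory-safe language turns malformed input into
// an Err rather than an out-of-bounds memory access.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub kind: u8,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The buffer ended before the bytes the header promised.
    Truncated { needed: usize, available: usize },
    /// The declared length exceeds the limit this parser accepts.
    LengthExceedsLimit(usize),
}

/// Assumed upper bound on a payload; constructed for the example.
pub const MAX_PAYLOAD: usize = 1024;

/// Parse one record: 1-byte kind, 2-byte big-endian length, then payload.
/// Returns the record and the number of bytes consumed.
pub fn parse_record(buf: &[u8]) -> Result<(Record<'_>, usize), ParseError> {
    const HEADER_LEN: usize = 3;
    // `get` returns None instead of reading past the end of the slice.
    let header = buf.get(..HEADER_LEN).ok_or(ParseError::Truncated {
        needed: HEADER_LEN,
        available: buf.len(),
    })?;
    let kind = header[0];
    let len = u16::from_be_bytes([header[1], header[2]]) as usize;
    if len > MAX_PAYLOAD {
        return Err(ParseError::LengthExceedsLimit(len));
    }
    let end = HEADER_LEN + len;
    // Same check for the payload: a short buffer is an error, never an overread.
    let payload = buf.get(HEADER_LEN..end).ok_or(ParseError::Truncated {
        needed: end,
        available: buf.len(),
    })?;
    Ok((Record { kind, payload }, end))
}

/// Parse consecutive records until the buffer is exhausted or an error occurs.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (rec, consumed) = parse_record(buf)?;
        out.push(rec);
        // `consumed` is at most buf.len() because the slice lookup succeeded.
        buf = &buf[consumed..];
    }
    Ok(out)
}

fn main() {
    // Constructed sample input: two well-formed records.
    let good: &[u8] = &[0x01, 0x00, 0x03, b'a', b'b', b'c', 0x02, 0x00, 0x01, b'z'];
    println!("{:?}", parse_all(good));
    // Constructed malformed input: the header claims 16 payload bytes, only 2 follow.
    let truncated: &[u8] = &[0x01, 0x00, 0x10, b'a', b'b'];
    println!("{:?}", parse_all(truncated));
}
```

The point for a workforce being trained in such languages is the shape of the code: the length field is never trusted until a checked slice operation has confirmed the bytes exist, and the compiler enforces that discipline at every access rather than leaving it to reviewer vigilance.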
This adds another layer of urgency to training and developing a DOD cyber workforce conscious of software development pitfalls, especially as DOD increasingly relies on in-house software development for mission-critical capabilities, such as KRADOS, which Air Force software factory Kessel Run recently developed to replace the 609th Air Operations Center’s legacy Theater Battle Management Core System.
The National Security Agency (NSA) highlighted the use of memory-safe software as especially critical, even given the difficulties of shifting existing software development infrastructure from a memory-unsafe language to a memory-safe one, according to a November 2022 document published by DOD.
“Skilled programmers need to be trained in a new language, and there is an efficiency hit when using a new language,” the NSA said. “Programmers must endure a learning curve and work their way through any ‘newbie’ mistakes. While another approach is to hire programmers skilled in a memory safe language, they too will have their own learning curve for understanding the existing code base and the domain in which the software will function.”
Johnson said he “hasn’t looked” at individual programming languages yet for the purposes of training and upskilling the DOD cyber workforce, but said he is in the process of “looking at what is key and what we need to be focused on.”
“We’re addressing, how do we manage the software piece of that, and how do we flow talent and move talent there?” he said.