The recently released 2016 Defence White Paper prescribed a re-balancing of 1200 Australian Public Service positions to be generated to support growth in intelligence, space and cyber security across Defence. The Army, RAN and RAAF continue to grow their respective service cyber capabilities under the umbrella of the VCDF Group’s guiding strategy.
The APS and Services will naturally compete with each other for the skills of an already constrained pool of specialist cyber operators, managers, planners and executives in Australian society. Further, Defence competes with other government departments employing cyber security specialists. Importantly, the Government is presented with the challenge of making itself attractive to the best of the available pool against the private sector.
Noting these challenges, how do the Services get the best and brightest cyber experts to wear a uniform as opposed to a suit?
Defining the Defence Cyber Operator
The answer lies in describing what a cyber expert would do in a uniform. Defence needs to explain the breadth of tasks required of each level of expert in the cyber hierarchy. In turn, those tasks (and rewards) which are unique to a uniformed member need to be highlighted and promoted. Lastly, discussion on the cyber specialist skillset and job description requires a rethink; the veil of secrecy needs to be lifted, even if ever so slightly.
The Services have undergone significant change in recent years regarding cyber workforce structures. These reflect the requirement each Service sees of the personnel aspect of their cyber capability. Personnel profiles for management, planning and executive roles are somewhat self-explanatory. However, defining the breadth of tasks for a gifted cyber operator “at keys” is the crucial component. One would expect a range of required defensive and offensive skills targeting both standalone terminals and the interconnected devices comprising computer networks. How does this differ from an APS Defence recruit who doesn’t need to wear a uniform? How does a cyber skill set translate into the Profession of Arms?
At the moment, internet-connected devices (computers, routers, servers, access points, etc) are targets of both the uniformed and the suited; tactical battlefield networks are primarily the playground of the uniformed. Due to their military nature many of these networks are not required to be internet-connected. Whether physical infiltration to plant a rubber ducky, or use of high-powered antennae to target an adversary’s WiFi-based LAN, uniformed cyber operators are a combat multiplier in conventional and special operations. Operations in the battlespace which protect our closed networks and target the adversary’s closed networks will become increasingly crucial as digitisation and automation engulfs the modern battlespace. Consequently, we can expect less internet-connectedness in military and intelligence networks and a greater reliance on uniformed operators.
Targeting an adversary’s closed network will require niche offensive cyber capabilities and operators skilled in their use. In order to get cyber operators to wear a uniform, Defence needs to be more realistic about the offensive cyber tasks each of the Services would expect them to carry out. After years of assumed offensive state-sponsored cyber operations being carried out by China’s PLA Unit 61398, admission was given in 2015 that these actions occur. In August this year the Director of US Cyber Command proposed the development of “loud” cyber weapons to blatantly alert an adversary that the United States is owning their system. There is merit in advertising the strength in one’s offensive cyber ability. It is time for Defence, and the Services, to open the door a little further on the offensive cyber tasks that their uniformed personnel carry out.
The Cyber Pond: Small and Competitive
Cyber personnel live in a small pond and are few in number. Highlighting those tasks which make uniformed cyber operations unique in the wider cyber community will make the camouflage lure shine the brightest. The Australian Centre for Cyber Security has committed to improving uniformed cyber operations through provision of short courses for both ADF personnel and civilians. It will continue to be an essential hub for academia, industry and the ADF to interact, educate and promote cyber operations and capability growth. Military careers can be presented as an attractive option to civilian undergraduate and graduate students in this environment. Therefore, further investment in the ADFs relationship with the ACCS will be critical for cyberwarrior recruitment and brightening the camouflage lure.
Do you want to know more? Like video as a medium?
This ABC ‘Four Corners’ episode features the Australian Centre for Cyber Security.
You can also see Major General Day discuss the Australian Centre for Cyber Security on YouTube here.
About the author
Luke Blackmore is an officer in the Royal Australian Corps of Signals. He completed a Master of Applied Science (Information Security) in 2006 and maintains an interest in progressing ADF’s cyber capability. Currently Luke is undertaking a Masters of Cyber Security, Strategy and Diplomacy at the University of New South Wales.
Disclaimer
Grounded Curiosity is a platform to spark debate, focused on junior commanders. The views expressed do not reflect any official position or that of any of the author’s employers – see more here.
3 thoughts on “Future Thinking – Recruiting the Uniformed Cyberwarrior”
ACCS courses and a closer ADF-ACCS relationship are great for individuals already in the system and may have a positive effect on recruitment within the existing public service workforce. In my view, which is unashamedly ‘in the weeds’ in its technical outlook, in order make the broader ADF in general, and the Army in particular, an attractive proposition for highly capable and readily employable young cyber minds, a Specialist Service Officer career stream should be available to other ranks across a very specific range of employments. Such Specialist Service Soldiers of the future may include cyber specialties and would be a handy fit from a workforce modelling point of view.
In the near term, at a purely functional level , we likely don’t yet need uniformed cyber-warriors – the landscape is too fluid to fit the extant military training and career progression paradigms.
Imagine trying to introduce a weapons system into service associated with a specific trade, when the laws of physics that determined the operation of that system where changing in a similar timeframe.
Unlimited liability service doesn’t likely give a tactical or strategic advantage in cyber. There is real merit in uniformed staff knowing how to target – as cyber can readily have unintended consequences (DDOS) or be indiscriminate in its effects (killing the power grid).
Right now, cyber is a very rapidly moving environment, and it takes 5-10 years of deep technical development to be any good as an operator. Even civilian agencies, where in government cyber-skill sets attracts a ~25% premium, have difficulty attracting suitable talent , and even greater difficulty retaining it.
The simpler tasks that some countries do assign to uniformed personnel , are likely a stop gap – AI is approaching a point where those tasks can be completely automated, and having a person with 2-3 years experience performing those tasks will no longer needed.
Right now, cyber more likely lends itself to a blended, Bletchley Park or Manhattan project or JSOC style approach, where its fully combined-joint, integrated/fused and relative to most of the uniformed world – simultaneously unstructured and effect focussed.
If we look at who is leading in cyber right now – thats the kind of organisational characteristics they are already exhibiting – blended effect across private contractors, government civilians, and pretty limited uniformed use.
You don’t need an SSO to insert a rubber ducky, or use a directional antenna to target a LAN, any more than you need the operator firing a Javelin to be a rocket scientist.
You might need a SSO to adjust parameters on a tool thats been installed on the rubber ducky.
However, cyber largely exists in a landscape built on commercial products, and the terrain types aren’t marsh, jungle, rolling plains and mountains, they are Cisco, Microsoft, Linux, Apple, Google etc.
Mostly this means the terrain is changing (and generally getting more resistant to attack) over time.
The long lifetime of Windows XP as a static target is largely a technological aberration, and is ageing out of the market.
What that means is the time scale between vulnerability discover, weaponisation, use, detection of use, and mitigation by the vendor, is trending downwards to a tighter time cycle.
e.g. If a cyber team had a weaponised tool chain that worked against Apple’s iOS 9, the clock on the value of that is ticking, as since iOS 10’s release a month ago, over 50% of iOS devices world wide have upgraded already, likely negating use of that tool chain. Within a few more months, the usage will be north of 80%, and 95% within a year.
How do you deal with an environment where you need to introduce a new rifle every ~12 months, because the old one is no longer effective at killing your enemy ?
Thats the way most of the end user device industry is going, and we’d be fools to gaze longingly at the static target environment of the last 15-20 and assume that its entering an age of targetable stability. Training & structuring for the last war is rarely a winning strategy
Recruiting of individuals with cyber capabilities, from within Defence as well as outside, is key to our staying on the front foot of this particular battle.
In the UK, the military quickly realised that the armed forces were not the sole preserve of those with cyber capabilities; the British have been recruiting civilian cyber SMEs from across UK industry to be part of their Joint Cyber Unit (Reserves) for some time. These individuals are selected on their cyber abilities and not their conventional soldiering potential. This has resulted in a step-change in specialist recruit entry policy (also in the mindset of some senior officers), but has resulted in clear entry and career progression paths (Offr and OR, with commensurate remuneration packages) for individuals. It maybe of note that these individuals, although serving members of the Army Reserve and holding military rank, only wear uniform during basic training; because of the nature of their working environment, they wear civilian clothing at other times.
The UK MoD has made a series of announcements this year concerning new capability (Cyber Security Centre) and their willingness to use it (Cyberspace Operations).
Cyber is the forth dimension of warfare. Maybe the cyber units of today should be compared to the formation of the [UK] RAF in 1918.
Our conduct of cyber operations needs to match (or over-match) those ranged against us; in capability, if not number. The British approach proved that our units do not need to follow military convention, but we do need to raise a creditable capability to ensure that we as a nation maintain our own creditable defence/offensive abilities. It is the conduct of operations, against whom and using what ROE that is a discussion that must be had at the very highest levels of government.
Comments are closed.