The Senate Armed Services Committee’s cybersecurity and personnel subcommittees held a joint hearing today to examine the cyber operational readiness of the Department of Defense and heard from leaders of both the military and civilian sides of the DoD cyber force about the mounting challenges they face.
Despite a nearly universal consensus between Congress and witnesses over cyber workforce recruitment difficulties, the senators generally favored aspirational lines of questioning, seeking not to chide DoD on cyber workforce shortages, but instead inquiring proactively about efforts to address some of the shortfalls.
Following the hearing, the panel moved to a closed session to discuss sensitive and classified matters. Prior to doing so, the witnesses provided a glimpse into future investments in the Army’s cyber activities, as well as the expanding authorities of U.S. Cyber Command and the possibility of pooling DoD-wide cyber resources.
Cyber Workforce
“A great deal of the Department’s cyber readiness issues revolve around the shortage of skilled cyber-capable personnel,” said cybersecurity subcommittee Chairman Sen. Mike Rounds, R-S.D. Treading ground familiar to many in the Federal government, Rounds also expressed concerns over pay scale and organizational structure issues in government that may contribute to the problem.
“It’s difficult to match some of the compensation packages [available in the private sector],” said Brig. Gen. Dennis Crall, principal deputy cyber advisor at the Pentagon. “It’s also difficult to match the speed with which they hire and onboard and start individuals and clear them for some very sensitive projects.”
He flagged the government’s lengthy security clearance process as a major inhibitor but expressed that “we certainly have ways and means in front of us” to address that problem.
DoD’s acting principal deputy CIO, Essye Miller, noted the toll much of this has taken on the Department’s cyber force. “Most of the job losses that we’ve seen over the last year or so total about 4,000 civilian cyber-related personnel losses,” she said.
Crall added that DoD could look into establishing “targeted market compensation” and “retention bonuses,” and remove current caps on general schedule grades for some cyber positions.
He noted that the military cyber recruitment side boasts some inherent strengths absent on the civilian DoD side, including that the military’s mission and campaign message are better understood by the public. “Very few understand what we offer in the Federal government side that would be an attractant as well,” he said.
Sen. Elizabeth Warren, D-Mass., said she was happy that talent management was included as a major component of the recently released DoD cyber strategy, but said it “doesn’t offer much detail on the specifics” of recruiting and retaining talent.
“We need to understand our market better,” Crall said. He also flagged DoD’s shortfalls in matching continuous recruitment efforts employed by, for example, the intelligence community in academia. Crall said that in the closed session he would discuss new changes to the governance structure of DoD’s cyber force that could address some of these workforce concerns.
Army Expansion
Lt. Gen. Stephen Fogarty, head of Army Cyber Command, described the benefits of his command moving from Fort Belvoir, Va., to Fort Gordon, Ga., a move expected to take place in 2020.
“We’ll have the operational headquarters, the operational platform, and the schoolhouse all on the same location,” he said. Fogarty praised the nearly $1.3 billion investment in Army Cyber Command and the Army’s Center of Excellence educational outfit, and said that the centralized location at Fort Gordon will allow operators in active missions to also instruct future cyber personnel in real time.
The move, he said, will establish much-needed stability and continuity for its cyber mission force. “You can have an entire career at Fort Gordon, Georgia if you decided you wanted to have your family there,” the commander said.
Unity of Effort
Sen. Thom Tillis, R-N.C., chairman of the personnel subcommittee, expressed his concern that across DoD and combatant commands, there may not be adequate use of common platforms to unify efforts on the cyber front.
He contended that while military branches may have missions that are notably different, the training and mission sets in the cyber domain have much greater crossover. Tillis suggested that there could be an “innovative way” to leverage cross-learning, and that DoD was at risk of “potentially sub-optimizing” its efforts without a common platform.
To that end, Lt. Gen. Vincent Stewart, deputy commander of U.S. Cyber Command, said that DoD is working on a “joint cyber warfighting architecture” and would “designate a specific service to build one element”–for example, the Army developing the cyber training element–and combine the elements into a common platform for effective DoD-wide effort.
“It includes building common firing platforms, common set of tools, common infrastructure, common cockpit for command and control,” Stewart said of the proposed architecture. Crall later added that a lack of common standards and “unique building” have been “significant contributor to delays” in building a strong mission force.
Election Security
Sen. Kirsten Gillibrand, D-N.Y., asked about DoD’s coordination with civilian agencies and state and local authorities regarding election security, saying to Stewart, “You’ve not been given all the authorities you need, in fact, to prevent or stop or respond to cyberattacks to critical infrastructure if it has to do with the electoral system, and I think that’s a mistake.”
Stewart did acknowledge that U.S. Cyber Command does not directly interact with state and local authorities, and that it essentially is working “by, with, and through DHS” to relay the Defense Department’s findings on gaps in election security.
He stated that it does currently fall to DHS to “move indicators of compromise” along the chain from DoD to the actual stewards at the state and local level. Stewart indicated that he would delve further into the specifics of newly delegated authority in the closed session, but backed recent authority enhancements for U.S. Cyber Command with a somewhat opaque response.
“If you’d approached me six months ago about the limits of our authorities, I would tell you that would cause me great frustration. We’re in a much better place today, senator,” he said.
Gillibrand said that she would pursue the issue further in the closed session, noting, “I think there’s even more authority that you should seek.”