WASHINGTON -- To better manage personnel, "the Army created the Cyber Branch 17 [for Soldiers] and is exploring the possibility of creating a cyber career field for Army civilians," Lt. Gen. Edward C. Cardon told senators.
Cardon, commander of U.S. Army Cyber Command, or ARCYBER, testified before the Senate Armed Services subcommittee on emerging threats and capabilities during a hearing on "Military Cyber Programs and Posture," April 14.
Establishing a cyber career management field for civilians may be easier than recruiting enough of them to fill it, and then retaining that talent, he said.
Recruiting and retaining Army civilian cyber talent "is challenging," he said, "given internal federal employment constraints regarding compensation and a comparatively slow hiring process."
Current efforts to attract and retain top civilian talent include "extensive marketing efforts, and leveraging existing programs and initiatives run by the National Security Agency, Office of Personnel Management, and National Science Foundation," he said.
Also, he said that the "targeted and enhanced use of recruiting, relocation and retention bonuses, and repayment of student loans will improve efforts to attract, develop and retain an effective cyber civilian workforce. These authorities exist but require consistent and predictable, long-term funding."
His last comment about predictable funding was an apparent reference to the congressional use of continuing resolutions, the possibility of renewed sequestration and other unknowns like overseas contingency operations, compensation reform and other factors.
Within the Army's $126.5 billion fiscal year 2016 budget now in lawmaker's hands, $1.02 billion of that is for cyber, including $90 million to build out the new Cyber Center of Excellence operations headquarters on Fort Gordon, Georgia, he said.
Cardon did not give a breakdown in the number of civilians, enlisted and officers the Army would need as cyber grows. Instead, he lumped them together in one number. "After a detailed study, the Army determined it needs 3,806 military and civilian personnel with core cyber skills," he said.
CYBER'S UNIFORMED SIDE
Filling the cyber ranks with Soldiers seems to be going much better, Cardon told lawmakers. "We just started using six-year enlistments. We're having no trouble filling that. We're working through developing the best model to retain them."
Furthermore, the Cyber Center of Excellence, or CoE, in collaboration with ARCYBER and other stakeholders, is working to implement a cyber career management field for enlisted personnel "that will encompass accessions, career management, and retention this fiscal year."
He said that the Army recently approved special-duty assignment pay, assignment incentive pay, and bonuses for Soldiers serving in operational cyber assignments.
Another carrot the Army recently offered, he said, is expansion of cyber educational programs, including training with industry, fellowships, civilian graduate education, and utilization of inter-service education programs including the Air Force Institute of Technology and the Naval Postgraduate School. "We are confident these will serve as additional incentives to retain the best personnel for this highly technical field."
Guard and Reserve retention initiatives include bonuses for Soldiers transitioning into cyber from the active side, he said. There will also be accession bonuses for commissioned and warrant officers going into Reserve-component cyber.
CYBER TEAMS FORMING
As of today, 25 of 41 Cyber Mission Force teams "are on mission now and we expect to have all 41 on mission by the end of fiscal year 2016," Cardon told lawmakers. "We're employing the teams as they reach initial operating capability."
He said that the Army is also building 21 additional Army Reserve and National Guard Cyber Protection Teams.
Those teams will be employed with combatant commanders as part of the joint cyber effort, he said.
Air Force Lt. Gen. James K. McLaughlin, deputy commander of U.S. Cyber Command, then described where that joint effort is headed capability-wise:
There will be a total of 133 cyber teams from all the services, McLaughlin said. "We're halfway through fielding those teams." They should all be stood up by the end of FY16, unless sequestration returns.
Besides defending the Department of Defense's own networks and the U.S. homeland, Cyber Command will have a role to play in protecting allies as well as the U.S. private sector, he added.
U.S. A 'GLASS HOUSE'
In describing U.S. vulnerability to cyber attacks, particularly the civilian sector, Eric Rosenbach, principal cyber advisor to the defense secretary, told senators that the United States is like a "glass house."
He warned lawmakers that although the United States has a robust and growing cyber offensive capability, it is not wise to overuse that capability when attacked because it could provoke rogue nations to demonstrate their own offensive cyber capabilities. Back-and-forth attacks would most certainly ensue and escalate, to the detriment of the United States.
Rather, Rosenbach advocated an interagency approach. For example, when Sony Pictures Entertainment was attacked by North Korea in November, the U.S. response was led by the Treasury Department, which imposed additional economic sanctions. U.S. Cyber Command was in on that planning, along with other agencies.
That is an example of an effective but restrained response, he said, advocating looking at each attack from a cost-benefit analysis perspective.
A senator then told Rosenbach that he thought it might be a good idea, should the United States go to war, to take out the enemy's air defenses through a cyber attack on their electrical grid.
Rosenbach replied that he would discuss the matter with them in the closed session, which followed.
DEFENSE CONTRACTORS VULNERABLE
"We know that a lot of the defense contractors have been penetrated and intellectual property pulled out, so we're trying to use new contracting mechanisms" to limit that from happening, Rosenbach said, adding that for them and the rest of private industry, creating effective cyber defenses represents a "significant investment."
Although the private sector is especially vulnerable to cyber attacks, Rosenbach said DoD is not invulnerable.
For instance, he told lawmakers that U.S. Transportation Command "has been penetrated by some adversaries, the Chinese in particular, who know that by going to the supply chain they may be able to hit us at a weaker point."
Cardon stressed to the senators that cyber security is every Soldier's business.
"We're exposing all officers to cyber security because this has to become part of the foundational education that we expect them to have," he said.
"This is a competitive space, so, we're never really going to be done in this space," he said, regarding the future of cyber space efforts. "This is going to have to be something that we just constantly assess on a regular basis."