Troops Are Getting Cyber Training and Then Rapidly Leaving the Military, Report Finds

U.S. Cyber Command personnel work to defend the nation in cyberspace at Fort George G. Meade, Md.
U.S. Cyber Command personnel work to defend the nation in cyberspace at Fort George G. Meade, Md., Oct. 28, 2020. (Josef Cole/U.S. Cyber Command photo)

The military has been competing with the private sector to recruit and retain a workforce with critical cyber skills -- a decade-long contest where pay, purpose and personnel management have driven the flow of talent, and the services appear to be losing, according to a government watchdog report.

Troops who receive extensive cyber training, lured by the lucrative private sector, are parting ways with the military services quicker than some branches can offset the cost of that training.

The Pentagon's efforts have been hamstrung by unclear service obligations and mistracked staffing data in some branches, according to a report from Congress' Government Accountability Office that was released Wednesday.

Read Next: Delivering Babies, Plowing Snow: Hundreds of Guardsmen Deploy as New York Is Buried in Historic Storm

The GAO focused on what the military calls Interactive On-Net Operator, or ION, training -- a valuable skill set that revolves around "network reconnaissance" and analysis to identify adversary strongpoints and vulnerabilities, according to the U.S. Army Intelligence and Security Command.

It is one of three skills that U.S. Cyber Command identified as critical to its mission as the military announced plans this year to increase its cyber workforce over the next half decade.

The Army -- which is looking to double its cyber force -- and Marine Corps came up short on their investment in that skill, and are not getting back what they've put into training troops who assume those roles. And outside of the Navy, all branches had little visibility on how they tracked those billets.

"Personnel who complete training to fill the ION work role -- which may take a year or more and costs the department hundreds of thousands of dollars -- may not remain in the military to use those skills for a significant length of time after training," the report said.

The GAO report, which was ordered by Congress in the National Defense Authorization Act for Fiscal 2022 to review the military's cyber recruiting and retention efforts, pointed to a too short -- or in the Marine Corps' case, completely absent -- service obligation that would offset the time and cost it takes to train a service member.

The watchdog said it could take one to three years to train a service member as an ION operator at a cost of up to half a million dollars per troop, though potentially as low as $220,000.

"Cyber training in general is very complex just because of how technical the issues are," one military cyber officer told on Tuesday, adding that regardless of branch, that complexity will equate to a longer training time. The officer, who requested anonymity due to concerns about reprisals for talking without authorization, said the ION training is particularly intensive because it involves an uncompromising mission.

"The risk surrounding that skill set is tremendous," the officer said. "They are operating inside target environments, they are operating inside adversary networks, and so they cannot afford to make a single mistake."

The Navy and Air Force took steps to ensure a return on their investment in cyber training by implementing an additional three-year service obligation for those who go through the courses.

For the Army, which did not have a clear obligation, the GAO estimated that officers may owe as little as 1.88 years, and enlisted personnel nearly two-and-a-half.

The report found that nearly every branch had limited visibility on their cyber personnel. Traditional troop tracking systems used by the services for nearly every other military career clashed with Cyber Command definitions, leading to bottom-up data gathering and unseen shortages.

The Navy was the exception to this issue; the sea service tracked its cyber personnel using enlistment codes that "mimic" Cyber Command's, leading to better visibility on staffing shortages.

Still, staffing gaps exist between how many roles were authorized and how many were actually filled, especially for warrant officers. The Navy and Air Force were able to staff their cyber career fields at more than 80%; the Army "improved," rising above 80% in 2021; and the Marine Corps "generally did not exceed" 80%.

It's unclear why the services would treat the cyber domain, and the jobs focused on the area, so differently.

"Those skill sets are extremely hard to come by," the cyber officer said. "These trainings do have a fairly substantial washout rate, and so the reality is not only do you have a lengthy amount of time you put into these people, you also have a finite number of people, frankly, that have the skill set to complete the training."

The GAO report made six recommendations, namely that the Army and Marine Corps "clearly define active-duty service obligations for ION training" and that all branches align their personnel tracking to Cyber Command's work roles.

The Department of Defense concurred with all of the GAO recommendations, but both entities stopped short of recommending an increase in service obligation to offset the training time-cost.

The report recognized the underlying pay competition between the military and the private sector, noting that the Pentagon has thrown "at least" $160 million in retention bonuses at cyber troops in the last five years.

Combined with dismal recruiting numbers, the lack of return on investment and a competitive private market, the current money -- even matched with an exciting purpose -- might not be enough.

-- Drew F. Lawrence can be reached at Follow him on Twitter @df_lawrence.

Related: National Guard Leaders Warn More Cyber Security Spending Needed to Help Protect Elections

Story Continues