Category Archives: Cyber Talent Management

THE WEAPONIZED MIND

As an industrialist nation transitioning to an information society and digital conflict, we tend to see technology and the information that feeds the technology as weapons – and ignore the few humans with a large-scale operational impact. Based on my outlook, I believe that we underestimate the importance of applicable intelligence – the intelligence of applying things in the correct order. The ability to apply is a far more important asset than the technology itself. Cyber and card games have one thing in common: the order in which you play your cards matters. In cyber, the tools are mostly publicly available; anyone can download them from the Internet and use them, but the weaponization of the tools occurs when used by someone who understands how to play them in an optimal order.
General Nakasone stated in 2017; “our best ones (coders) are 50 or 100 times better than their peers,” and continued “Is there a sniper or is there a pilot or is there a submarine driver or anyone else in the military 50 times their peer? I would tell you, some coders we have are 50 times their peers.”

In reality, the success of cyber and cyber operations is highly dependent not on the tools or toolsets but instead upon the super-empowered individual that General Nakasone calls “the 50-x coder”.

In my experience in cybersecurity, migrating to a be a broader cyber field, there have always been those exceptional individuals that have an unreplicable ability to see the challenge early on, create a technical solution, and know how to play it in the right order for maximum impact. They are out there – the Einsteins, Oppenheimers, and Fermis of cyber. The arrival of artificial intelligence increases the reliance of these highly able individuals – because someone must set the rules, the boundaries, and point out the trajectory for artificial intelligence at the initiation. This raises a series of questions. Even if identified as a weapon, how do you make a human mind “classified”?

How do we protect these high-ability individuals who, in the digital world, are weapons, not as tools but as compilers of capability?

These minds are different because they see an opportunity to exploit in a digital fog of war when others don’t see it. They address problems unburdened by traditional thinking in new innovative ways, maximizing the dual purpose of digital tools, and can generate decisive cyber effects.
It is the applicable intelligence (AI) that creates the process, the application of tools, and turns simple digital software in sets or combinations as a convergence to digitally lethal weapons. The intelligence to mix, match, tweak, and arrange dual purpose software. I want to exemplify this by using an example from the analog world, it is as you had individuals with the supernatural ability to create a hypersonic missile from what you can find at Kroger or Albertson. As a nation, these individuals are strategic national security assets.
These intellects are weapons of growing strategic magnitude as the combat environment have increased complexity, increased velocity, growing target surface, and great uncertainty.
The last decades, our efforts are instead focusing on what these individuals deliver, the application, and the technology, which was hidden in secret vaults and only discussed in sensitive compartmented information facilities. Therefore, we classify these individuals output to the highest level to ensure the confidentiality and integrity of our cyber capabilities. Meanwhile, the most critical component, the militarized intellect, we put no value to because it is a human. In a society marinated in an engineering mindset, humans are like desk space, electricity, and broadband; it is a commodity that is input in the production of technical machinery. The marveled technical machinery is the only thing we care about today, 2019, and we don’t protect our elite militarized brains enough.
At a systematic level we are unable to see humans as the weapon itself, maybe because we like to see weapons as something tangible, painted black, tan, or green, that can be stored and brought to action when needed. Arms are made of steel, or fancier metals, with electronics – we fail to see weapons made of sweet ‘tater, corn, steak, and an added combative intellect.

The WW II Manhattan Project had at its peak 125 000 workers on the payroll, but the intellects that drove the project to success and completion were few. The difference with the Manhattan Project and the future of cyber is that Oppenheimer and his team had to rely on a massive industrial effort to provide them with the input material to create a weapon. In cyber, the intellect is the weapon, and the tools are delivery platforms. The tools, the delivery platforms, are free, downloadable, and easily accessed. It is the power of the mind that is unique.

We need to see the human as a weapon, avoiding being locked in by our path dependency as an engineering society where we hail the technology and forget the importance of the humans behind. America’s endless love of technical innovations and advanced machinery is reflected in a nation that has embraced mechanical wonders and engineered solutions since its creation.

For America, technological wonders are a sign of prosperity, ability, self-determination, and advancement, a story that started in the early days of the colonies, followed by the Erie Canal, the manufacturing era, the moon landing and all the way to the autonomous systems, drones, and robots. In a default mindset, a tool, an automated process, a software, or a set of technical steps can solve a problem or act. The same mindset sees humans merely as an input to technology, so humans are interchangeable and can be replaced.

The super-empowered individuals are not interchangeable and cannot be replaced unless we want to be stuck in a digital war at speeds we don’t understand, being unable to play it in the right order, and have the limited intellectual torque to see through the fog of war provided by an exploding kaleidoscope of nodes and digital engagements. Artificial intelligence and machine learning support the intellectual endeavor to cyber defend America, but in the end, we find humans who set the strategy and direction. It is time to see what weaponized minds are; they are not dudes and dudettes but strike capabilities.

Jan Kallberg, Ph.D.

Inflation – the hidden cyber security threat

 


Image: By Manuel Dohmen – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=185802

In cyberspace, the focus is on threats from malicious activity — a tangible threat. A less obvious threat to cyber is inflation which undermines any cyber organization by eroding budget and employee compensation. Inflation can create unseen resignation rates if not addressed, and jeopardize ongoing cyber efforts and the U.S. Defense Department’s migration to cloud-based services. The competition for cloud security talent is razor-sharp in the private sector already.

There are different ways to build and maintain a cyber workforce: recruit, retrain and retain. The competition between the DoD and the private sector for talent will directly affect recruitment and retainment. Inflation and the shortage of skilled cyber professionals create increasing competition between the federal and private sectors for much-needed talent. Retraining professionals to become a part of the cyber workforce is costly, and if the incentives are not in place to stay in the force, it is short-lived as retrained cyber talent moves on. Inflation creates a negative outlook for recruiting, retraining, and retaining cyber talent.

The inflation expectations in 2022 are the highest in decades, which will directly impact the cost to attract and retain a cyber workforce. Even if the peak inflation is temporary due to COVID-19 as well as disruptions in the supply chain and the financial markets, the pressure on increased compensation is a reality today.

What does it mean in practical terms?

According to the Wall Street Journal, salaries will increase in 2022 for white-collar professionals in the range of 10%, and the federal workforce can expect an increase of less than a third of the gains in the private sector. These signs of growing salary gaps are likely far more severe and exacerbated in the cyber workforce.

For example, by browsing the current jobs ads, a manager for incident response in Rhode Island offers $150,000-$175,000 with the ability to work from home with zero commuting. A fair guess would be there’s a federal GS pay scale at 20-30% less, with work taking place from 8:30 a.m. to 4:30 p.m. in a federal facility; not to mention cloud security, where large players such as Amazon Web Services are actively recruiting from the federal sector.

An increasing salary gap directly impacts recruitment, where the flow of qualified applicants dries up due to the compensation advantage of the private sector. Based on earlier data, the difference in salary will trigger decisions to seek early retirement from the DoD, to pursue a second civilian career or to leave federal service for the private sector as a civilian employee.

The flipside of an all-volunteer force is that in the same way service members volunteer to serve, individuals have the option at the end of their obligation to seek other opportunities instead of reenlistment. The civilian workforce can leave at will when the incentives line up.

Therefore, if we face several years of high inflation, it should not be a surprise that there is a risk for an increased imbalance in incentives between the public and the private sectors that favor the private sector.

The U.S. economy has not seen high inflation since the 1970s and the early 1980s. In general, we all are inexperienced with dealing with steadily increasing costs and a delay of adjusted budgets. Inflation creates a punctured equilibrium for decision-makers and commanders that could force hard choices, such as downsizing, reorganization, and diluting the mission’s core goal due to an inability to deliver.

Money is easy to blame because it trespasses other more complex questions, such as the soft choices that support cyber talent’s job satisfaction, sense of respect, and recognition. It is unlikely that public service can compete with the private sector regarding compensation in the following years.

So to retain, it is essential to identify factors other than the compensation that make cyber talent leave and then mitigate these negative factors that lower the threshold for resignation.

Today’s popular phrase is “emotional intelligence.” It might be a buzzword, but if the DoD can’t compete with compensation, there needs to be a reason for cyber talent to apply and stay. In reality, inflation forces any organization that is not ready to outbid every competitor for talent to take a hard look at its employee relationships and what motivates its workforce to stay and be a part of the mission.

These choices might be difficult because they could force cultural changes in an organization. Whether dissatisfaction with bureaucracy, an unnecessary rigid structure, genuinely low interest for adaptive change, one-sided career paths that fit the employer but not the employee, or whatever reason that might encourage cyber talent to move on, it needs to be addressed.

In a large organization like the DoD and the supporting defense infrastructure, numerous leaders are already addressing the fact that talent competition is not only about compensation and building a broad, positive trajectory. Inflation intensifies the need to overhaul what attracts and retains cyber talent.

Jan Kallberg, Ph.D.

Our Dependence on the top 2 % Cyber Warriors

As an industrial nation transitioning to an information society with digital conflict, we tend to see the technology as the weapon. In the process, we ignore the fact that few humans can have a large-scale operational impact.

But we underestimate the importance of applicable intelligence, the intelligence on how to apply things in the right order. Cyber and card games have one thing in common: the order you play your cards matters. In cyber, the tools are mostly publically available, anyone can download them from the Internet and use them, but the weaponization of the tools occur when they are used by someone who understands how to use the tools in the right order.

In 2017, Gen. Paul Nakasone said “our best [coders] are 50 or 100 times better than their peers,” and asked “Is there a sniper or is there a pilot or is there a submarine driver or anyone else in the military 50 times their peer? I would tell you, some coders we have are 50 times their peers.” The success of cyber operations is highly dependent, not on tools, but upon the super-empowered individual that Nakasone calls “the 50-x coder.”

There have always been those exceptional individuals that have an irreplaceable ability to see the challenge early on, create a technical solution and know-how to play it for maximum impact. They are out there – the Einsteins, Oppenheimers, and Fermis of cyber. The arrival of artificial intelligence increases the reliance of these highly capable individuals because someone must set the rules and point out the trajectory for artificial intelligence at the initiation.

But this also raises a series of questions. Even if identified as a weapon, how do you make a human mind “classified?” How do we protect these high-ability individuals that are weapons in the digital world?

These minds are different because they see an opportunity to exploit in a digital fog of war when others don’t see it. They address problems unburdened by traditional thinking, in innovative ways, maximizing the dual-purpose of digital tools, and can generate decisive cyber effects.

It is this applicable intelligence that creates the process, that understands the application of tools, and that turns simple digital software to digitally lethal weapons. In the analog world, it is as if you had individuals with the supernatural ability to create a hypersonic missile from materials readily available at Kroger or Albertson. As a nation, these individuals are strategic national security assets.

Systemically, we struggle to see humans as the weapon, maybe because we like to see weapons as something tangible, painted black, tan, or green, that can be stored and brought to action when needed.

For America, technological wonders are a sign of prosperity, ability, self-determination, and advancement, a story that started in the early days of the colonies, followed by the Erie Canal, the manufacturing era, the moon landing and all the way to the autonomous systems, drones, and robots. In a default mindset, there is always a tool, an automated process, a software, or a set of technical steps, that can solve a problem or act. The same mindset sees humans merely as an input to technology, so humans are interchangeable and can be replaced.

Super-empowered individuals are not interchangeable and cannot be replaced, unless we want to be stuck in a digital war. Artificial intelligence and machine learning support the intellectual endeavor to cyber defend America, but humans set the strategy and direction.

It is time to see what weaponized minds are, they are not dudes and dudettes; they are strike capabilities.

Jan Kallberg, Ph.D., LL.M., is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy, or the Department of Defense.

The Death of the Cyber Generalist

I recommend reading Patrick Bell and my article from June 2018:

“The Department of Defense (DoD) must abandon its “up-or-out” promotion model for cyber forces. It should let competent officers hold their positions longer. Applying the outdated Defense Officer Personnel Management Act’s (DOPMA) staffing model to the cyber force is foolish, and makes it difficult to keep experienced, technically-proficient cyber officers in the military. DOPMA’s prescribed career paths entail officers’ attendance at a variety of schools, with several rotations through geographical areas and work domains. In the process, domain-specific knowledge that would allow officers to lead and understand the impact of their various choices in a technically complex and ever-changing environment evaporates. In a world of increasing complexity, shortened windows of opportunity to act, and constantly-changing technical environments, the generalist leaders that the DOPMA system yields may doom the military’s cyber force to failure.”

The link to the article:

https://warroom.armywarcollege.edu/articles/death-of-cyber-generalist/

 

Retention is Key for Cyber Talent Management

 

If the armed forces seek to create a more significant force, recruitment and training of cyber support will only meet demand if retention is high. (Bill Roche/Army Cyber Command)
The United States is an engineering country where technical solutions are born, and solutions are thought up, in an innovation-friendly environment of academia and industry. There are gaps, but the United States is highly adaptive and able to face technological challenges due to its research capacity and industrial base.

The more substantial challenges are retention, maintaining an able workforce and transferring the willingness to serve to the next generation. The cost for the Department of Defense to recruit and train, or transition a mid-career officer, are high. Equally challenging is the time to replace an officer that decides to leave the armed forces. This is a simple math problem: If the armed forces seek to create a more significant force, recruitment and training will only meet demand if retention is high; otherwise, the inflow is only compensating the outflow from the service.

With the strengthening of the American economy, combined with a radically increased demand for information security competence in the civilian workforce, retention of cyber skills and cyberwarriors will be an ongoing concern. If you train, you need to be able to retain the personnel — otherwise it is a lost investment for the organization.

The millennials are likely the next decade’s cultural-change agents, not by intent but through catalyzing change and, from a cyber perspective, it might be necessary.
According to the RAND study “Millennial Perceptions of Security,” millennials and young people are less invested in national security issues, but care about their economic security. Millennials will be the predominant workforce in the next decade, slowly replaced by the post-millennials in the late-2020s. The retention of “Generation Instagram” is likely different than earlier generations.

Should we expect that “Generation Instagram” to leave their social media-upheld island in the digital world, return to the 20th century and embrace the bureaucracy and its industrial age apparatus?

A culture shift is needed. Conventional forces consistently prepare for war, while cyber forces are continuously engaged in cyberwar. Therefore, rotating cyber officers through assignments reduces readiness and increases risks. Allowing one individual to hold a position for five or more years will significantly improve operational readiness. Exempting the cyber force from mandatory positional and geographic moves will help build and maintain a more effective future force.

Also in need of change is the dated Defense Officer Personnel Management Act, which includes an embedded assumption that one partner makes a career and the other tags along with the rotations, trying to see what they can do at the post where they land. To retain these two smart individuals as a military family we have to design rotations and positions in a way that the spouses have career opportunities that match their abilities. Millennials and the younger generation want to influence their future.

Alexander Hamilton, writing in 1775, said “There is a certain enthusiasm in liberty, that makes human nature rise above itself, in acts of bravery and heroism.” A rigid bureaucracy has limited workplace appeal for millennials; to release the enthusiasm, an organization that has a higher degree of freedom is more adaptive and mission-centered as the unit commanders are empowered.

Freedom is also a prerequisite for innovation, the freedom to fail an informed and rational attempt. Millennials are likely the next decade’s cultural-change agents, not by intent but through catalyzing change, and from a cyber perspective, it might be necessary.

The rapid changing technical landscape, the increased velocity in engagements, the thick fog of uncertainty, all create a need for future cyberwarriors to stay current within an innovative, embracing, and enabling culture. At a large scale, it can be a strategic advantage compared to our potential adversaries that lack initiative, and have fear-driven cultures and repressive outlooks.

Jan Kallberg, PhD

Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy or the Department of Defense.