A few weeks ago during the Army Cyber Skills Challenge I had the chance to chat with a guy who was up from Fort Gordon. He was one of the primary recruiters for the Army’s direct commissioning program for cyber officers. This morning, I was going through the Army Times early bird and came across an article called Army offers direct commissions to boost cyber force. Talk about this came out initially a few months ago. Like many ideas, I think it’s a good idea but probably not one that is fully thought out.
The DOD, and really US government in general has been trying to get experienced cyber folks to join for several years now with fairly limited success. In a perfect world, the government is looking for people who have experience in cyber, both offensive and defensive. The thought is, that we can appeal to their sense of civic pride (and for some, this will work) and give them the chance to go against some of the best attacker/targets out there. While this idea will attract some people (according to the article, about 50 so far), I think we can do better.
Show me the Money
One of the biggest hold-ups we have is money. Most of you reading this know that if you know your shit, you can make a lot more money commercially then you can working for the government (especially if you’re wearing the uniform). This has been true for signal warrants for years, and is even more so true when it comes to cyber guys (enlisted, officer and warrant) today. Over the last couple of years, I’ve had several Soldiers who I would consider good, but not great, get out and make more then I do currently. The Army has tried to fix this starting in 2015 with it’s assignment incentive pay for cyber operators but it tops out at $500 per month and that is for a very select few. In general, you can expect $200 a month and at least for the defenders, nearly 3 years later, we haven’t started to collect that yet. According to everything I’ve heard we are bringing these guys in as either a O1 or O2. Just for the best case scenario, lets go with O2 which has a monthly pay of $3496 ($41,952 yearly). If I toss in BAH at $2,088 (O2 for Fort Meade) and BAS of $253, I get a yearly income of $70,044.
Another option, is to bring them in as GS civilians. This has a few advantages of not having to worry about them PCSing or really having to play Army but we still have a money problem. For the Army CPTs out there, all of the civilian positions on the team except one are GS12 positions (we have one GS13). In the Washington DC area, that means everyone (except the one GS13) can expect a salary of between $80,00 and $103,000; All of that being fully taxable. In 2015 (the most recent number I could find), the DC metro area had a median household income of $93,294 which means there is a sizable number that is significantly higher then that.
When you consider the fact that according to the Bureau of Labor Statistics, the median income for a security analyst in 2015 was $88,890 (and this is a relatively entry level job) with a number of jobs easily reaching into the high $100k to low $200k, its easy to see this is a tough sell. Also toss into the pile that there are currently over 200,000 unfilled cyber jobs and a rate of growth of 36.5%. No matter what we do, the government is going to lose the pay war when it comes to competing against large corporations.
OH ya….about that
Another obstacle we put in place is the security clearance. As a cyber guy, you are required to maintain a TS/SCI clearance and in many cases have a polygraph. I joined the Army when I was 18 and have had a clearance since then which was fairly easy because I had to keep myself clean from before I really had time to get into to much trouble. That is not the case for a lot of these people. For better or worse, many of the most talented people in the cyber domain have probably been on then wrong side of the law. For many, its as minor as them smoking pot. For a number of others, its a lot worse; breaking into computer systems that they probably shouldn’t have. Not to be malicious, but because we all learn somehow. All of these can present a substantial obstacle to getting the clearance that these guys need.
Another problem is college degrees. The direct commissioning program has been around for a very long time but in the past it has been aimed primarily at doctors and lawyers. One thing both of those jobs have in common is that you HAVE to have a degree before you can become a doctor or a lawyer. The same is not true with cyber. While a large number of cyber professionals have degrees (more so now then ever), there is still a substantial portion that don’t. The tech industry has always been one of the those fields where certifications and experience count a lot more then a formal education. Where this becomes a problem is that under law, you can’t become a Captain without at least a bachelors degree.
I see one other obstacle. Lets say that we find the guy that is willing to work for way less then they are worth, has a degree and can get the clearance he needs. We still have one more problem…The fact that he’s wearing a uniform. As we all know, there are a number of things expected of us being in the Army that have absolutely nothing to do with doing our “job”. I’m gonna go out on a limb and say that the guy that the Army wants to hire is probably not a gym rat, spends a substantial amount of time sitting on their ass, and probably could lose a few pounds. Because they are wearing a uniform, these guys have to pass and APFT and height/weight. What’s going to happen if/when they don’t? Is the Army willing to do what it’s supposed to do and chapter someone that they just fought like hell to recruit because they can’t pass an APFT? What standard does that set for the rest of the force? Granted there are some minor exceptions in the chapter regulation, those are aimed primarily at doctors if I remember correctly. Yes that could be updated to include these guys, but that’s not gonna happen over-night.
One last problem (man there are a lot of them) is how do we utilize these guys? From the sound of it, these guys will be initially pulled in and put in a specific assignment. But fast forward a year or two and then what happens? Do they get pulled to be a platoon leader or take command somewhere? Deputy S3? Does cyber PCS them to Fort Irwin? The medical and legal guys have it figured out. You will never see a doctor take command or do a job like that. That’s what they have medical services for (which is different). Cyber doesn’t have that. There is nothing to distinguish this dude from any other cyber LT when HRC is looking to grab people.
Solutions?
So what is the answer? I personally think that the GS system is the best answer but it needs work. For a while now, the intel community has had their own civilian grade system outside of the GS system. It’s pay scale is similar, but different from how the GS system works. The DOD (and government in general) need to create something similar for cyber. A system that has enough flexibility to allow us to recruit the people that we want/need and offer them the pay and benefits that they expect. By keeping them civilian, we are able to ensure that they don’t run into the problems with many of the Army-isms out there. Ya, there is still the security clearance issue but I don’t see that changing any time soon.
I dont understand this at all. Today we had the Signal WFF where they showed the stats for current 17 series.We do not have a problem getting people.
The solution is not GS but the GG system. It doesnt require supervision at the higher grades. There are also other government pay scales for paying PhD level engineers as well.
Command billets will be far and few and yes, we can expect their involvement at the CTCs, I am sure. Maybe we can get one on the MCAT too.
The problem isn’t so much numbers (although the numbers are still growing and will be a challenge at times to fill), it’s talent. The amount of time it takes to train and develop a quality developer is substantial. Short of making it an MOS on its own (which won’t happen), the military move cycle doesn’t support it so you want someone who already has the experience. Same thing with things like malware reversing and so on. Everything I’ve heard is that this is primarily for niche roles.
Agreed that GG is a better solution than GS, but if we’re saying Cyber should remain a civilian function then I don’t understand what ARCYBER will bring to the table that the NSA hasn’t already provided.
Also, the strongly-worded certifications versus degrees comment detracts from the strength of the article. I disagree, but I’m not trying to debate the point except to say that readers who disagree with this orthogonal issue may find the article less persuasive than if it were omitted or reworded with qualifiers.
Feedback out of respect – it is a good article, well-written overall and relevant.
William John Holden, maybe I need to clarify my point. I’m not arguing that we shouldn’t have green suiters in cyber, just that when it comes to recruiting people from industry I think the best way to stay competitive vs industry is to bring them in as civilians.
As far as degrees go, like I said in the article they are absolutely becoming more and more the norm but still not actually required. Go to DEFCON and you’ll see exactly what I’m talking about.
Ah, no I think I’ve wrongly projected my own skepticism of uniformed cyber operators into your message.
People that want to do Cyber will be drawn to do Cyber so I dont think we will have a talent or numbers problem. What I dont understand is the need for uniformed workers. Govt civilians can deploy if required and also can fit in the chain of command. Heck, I was rated by a GS-13 at one point and my current boss is a GS-14.
PT will be a limiting factor for a lot of people as will post detail, formations, etc. that Soldiers always face.
Also, you can stay in a single civilian grade forever while Soldiers are expected to progress up or get kicked out.
Also, the NSA has a well oiled machine so I cant see why we couldn’t have applied a Joint inter-agency architecture to go after what we needed.