Join the People Who Join the Army?

The Army is leading the charge to bring civilians with cyber security expertise into the ranks through a direct commissioning program. While an interesting idea that will appeal to some, is such an approach the most effective way to address the service’s cyber security woes?

The Good

Cyber security professionals look for three things in an opportunity: challenging work, a good team, and competitive compensation. If there is one field where there are no shortage of cyber security challenges, it’s the military. Think about all the complications associated with securing the IT enterprise of a single organization at a single location. Now imagine different parts of that organization having to pick up and move to different locations half way across the world, and tell me how tough your day as a corporate IT security manager or CISO is.

As far as your team goes, the Army is a melting pot, and as close as a meritocracy as you’re going to find in this world. It is also subject to the Bell Curve, so you’ll have a few A-players and a lot of B-players and a few C-players, just like in the civilian world. But just as in the civilian world the things you can accomplish with those A players — and sufficiently motivated B-players, is amazing.

The Bad

It may be a base issue, but the compensation scheme is where this plan starts to show cracks. Let’s pretend that a straight leg civilian with no military experience but all the right cyber security qualifications gets a direct commission to Colonel. Base pay plus allowances for food and housing enables her to gross a little over $117,000. For the person who would qualify for such a position that’s an incredible pay cut compared to what they’re making now in industry, and if they stay in they won’t start to get close to their current salary for 30 years.

The Army Cyber Center of Excellence is located in the outskirts of Augusta, Georgia. Not Atlanta, Augusta. Not that there is anything wrong with that, but Augusta is not Austin, San Francisco, Boston or New York. Personally, I’d rather be in Augusta than just about any major metro area, but I’m weird like that. The Army has locations all around the world, and few of them are garden spots. And while remote work in cyber security is increasingly common, showing up for morning formation via Beam Pro robot is not a thing the Army is going to stand for.

The Ugly

If you’re not old enough to remember the commercial, the Army was once known as the place where more got done ‘before 09:00 than most people do all day.’ That’s still true in some respects, but your average day in garrison (not deployed and getting shot at) is not exactly an uninterrupted eight hours of work. A field-grade officer doesn’t have to clean a rifle or police the battalion area, but he’s got to take care of a range of other things that have nothing to do with what he’s ostensibly been ‘hired’ to do. The days might be 12 hours long, but if you get half that time of uninterrupted work in you’d be extremely lucky. Context switching is a devastating productivity killer, especially in cyber security.

It is also important to note that the Army is not known for its flexibility when it comes to regulations and doctrine. Imagine wanting to get rid of one security product/control for something new and demonstrably superior. The obvious heresy to tradition notwithstanding, this chart gives you some idea of what it takes to bring about the change (and that’s just the procurement, not the actual implementation).

I’m not saying I hang out with malcontents and detriments, but I have a disturbingly large collection of friends and colleagues who are experts in the field, but would be rejected for this program for at least one and usually several reasons. They’re not pictures of fitness, they’re covered in (very high-end) ink, they occasionally enjoy prohibited substances, they know more than their fair share of shady individuals, and in some cases they’ve got records themselves. Looks aren’t everything but the Army still places a high value on physical appearance and conformity. While everyone deserves a second chance, the Army gave that up when it adopted a zero-tolerance policy and did away with ‘Charlie’s Chicken Farm.’

Finally, for the past 15+ years the Army has been at war. The probability that a direct commission cyber officer with no or minimal military experience is going to find themselves managing a unit full of veterans who have had to deal with far more challenging — literally life or death — situations is very close to 1. The Army is a tribe, and every unit its own sub-tribe. You salute the rank, not the person wearing it, but let’s think about the mountain that person is going to have to climb to get a tribe he doesn’t belong to, respect him and follow his orders.[1] If it is known for anything the Army is expert at the ‘slow roll:’ wait it out and eventually that trouble-maker will rotate out and we can get back to doing things the old-fashioned way.

Alternatives

One presumes that the options below have all been considered and found wanting, but just in case…

When it comes to training large volumes of people to a given standard in order to address a pressing threat, the Army kind of has that down (see WW II). The Army, like every organization, has far more fundamental security problems to address (blocking and tackling, or in this case fire and maneuver) and you don’t need “cyber ninjas” to address them.

If the Army is willing to bring in someone off the street and make them a Major or Lieutenant Colonel, why not bolster the ranks of the Warrant Officer Corps, which is the traditional source of deep technical expertise? Warrants are practically civilians anyway (dodges stapler thrown from the Wolf Pack).

If we want to go retro the Army also used to have “technical” ranks, which over time morphed into Specialists, which eventually went away (except for Specialist/E-4).

The Army also has Department of the Army Civilians, who are technical or subject matter experts.

In all of these cases I have to assume two key factors prohibit execution: compensation and authority. None of these groups, save for DACs, can make anywhere near what an officer makes (and the DAC is subject to civil service rules, further complicating things). The Specialist might be the smartest guy in the room but no one with authority is going to listen to him. The WO-3 might have developed a novel solution but she doesn’t have the juice to make it happen. A DAC can advise but he can’t command.

The Bright Side

When you compare what the Army is doing, it stands in stark contrast to efforts like those at DHS, who wanted industry to cough up cyber security experts — on a non-reimbursable basis — and then wondered why no one signed up. The fact that the Army is willing to pay as much as it can is a sign of seriousness.

The Army also values performance (in addition to a high shine, a high-and-tight, and a high PT score). I don’t know a lot of potential participants in this program who do not squeeze 36 hours of work into a 24-hour day, all of it to the highest standards. Maybe they don’t have unit patch on their right shoulder or a CAB on their left chest, but soldiers respect competence, and over time that can overcome a lot of reticence about trusting a “cyber” officer.

The program has negatives, but none of them are show stoppers, especially to those who would answer the call because it is in fact a calling, not a job. Anyone with cyber security skills has their pick of jobs today, but you don’t consider an option like this because you need a job, you do it because you have a sense of duty and a desire to do more than just acquire stock options in a unicorn.

The idea that in the near future Alice or Bob, your colleagues at BigCo, Inc. might find themselves in uniform is a pretty radical one. I mean for the Army. stripes for skills and direct commissioning programs are not new in fields like intelligence or medicine, but this is a clear and unambiguous sign of the urgency of the problem. I think it is one of the more unprecedented moves since Roosevelt promoted Marshall ahead of over 30 more senior generals, and Marshall in turn formed the “plucking committee” to clear out officers who were irrelevant to problem at hand (war in Europe) and advance those who, while junior in rank, where our best hope for success.

Hooah!

[1] If at this point you say, ‘that’s every day for a woman’ I would point out that during my time in the Army I happily and faithfully worked for far more women than I did men.

CxO at Senrio, Kyrus Tech, Carbon Black. Former soldier and intelligence officer. Investor and mentor.