By Lieutenant Commander Derek S. Bernsen, U.S. Navy Reserve
January 2022 Proceedings Vol. 148/1/1,427 NOW HEAR THIS
Navy cyber is a ship without a rudder. While every other service has one cyber designator, the Navy’s cyber expertise resides in three separate communities. As a result, the three communities are each plagued with unnecessary problems and none are fully empowered or capable of leading the domain. To solve this issue, the Navy must consolidate responsibility for cyber, invest in the cyber warfare engineer community, and require deep technical experience for all cyber roles.
Leadership and management for Navy cyber is currently divided among cryptologic warfare officers (CWOs), information professionals (IPs), and cyber warfare engineers (CWEs). CWOs are ostensibly responsible for offensive and defensive cyber operations, IPs for operating the information technology systems, and CWEs for the technical engineering work that enables cyber operations (e.g., conducting vulnerability research, exploit and capability development). This model may appear reasonable to those not versed in cyber operations, but it significantly inhibits the service from realizing a potent cyber warfighting capability.
CWOs are spread too thin—forced to juggle five different areas of expertise without the focus or depth each requires. IPs have some technical depth but not enough for the more intricate cyber defense tasks, such as malware reverse engineering. CWEs have the expertise to do everything cyber, but are too few in number (currently only 68 personnel). Because of this division of responsibility, major decisions regarding cyber are made by individuals without technical expertise, and these communities are not aligned to capture the value each brings.
Navy cyber also suffers from undervaluation and apathy. Navy leaders hold a misconception that cyber is a purely joint endeavor from which the Navy receives no benefit. Yet each service has specific uses for cyber professionals and the Navy has done little to invest in maritime cyber. This undervaluation creates a negative feedback loop exacerbated by a lack of demonstrated benefit from the CWO community. Continuing to allow responsibility for cyber to be fragmented will turn this misconception into reality. If the Navy continues down its current path, it will have nothing to contribute to the cyber fight in the next war.
Cryptologic Warfare Officers Cannot Do Cyber, Too
The CWO community (roughly 900 officers), the de facto primary cyber community, also provides expertise for signals intelligence and all information operation missions (electronic warfare, operational security, military deception, and military information support operations). It is difficult enough for one officer community to develop expertise in each of these missions, let alone adding the cyber mission. CWO community leaders have failed to grasp both the importance and the unique requirements of cyber warfare, resulting in no path to develop cyber experts within their ranks and causing cyber to be undervalued.
Often, CWOs are deemed cyber experts and put in charge of a Cyber Mission Force team after a single course at the Naval Postgraduate School (NPS) in Monterey, California, or a one-month basic course in Pensacola, Florida. A cyber expert must be able to solve hard technical problems related to computer security with minimal support because they understand the underlying technology and have sufficient breadth and depth in the many subfields of cyber. Cyber is far larger than many realize: cryptography, forensics, vulnerability research, penetration testing, exploitation, (cyber) operations, steganography, malware, cyber-threat intelligence, reverse engineering, networking, and development (including exploits, payloads, and effects). Given all their information warfare missions, that CWOs can also become cyber experts is a fallacy. Even with NPS’s cyber systems and operations master’s degree, CWOs without several years of focused work in technical cyber areas are nothing more than cyber dilettantes.
Furthermore, the CWO community does not have a mechanism to screen for technical talent, nor does it value technical ability. While CWOs claim to value technical talent by encouraging those who apply to have STEM degrees, it is not a requirement nor is knowledge gained in academia put into practice. This is obvious from their published community values.
Needed: A Unified Cyber Warfare Community
The CWO community fails to grasp the scale, potential, and diverse skills within the cyber domain. Seeing it as a unitary skill in which one can get sufficient “cyber-stink” after completing a single assignment at the National Security Agency (NSA), the CWO community continues to undervalue the unique challenges associated with conducting operations, developing capabilities, and managing personnel. Most CWOs view cyber as a black box and not the vast domain it is. Nicolas Chaillan, the Air Force’s first chief software officer, decried this issue: “Please stop putting a major or [lieutenant colonel] (despite their devotion, exceptional attitude, and culture) in charge [of technical projects affecting millions of users] when they have no previous experience in that field,” he wrote. “We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful?”
At present, there is no incentive for the CWO and IP communities to develop genuine cyber expertise and a viable cyber officer career path, because doing so would require prioritizing cyber above their traditional areas of expertise. Because of this, each community invests far too little into cyber professionalization, which further undervalues cyber. This negative feedback cycle causes the NSA and the other military services to view the Navy as poor performers on all things cyber. Even U.S. Cyber Command recognizes this and does not list Navy CWO as a cyber officer community on its careers page (the Navy enlisted cryptologic technician rating is included).
The CWO and IP communities cannot retain genuine cyber talent, as those officers with the aptitude and desire to be cyber experts feel underused and unappreciated. Why become a cyber expert when your community forces you to continually take unrelated jobs? Even if CWOs with cyber talent were to continue their service, they must check boxes in the five CWO disciplines or risk failing to promote. If they are lucky, they may get a cyber job every third or fourth tour, for a total of two or three tours in a 25–30 year career.
Apparently, the CWO community failed to grasp the lessons identified in the book Range—sample and gain diverse experience in the first few years of a career, then specialize for excellence, not dabble in various things forever. The Army, Air Force, and Marine Corps do not ask their officers to be cyber professionals on a part-time basis, instead devoting large communities (the Air Force has nearly 3,000 cyber officers) to the problem and structuring career paths around creating cyber leaders. These services do not have cyber officer career paths that involve random assignments in infantry battalions or aircraft maintenance squadrons just so their officers can experience “the real military.” Yet, the Navy’s CWO community does just that.
According to the Secretary of the Navy’s March 2019 Cybersecurity Readiness Review, the Navy’s “culture, processes, structure, and resources are ill-suited for this new era” and “a real appreciation of the cyber threat continues to be absent from the fabric of [Navy] culture.” The Navy frequently talks about the importance of cyber, but its actions clearly do not match its words. CWOs should not be the ones making decisions about cyberspace, and their lack of cyber expertise has failed to prepare the Navy for many incidents. For example, the Navy’s Cybersecurity Task Force and Operation Rolling Tide were created after Iranian hackers were already in Navy networks.
Empower the Cyber Warfare Engineer Community
The cyber warfare engineer community was created as the home of the true cyber experts. Unfortunately, the CWEs face many challenges that the other communities are unwilling to help resolve. The CWE community currently is small and does not have the manpower to take on the entire cyber mission, nor does it have billets in some of the most important cyber jobs in the Navy. Most CWE billets are at Navy Cyber Warfare Development Group in Suitland, Maryland, and at NSA up the road. The CWE community thus far has failed to obtain billets at numerous Navy and Joint commands. Growing a community in a zero-sum Department of Defense (DoD) manpower environment is a slow, cumbersome process, and, with few exceptions, conversion means taking billets from other communities, something no community in the Navy is keen to allow, even when billets go unfilled for years.
What makes the CWE community capable in cyberspace is its focus on developing deep technical expertise. CWEs have major advantages over other communities for accession thanks to the technical interview process and strict STEM degree requirements. To be competitive, applicants must already have deep technical expertise in security. Candidates compete in a 48-hour capture-the-flag screener, followed by challenging programming assignments, and, finally, a rigorous technical interview. Once in the community, CWEs are sent through a grueling six-month training pipeline in which failure is not tolerated. This is like the Navy’s Basic Underwater Demolition/SEAL (BUD/S) training or Navy Nuclear Power school, only for hackers. Only top talent is selected, with less than 30 percent of applicants screening positively in the capture-the-flag event and less than 40 percent passing the interview. This leads to more than 95 percent of CWEs completing the training pipeline, significantly better than what Navy civilians and enlisted cryptologic technician–network (CTN) developers achieve.
Aside from rigorous screening and training, CWEs have more in common with SEALs than is readily apparent. Like SEALs, CWEs are required to become proficient in a wide range of cyber skills allowing them to do what others cannot. CWEs possess the skills to develop the most cutting-edge offensive and defensive cyber capabilities, similar to those required to win a competition like the Zero Day Initiative’s Pwn2Own competition. China takes Pwn2Own and its own competition, the Tianfu Cup, seriously as a show of force.
No matter where the nation and DoD go regarding building a cyber force, the Navy will always need its own cyber professionals to operate from and defend naval platforms and target maritime adversaries. The CWEs are the only community that has the requisite technical depth, experience, and focus to lead in cyberspace.
The ultimate solution for the Navy will be to turn over full responsibility for the cyber domain to the CWEs—a course of action that will benefit not just the three communities currently involved, but the entire service. CWEs will be empowered to grow, lead, and provide domain superiority. The CWOs will be freed to focus on their traditional areas of expertise. If the IPs continue to expand their own defensive role in cyber operations, the CWE community will not need to grow to the same scale as the Air Force or Army’s cyber officer communities, but it certainly will need more than 1,000 CWEs. This would allow the Navy to not only become a top tier remote cyber operations organization, but to integrate CWEs across the fleet and with Naval Special Warfare, in addition to providing direct support to the fleet when needed.
Empowering the CWEs with full control of the cyber domain also will go a long way in improving retention, resolving billeting issues, and creating more opportunities for impact. But it is an incomplete solution. Empowering also must involve other actions to attract and retain high performers with some of the most in-demand skills in one of the most in-demand industries in the world. There currently are no incentives, bonus pay, or accession bonus options that can be offered to CWEs. As NSA has repeatedly learned, it needs skilled cyber people more than those people need NSA. The same is true for the Navy. NSA has created numerous special pay bands and incentive programs to retain personnel. The Army recognizes the importance of technical leaders and offers software developers and cyber personnel its maximum retention bonus and proficiency pay. The Navy should provide bonus pay for proficiency in programming languages, special duty pay, better career opportunities, and establish a CWE reserve component.
Adversary nations are on near-equal footing in cyberspace and cyber provides a mechanism for outsized impact, even to those that are less sophisticated. The Navy cannot keep untrained and unfocused CWOs operating in this domain. The impact of well-trained CWEs, focused cyber experts, will always be greater than CWOs with only a basic understanding of cyber. Removing cryptologic warfare officers from the cyber domain is a critical move the Navy must take.
Empowering the community that has the intense screening process, deeply technical expertise, and focus on the cyber domain is the only way the Navy can regain its cyber footing. No amount of time in roles that claim to be cyber but provide little technical depth will change the fact that the Navy currently has unqualified personnel in every cyber role. This problem is solvable, but it requires a major restructuring of responsibility for the cyber domain and requires the Navy to put its money and effort where its mouth is and take cyber seriously.