The Future Cyber Workforce: Some Alternates to the Model

The Australian Army is grappling with the problem of developing an appropriate cyber workforce. As the Army becomes an increasingly digitised force and reliance on the cyber domain increases, the demands on the cyber workforce will continue to grow. To meet these challenges Army must think beyond the traditional cyber workforce model and beyond the workforce currently housed within niche units. Much work is being done throughout the Army to identify the most appropriate cyber workforce.

The aim of this article is to suggest some alternate models to the traditional ‘uniformed’ solution, built on an assumption that there are sources of cyber specialists who will not meet the Army fitness or medical employment standards, or even criminal background and security clearance requirements. Looking at the work being done in the United States, other Defence Forces and in the private sector provides some options for an alternate cyber workforce. Some of the options have considerable risks associated with them. Nonetheless, they are worthy of consideration so that we might understand the scope of the problem and the potential solutions.

If we accept, as many in the private sector do, that hackers are constantly attempting to breach security protocols and steal financial and other commercially sensitive material, it makes sense to employ reformed hackers to test for vulnerabilities in security systems. From 2011 – 2013, the US Defence Advanced Research Projects Agency’s (DARPA) operated a ‘Cyber Fast Track’ program which awarded small, short term contracts to boutique firms and individuals with cyber skills that could specifically solve problems such as reducing vulnerabilities. The program was used to breach the gap between government and the hacker community, employing non-traditional applicants whose home-grown skill-sets were identified as of great use to the government and military. Similarly, the Australian Signals Directory recruits ‘white hat’ hackers or ‘penetration specialists.’ However, there is a stigma associated with hacking that may need to be overcome if the Army is to employ them.

Employing those without the desired level of education in cyber or related science, technology, engineering and mathematics (STEM) degrees, including self-taught programmers with no university education, is an option that will see an increase in the pool of available talent. Steve Jobs and Mark Zuckerburg are just two examples of individuals who would not meet some of the entry-level requirements due to a lack of tertiary qualification. The emphasis should be on skills rather than qualifications. This shift to an emphasis on skills rather than qualifications per se is happening within the private sector and technology industries, who are competitors to Army in the quest to recruit talented cyber professionals.

Recruitment of this kind is not new, think Bletchley Park crosswords puzzles, but it will require a reflection on our biases. GapJumpers is a hiring website developed specifically to help overcome organisational bias towards a potential employees’ race, gender, age and education. The company uses software that allows for ‘blind auditions’: employers dictate the skills that are required, and GapJumpers develops skills-based challenges that job seekers anonymously solve to prove they are qualified and capable of doing the job. The quality of skills becomes the first impression. Compose Inc is a tech firm in the US who use these blind tests instead of CVs, asking applicants to complete a task on the assumption that these tests are better at predicting performance than a résumé or degree. Additionally, tests such as these are potential mechanisms to identify and fast-track the most promising candidates who have the skills but not formal qualifications.

Security clearances may be a barrier to hiring the right people for the workforce. Traditionally, Army has operated on the assumption that those who work in the cyber domain require the highest levels of clearance. There are some jobs which should remain subject to normal security constraints; however, a security clearance is only one form of risk mitigation and an argument can be made as to their effectiveness given IBM’s 2016 report that 60% of all cyber attacks were carried out by insiders, three quarters of which were malicious.

The trusted insider is one of the greatest threats to Army cyber protocols: individuals such as Edward Snowden, David Petraeus, Hillary Clinton and Chelsea Manning met the requirements for a security clearance yet were responsible for major security breaches. No single protective measure is sufficient in and of itself. So it may be possible to overcome the issues associated with those who would not gain citizenship or pass a security clearance assessment due to having a non-checkable background or a criminal offence (such as hacking). Additional measures, such as programs developed by Eric Shaw which are already in use in the private sector, include deep analytics, psychological content analysis and remote assessment. Software exists that allows these checks to occur electronically through routine monitoring, assisting with anomaly detection and predictive analysis and are capable of raising the alert before the breach has occurred. Alternatively, an organisation can seek to understand the areas and information that is of most value to a threat actor and increase the monitoring of those areas identified as being high risk.

If the risk of using those who cannot pass a security clearance test or meet the Australian citizenship requirements is deemed too high, these individuals can participate in some non-sensitive areas of the cyber workforce. Open source or social media exploitation can be done in an UNCLASS environment or even from a home workstation. The information gathered through these means has the potential to significantly contribute to human terrain analysis, and uncleared members of the cyber workforce can routinely conduct such analysis or, for the more technical, develop software solutions to exploit these areas.

The Dandelion Program is an initiative of the Chief Information Officer Group, aimed at recruiting individuals on the high-functioning end of the autism spectrum. In the military context, since 2012 the Israeli Defence Force (IDF) has been running the Roim Rachik (RR) Program within Unit 9900, which is staffed exclusively by soldiers on the autism spectrum. The RR Program began after the IDF recognised the contribution high-functioning autistic people could make to roles requiring skills such as deep focus, mathematics, analysis or interpretation of imagery. Programs such as these present opportunities to Army.

Each of these alternates comes with a unique set of challenges, some more difficult than those associated with the traditional cyber workforce, and some potentially not. But the Australian Army must be open to considering the solutions that others are already exploring, otherwise we will simply not be able to compete with them for a small and specialised workforce.