The U.S. military’s computer networks and weapons systems are open to attack from hackers. But there aren’t enough skilled experts to help shore up defenses and prepare the military to fight a war in cyberspace, according to U.S. officials.
On Capitol Hill, lawmakers worry that the military is facing a dangerous shortfall in so-called “red team” operators, who specialize in simulating the kinds of attacks and techniques that an enemy would use. On Wednesday, a bipartisan group of members of Congress called on Defense Secretary Ash Carter to intervene, noting that military networks, including those used by the Joint Staff, have come under increasing attack in recent months. Hackers in Russia who targeted the White House and State Department have also turned their sites on the Defense Department.
A big reason the Pentagon is so-short staffed: The people with the skills to work on red teams are being poached by companies, where they earn far more than they would ever get on a government salary.
In the past three years, several senior red team member have bolted for better paying jobs outside the military, and those left behind “are not keeping pace” with sophisticated adversaries getting better at overcoming U.S. defenses, according to an Pentagon memo obtained by The Daily Beast.
“This trend must be reversed if the DOD [Department of Defense] is to retain the ability to effectively assess DOD systems and train service members against realistic cyber threats,” Maj. Adrian Rankine-Galloway, a spokesman for the department's operational test and evaluation office, told The Daily Beast.
One former U.S. intelligence officer, who was in charge of a red team trained to find vulnerabilities in military and intelligence agency networks, recently told The Daily Beast that he is earning more than $300,000 per year helping a U.S. bank improve its defenses from hackers. That’s more than triple his military salary, said the former officer, who asked that he and his company not be identified by name.
Right now, the Defense Department employs only about 50 red team operators to test military systems and weapons, or one-third of the total number of red team operators that it needs, according to the Pentagon memo. The flaws and weaknesses that those operators find help the military better understand where it’s vulnerable.
The year 2015 saw an “almost non-stop pace of events for all cyber teams,” Rankine-Galloway said, and that frenetic pace “limited the red teams' ability to study the adversary's cyber attack techniques.”
Lawmakers seem to have gotten the message. "As the number and severity of the cyberthreats against the United States continues to mount, realistic cybertesting must become a critical priority that cannot be accomplished without adequate and skilled personnel to do the testing," Rep. Jackie Speier, a member of the House Armed Services Committee, and 25 of her fellow lawmakers wrote to Carter, in a letter obtained by The Daily Beast. "We strongly urge you to adopt enhanced measures to attract, train, and retain such personnel."
“Such cyberattacks could result in significant damage to the weapons systems and information networks that we rely on for our national security,” the lawmakers said, calling on Carter to find “innovative” ways to hire and retain skilled employees, which could involve paying them more money or offering other incentives to stay in their jobs.