Gallons of ink have been spilled since the Department of Defense began exploring plans to permit cyber-qualified information technology specialists to join the military at ranks above entry-level and without undergoing entry-level military training. The idea was initially floated in June 2016, with the Army, Navy and Air Force all considering implementation. In May 2017, the internet almost broke when the Marine Corps weighed whether to allow cyber recruits to skip basic training and enter as staff sergeants, not unlike “The President’s Own”—the Marine Band. The debate has centered around whether allowing Marines to skip the time-honored leveling and shaping experience of boot camp and granting them “unearned” rank would be detrimental to the service ethos. But much of the commentary is missing a more fundamental question: Why does the new crop of cyber operations specialists need to be in the military at all? Spoiler alert: they do not. And an elite Marine Corps shows why.
There are three reasons why the US government assigns tasks during armed conflict to uniformed military members:
(1) Military members are afforded combatant immunity under international law for their warlike acts in armed conflict if captured by enemy forces;
(2) Uniforms permit lawful targets—military members—to be distinguished from unlawful targets, such as civilian noncombatants; and
(3) Military members may be ordered, on pain of legal sanction, to deploy and conduct dangerous and demanding tasks.
These are the most significant reasons to prefer a servicemember over a non-military person (a government civilian employee or contractor) to accomplish a discrete military task. But the nature of cyberspace operations—or military tasks in the cyber domain—does not demand performance by uniformed servicemembers. The entire issue of “to boot camp or not to boot camp” and the question of essentially “hiring” noncommissioned officers can be made moot by simply eliminating the baseless requirement that cyber technicians be in uniform.
If a particular military task requires all or even some of these aspects to be accounted for, it ought properly to be performed by a uniformed member of the armed services. For example, for certain tasks appropriate to infantrymen, such as attacking a military objective with direct and indirect fires to destroy or capture it, it is logical, of course, to use uniformed servicemembers. An infantryman may be ordered to pack his or her gear and deploy to the battlefield. Failure to follow this or any other order can be punished under military law. A captured infantryman cannot be prosecuted under the capturing state’s laws for committing “murder” against enemy soldiers, and is entitled to Prisoner of War status, which entails certain rights under the law of armed conflict.
Similarly, logistics or other support functions must be accomplished by uniformed logisticians and combat service support personnel. It is possible for a logistician, an aircraft mechanic, or a public affairs correspondent to be captured while resupplying combat units or performing other support functions, particularly on fluid battlefields, where there are no real front lines, and where an individual can be an adversary one moment and a noncombatant the next, blending into the protected civilian population. The services must be able to order these support personnel to deploy and face the hardship of combat in order to supply their combat forces. Finally, wearing the same uniform forms a bond of trust between the infantrymen, for example, and the support personnel on whom they are dependent: service ethos commands the support soldier or Marine to employ his very best efforts not to fail the infantryman; and the infantryman counts on this ethos to ensure his resupply or other service function will be provided as planned. Each understands that mission accomplishment and the fate of a unit can depend on this bond and the proper execution of each military task.
Cyber operations, however, are fundamentally different. First, the risk of capture of a cyber operations technician is small, as is the need for a cyber operations specialist to be distinguished, for targeting purposes, from noncombatants by wearing a uniform. For most cyber military tasks, there is no need to co-locate with a deployed military unit. Most cyber operations tasks can be conducted from information technology farms located hundreds or even thousands of miles from an active battlefield, or on naval platforms where the risk of capture is nearly non-existent. To the extent cyber operations tasks need to be synchronized with other battlefield tasks, such as a cyberattack on an electric grid to make a city go dark prior to an armed attack, uniformed cyber planners—smaller numbers of cyber-trained uniformed operational planners—can co-locate with the deployed commander and his staff, and the cyber executors can be 8,000 miles away at Fort Meade. Since the risk of capture by an enemy force at Fort Meade or aboard the USS Harry S. Truman is vanishingly small, the cyber operations specialist’s combatant immunity is mostly irrelevant. If cyberattacks were conducted by a civilian employee or contractor not enjoying combatant immunity, and therefore subject to the attacked state’s criminal jurisdiction, there would be no practical effect, other than that the individual’s privilege to travel to the attacked country or any that might extradite him or her there might be at risk. Any cyber operations specialist identified by name by a foreign intelligence service will not be able to travel to that country on pain of arrest, just as the United States has recently indicted malign cyberactors.
Second, civilians can be ordered to conduct lawful military tasks the same as military servicemembers. The method of redress for noncompliance is simply different. Criminal sanctions for failing to obey orders are not available generally against government civilians and contractors, with some minor technical exceptions. However, employment agreements can be crafted with tailored employment and enforcement clauses hastening employee discipline in the event of noncompliance, and can even include deployability clauses in case a commander determines, in fact, that the presence of the cyber operations specialist is required closer to the battlefield. Contracts could be written to permit contract termination or require contractors to forfeit surety bonds upon nonperformance of an essential military task, providing contractor companies an economic incentive to carefully screen and select their employees. Contracts also can be written with redundancy, such that a contractor who refuses to perform can instantly be replaced with a contractor two desks away who will readily perform the ordered task. Clearly, concerns about deployment and obedience to orders attendant to uniformed servicemembers can be mitigated through other measures. Furthermore, there is a whole body of law on the issue of civilians directly participating in hostilities. Where they “directly” participate in hostilities, they can be targeted, kinetically or otherwise, just like uniformed personnel, but there is no requirement to be uniformed. Being a civilian does not exempt them from being targeted, though performing most core tasks at Fort Meade or in Hawaii makes the likelihood small.
Finally, cyber operations specialists need not share an ethos or sense of sacrifice with uniformed servicemembers in order to effectively do the job the government requires. This much has already been tacitly acknowledged by crafters of the concept willing to forego the requirement for entry level training and service at junior ranks. Just as The President’s Own, the Marine Band consisting of professional musicians hired at the paygrade of E-6 to play at White House and other state events without ever attending boot camp, are not considered “real Marines” by Marines, the approach of waiving boot camp and service in the junior ranks acknowledges a separate class for cyber operations specialists. Rather than engineering division and resentment into the ranks, it is better to simply acknowledge that they are categorically different than other servicemembers and acquire their skills through civilian hiring and contracting. Moreover, fielding these personnel as civilians rather than military members eliminates the lost man-hours from required trips to the rifle range and the risk of being pulled off cyber tasks for additional duties or non-cyber staff assignments. It simply does not add much for a cyber operator to be proficient in military tasks, such as firing a rifle and running a physical fitness test, which have so little to do with proficiency in their primary operational responsibilities.
There is no question the cyber skillset is increasingly in demand for the Department of Defense. Cyberspace has been acknowledged as an independent warfare domain in US doctrine, and NATO has followed suit. Cyber attacks on US systems are steadily ascending, and the need for investment in systems, infrastructure, and human capital is apparent. Winning the wars of tomorrow will absolutely require cyber operations specialists. Most simply do not need to be in uniform.
Image credit: Petty Officer 2nd Class Jesse A. Hyatt, US Navy
Other previously debated recruiting and retention issues that may be solved by manning the majority of the cyber force with government civilian employees and contractors are fitness standards and making pay commensurate with skill and experience to attract the correct workforce.
Every uniformed member has to attain and maintain a baseline level of fitness to ensure they have the physical ability to move under fire wearing a uniform, helmet, armor and weapon, at a minimum. If the assumption is that members of the cyber force will for the most part not be required to be forward-deployed and thus do not face kinetic threats, then they do not share this particular physical fitness requirement. Further, as outlined above, if the cyber force is highly unlikely to face kinetic threats, then there is no need to create a sub-organization filled with unfit uniformed service members; rather, the force can be manned by government civilian employees or contractors that typically are not required to meet any fitness standards.
Attracting a workforce that possesses uncommon technical skills, aptitude, and experience requires the appropriate compensation level to compete with other, similar jobs offered by commercial firms seeking the same candidates. Entry-level military compensation is completely inadequate for this task, and the concept of assigning a rank typically earned through years of experience to a new cyber force member in an effort to artificially adjust that member's compensation levels will create resentment and divisiveness within the ranks from the majority of service members that must still earn rank in the traditional manner. This issue can be completely avoided by employing government civilians, who would not be required to be initially hired at entry-level ranks and correspondingly low compensation levels. Instead, cyber force positions could be set at appropriate GS levels that have the appropriate skill, education, and experience requirements for hiring consideration, along with commensurate base compensation (based on position grade and step levels) and locality pay to attract the correct work force.
Steve nailed it. The same reasoning as using military pilots for the original astronauts vs. civilian test pilots. They are cheaper.
Who is cheaper — the military pilots? Probably not after you consider the ENORMOUS overhead that goes into making and supporting an O5 fighter pilot. His salary and direct benefits are the tip of the iceberg.
Thank you! I've been saying this for a couple years, now. This can be widened to not just cyber personnel, but many in the wider force as well.
The enemy doesn't wear a uniform. So, why do we?
In many cases outside of a deployed environment, uniforms do nothing but make you a target for terrorism.
Doug, there are good reasons to wear uniforms for some individuals who perform military tasks. For infantrymen and combat aviators, it's key to them being afforded status upon capture and combatant immunity. But for certain fields, it's unnecessary, if you are willing to endure the consequences of not being in uniform. For "cyberwarriors" at Fort Meade or Fort Gordon, the consequences are virtually zero. I also agree there are other tasks being performed by people in uniform for whom their uniformed status is irrelevant. Many supply chain management functions, for example, where the uniformed personnel never leave a US depot. Many engineers, particularly Corps of Engineers officers who never deploy. I could go on.
Any work done remotely (network defense, network recon, weaponizing software, etc.) has little need for uniform (security clearance and technical skill more important).
There will still be a need for uniformed cyberwarriors for both in-theater deployment and combat unit deployment. Urban or semi-urban landscapes provide countless ways a cyberwarrior can be critical for the unit. From cell phone interception, honeypot, and disinfo (like what NSA agents did in Iraq 2007) with own resources to physical breaches (fast and most efficient way to p0wn any devices) and then let the remote units bring the big guns on it.
100% agree with you