Inside the Pentagon’s Boot Camp for Cyberwarriors
Inside the U.S. Navy’s Corry Station base in Pensacola, Fla., there’s a school that wouldn’t look out of place on any well-manicured college campus—except for a handful of buildings wreathed in barbed wire, with the windows bricked up. That’s to keep electronic signals from getting in or out. The buildings make up the Center for Information Dominance (CID), the Pentagon’s primary boot camp for personnel training in the art of cyberwar.
U.S. Defense Secretary Ashton Carter has said that cyber may one day become the sixth service branch, but the military doesn’t yet have the staff for it. The Pentagon said in April that U.S. Cyber Command, the organization created in 2010 to coordinate military efforts online, won’t reach its six-year goal of deploying 6,200 military and civilian personnel until 2018, two years late. The new force is to be responsible for defending the Pentagon’s computer systems as well as, at the direction of the president or defense secretary, launching cyber attacks. Admiral Michael Rogers, who heads Cyber Command and the National Security Agency, told Congress the government has been “hard-pressed” to find and train qualified service members.
The Corry Station outpost is at the forefront of efforts to change that. CID’s Joint Cyber Analysis Course, a six-month electronic warfare program that trains service members from each branch, has become required learning for many positions. The program is on track to train about 1,200 students in 2016, almost double the number in 2013, says CID Executive Director Mike Fair. It’s a small part of the overall mission at the center, which trains about 22,000 students a year in cryptology, intelligence, and IT on a budget of $60 million to $70 million.
The first two-thirds of the cyber analysis course consist of mundane but essential subjects meant to help students understand the making and breaking of computer systems. These include math, basic programming, Windows and Unix operating systems, and the science behind networks and wireless technologies. Then students move on to the fundamentals of hacking: target research, signal analysis, network defense, and malware. They learn to hack a simulated network with open source software and tools such as Metasploit. The curriculum is adjusted to keep pace with advances in both offensive and defensive tactics, an unusual challenge for the military, says Maureen Fox, CID’s commanding officer. “Missile technology changes, but it doesn’t change in a day or an hour,” she says. “The technology in the area we’re in does.”
CID recruits students based on the aptitude for math and critical thinking they show on military entrance exams. Tammi Sternberg, one of the heads of the hacker training program, says the learning curve in the classes is steep enough that even people with computer science degrees have flunked. “They think they know it all, and they have a hard time learning,” she says. “That’s why we like to have a blank slate.”
Many students enroll right out of basic training. Estephani Bratschi, 22, joined the Navy earlier this year after graduating from the University of South Florida with degrees in international studies and political science. As for her computer expertise, the Tampa native says with a laugh, “I could press the power button, and I could type pretty well.” She has a hard time picturing herself hacking a militant’s cell phone to locate roadside bombs, but she’s interested in learning marketable technical skills. Worldwide, there’s a shortage of almost 1 million workers for cybersecurity positions, with average salaries topping $100,000.
Entrance-exam recruiting marks a major shift from the scattershot approach the military used to find talent for years, says Chase Cunningham, a onetime Navy diesel mechanic who became a cyberspecialist by accident. In 2003, Cunningham was sent to Corry Station for cryptology training after he managed to fix the faulty code in an engine room system. He went on to a career in cryptology for the Navy and the NSA before becoming the head of threat intelligence for cloud-hosting company FireHost. “It was a million times better than checking oil 100 times a day and cleaning out AC-unit filters,” he says.
For several years after the Navy merged cryptology and IT in 2005 to create CID, an Army team traveled to military bases giving an odd, 20-question test to identify hackers-at-heart. Some questions were technical, such as finishing a Linux command line. Others were logic puzzles designed to tease out creative thinking. One asked students to figure out the words in a phrase based on the first letters of each word. Those who passed were retrained and redeployed as cyber operators. “There wasn’t a really great pipeline or feeder system to get these people,” says Bob Stasio, a former Army captain who helped administer the tests. “We had to find these diamonds in the rough.”
Stasio, who has also managed cyber intelligence for Bloomberg LP, the parent company of Bloomberg Businessweek, says he was surprised to learn which jobs tended to produce the most reliable specialists. People with electronics backgrounds, such as radar technicians and radio operators, naturally thrived, but so did people with highly specific but unrelated training, including mechanics and medics. “They had this intellectual curiosity to do this kind of thing,” he says.
The military is creating formal career paths for cyberspecialists, and demand from the private sector has made it tougher to recruit and retain them. Tim Johnsen, 33, from Randolph, N.J., says he signed on for the cyberwarfare program earlier this year with an eye to getting a job after he leaves the military. “The people who are the best in that world are not linear. They don’t like hierarchy,” says Pat Ryan, a former Army captain who helped assemble the branch’s first cyber unit in 2009 and now advises security startups on contracting for the federal government. “That makes the private sector a more hospitable place.”
The hacker-training pipeline has also attracted people such as Alex Robinson, who completed the CID program in 2010 and became an instructor last year. Before that, he spent eight years as a gunner’s mate. “It’s a huge change from weapons to computers,” he says. “I didn’t know I was a nerd.”
The bottom line: The Pentagon has revamped its cybersecurity recruitment and training process but remains years behind schedule.