At Marine Corps Tactical Systems Support Activity, cybersecurity is a story about doing more with less.
MCTSSA does developmental testing and systems engineering, including digital systems. Cybersecurity is a big part of the program, yet that effort runs lean. In matters of cyber, the roster calls for 14 people on the job, but in mid-summer only seven positions were filled. That’s not uncommon.
“Sometimes we see people who have been working on the fundamentals of computers but they don’t have the cybersecurity skills,” said Senior Principal Engineer David Yergensen. “To hire people who are already experienced is very expensive. We also lose people to industry: Once people have the skills, they get pulled away with offers of promotion somewhere else.”
With the demand for cyber solutions ever on the rise, the team must attack the problem strategically, to squeeze the greatest possible level of digital protection out of its limited resources. The finesse lies in weighing the odds.
“It’s all about the risk assessment,” Yergensen said. “Every system will have some vulnerabilities, but you have to weigh that risk against the effort that it would take to find that vulnerability and the likelihood that an adversary would find it. We have lots of layers of defense to protect our systems, so you weigh all that against how much you need the system and how likely it is for this problem to ever arise.”
In short, you don’t squander time and effort sewing closed a hole that the adversary probably isn’t going to find.
Once the team has found a high-priority bug, or a system with a strong likelihood of being breached, that’s where they focus their attention.
“We don’t test a new system every week,” Yergensen said. “Typically, we are testing the same systems over and over to make sure past problems have been fixed, and maybe digging into areas we didn’t hit the first time. The number of C2 systems is limited, so we can be really tight in our focus over time.”
At the same time, MCTSSA is taking part in an overall service effort to build up the cyber workforce.
Building the pipeline
This spring the Marine Corps created a new cyberspace occupational field. The new job category “will enable the Marine Corps to continue to compete successfully on future battlefields while enhancing the Marine Corps’ ability to conduct cyberspace operations and improve cyberspace manpower readiness and retention,” the service said in announcing the move.
“We just really have to get more return on investment … and what we want to be able to do is continue to increase our proficiency and skills,” Maj. Gen. Lori Reynolds, commander of Marine Corps Forces Cyberspace Command, told Fifth Domain at the time. “When you’re constantly moving people out of the cyber workforce, you’re starting over again all the time. That doesn’t work.”
The new cyber field gives a boost to recruiting and could supplement existing programs that Yergensen said are helping him to identify cyber talent.
He’s recruited successfully through the Defense Department’s SMART Scholarship Program, which pays for college in return for a future work commitment. “We go after them in their junior year, when we can see that they were going to be successful and that they were not going to change majors. Then they get two years of college and we get them for at least two years,” he said.
The Naval Acquisition Development Program has been another helpful feeder. “They are looking for entry-level people who are new to government,” Yergensen said. “The Navy pays them for their first two years, so they don’t cost us anything. They get an opportunity to work for two years and if they are successful we guarantee them a job at the end of the two years.”
None of this stems the flow of attrition, as cyber workers get lured away by the higher salaries in industry. There’s not a lot Yergensen can do about that. “If somebody else throws money at them, we can’t get into a competition over that. We need to do the things we do well. We try to be flexible and we try to be competitive, but we still have to work within our budget,” he said.
At the end of the day, Yergensen said, he is able to run his shop with a less-than-full bench because the people that he has on board can tackle at least 80 percent of the likely cyber perils. Again, efficiency comes down to playing the odds.
“We can get the majority of the benefit with seven people, so we don’t spend as much time and energy recruiting the other seven just to get that last 20 percent,” Yergensen said.