Navy Commander Kevin Blenkhorn, a computer sciences professor at the U.S. Naval Academy, works with his Joint Services teammates during the U.S. Army’s ‘Cyber Center of Excellence’, Fort Gordon in Augusta, Georgia. (Georgia Army National Guard photo by Staff Sgt. Tracy J. Smith)

TECHNET AUGUSTA 2024 — A year after the Pentagon launched a new initiative to dramatically boost its cyber workforce, it finds itself making progress but grappling to fill thousands of jobs, to accurately assess the cyber talent it has and to free up its people to learn more when the opportunity is available.

“We’re at a 28,000 shortage, which is better than we were last year, but that’s still a 28,000 shortage, so I have to get after how do we create and generate that next generation of talent,” Mark Gorak, principal director for resources and analysis for the DoD Chief Information Officer, told Breaking Defense on the sidelines of TechNet Augusta last week.

Gorak said the Pentagon has hired 12,000 people as part of the Cyber Workforce Strategy Implementation Plan, but has seen a turnover of 10,000 people in the overall staff in the same time, meaning there’s been a net positive hire of 2,000 people. For context, there are approximately 225,000 total personnel that are part of the cyber workforce, according to Gorak’s office, split between 75,000 federal civilians, 75,000 military personnel and 75,000 contractors. The DoD counts 72 positions as roles in the cyber workforce.

Filling the vacancies in the cyber workforce is one problem, Gorak said, but filling them with qualified people is a whole other issue. 

“The second biggest challenge, I think, is then the qualification of the current workforce and ensuring that we have consistency and competency across the workforce. And for an organization as large as the DoD, the scale of that is immense,” Gorak said. “To make that happen, all the different components, services need to be thought about. How do we ensure that consistency?” 

Chief Information Officer Principal Director for Resources & Analysis Mark Gorak conducts a press briefing discussing the Cyber Workforce Strategy Implementation Plan rollout with Pentagon Press Secretary Air Force Brig. Gen. Pat Ryder at the Pentagon in Washington, D.C., Aug. 3, 2022. (DoD photo by U.S. Air Force Senior Airman Cesar J. Navarro)

In terms of keeping up this “consistency,” there are three levels in which members of the cyber workforce are ranked, Gorak said. The first level is basic, then intermediate and advanced. The DoD determines the qualifications for the basic level, but other organizations, like specific services or companies for contractors, handle the intermediate and advanced levels.

Gorak said that procedure can often cause confusion since there’s no unified metric of skill level beyond basic, and can complicate evaluating different skillsets throughout the cyber workforce. 

“If you’re, you know, an offensive attacker or exploitation analyst, you will have different intermediate and advanced tasks than somebody who does not,” Gorak said. “The hard part, though, is how do you then assess whether they’ve met those qualifications or not?

“If you’re coming out of Carnegie Mellon with a PhD, I’m not going to send you to our eight week basic IT course. You don’t need it. You’re already qualified based on your level of education. It doesn’t apply across the board in general, but we will consider those experiences to see who’s qualified and for what,” he later added. 

Gorak said his office has tried to facilitate exchange programs across the workforce — both inside government and out — to address common challenges within the cyber community. But the department has had trouble letting go of its own people to participate in these programs. 

“So everyone tells me, ‘Oh, yeah, I want to exchange with industry. I want their people to come to my office or my organization, but I don’t want to send them anybody,’” Gorak said. “That’s not how an exchange program works. You exchange talent so that all parties benefit, so the industry understands some of DoD issues and challenges, and then our people understand what industry then can provide, and that should work out. But getting people to give up people when they’re already short is a challenge for us.”

Highlighting another challenge in the services, this week Space Force Vice Chief Gen. Michael Guetlein said that his service branch is spending “an enormous” amount on cybersecurity, but is having trouble retaining operators.

“I cannot hire talent fast enough and keep them long enough, because as soon as I get them trained, industry hires them right back out for a lot more money,” he said at an Intelligence and National Security Alliance event in Washington.

2 Out Of 38 Initiatives

Out of the 38 initiatives outlined in the department’s cyber workforce strategy, Gorak said he and his team have completed two of them — so far eight short of a goal to complete 10 by the end of fiscal 2024.

One he completed was Initiative 4.3.1, the establishment of the Cyber Academic Engagement Office, of which Gorak is dual-hatted as the director and which has a recently appointed a principal director, Diba Hadi. 

That office will “serve as the consolidated focal point for cyber-related activities carried out between the DoD and academia stakeholders,” the department’s website states. 

“It gives me full responsibility for the entire cyber academic outreach for the entire DoD. That is a very difficult job, because each of the components, each of the services, all have outreach with cyber, with academia,” Gorak said of the new office. “The goal is how do we partner? Where are our gaps and teams in all the programs? And how do we partner so that not every single entity out there has to have a separate relationship with a college?”

The second initiative Gorak’s office accomplished is initiative is 4.4.2: increased Congressional awareness of cyber workforce development priorities. 

“That might sound trivial, but we were too busy to really do it in the past,” Gorak said. “Communication between the department and the Hill, we were lacking, we were relying on  the ‘good idea fairy’ if you will.”

He added now that he and his office have been communicating with Congress, there’s less of a need to go through the lengthy process of introducing legislation to bolster the cyber workforce, as Gorak’s team and Congress have the same goal “to fix the cyber workforce” he said. 

Though two of 38 might not sound like much, Gorak said he considers it an early accomplishment, considering the level of bureaucracy that goes into such decisions. 

“I do believe my job, as a champion of these programs, is to at my level, to get through the bureaucracy. You’d be amazed at things that have to come to my level to get approved or to get through where I think that should have been done three or four levels lower. For whatever reason it’s not happening. That is a challenge that we have to continue to work for,” Gorak said. 

“Out of my 38  initiatives, we might actually complete 10. That’s 10 that we wouldn’t have completed if we didn’t do this,” he added.