Gallons of ink have been spilled since the Department of Defense began exploring plans to permit cyber-qualified information technology specialists to join the military at ranks above entry-level and without undergoing entry-level military training. The idea was initially floated in June 2016, with the Army, Navy and Air Force all considering implementation. In May 2017, the internet almost broke when the Marine Corps weighed whether to allow cyber recruits to skip basic training and enter as staff sergeants, not unlike “The President’s Own”—the Marine Band. The debate has centered around whether allowing Marines to skip the time-honored leveling and shaping experience of boot camp and granting them “unearned” rank would be detrimental to the service ethos. But much of the commentary is missing a more fundamental question: Why does the new crop of cyber operations specialists need to be in the military at all? Spoiler alert: they do not. And an elite Marine Corps shows why.
There are three reasons why the US government assigns tasks during armed conflict to uniformed military members:
(1) Military members are afforded combatant immunity under international law for their warlike acts in armed conflict if captured by enemy forces;
(2) Uniforms permit lawful targets—military members—to be distinguished from unlawful targets, such as civilian noncombatants; and
(3) Military members may be ordered, on pain of legal sanction, to deploy and conduct dangerous and demanding tasks.
These are the most significant reasons to prefer a servicemember over a non-military person (a government civilian employee or contractor) to accomplish a discrete military task. But the nature of cyberspace operations—or military tasks in the cyber domain—does not demand performance by uniformed servicemembers. The entire issue of “to boot camp or not to boot camp” and the question of essentially “hiring” noncommissioned officers can be made moot by simply eliminating the baseless requirement that cyber technicians be in uniform.
If a particular military task requires all or even some of these aspects to be accounted for, it ought properly to be performed by a uniformed member of the armed services. For example, for certain tasks appropriate to infantrymen, such as attacking a military objective with direct and indirect fires to destroy or capture it, it is logical, of course, to use uniformed servicemembers. An infantryman may be ordered to pack his or her gear and deploy to the battlefield. Failure to follow this or any other order can be punished under military law. A captured infantryman cannot be prosecuted under the capturing state’s laws for committing “murder” against enemy soldiers, and is entitled to Prisoner of War status, which entails certain rights under the law of armed conflict.
Similarly, logistics or other support functions must be accomplished by uniformed logisticians and combat service support personnel. It is possible for a logistician, an aircraft mechanic, or a public affairs correspondent to be captured while resupplying combat units or performing other support functions, particularly on fluid battlefields, where there are no real front lines, and where an individual can be an adversary one moment and a noncombatant the next, blending into the protected civilian population. The services must be able to order these support personnel to deploy and face the hardship of combat in order to supply their combat forces. Finally, wearing the same uniform forms a bond of trust between the infantrymen, for example, and the support personnel on whom they are dependent: service ethos commands the support soldier or Marine to employ his very best efforts not to fail the infantryman; and the infantryman counts on this ethos to ensure his resupply or other service function will be provided as planned. Each understands that mission accomplishment and the fate of a unit can depend on this bond and the proper execution of each military task.
Cyber operations, however, are fundamentally different. First, the risk of capture of a cyber operations technician is small, as is the need for a cyber operations specialist to be distinguished, for targeting purposes, from noncombatants by wearing a uniform. For most cyber military tasks, there is no need to co-locate with a deployed military unit. Most cyber operations tasks can be conducted from information technology farms located hundreds or even thousands of miles from an active battlefield, or on naval platforms where the risk of capture is nearly non-existent. To the extent cyber operations tasks need to be synchronized with other battlefield tasks, such as a cyberattack on an electric grid to make a city go dark prior to an armed attack, uniformed cyber planners—smaller numbers of cyber-trained uniformed operational planners—can co-locate with the deployed commander and his staff, and the cyber executors can be 8,000 miles away at Fort Meade. Since the risk of capture by an enemy force at Fort Meade or aboard the USS Harry S. Truman is vanishingly small, the cyber operations specialist’s combatant immunity is mostly irrelevant. If cyberattacks were conducted by a civilian employee or contractor not enjoying combatant immunity, and therefore subject to the attacked state’s criminal jurisdiction, there would be no practical effect, other than that the individual’s privilege to travel to the attacked country or any that might extradite him or her there might be at risk. Any cyber operations specialist identified by name by a foreign intelligence service will not be able to travel to that country on pain of arrest, just as the United States has recently indicted malign cyber actors.
Second, civilians can be ordered to conduct lawful military tasks the same as military servicemembers. The method of redress for noncompliance is simply different. Criminal sanctions for failing to obey orders are not available generally against government civilians and contractors, with some minor technical exceptions. However, employment agreements can be crafted with tailored employment and enforcement clauses hastening employee discipline in the event of noncompliance, and can even include deployability clauses in case a commander determines, in fact, that the presence of the cyber operations specialist is required closer to the battlefield. Contracts could be written to permit contract termination or require contractors to forfeit surety bonds upon nonperformance of an essential military task, providing contractor companies an economic incentive to carefully screen and select their employees. Contracts also can be written with redundancy, such that a contractor who refuses to perform can instantly be replaced with a contractor two desks away who will readily perform the ordered task. Clearly, concerns about deployment and obedience to orders attendant to uniformed servicemembers can be mitigated through other measures. Furthermore, there is a whole body of law on the issue of civilians directly participating in hostilities. Where they “directly” participate in hostilities, they can be targeted, kinetically or otherwise, just like uniformed personnel, but there is no requirement to be uniformed. Being a civilian does not exempt them from being targeted, though performing most core tasks at Fort Meade or in Hawaii makes the likelihood small.
Finally, cyber operations specialists need not share an ethos or sense of sacrifice with uniformed servicemembers in order to effectively do the job the government requires. This much has already been tacitly acknowledged by crafters of the concept willing to forgo the requirement for entry-level training and service at junior ranks. Just as The President’s Own, the Marine Band consisting of professional musicians hired at the paygrade of E-6 to play at White House and other state events without ever attending boot camp, are not considered “real Marines” by Marines, the approach of waiving boot camp and service in the junior ranks acknowledges a separate class for cyber operations specialists. Rather than engineering division and resentment into the ranks, it is better to simply acknowledge that they are categorically different than other servicemembers and acquire their skills through civilian hiring and contracting. Moreover, fielding these personnel as civilians rather than military members eliminates the lost man-hours from required trips to the rifle range and the risk of being pulled off cyber tasks for additional duties or non-cyber staff assignments. It simply does not add much for a cyber operator to be proficient in military tasks, such as firing a rifle and running a physical fitness test, which have so little to do with proficiency in their primary operational responsibilities.
There is no question the cyber skillset is increasingly in demand for the Department of Defense. Cyberspace has been acknowledged as an independent warfare domain in US doctrine, and NATO has followed suit. Cyberattacks on US systems are steadily increasing, and the need for investment in systems, infrastructure, and human capital is apparent. Winning the wars of tomorrow will absolutely require cyber operations specialists. Most simply do not need to be in uniform.
Image credit: Petty Officer 2nd Class Jesse A. Hyatt, US Navy