Cyber forces weakened by private company poaching

Western militaries need to retain expert staff or risk vulnerability to attack, leading technology expert warns

Western militaries must retain cyber warfare specialists to be able to mount effective attacks, a leading analyst has said. Reuters

Vulnerability to cyber attacks has grown, with private companies draining militaries of their best talent, a leading technology expert has said.

Max Smeets argued that western armies need to adopt strict policies of retaining specialists by enforcing contracts that prevent well-trained officers being poached by better-paying companies.

He also suggested that some militaries need to review the strict regulations that keep operators from practising cyber attacks.

“The majority of military cyber commands that have been established still only have a mandate to operate in wartime,” he told the Royal United Services Institute seminar.

“In peacetime, they're actually not even allowed to do reconnaissance.”

He gave the example of the Dutch defence cyber command, which, although it had been established for many years, only had a mandate to operate during wartime.

“In peacetime, it's not even allowed to gain access to foreign networks or potentially see which targets they actually may want to achieve an effect on,” he said.

Governments are failing to realise that people are the “most important element” in cyber warfare, said the author of No Shortcuts: Why States Struggle to Develop a Military Cyber Force.

Western cyber commands, which would play a significant role if Nato entered a direct conflict with Russia, have overlooked the link between their “strategic posture” and “the ability to recruit, train and retain the right people”, said Dr Smeets, who serves as the director of the European Cyber Conflict Research Initiative in Zurich, Switzerland.

Armies rely on a very small core of government-based employees to conduct the most advanced operations and many of these were headhunted by non-military organisations, he said.

“There has been a number of cases where this has led to significant losses of best talent.”

Cyber forces paid to train people on internships but afterwards, “your staff is gone and then moved to a company”.

Dr Smeets told the seminar, titled the Challenge of Building a Military Cyber Force, that it would be in the interests of both the military and the private sector to work together to prevent losses.

“There is a lot more that can be done here for more formalised long-term training,” he added.

The defence sector should also require staff to serve in “dedicated service” roles for a minimum number of years.

“You say, ‘OK, we pay for further education but there's also then a requirement that you must stay for X number of years’,” he said. “For many, that doesn't really exist right now.”

He warned against armies being over-reliant on reservists, such as Britain’s 77th Brigade, as the idea that part-time soldiers could simply “plug in and play” on complex cyber operations was “unrealistic”.

Much greater co-operation is required between European countries that had built “incredibly costly training facilities” with more “burden-sharing together” to reduce vulnerability to attack, he said.

Updated: June 14, 2022, 5:24 PM