Modern field guide to security and privacy

Opinion: Don't drop fitness standards for military hackers

The notion that the government needs to lower personnel standards to attract cybersecurity researchers just perpetuates stereotypes of hackers as basement-dwelling slobs.

David Becker/Reuters
Attendees at the 2016 Black Hat cybersecurity conference in Las Vegas.

As the world appears awash in cybercrime and nation-state cyberattacks, there's a global shortage of information security talent to confront new threats. It's a problem that not only impacts security companies but any firm looking to hire security professionals.

Nowhere is this more apparent than in government. A recent search for simply "cyber" at, the federal government's official online job board, listed 90 openings

Government officials have complained they are hampered because the can't compete against private sector salaries. The military claims that finding qualified recruits is even more difficult with their stringent physical fitness standards. 

Recently Lt. Gen. Gina Grosso, the Air Force deputy chief of staff for manpower, said that the Air Force needs to "think deliberately about how we value uniformity." Standards across the entire force "scares a lot of people," she said. "Do I care what a cyber warrior weighs?"

This isn’t the first time we have heard comments like this. The British military waived its physical fitness requirements for cyber reservists back in 2013. Back in 2008, Maj. Gen. William Lord told Wired, "So if they can’t run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in," referring to supervisory control and data acquisition systems often found inside critical infrastructures. And of course FBI Director James Comey has suggested he can't find qualified applicants because we’re all too busy smoking dope.

But relaxing fitness standards for military cyber personnel is the wrong approach to attracting security researchers. As a group, we aren't more fit or less fit than the population as a whole. The stereotype of hackers as scrawny or overweight teenagers with pasty skin because they live in their parents' basement needs to die.

The largest hacker conference in the world, DEF CON, hosted a 5K run every day of the conference this year in the Las Vegas heat. A group known as Cycle OverRide hosts a 20-mile bicycle ride at the Derbycon hacker conference. There is an informal group known as the BJJ smackdown that practice Brazilian Ju-Jitsu at various security conferences throughout the year. Take a walk through the vendor halls at any security conference and try to find that mythical 400-pound hacker that Donald Trump referred to during a recent debate. (If you do you will probably log upwards of 10 miles of walking; these conferences are huge.)

Enlisting in the military as a "cyber warrior," even in the Air Force, should mean more than sitting behind a keyboard pushing buttons. Physical fitness assessments have been a part of every soldier's life since 1858. It has been as much of a part the military’s heart and soul as barracks, mess halls, and weapons maintenance. Physical training also increases esprit de corps, that intangible feeling of pride and common loyalty felt by members of the military. 

By removing the physical fitness requirement for a subset of soldiers, sailors, airmen, and marines you will create animosity within the ranks. Those who are still required to pass physical fitness tests may develop feelings of resentment toward their fellow soldiers. Those who are exempt may develop feelings of elitism and feel that they are no longer part of the basic military or required to abide by its rules. This lack of discipline in a military setting could potentially prove deadly. 

If government is having a hard time attracting security talent because they can't compete on salary, then they should try focusing on other benefits. If it wants to change something that'll appeal to more cybersecurity pros, start with adjusting strict dress codes, limiting assignments to far-off locations, and getting rid of maddening government bureaucracy. 

Security Culture

This journalism empowers people to understand the bigger picture of cybersecurity as it connects to some of the most personal parts of their lives: their job, their education, the evolving digital culture around them, and the technology they use on a day-to-day basis. As part of the Monitor’s overarching commitment to chronicling human progress, we see these very human issues within cybersecurity to be critical and overlooked parts of the conversation.

This initiative is generously supported by

  • Northrop Grumman
  • ISC
You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Opinion: Don't drop fitness standards for military hackers
Read this article in
QR Code to Subscription page
Start your subscription today