As the world appears awash in cybercrime and nation-state cyberattacks, there's a global shortage of information security talent to confront new threats. It's a problem that not only impacts security companies but any firm looking to hire security professionals.
Government officials have complained that they are hampered because they can't compete against private sector salaries. The military claims that finding qualified recruits is even more difficult given its stringent physical fitness standards.
Recently, Lt. Gen. Gina Grosso, the Air Force deputy chief of staff for manpower, said that the Air Force needs to "think deliberately about how we value uniformity." Standards across the entire force "scares a lot of people," she said. "Do I care what a cyber warrior weighs?"
This isn’t the first time we have heard comments like this. The British military waived its physical fitness requirements for cyber reservists back in 2013. Back in 2008, Maj. Gen. William Lord told Wired, "So if they can’t run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in," referring to supervisory control and data acquisition systems often found inside critical infrastructures. And of course FBI Director James Comey has suggested he can't find qualified applicants because we’re all too busy smoking dope.
But relaxing fitness standards for military cyber personnel is the wrong approach to attracting security researchers. As a group, we aren't more fit or less fit than the population as a whole. The stereotype of hackers as scrawny or overweight teenagers with pasty skin because they live in their parents' basement needs to die.
The largest hacker conference in the world, DEF CON, hosted a 5K run every day of the conference this year in the Las Vegas heat. A group known as Cycle OverRide hosts a 20-mile bicycle ride at the Derbycon hacker conference. There is an informal group known as the BJJ smackdown that practices Brazilian Jiu-Jitsu at various security conferences throughout the year. Take a walk through the vendor halls at any security conference and try to find that mythical 400-pound hacker that Donald Trump referred to during a recent debate. (If you do, you will probably log upwards of 10 miles of walking; these conferences are huge.)
Enlisting in the military as a "cyber warrior," even in the Air Force, should mean more than sitting behind a keyboard pushing buttons. Physical fitness assessments have been a part of every soldier's life since 1858. They have been as much a part of the military's heart and soul as barracks, mess halls, and weapons maintenance. Physical training also increases esprit de corps, that intangible feeling of pride and common loyalty felt by members of the military.
By removing the physical fitness requirement for a subset of soldiers, sailors, airmen, and marines, you will create animosity within the ranks. Those who are still required to pass physical fitness tests may develop feelings of resentment toward their fellow soldiers. Those who are exempt may develop feelings of elitism and feel that they are no longer part of the basic military or required to abide by its rules. This lack of discipline in a military setting could potentially prove deadly.
If the government is having a hard time attracting security talent because it can't compete on salary, then it should try focusing on other benefits. If it wants to change something that'll appeal to more cybersecurity pros, it should start with adjusting strict dress codes, limiting assignments to far-off locations, and getting rid of maddening government bureaucracy.