Major (army reserve) M.W., commanding officer of CYBERRES at Netherlands Cyber Command
Lieutenant Colonel (army reserve) R.V., cyber staff officer at 1st German-Netherlands Corps
(Forfatterne av artikkelen er anonymisert av sikkerhetshensyn, men er kjente for NROF).
The Dutch Defence Vision 2035 states “Our world is in a state of flux and the security environment is deteriorating around us. The Netherlands is a safe and secure nation and our security is an important condition for our freedom, prosperity and democracy. […] Our Kingdom is coming under attack on a daily basis in the cyber and information domain. Crucial physical and digital hubs are targeted ever more frequently.»
That is why the Netherlands armed forces need to be reinforced with broad and deep professional knowledge of the cyber domain. Cyber reservists can help solve cyber challenges. They have demonstrable practical experience because they work for leading cyber security companies or organizations where cyber security is essential.
In November 2013, the Netherlands Ministry of Defence announced its intention to recruit 150 military cyber reservists to support the armed forces in the emerging conflict in the cyber domain. In the beginning of 2018, the lieutenant colonel in command of the cyber reservists tasked the authors of this article with leading a project to grow the unit from 23 to the abovementioned 150 cyber reservists. The project, which was supervised by the Directorate of Operational Readiness of the Netherlands armed forces, consisted of four main work streams:
- Recruiting and selecting the candidates
- Building the cyber reserve organization
- Shaping the readiness of cyber reservists
- Deploying cyber reservists
Other processes, such as medical testing, security background checks, basic military training and officer training, already existed in the armed forces for reservists with civilian expertise.
Currently, while writing this article, the unit is called CYBERRES and hosts 135 cyber reservists, all of them experienced cyber security experts.
Recruitment and Selection
Contrary to some other NATO member states who train existing reservists with military skills to become cyber security experts, we decided to recruit civilian cyber experts and train them in military skills. For that purpose, we advertised online for six profiles with recognizable job titles and job descriptions commonly used by the larger cyber security service companies. Civilian cyber experts could recognize themselves in these profiles:
- Red teaming, ethical hacking and penetration testing
- Cyber threat intelligence
- Cyber security advisory
- Security monitoring
- Digital forensics and incident response
- Hardware and software developers
Furthermore, we created one-day matching events, which we dubbed M-days. During an M-day, up to 15 thoroughly screened candidates come to a naval base in Amsterdam where they are subjected to three interviews, a group assignment and two presentations, two in-depth interviews with senior cyber reservists from our unit, and an interview with an armed forces psychologist. In the weeks prior to the M-day, the candidates complete an online cyber security knowledge test, the results of which are discussed in the interviews.
The presentations explain the armed forces and the further processes that apply to candidates accepted into the armed forces. M-days are entirely organized and executed by a team of cyber reservists, with support from the armed forces recruitment and selection agency.
M-days aim to match candidate profiles with our unit’s needs and with the culture and organization of the armed forces. At the end of each M-day, all presenters and interviewers gather to evaluate the candidates and decide together whom to offer a position in our unit to and whom to reject. Using this method, we can make our selections rapidly and we can make them thoroughly, and we make sure the candidates fully understand what to expect as cyber reservists.
After the M-day, candidates go through the standard selection processes, security clearance, receiving uniforms and gear, basic training and, for the new officers, a short officer training course at the Royal Military Academy.
Cyber reservists with a bachelor’s degree or higher start off in the rank of first lieutenant. Candidates without an academic degree receive the NCO rank of sergeant major. If such candidates subsequently complete a bachelor’s or master’s degree programme, they are promoted to first lieutenant.
In close cooperation with the Directorate of Operational Readiness, we formulated a special project to allow top cyber experts with minor physical limitations that would normally cause them to be rejected at the physical evaluation, to be accepted as members of the military. This applies, for example, to candidates who are partially deaf, or candidates who are physically fit but have Type 2 diabetes. These candidates, once accepted into our armed forces, have a special status which permits them to work only in a regular military office environment. Such cyber reservists do not receive any weapons training, nor will they be deployed on naval vessels, military aircraft or vehicles, or missions.
The CYBERRES Unit
Our unit, which we called CYBERRES, is part of the Netherlands Defence Cyber Command. The commander of CYBERRES is tasked with ensuring that the cyber reservists are prepared and able to deploy their cyber skills within the armed forces. The unit will not be deployed as a whole. Instead, cyber capabilities from within CYBERRES will be attached to other units.
To assist cyber reservists in understanding how to deploy their cyber skills in a military environment, CYBERRES is organized in small peer groups. For convenience, we call these six groups ‘platoons’. The six platoons are the same as the six profiles that we use for recruitment. Each platoon has a platoon commander and a deputy. As most of the cyber reservists have no military background, many topics in the monthly gatherings are focused on providing the members of the platoon with knowledge and skills related to the military organization and to the deployments in which they will take part.
The Work of a Cyber Reservist
Although CYBERRES is a sub-unit of Cyber Command, our cyber reservists are deployed throughout the armed forces and can also work with or for other government agencies. Cyber reservists are always deployed as members of the military, in uniform, with the same legal status as full-time service members. They have zero-hour contracts and get paid for each hour worked, using the same salary scales as their full-time military colleagues.
Cyber reservists can be deployed for exercises, for projects and for training courses. The time frame differs and could be a few weeks, a few days, one day per week for three months or multiple days per week for a year. They can work at a military location or do some of the work from home during the week or during the evenings or weekend. Flexibility and deployability are key aspects that we emphasized when we established CYBERRES. With today’s cyber conflict, no nation needs reservists who are passive, uninformed or uninvolved yet expected to be available when the armed forces call upon them. The urgency and dynamics of the cyber conflict require expert soldiers who are current, engaged and deployable at any time.
Challenges and Lessons Learned
Looking back at the last four years since we started building up CYBERRES, we have reached the following conclusions:
- It must be communicated very clearly and explicitly that each cyber reservist is expected to be able to contribute on average between 4 to 8 hours per week during the course of a year. Whether those hours are bundled in two exercises and a one-week project, or whether the cyber reservist works two days a week for five months pen testing battle systems, depends on the requests for support that Cyber Command receives.
- Cyber reservists must be trained in multidisciplinary cyber teams that must work together in military scenarios. For that purpose, we organize a yearly exercise during which we also invite other NATO cyber reservists to participate.
- Cyber reservists must receive some education regarding military ceremonies, typical military organizational processes and cultural aspects. This is necessary because cyber reservists will most likely work alone in a staff element or join a team of full-time service members. During such deployments, cyber reservists are at all times expected to behave according to their rank and to be integrated into the team and its environment. Examples of such topics are the processes of command and control, the use of typical military jargon, and the conduct expected of officers.
- Cyber expertise is much sought after, hence there is no lack of work for experienced professionals. We are looking for civilian cyber experts who are willing to take on a part-time job next to their current civilian job. Since military wages are no where near civilian salaries, we look for individuals who are intrinsically motivated. In return, we offer an opportunity to contribute to peace and security in a network of peer cyber security specialists.
- There is currently no established training programme for non-expert cyber reservists. You can only become a cyber reservist if you have demonstrable prior cyber security knowledge and skills.
- The required availability of cyber reservists may be perceived as a challenge. Working evenings and weekends and as part of a larger group of cyber reservists instead of individually requires flexibility from the cyber reservists, but also from the armed forces and their organization.
The Netherlands armed forces have set up a cyber reserve unit that currently consists of 135 cyber security experts. These experts were civilians when they were recruited, and then they were trained to deploy their civilian skills in a military context. The CYBERRES unit has been structured to facilitate this.