By George Platsis

In the second decade of the 21st Century, and moving onwards, the cyberworld is a reality that is inescapable from our lives and the threat it creates is the most pervasive and pernicious threat facing the United States today (Sharp, Sr., 2010).  In this reality, we face a myriad of threats, many of them not even known to the everyday user of the cyberworld.  For all our technological advancements and defensive measures, it can be argued that, while operating within the cyberworld, the most critical vulnerability is in fact the human element.  Moreover, this vulnerability is only exasperated by the naivety of the general public and lawmakers, specifically by not taking this issue seriously or even understanding what “cybersecurity” truly is (Cyber Security: U.S., 2006).

From an IT manager’s perspective, this can be a very cumbersome and daunting reality.  The internet, in essence, is a gigantic client-server system on a wide-area network (Hueneman, 2000), and in a context where virtually anybody with the appropriate hardware can access this network, a cyberattack can occur from a near limitless number or sources and even from benign error (Cyber Security: U.S., 2006).  Therefore, it is not unreasonable to assume that a knowledgeable IT manager would be frustrated by the misuse of the internet, particularly if it is a function of organizational policy and individual usage.

The danger that exists is that: once inside a network, without the proper mitigating strategies, much harm can be done, both in the short- and long-term.  Context is important in understanding this issue.  More specifically, the original architecture of the internet was appropriate for its original intents and uses, but as time progressed, and as intents and usage changed, the necessary integrity for secure communications diminished (Hoar, 2005).  Moreover, few users understand that since so many systems are built on the premise of “single point entry” that once an attacker is into the network, they may have an unprecedented amount of access to anybody and anythingthat is on that network (Hueneman, 2000).  The threat therefore becomes even more exasperated due to the human element vulnerability and the threat becomes even more daunting when issues of interdependencies and overlaps in, and within, systems are taken into account.

From a macro sense, it is reasonable to state that few people have the understanding to implement the necessary cybersecurity measures required for an organization, ranging from the small- and medium-sized organizations, all the way up to enterprise and government systems.  This reality is very much a function of policy (or lack thereof).  If the policy is not drafted properly, or even enforced in a meaningful manner, no level of individual user awareness can address the vulnerability; in essence the first stage of awareness begins at the very top of the organization.  To understand the magnitude of the cyber threat, data from 2010 suggests that fifteen million victims will lose more than fifty billion dollars each year (Sharp, Sr., 2010); it is reasonable to assume that this figure is even larger today.  As noted in a previous exercise, the global cybercrime industry is so lucrative, with estimates putting it at over $114 billion USD annually (Serrano, 2011) making this such an unbelievable threat.

From a micro sense, the vulnerability caused by humans and internet usage is only further compounded by the fact that the “average daily user” does not truly understand the implications of their misuse (and this is not to suggest that the misuse is malicious – though it can be – but rather, the misuse is benign in nature).  As of September 14, 2009, more than 10,450,000 American residents had been victimized by identity theft in 2009 alone, and that number increases by one victim each second (Sharp, Sr., 2010).  To make matters even worse, the proliferation of information on how to infiltrate, and specifically take advantage of poor policy and naïve users, is readily available on the internet (Gripman, 1997).  Given that corporate and government breaches are widespread and enormous, the misuse of a government or organizational computer (or any piece of hardware that connects to the internet) by an individual user makes an already difficult challenge that much more difficult.

For all this, valid concerns remain that countries, like the United States, and organizations within these countries, are not organized and prepared to counter, and respond to, cybersecurity realities (Cyber Security: U.S., 2006). Further to that, even with the usage, assistance, and scrutiny of experts, funds, and development of less vulnerable systems, security problems still continue (Hoar, 2005), which accentuate the need for further education at both the policy and user level.  This issue can be illustrated by the fact that the sheer quantity of patches and systems (which are made available on a near daily basis) overwhelm even the best of IT administrators (Nojeim, 2010), showing that using technology as a crutch for security, as opposed to a tool, is not only foolish, but unbelievably dangerous.

The growing number of victims suggests that not only has the vulnerability been properly addressed, but it may not even be properly understood yet (Sharp, Sr., 2010).  No level of technological security can ever provide 100% security, and, even with the most robust systems, if the user (and administrator even) does not understand, and appreciate, the nature of the threat, it will still remain the single-most important vulnerability in the cybersecurity discussion, particularly when any sort of technological fix can have unexpected side effects and take a great deal of time to implement (Nojeim, 2010).

One of the main reasons this occurs is because there is poor all-round awareness amongst users, both daily and professional users.  This is something not hard to believe when in 24 American federal agencies (that should be considered as “information-sensitive”), report spending an average of $19.28 per employee on security training (GAO No. 07-837, 2007).  And while this data is dated by a few years, it is not unreasonable to assume not much has changed since the report, particularly given the current economic pressures, cutbacks, and austerity measures.  It is reasonable to assume that since this vulnerability is so widespread, users: do not know the security implications of their actions, do not know the personal risk they put themselves in, and do not know what sort of unnecessary strains they are putting on systems and networks.

Poor Awareness

An underlying issue for the vulnerabilities is that agencies and organizations rarely implement or enforce their own cybersecurity programs (GAO No. 07-837, 2007).  In many cases, the personal use of the internet on a business-/government-network, which happens often: creates risks (because standards are not adhere to), personal information gets put at risk, and unnecessary strains on resources, such as bandwidth, occur (Sharp, Sr., 2010).

Within that context, some of the most damaging intrusions are a function of cyberexploitation.  Cyberexploitation refers to the obtaining and collective of information, sometimes over a period extended time (information that would otherwise be kept confidential), and, in many cases, may go completely undetected because it works slowly and meticulously (Lin, 2010).  In fact, in any type of warfare, the best type of attack is the attack that goes completely unnoticed until it is too late for the other side to counter and respond.

The problem with this is that so many times it is a human decision, not a technological one, which allows the threat, such as cyberexploitation, to come to fruition.  If one chooses not to take secure measures, the vulnerability is human, not technological.  If one chooses not to implement effective and efficient cybersecurity policies, the vulnerability is human, not technological.  Few people ask: “am I vulnerable to cyber threats?”  The reality is: yes, they are.  But there is an abundant amount of evidence to suggest that most internet users are not aware of the threats, and, even if they are, they again choose to avoid the precautionary measures that could mitigate the threat.  And that in essence in the crux of the vulnerability: the human choice not to take secure measures.  One estimate suggest that 95% of all network intrusions could be avoided (Who Might Be, 2004) which really begs the question: why are so many intrusions happening?  There are readily available techniques and procedures, particularly at the human level, that could curb the threat and reduce the vulnerability, yet, even federal agencies are not taking these measures.  Some of these include (GAO No. 07-837, 2007):

• - Identify and authenticate users to prevent unauthorized access
• - Enforce the principle of at least privilege to ensure that authorized access was necessary and appropriate
• - Establish sufficient boundary protection mechanisms
• - Apply encryption to protect sensitive data on networks and portable devices
• - Log, audit, and monitor security-relevant events
• - Restrict physical access to information assets
• - Configure network devices and services to prevent unauthorized access
• - Assign incompatible duties to different individuals or groups so that no one individual can controls all aspects of the information system
• - Maintain and test continuity of operation plans

This paper would suggest that every single one of these critical issues could be easily addressed yet have not been because of human choice.  It is not the technological imperfections that are costing us, it is our ignorance.  And something that cannot be overemphasized is that there are not only costs associated with the immediateattack that is caused, but there are mid- and long-term costs, both tangible and intangible, such as: repair and restoration costs, which can be staggering (Gripman, 1997), to damaged reputation, brand, and image.  Moreover, one of the most damaging effects of an attack is the loss of confidence by your consumer base or constituents, something, which can be argued, in many cases never becomes fully restored.  When the simple opening of an e-mail can cause irreparable damage (Hoar, 2005), this alone should demonstrate what the potential costs of the human vulnerability in the cyberworld are.

To further illustrate the point that awareness is lacking, virtually every report, congressional hearing, journal article, news article, and so on, almost always lists the human element as a vulnerability and that a mitigating strategy is a function of education and awareness.  The development of any cybersecurity program is a challenge in today’s “always connected” world.  For example, the Department of Defense is the most prolific agency on YouTube, the White House has the most followers on Twitter and the most Facebook friends (Sharp, Sr., 2010), organizations that one may not think of having such a high profile on social media at first thought.

What this shows is that the “always connected” world very much includes the institutional level, even if it is through social media means of connection.  Moreover, the rise of mobile connectivity, along with remote access, further complicates the vulnerability issues as individuals and organizations to not carry through with the necessary precautions (Who Might Be, 2004) required in a mobile environment.  And while all these means of communication, such as social media and remote connectivity, improve many facets of productivity and collaboration, they are a risk because of how easily information can be made publicly (and subsequently abused) due to the misusage of the internet by the user (Sharp, Sr., 2010).

These are complicated issues, and even those tasked with the responsibility to secure a network can be overwhelmed, suggesting that this human vulnerability is not only one that affects the naïve, but also the educated.  Network administration is extremely complex and so much of the technology is so new that many administrators do not (or cannot) appreciate its scope, magnitude, effect, and power (Hueneman, 2000).  Policy makers, end-users, and administrators need to appreciate that many network intrusions could be avoided by using a mixture of strategies, including: prevention, detection, and response (Who Might Be, 2004).

Taking Advantage of the Human Vulnerability

A semantic attack is a computer-based attack that exploits human vulnerabilities.  More specifically, it takes advantage of the way humans interact with computers or interpret messages, as opposed to taking advantage of the system vulnerabilities (Kumaragugu, Sheng, Acquisiti, Cranor, & Hong, 2010).  Taking advantage of human vulnerabilities can cause a plethora of problems (which any cyberattack would cause in reality), ranging from: infecting the network with a virus, intentionally shutting down a system, disrupting supply chains, and so on (Gripman, 1997).  Even experienced administrators can still make mistakes, including something so seemingly benign, such as assuming “private” means “secure” (Hueneman, 2000), something which it clearly does not.

The taking advantage of human vulnerabilities in many cases can be attributed to users and operators being tricked (or even blackmailed) into doing the bidding of others (Lin, 2010), such as downloading a malicious e-mail or giving up your own or your organization’s information through a phishing attempt.  For the unsuspecting, even the simplest tricks, such as opening an e-mail that states “PLEASE TREAT AS URGENT” (Hoar, 2005) can cause a series of cascading problems to the network.  For any user that has daily usage of e-mail, the improper treatment of unsolicited e-mail can end up costing more than money; it can cost data and reputation.

Behavioural issues and patterns are most often the easiest to exploit, particularly in an arena where anonymity is presumed by so many.  For example, social trust and recommendation services have become wildly popular of late because it allows users to learn about the popularity and quality of products, items, and services (Feng, Liu, & Dai, 2012).  These social rating systems are very convenient, but they act as a template on how to manipulate users in cyberspace.  The premise behind this argument is that in cyberspace, you rarely know who you are talking to at the other end, which in essence, is a threat.  By understanding the behavioural patterns of the user, and what can influence them in cyberspace, the means of infiltration become infinitely easier for the potential attacker.

So how does one take advantage of the human vulnerability?  It is by creating the illusion of trust.  “Social engineering” is a term that: exploits the relationships of trust, reduces situation awareness, and creates a sense of urgency (Hoar, 2005) and is a tactic often used.  In related cases, victims end up following orders or directives where the other side “appears” familiar, and, in other cases, there is the promise of reward if the user proceeds by doing: x, y, z and a, b, c. For many users, it is a tempting proposition, but again, it illustrates how human psychology, behaviour, and choice, plays such a critical role in understanding the threats and vulnerabilities of cyberspace.  And one should not assume that if one is “educated” or a “professional” does that equate to them having the necessary knowledge of the cyberworld.  One study, for example, showed that an educated and awaregroup of users (those within a university setting) showed a nearly 50% failure rate, across the board, on the first day of phishing scam (Kumaraguru, et al., 2009).

It is not the hardware or the software systems, the transmission media, the local area networks, the wide area networks, the enterprise networks, or the intranets, that make the user click “open” on the e-mail they have just received; it is the choice of the individual. The assumption that somebody is curious or trusting enough to open up an e-mail, or plug in a USB jump drive into their computer (that they found in their work’s parking lot) is a valid assumption (Hoar, 2005) and something that has demonstrated positive results for the attacker, even at the most secure facilities.

As time progresses though, there is an interesting by-product that is occurring due to the proliferation of information.  More and more, people are adapting to technology and making it that much more of their daily lives and in doing so, they are also learning way to circumvent standard cybersecurity practices for their own personal use, be it for something so seemingly benign (like checking Facebook messages) to something malicious (such as sending intellectual property to a competitive organization) (Gripman, 1997).  The use of: proxies, VPNs, and so on, ultimately disable all the intents of the IT manager, increasing the threat spectrum.  Again, why is this happening?  Human choice.

Addressing the Challenge

Passwords can simultaneously be the most important, yet most vulnerable element of cybersecurity.  But users far too often pick passwords that are atrociously easy to guess or easy to hack.  It is estimated that over half of the passwords that are in use are said to be the first names of spouses and children, birthday and anniversary dates, or the names of super-heroes (Gripman, 1997).  In some cases, vendor-issued default passwords are not even changed (GAO No. 07-837, 2007).  Within that context, it is hard to argue that the human element is not the most critical vulnerability.

At the micro level, this paper has tried to articulate that the user is in many cases naïve.  Education and awareness tools work.  In that same study already mentioned, where a near 50% failure rate occurred on the first day, awareness tools and education showed that the end of training session, the users acted in a much more prudent and secure way.  Moreover, they even retained the information and knowledge past a 28 day period (Kumaraguru, et al., 2009).  It is something that cannot be escaped: virtually every major report recommends that training and awareness are critical elements to success.  And this training is not limited to simply the end user, but those who are responsible for the policy level decisions and for those tasked with enterprise-wide security.  Security experts require continual training because the threat spectrum is not static.  Rather, it is amorphous, constantly changing at an accelerating rate.

Executive leadership must understand the implication of the vulnerability.  It is one of the biggest challenges in the overall effort; the reality is that in both the private and public sectors, there is little appreciation and awareness for the subject matter (Examing The Vulnerability, 2000).  Moreover, there needs to be an emphasis on ensuring those already responsible for cybersecurity have state-of-the-art training (Examing The Vulnerability, 2000) to further their capabilities and stay up-to-date as to what the new threats are.  Only with such a departure point can minimizing the human vulnerability be minimized.  So many of the combative elements begin at the policy level, such as:

• - Ensuring only authorized individuals have granted access (GAO No. 07-837, 2007)
• - Encouraging the use of passwords that are not easy to guess, like pronounceable nonsense words, or works with numbers and special characters (Gripman, 1997)
• - Passwords changed at frequent intervals (Gripman, 1997)
• - Engrain the habit of memorizing passwords as opposed to writing them down (Gripman, 1997)
• - Encourage the recruitment of new expertise (Examing The Vulnerability, 2000)
• - Implement organization-wide security policies, procedures, and programs (GAO No. 07-837, 2007)
• - Conduct periodic assessments of risk and vulnerabilities (GAO No. 07-837, 2007)
• - Conduct surprise tests of the system

Disciplinary action can also be used, though how it is administered is always a question of huge debate.  Of course, there is the practice of “blacklisting” as a punitive measure if a user misuses their system, but unfortunately, this practice has little-to-no effect.  In these cases, the user has simply had their credentials restricted, but seldom know why, which means they vulnerability still exists, except the threat may be different this time.

One policy change that would have significant impact on reducing the impact of the human vulnerability would be the practice of “whitelisting”, but this concept comes with significant pushback, particularly from senior management and executive leadership.  Whitelisting is a concept of granting or denying access rights and permission that is very similar to what is called “least privilege.”  The principle states that users are only granted access to programs and files that they need to do their work (GAO No. 07-837, 2007).  Unfortunately, this is a poorly performed practice, and in many cases, done in a shoddy way, particularly if the IT manager is not sufficiently trained.  To have an effective whitelisting policy, an extremely knowledgeable IT manager is required, and in today’s landscape, demand for IT managers is high, but supply is low.

Continuing, there is a very obvious upside to whitelisting: it restricts all usage and only lets out usage that the user absolutely needs to perform their task; no more no less.  But there comes the pushback from users (particularly executives) that say: “I need access to the internet to do my job, the intranet is not enough” or “I need access to my Twitter account to do my job.”  This very quickly becomes a muddy battle, particularly when IT crosses paths with leadership.  It takes a very brave IT manager to say, “Ms. CEO, I am sorry, but you really do not need all those applications on your company iPhone.  In fact, they should be blocked because they pose a security threat to the company.”

While this would very much be a paradigm shift for many organizations, the integration or creation of the Chief Information Officer (or equivalent) into the business/strategy issues of the organization would be a very beneficial start.  In this capacity, the CIO could immediately address the security vulnerabilities, but still have the critical communication channels to executive leadership open and fully understand what sort of cyber access is required, both at the strategic and operational level.

Another technique to combat this issue is to work with your supply chain.  In many cases, their vulnerabilities are your vulnerabilities and your vulnerabilities are their vulnerabilities.  It is a bit of a paradox here, but many of these vulnerabilities in this case may be of a technical nature, but the fact that you are not collaborating with your supply chain is actually a human vulnerability, because again, it is a choice not to address the issue.

For all that though, combating the cyber vulnerabilities, in a holistic manner, requires multiple strategies that generally fall into three categories (Kumaragugu, Sheng, Acquisiti, Cranor, & Hong, 2010):

• - Eliminating the threat
• - Warning users about the threat
• - Training users about the threats

This paper suggests that while all three are combative techniques in addressing cyber threats, the vulnerability that still touches on all issues is the human element.  To eliminate the threat, an organization needs highly-trained individuals; to warn the users about the threat, those tasked with the responsibility needs to have the appropriate awareness of the cyber issues; and training the users is a function of education that ranges from every day use to the implications of poor policy.

Summary

Given that the threat is not properly understood, we face a reality not all too dissimilar from a pre-9/11 world.  There were a handful of people that recognized the threats and vulnerabilities, yet most did not act on the advice of these people.  The same can be said for Hurricane Katrina.  The reality is that many of the vulnerabilities exposed during a disaster are not acted on until the post-disaster phase.  In the cyberworld, it may require a catastrophic cyber incident to force change (Sharp, Sr., 2010).

Unfortunately, one of the compounding problems that we have is that there are not generally accepted network security standards (Gripman, 1997).  If these existed, it would actually help reduce the risk level because of knowledge transfer and operational familiarity, but they do not exist.  Therefore, the hardening of targets is left to the individual or the group.  There is no standard, there is no standard, and in the rare case where one exists, it is limited to a small group.  Addressing the vulnerabilities, be it through working with your supply chain, creating a better design, or education and awareness (Chabinsky, 2010) are all needed.  Moreover, one must understand that absolute protection is not only unachievable, but in many cases, it is not required.  With proper education strategies across the board, and with competent administrators, even the most malicious attacks (which cause significant damage) can be recovered from, so long as the recovery infrastructure and knowledge is already in place and ready to be activated at a moment’s notice.

In summary, an organization must commit itself to a security policy that addresses the vulnerability caused by human usage of the internet.  No level of technology will be able to stop an attack if the user is uneducated and constantly circumvents (unknowingly) the security protocols in place designed to protect the network.  Within that context, and identifying the human element as the single most critical vulnerability along the network, if individual users and institutional users alike do not choose to have the proper level of awareness and education, the threat will always be there.

To close with an analogy: if somebody has a driver’s license, and only knows the basics of a car’s operation, such as accelerator and steering wheel, the driver may be able to get themselves from Point A to Point B easily.  But if they do not know how to use the brakes or the signal lights or willing choose not to follow traffic signs, not only are they a danger to themselves, but everybody else on the road; the internet is no different.

Works Cited

1) Chabinsky, S. R. (2010). Cybersecurity Strategy: A Primer for Policy Makers and Those on the Front Line.Journal of National Security Law & Policy, 4(1), 27.

2) Cyber Security: U.S. Vulnerability and Preparedness: Hearing Before the Committee on Science, House of Representatives, 109th Cong. (2005).

3) Department of Defense. (2011). Department of Defense for Operating in Cyberspace. Washington, DC: Department of Defense. Retrieved February 16, 2012, from http://www.defense.gov/news/d20110714cyber.pdf

4) Feng, Q., Liu, L., & Dai, Y. (2012, January). Vulnerabilities and Countermeasures in Context-Aware Social Rating Services. ACM Transactions on Internet Technology, 11(3), 11.

5) Examing The Vulnerability of the U.S. Systems to Cyber Attack, Focusing on the Administration’s National Plan for Information Systems Protection and its Implications Regarding Privacy: Hearing Before the Subcommittee on Technology, Terrorism, and Government Information of the Committee on the Judiciary United States Senate, 106th Cong. (2000).

6) Government Accountability Office Rep. No. 07-837 (2007).

7) Gripman, D. L. (1997). Comments: The Doors Are Locked But The Thieves And Vandals Are Still Getting In: A Proposal in Tort to Alleviate Corporate America’s Cyber-Crime Problem. The John Marshall Journal of Computer & Information Law, 16, 167.

Hoar, S. B. (2005). Trends in Cybercrime: The Dark Side of the Internet. Criminal Justice, 20, 4.

9) Hueneman, D. (2000). Comment: Privacy On Federal Civilian Computer Networks: A Fourth Ammendment Analysis of the Federal Intrusion Detection Network. The John Marshall Journal of Computer & Information Law, 18, 1049.

10) Kumaragugu, P., Sheng, S., Acquisiti, A., Cranor, L. F., & Hong, J. (2010, May). Teaching Johnny Not to Fall for Phish. ACM Transactions on Internet Technology, 10(2), 7.

11) Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., & Pham, T. (2009). School of Phish: A Real-World Evaluation of Anti-Phishing Training. Symposium on Usable Privacy and Security (SOUPS). Mountain View, CA: Carnegie Mellon University.

12) Lin, H. S. (2010). Offensive Cyber Operations and the Use of Force. Journal of National Security Law & Policy, 4(1), 63.

13) Nojeim, G. T. (2010). Cybersecurity and Freedom on the Internet. Journal of National Security Law & Policy, 4(1), 119.

14) Serrano, A. F. (2011, September 14). Cyber Crime Pays: A $114 Billion Industry. Retrieved February 15, 2012, from The Fiscal Times: http://www.thefiscaltimes.com/Articles/2011/09/14/Cyber-Crime-Pays-A-114-Billion-Industry.aspx#page1

15) Sharp, Sr., W. G. (2010). The Past, Present, and Future of Cybersecurity. Journal of National Security Law & Policy, 4(1), 1.

16) Who Might Be Lurking at Your Cyber Front Door?  Is Your System Really Secure?  Strategies and Technololgies to Prevent, Detect and Respond to the Growing Threat of Network Vulnerabilities: Hearing Before the Subcommittee on Technology, Inforamtion Policy, Intergovernmental Relationships and the Census of the Committee on Government Reform, House of Representatives, 108th Cong. (2004).

Bentley Rayburn

Congress should remember that we are still facing very real threats.

The approaching debt-reduction recommendations from the “Super Committee” seem unlikely to generate a bipartisan consensus. Under the law that created the committee, if Congress doesn’t trim at least $1.2 trillion from the next ten years’ worth of spending, the difference will be made up in massive across-the-board cuts. Certain budget areas — including entitlements — will be exempt from the cuts, but defense will not. The resulting cuts to the Pentagon budget could set back our national security, research capabilities, and industrial base for decades.

Is defense spending really the problem? Defense spending currently accounts for less than 20 cents of every dollar spent by the federal government. And budget experts warn that our current level of defense spending masks shortfalls — after the last decade of “hollow growth” and extended combat, our equipment stocks have only grown “smaller and older.”

Before he left his post as defense secretary, Robert Gates identified almost $200 billion in defense savings and canceled more than 30 programs. He warned, however, that another round of heavy cuts would be “catastrophic.”

Despite such warnings, the president has called for $400 billion in defense cuts over twelve years, and some members of Congress have called for $1 trillion or more. Further, in the event that Congress fails to cut at least $1.2 trillion in total, the aforementioned across-the-board cuts will be split evenly between security and non-security spending. That means security cuts of up to $600 billion.

Congress should remember that we are still facing very real threats. Today, we are fighting wars in Iraq and Afghanistan, and fighting al-Qaeda across the globe using intelligence and special-operations forces backed up with Predator drones and other modern technologies. We’re also protecting the nascent democratic movements in Libya and elsewhere, expanding operations to hot spots like Yemen, and rotating home a fighting force worn down by a decade of repeated, extended combat deployments.

Terror attacks are on the rise as the threat spreads around the globe — according to the National Counterterrorism Center, there were 2,534 terror attacks worldwide in 2010, nearly triple the 945 recorded five years ago.

And as if these rising threats weren’t daunting enough, a surging China is building a new aircraft carrier, several nations are developing and flying stealth aircraft to challenge our dominance of the skies, and space has becoming a battleground of its own, as the Chinese recently proved by shooting one of their own satellites out of the sky. Rogue states such as North Korea and Iran are steaming ahead, developing nuclear weapons and long-range missiles that put the entire world at risk.

The last ten years have demonstrated that there is no virtue in using low-tech methods to fight low-tech enemies. The methods we use to combat simple IEDs rely on cutting-edge technologies.

Virtually every major success in the war against terrorism — from Operation Jawbreaker, which dropped special forces into Afghanistan to identify Taliban targets for destruction, to the killing of Osama bin Laden, which depended on advanced drones, stealth aircraft, and orbiting satellites as well as our SEAL marksmen — can be attributed to our superior military technology used by a superbly trained force.

Similarly, the Defense Department’s own forward-looking strategy review warns that “U.S. air forces in future conflicts will encounter integrated air defenses of far greater sophistication and lethality than those fielded by adversaries” in previous conflicts. Expert analyses call for more investment in fighter aircraft — from multi-purpose F-35 Joint Strike Fighters to the lower cost F-15s and F-18s — if we want to maintain U.S. dominance in the skies.

The Pentagon may understand the shift we’ve experienced from the Cold War to the asymmetrical shadow world of terrorists and rogue states, but does the Congress? The paradox of technology means that even the lowest-rent criminals and despots can now get hold of the most sophisticated and devastating armaments. From Pakistan to Libya to Yemen, our ability to act in ungoverned or insecure places without unduly risking American lives depends on being able to do so with stealth and precision.

Those sounding the alarm about the deficit are surely well intentioned, but they must square their cleaver-like cut proposals with our actual security needs.

— Before retiring from the Air Force, Maj. Gen. Bentley B. Rayburn was the president of the Air War College and commander of the Air Force Doctrine Center.

Click HERE to download the entire document.

By Captain Samuel F. Wright, JAGC, USN (Ret.)

1.1.1.7–USERRA Applicability to State and Local Governments
1.1.1.8—USERRA Applicability to Federal Government
1.4—USERRA Enforcement

A person claiming that his or her rights under the Uniformed Services Employment and Reemployment Rights Act (USERRA) have been violated is permitted to file a formal complaint with the Veterans’ Employment and Training Service of the United States Department of Labor (DOL-VETS). See 38 U.S.C. 4322(a). DOL-VETS is required to investigate the complaint. If the agency concludes that the complaint has merit, it is to try to persuade the employer to come into compliance. See 38 U.S.C. 4322(d).

If the DOL-VETS investigation does not result in the resolution of the complaint, the claimant is permitted to request that DOL-VETS refer the claim to the Department of Justice (DOJ), and upon receipt of such a request DOL-VETS is required to refer the file to DOJ, if the claim is against a state or local government or private employer. See 38 U.S.C. 4323(a)(1). If the claim is against a federal agency, as employer, DOL-VETS is to refer the claim to the Office of Special Counsel (OSC). See 38 U.S.C. 4324(a)(1).

If DOJ is reasonably satisfied that the claimant is entitled to the benefits that he or she seeks, DOJ may appear and act as attorney for the claimant and file suit against the employer in the appropriate federal district court. In such a civil action, the named plaintiff will be the individual claimant, unless the employer is a state, in which case the named plaintiff will be the United States. See 38 U.S.C. 4323(a)(1).

Within DOJ, responsibility for enforcing USERRA, by filing and litigating cases that have been referred by DOL-VETS, is assigned to the Civil Rights Division, which is headed by Assistant Attorney General Thomas E. Perez. On August 18, 2011, I sent the below letter to Mr. Perez, with my suggestions about USERRA enforcement.

Dear Mr. Perez:

Thank you for the invitation to participate in the telephone conference call yesterday. I am writing you this letter with my input about enforcement of the Uniformed Services Employment and Reemployment Rights Act (USERRA).

Service Members Law Center and Law Review Library

I invite your attention to www.servicemembers-lawcenter.org. You will find more than 800 “Law Review” articles about USERRA, the Servicemembers Civil Relief Act (SCRA), the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA), and other laws that are particularly pertinent to those who serve our country in uniform. You will also find a detailed Subject Index and a search function, to facilitate finding articles about very specific topics. I initiated this column in 1997, and we add one or two new articles each week. For your information, I am enclosing a copy of the new article that we added to the website yesterday.

I have made the reemployment statute the focus of my legal career for almost 30 years. In 1982, I left active duty (in the Navy Judge Advocate General’s Corps) and took a job as an attorney for the United States Department of Labor (DOL). Together with one other DOL attorney (Susan M. Webman), I largely drafted the interagency task force work product that President George H.W. Bush presented to Congress, as his proposal, in February 1991. What Congress enacted in 1994 is about 85% the same as the Webman-Wright draft.

As you probably know, Congress enacted USERRA (Public Law 103-353) and President Clinton signed it on October 13, 1994. USERRA represents a long-overdue rewrite of the Veterans’ Reemployment Rights Act (VRRA), which was originally enacted in 1940, as part of the Selective Training and Service Act (STSA). The STSA is the law that led to the drafting of millions of young men (including my late father) for World War II.

I have also dealt the VRRA and USERRA as a judge advocate in the Navy and Navy Reserve, as an attorney for the National Committee for Employer Support of the Guard and Reserve (ESGR), an attorney for the United States Office of Special Counsel (OSC), and an attorney in private practice. In June 2009, I retired from private practice and joined the full-time staff of the Reserve Officers Association (ROA), as the first Director of the Service Members Law Center (SMLC).

Each month, I provide information to 400-500 service members, military family members, employers, attorneys, congressional staffers, reporters, and others about military-legal topics, mostly USERRA. Along with attorney Thomas G. Jarrard, I wrote and filed an amicus brief in the Supreme Court in the case of Staub v. Proctor Hospital, and we are very pleased with the 8-0 favorable decision.

I encourage you to make DOJ attorneys aware of the “Law Review Library” and of my availability to provide information and research assistance on USERRA. Also, I would be happy to conduct a CLE for DOJ attorneys.

ROA will be conducting its National Security Symposium (NSS) January 29 through February 1, at the Wardman Park Marriott here in Washington. We will likely be conducting a CLE on USERRA (and possibly the SCRA as well) in conjunction with the NSS. The CLE is tentatively scheduled for Sunday, January 29, but we could move it to Monday, Tuesday, or Wednesday, if that would facilitate attendance by DOJ attorneys.

In promoting USERRA compliance, please start within DOJ.

USERRA’s very first section expresses the “sense of Congress that the Federal Government should be a model employer in carrying out the provisions of this chapter.” 38 U.S.C. 4301(b). As the department that is responsible for enforcing USERRA against state and local governments and private employers, DOJ should, I respectfully submit, especially strive for “model employer” status in dealing with its own employees, but some of the worst USERRA violators are in DOJ. I am thinking particularly of the Bureau of Prisons and the United States Marshals Service.

Tuesday evening, I spoke at length with an Army Reservist who is being harassed and discriminated against by his civilian supervisor, concerning his military duty and the occasional absences from work necessitated by that military duty. He works for the Executive Office of United States Attorneys.

Yes, I realize that USERRA cases against federal agencies, as employers, go to OSC and the Merit Systems Protection Board (MSPB), not DOJ and federal district courts. But DOJ’s status as USERRA violator must necessarily detract from DOJ’s effectiveness as an advocate for the enforcement of USERRA. “Do as I say and not as I do” has always been a losing argument.

“And why beholdest thou the mote that is in thy brother’s eye, but considerest not the beam that is in thine own eye?” Matthew 7:7 (King James Bible).

Please give priority to cases against state government employers.

As enacted in 1994, USERRA authorized the individual USERRA claimant to sue a state, as employer, in federal court, but the 7th Circuit held this provision to be unconstitutional under the 11th Amendment. See Velasquez v. Frapwell, 160 F.3d 389 (7th Cir. 1998). Later in 1998, Congress amended USERRA to address the 11th Amendment issue.

Under the 1998 amendment, the Attorney General can file suit against a state (as employer) in the name of the United States, as plaintiff. See 38 U.S.C. 4323(b)(1). This solves the 11th Amendment problem, because the 11th Amendment does not forbid a suit against a state by the United States.

Alternatively, the individual USERRA claimant can file suit against a state in a state court of competent jurisdiction, “in accordance with the laws of the State.” 38 U.S.C. 4323(b)(2) (emphasis supplied). The problem is that in many states sovereign immunity is still the rule, and the state is not amenable to suit in state court. Alabama, Delaware, Georgia, North Carolina, Pennsylvania, and Wisconsin are among the states where sovereign immunity is an apparently insuperable barrier to relief, unless DOJ brings the suit in the name of the United States.

If DOJ turns down the claimant’s request for representation in a case against a private employer (and political subdivisions of states are treated as private employers, in accordance with 38 U.S.C. 4323(i)), there is at least a possibility that the claimant can find private counsel and prevail. When the employer is a state, DOJ’s declination will often be fatal to the claimant’s possibility of prevailing. Accordingly, please give priority to cases against states.

Please don’t farm out USERRA cases to the United States Attorneys.

In 2004, responsibility for USERRA enforcement, within DOJ, was transferred from the Commercial Litigation Branch (CLB) of the Civil Division to the Employment Litigation Section (ELS) of the Civil Rights Division. This transfer was a big improvement, and I applauded it at the time.

The CLB should never have had a role in enforcement of USERRA or the VRRA, but that Branch had that responsibility for many decades. Among other responsibilities, the CLB is responsible for defending federal agencies accused of violating USERRA as employers. The same attorneys cannot effectively argue for a liberal interpretation of USERRA, with respect to state and local governments and private employers, while arguing for a stingy interpretation of this law, with respect to federal agencies as employers.

Under the CLB, DOJ headquarters was merely a conduit for USERRA and VRRA cases, which were referred to the 93 United States Attorneys. Leaving it to the United States Attorney to decide whether DOJ will provide representation necessarily means that representation will not be provided, in most cases. The United States Attorney will always have “higher priorities” in his or her own mind.

Under the ELS, after the 2004 transfer, the United States Attorneys have been largely cut out of this process, and I think that is a big improvement. I am concerned that in recent months there has been backsliding—USERRA cases are again being delegated to the United States Attorneys. I respectfully urge you to reconsider this policy.

Conclusion

I hope that my comments and suggestions are useful to you. If you or your staff has questions, please call me at (202) 646-7730. I would welcome the opportunity to meet with you or an appropriate member of your staff.

By Captain Samuel F. Wright, JAGC, USN (Ret.)

1.2—USERRA Discrimination
1.4—USERRA Enforcement

Bunting v. Town of Ocean City, 2011 WL 288657 (4^th Cir. Jan. 31, 2011).

The pertinent section of USERRA:

(a) A person who is a member of, applies to be a member of, performs, has performed, applies to perform, or has an obligation to perform service in a uniformed service shall not be denied initial employment, reemployment, retention in employment, promotion, or any benefit of employment by an employer on the basis of that membership, application for membership, performance of service, application for service, or obligation.

(b) An employer may not discriminate in employment against or take any adverse employment action against any person because such person

(1) has taken an action to enforce a protection afforded any person under this chapter,

(2) has testified or otherwise made a statement in or in connection with any proceeding under this chapter,

(3) has assisted or otherwise participated in an investigation under this chapter, or

(4) has exercised a right provided for in this chapter. The prohibition in this subsection shall apply with respect to a person regardless of whether that person has performed service in the uniformed services.

(c) An employer shall be considered to have engaged in actions prohibited—

(1) under subsection (a), if the person’s membership, application for membership, service, application for service, or obligation for service in the uniformed services is a motivating factor in the employer’s action, unless the employer can prove that the action would have been taken in the absence of such membership, application for membership, service, application for service, or obligation for service; or

(2) under subsection (b), if the person’s

(A) action to enforce a protection afforded any person under this chapter,

(B) testimony or making of a statement in or in connection with any proceeding under this chapter,

(C) assistance or other participation in an investigation under this chapter, or

(D) exercise of a right provided for in this chapter, is a motivating factor in the employer’s action, unless the employer can prove that the action would have been taken in the absence of such person’s enforcement action, testimony, statement, assistance, participation, or exercise of a right.

(d) The prohibitions in subsections (a) and (b) shall apply to any position of employment, including a position that is described in section 4312 (d)(1)(C) of this title.

Title 38, United States Code, section 4311 (38 U.S.C. 4311).

FACTUAL BACKGROUND

William Bunting is a Senior Chief Petty Officer (E-8) in the Coast Guard Reserve (now retired) and a Sergeant in the Ocean City Police Department (OCPD).  He was called to active duty from February 2003 to September 2004.  He met the eligibility criteria for reemployment under the Uniformed Services Employment and Reemployment Rights Act (USERRA) and was reemployed promptly in September 2004.

From time to time, on no particular schedule, the OCPD gives Sergeants the opportunity to apply for and be considered for promotion to Lieutenant, and such an opportunity arose in 2004, while Bunting was on active duty.  In its decision, the United States Court of Appeals for the 4^th Circuit wrote:  “Though Bunting apparently did not find out about the promotion [opportunity] until after the position had been filled, there is no evidence in the record that OCPD took any steps to prevent him from learning of the opportunity.  Indeed, notice of the opening was sent to his OCPD e-mail, though he apparently did not know that he could access his e-mail account remotely.”

When he learned of the closed promotion opportunity, Bunting sent a letter to the Ocean City Mayor, complaining and asserting that his USERRA rights had been violated.  When the Mayor did not respond, he made a formal USERRA complaint to the Veterans’ Employment and Training Service of the United States Department of Labor (DOL-VETS), which conducted an investigation and at least initially concluded that Bunting’s complaint had merit.  The DOL-VETS investigation did not result in the Department of Justice filing suit on his behalf against Ocean City.  Bunting later retained private counsel and sued Ocean City in the United States District Court for the District of Maryland.

When she learned of Sergeant Bunting’s letter to the Mayor and complaint to DOL-VETS, the OCPD Chief directed the OCPD’s Internal Affairs Division to investigate Bunting for possibly violating OCPD policy by making such a complaint.  The Chief’s action at least arguably violated section 4311(b), which makes it unlawful for an employer to reprise against an employee for exercising USERRA rights or making a USERRA complaint.

The OCPD had new promotion opportunities, from Sergeant to Lieutenant, in 2005 and 2007, after Bunting returned from active duty.  Bunting applied for both opportunities but was not selected.  In separate counts of his complaint, he claimed that Ocean City violated USERRA in denying him the promotion on each of these three occasions.

As with any civil case, there was a period of discovery during which the plaintiff (Bunting) and the defendant (Ocean City) had the opportunity to depose witnesses and to propound and answer interrogatories and document production requests.  After the discovery process had been completed, Ocean City filed a motion for summary judgment, in accordance with Rule 56 of the Federal Rules of Civil Procedure.  Under Rule 56, the court is to grant a summary judgment motion if it finds, based on the evidence produced during the discovery stage, that there is “no material issue of fact” and that no reasonable jury could find for the non-moving party on that count of the complaint.

The District Court granted the summary judgment motion with respect to each count of Bunting’s complaint, and this appeal followed, to the United States Court of Appeals for the 4^th Circuit.  The 4^th Circuit is the federal appellate court that is located in Richmond, Virginia and that hears appeals from district courts in Maryland, Virginia, West Virginia, North Carolina, and South Carolina.

The Court of Appeals reviewed the District Court’s summary judgment separately with respect to each count of Bunting’s complaint, affirming the summary judgment with respect to the missed promotion opportunity while he was on active duty but reversing the summary judgment with respect to the 2005 and 2007 promotion opportunities.  There now must be a trial on those counts, unless Bunting and Ocean City come to a settlement.

OCEAN CITY DID NOT VIOLATE USERRA WITH RESPECT TO THE 2004 PROMOTION OPPORTUNITY

It would have been unlawful for the OCPD to discriminate against Bunting with respect to the 2004 promotion opportunity, based on his Coast Guard Reserve service, but the OCPD did not have an “affirmative action” obligation to ensure that Bunting was aware of the opportunity and had the opportunity to apply.[1] After reviewing all the evidence, with an eye most favorable to the non-moving party (Bunting), the 4^th Circuit found that there was no evidence from which a reasonable jury could infer that Ocean City had violated USERRA with respect to the 2004 promotion opportunity, and the 4^th Circuit affirmed the summary judgment with respect to that count of the complaint.

AVOID PUTTING YOURSELF IN BUNTING’S DILEMMA

Senior Chief Bunting was fully engaged with his Coast Guard duties during the entire time of his active duty.  The point of USERRA, as well as the Servicemembers Civil Relief Act, is to ensure that the service member can devote his or her full attention to military duties, without undue distractions related to the civilian job and other legal issues back home, and without losing out on valuable opportunities and benefits because of the military service.

I strongly recommend that a person in this situation should draft and sign a limited power of attorney to a trusted colleague at work, authorizing that individual to have access to the absent service member’s personnel record and to apply, on the service member’s behalf, for promotions, transfers, benefits, etc.  The agent to whom the limited power of attorney is granted should be someone who is familiar with the service member’s interests and qualifications and who can readily become aware of opportunities as they arise.  The agent should be someone who is not likely to be in competition with the service member for the same promotion opportunities.

The limited power of attorney for the trusted colleague at work is separate from the general power of attorney that the service member grants to his or her spouse or other close relative, empowering that person to act on the member’s behalf in business matters generally.  Unless the spouse works for the same employer, he or she likely will not have the information necessary to act for the member with respect to the employer.

OCEAN CITY AT LEAST ARGUABLY VIOLATED USERRA WITH RESPECT TO THE 2005 AND 2007 OPPORTUNITIES

Bunting’s claims about denial of the 2005 and 2007 promotions were different, the 4^th Circuit found:  “We have reviewed the record, and we conclude that Bunting has adduced evidence rising to the level of a disputed issue of material fact.  When [OCPD Chief] DiPino was notified of Bunting’s complaints to the mayor, she informed Ocean City’s attorney that she was referring the matter to the OCPD’s internal affairs bureau.  In addition, Ocean City responded to DOL-VETS’s communication by implying that Bunting would face discipline for failing to comply with OCPD policies.  In light of the fact that these threats of discipline were made in response to protected USERRA activities, the statements clearly raise the specter of retaliation.  Finally, in evaluating Bunting for a promotion in 2007, one senior officer commented that Bunting was unfit for promotion because he filed actions against the OCPD.  We conclude that these facts could lead a reasonable jury to find that Bunting may have received promotions in 2005 and 2007 if he had not engaged in protected activities, i.e., complaining to the mayor and filing a USERRA complaint with DOL-VETS.”

There are many published court decisions about section 4311(a) of USERRA—employer discrimination based on an individual’s membership in a uniformed service, performance of uniformed service, or obligation to perform future service.  There are only a handful of published court decisions about section 4311(b)—employer retaliation for having exercised or sought to enforce USERRA rights.  This case is important.

[1] The Office of Personnel Management (OPM) USERRA regulations provide:  “[Federal] Agency promotion plans must provide a mechanism by which employees who are absent because of … uniformed service can be considered for promotion.”  5 C.F.R. 353.106(c).  The OPM regulations apply to federal agencies, as employers, and not to state and local governments and private employers.  The DOL-VETS regulations applying USERRA to non-federal employers contain no similar provision.  Please see Law Review 0855, available at www.roa.org/law_review.

(Summary of servicemembers’ reemployment rights under federal law.)

By CAPT Samuel F. Wright, JAGC, USN (Ret.)

Since 1940, federal law has given members of the Armed Forces the right to return to the civilian jobs they left in order to perform voluntary or involuntary military service or training. Congress largely rewrote this law in 1994 as the Uniformed Services Employment and Reemployment Rights Act (USERRA).
I have been speaking and writing about reemployment rights for more than 25 years, and in 1997 I began the Law Review column in THE OFFICER. What follows is a summary of USERRA drawing on the more than 300 Law Reviews written for ROA. You can find all of these on ROA’s website at www.roa.org/law_review.

To Which Employers Does USERRA Apply?
USERRA applies to almost all employers in the United States, including the federal government (as a civilian employer), the states, counties, cities, school districts, and other local government organizations, as well as private employers, regardless of size. Other federal laws only cover employers with a specific minimum number of employees (often 15), but the reemployment statute has never had such a requirement. You only need one employee to be an “employer” for purposes of this law. See Cole v. Swint, 961 F.2d 58, 60 (5th Cir. 1992).
The only employers within the United States that are exempt from USERRA are religious institutions (Law Review 185), Indian tribes (Law Review 186), embassies and consulates in the United States for foreign governments, and international organizations (such as the United Nations and World Bank). USERRA even applies outside the United States to U.S. employers and to foreign employers that are owned and controlled by U.S. companies (Law Review 24). Foreign-owned companies are subject to USERRA with respect to their operations in the United States. See Law Review 0715.

I don’t have any one employer—I work as a longshoreman through a hiring hall operated by my union. I work for many different employers, as assigned by the hiring hall. Does USERRA apply to a situation like this? In this sort of situation, who is my “employer”?
USERRA does apply to the hiring hall situation. The hiring hall is your employer. People who work as longshoremen, construction workers, stagehands, or in other kinds of work where a hiring hall assigns workers most definitely have USERRA rights, just like workers in more traditional jobs. Please see Law Reviews 28, 174, 183, and 0712.

What conditions must I meet to have the legal right to return to my civilian job?
Under USERRA, you must meet five simple conditions to have the right to reemployment in your civilian job:
1. You must have left the job for the purpose of performing voluntary or involuntary service in the uniformed services.
2. You must have given the employer prior oral or written notice.
3. Your period of service (the most recent period plus any prior periods while employed by that same employer) must not have exceeded five years. All involuntary service and some voluntary service do not count toward your five-year limit.
4. You must have been released from the period of service without having received a punitive (by court martial) or other-than-honorable discharge.
5. You must be timely in reporting back to work or applying for reemployment.
You must meet all five of these conditions—four out of five is not good enough. I suggest that you carefully “dot the I’s and cross the T’s.” Keep in mind that you may be called upon to prove that you meet each condition.
Now that I have mentioned the five conditions, let me go into greater detail on each one.

Leaving Civilian Job for the Purpose of Service
The uniformed services are the U.S. Army, Navy, Marine Corps, Air Force, and Coast Guard, as well as the commissioned corps of the U.S. Public Health Service (Law Review 46). The commissioned corps of the National Oceanic and Atmospheric Administration is not a uniformed service for USERRA purposes, although it is a uniformed service for other legal purposes. See Law Review 52.
A period of service in the uniformed services can be anything from five hours (one “drill” period for a member of the National Guard or Reserve) to five years of full-time, voluntary active duty. Contrary to popular misconception, USERRA applies to voluntary as well as involuntary military training or service. See Law Reviews 30, 161, 203, and 205. Because Congress abolished the draft in 1973, all military service today is essentially voluntary—you may be mobilized involuntarily, but only if you originally volunteered.
USERRA is not limited to the National Guard and Reserve; it also applies to individuals who leave civilian jobs to join the regular military. Anyone who meets the five conditions set forth previously has the right to reemployment under USERRA. See Law Review 0719.
USERRA’s definition of “service in the uniformed services” also includes time away from work for purposes of an examination to determine fitness for military service. For example, let us say that you visit an Army recruiter, who schedules you for an examination (including a physical examination, as well as the Armed Forces Qualifying Test) at a Military Examination and Processing Station (MEPS). If you notify your civilian employer, you have the right, under federal law, to a day or two off from work to get to the MEPS, take the examinations, and return to your home and then back to work. You can have the right to return to your job even if you were found unfit for military service. See Law Review 50.

Prior Notice to the Civilian Employer
Regardless of what kind of service you will be performing, you must give prior notice to the employer, orally or in writing. I strongly recommend you give the notice in writing and retain a copy of the notice, because you may be required to prove that you had given notice.
The law does not specify the amount of advance notice, just that the notice must be in advance. If your work day starts at 8 a.m. and you call in at 7:30 to say you are performing military service that day, that is advance notice, but if you call in at 8:30 a.m. that is not advance notice. I strongly recommend that you give as much advance notice as possible. If you have many weeks of advance notice from the military and withhold it from your civilian employer until the last moment, and if the lateness of the notice disrupts the employer’s operations, that will be “viewed unfavorably.”
If you receive late notice from the military, the lateness of the notice to your civilian employer is not to be held against you. If giving the employer advance notice is precluded by military necessity or otherwise impossible or unreasonable, you will not lose the right to return to your job for having failed to give notice.
If you are a member of the National Guard or Reserve, you will probably have a drill weekend, generally the same weekend each month. In that situation I recommend that you give the employer notice, in writing, for the whole fiscal or calendar year and then reiterate the notice orally as each drill weekend approaches.
I recommend that you give the employer the actual dates of your scheduled drills; don’t just say “first weekend” or “third weekend.” If there is a federal holiday on the Monday after the first weekend of the month, the “first weekend” is the following weekend, as far as your Reserve unit is concerned. Don’t expect your employer to figure this out; give the employer the actual calendar dates you expect to be away from work for military training or service.
If you leave a job to enlist in the regular military service, give the employer notice, even if you think that it is unlikely that you will want to return to that job. Giving notice costs you nothing, and you should be giving the employer such notice in any case, just as a matter of simple courtesy.
I suggest you avoid using words like “quit” or “resign” when giving the employer notice that you will be away from work for military training or service, but using such words does not cause you to lose the right to return to the job after service. See Law Review 63. For other articles about notice, I invite your attention to Law Reviews 5, 29, 77, 84, 91, and 117.

Five-Year Limit on the Duration of the Period or Periods of Service
If you enlist in the regular military, you will have the right to return to your pre-service civilian job, so long as you do not go over the five-year limit through a voluntary reenlistment. Your active duty period could be longer than five years if that is your initial period of obligated service. For example, persons who enlist in the Navy and choose nuclear power must commit to remain on active duty for at least six years. If you leave active duty at the end of six years, and if that was your initial period of obligated active duty, you will have the right to reemployment. Of course, you must meet the law’s other requirements.
If you are in the National Guard or Reserve, your training duty (weekend drills, annual training, etc.) does not count toward your five-year limit, and any involuntary service (in a mobilization, for example) also does not count toward your five-year limit. Even some voluntary emergency active duty is exempted from the computation of your five-year limit. Moreover, when you start a new job for a new employer, you get a fresh five-year limit with the new employer. Please see Law Reviews 201 and 0714 for a comprehensive discussion of what counts and what does not count toward using up your five-year limit with your current employer.

Release from Service under Honorable Conditions
If you receive a punitive discharge by court martial as part of the punishment for a serious offense, that would disqualify you from the right to return to your civilian job. Such a discharge would be called a “bad conduct discharge” or a “dishonorable discharge” or a “dismissal” for a commissioned officer. An “other than honorable” administrative discharge would also preclude you from the right to return to your pre-service civilian job. A “general discharge under honorable conditions” or an “entry-level separation” would not disqualify you from reemployment rights. Please see Law Review 6.

Returning to Work in a Timely Manner
If your period of service was less than 31 days (such as a drill weekend or two-week annual training period for a member of the National Guard or Reserve), you must report for work at the start of the first full work period (like a shift) on the first day you are scheduled to work, after the completion of the period of service, the time reasonably required for safe transportation from the place of service to your residence, plus eight hours for rest after you get home. If your return to work is delayed by factors beyond your control, like an automobile accident while driving home from your drill weekend, you must report back to work as soon as reasonably possible. Generally, you must be back at work the next work day after one of these short military tours, or by the second day if you have a long return trip.
If your period of service was more than 30 days but less than 181 days, you must apply for reemployment within 14 days after the date of release from the period of service. If your period of service was 181 days or more, you may wait up to 90 days after the date of release from service to apply for reemployment.
There is no particular form required for an application for reemployment, but see the attachment to Law Review 77 for a sample letter of application for reemployment. You need to make it clear to the employer that you have returned and are seeking reemployment—you are not an applicant for new employment, and the employer should not treat you as one. For more information about applying for reemployment, please see Law Reviews 7, 60, 77, 86, 91, 154, 156, 174, 178, 0622, and 0710.

Entitlements of the Returning Veteran
If you meet the five conditions discussed above, the employer has a legal obligation to reemploy you promptly. After a period of less than 31 days of service, such as a drill weekend or a standard two-week annual training tour, you must report back to work immediately, and the employer is required to put you back on the payroll immediately, as soon as you report back to work. After a longer period of military training or service, the employer is required to act on your application for reemployment and have you back on the payroll within 14 days after you submit your application.
If you have been away from work for military service for a significant time, it is entirely possible that the employer has filled your position in your absence—the work must go on whether you are there or not. The fact that there is no current vacancy does not preclude your right to reemployment. In some cases, the employer is required to lay off the replacement in order to reemploy the returning veteran. Moreover, you can have reemployment rights under USERRA even if your pre-service job was considered “temporary,” “probationary,” or “at will.” Please see Law Reviews 8, 73, 77, 87, 94, 95, 130, 203, 206, 0616, 0621, 0642, and 0701.

Continuous Accumulation of Seniority
The reemployment statute dates back to 1940, when Congress enacted it as part of the Selective Training and Service Act. For a comprehensive discussion of the history of this law, please see Law Review 104.
In 1946, the year after the end of World War II, the first case under this statute made its way to the U.S. Supreme Court. In that case, the Supreme Court held: “[The returning veteran] does not step back on the seniority escalator at the point he stepped off. He steps back on at the precise point he would have occupied had he kept his position continuously during the war.” Fishgold v. Sullivan Drydock & Repair Corp., 328 U.S. 275, 284-85 (1946).
Several later Supreme Court cases elaborated on this “escalator principle,” and section 4316(a) of USERRA [38 U.S.C. 4316(a)] codifies it in the current law. The escalator principle does not apply to everything you might have received in your civilian job if you had remained continuously employed instead of going away for service; the escalator principle applies to perquisites of seniority. You are entitled to a benefit as a perquisite of seniority, upon returning from a period of uniformed service, if the benefit meets a two-part test.
1. The benefit must be a reward for length of service rather than a form of compensation for services rendered.
2. It must be reasonably certain (not necessarily absolutely certain) that you would have received the benefit if you had been continuously employed.
The employer is not required to give you the vacation days you would have earned if you had been continuously employed. More than 30 years ago, the Supreme Court determined that vacation days fail under the first part of this two-part test; they are not a reward for length of service. See Foster v. Dravo Corp., 420 U.S. 92 (1975).
On the other hand, the rate at which you earn vacation is a reward for length of service and a perquisite of seniority that the returning veteran is entitled to claim upon reemployment. For example, let us take Joe Smith, an Army Reservist and an employee of the XYZ Corporation. At XYZ, employees with 0-5 years of seniority earn one week of vacation per year, and employees with more than five years of seniority earn two weeks of vacation per year. Joe has worked for XYZ for four years, before he is called to active duty for 18 months. When Joe returns to work, he starts immediately earning two weeks of vacation per year; if he had not been called to active duty he clearly would have gone over the five-year point in XYZ employment. But Joe is not entitled to the vacation days he would have earned during that 18-month period. For more information about USERRA and vacation benefits, see Law Reviews 26 and 59.
Upon returning to work, you are entitled to the rate of pay that, with reasonable certainty, you would have attained if you had been continuously employed. After a lengthy period of service, your proper rate of pay on reemployment will probably be significantly higher than your rate of pay before you left work for service. If most of your colleagues at work received pay raises, you are also entitled to a pay raise, as if you had been continuously employed.
“Merit pay” systems are common today in the private sector, and even in some government agencies. In such a system, each employee gets evaluated, and the evaluation determines the individual’s pay raise for the next year. A handful of employees are rated “superior” and receive pay raises well in excess of inflation. Most employees are rated “satisfactory” and receive pay raises roughly equal to inflation. A handful of employees are rated “unsatisfactory” and receive no pay raises.
Let us say Joe Smith received pay raises from XYZ for each of the four years he worked there, before he was called to active duty for 18 months. Based on his record of satisfactory work performance at XYZ before his military service, Joe is entitled upon reemployment to the pay raise he probably would have received if he had been continuously employed. Denying him that pay raise based on the mere possibility that his performance might have “tanked” to an unsatisfactory level is a violation of the law. Please see Law Reviews 120, 169, and 0604.
More than 30 years ago, the Supreme Court applied the escalator principle to pension benefits. See Alabama Power Co. v. Davis, 431 U.S. 581 (1977). The Court held that Mr. Davis was entitled to his company pension as if he had been continuously employed from 1936, when hired by the company, until 1971, when he retired, including the 30 months he was on active duty during World War II. Please see Law Review 139 for more information about pension credit for military service prior to 1994, when Congress enacted USERRA to replace the 1940 law.
Section 4318 of USERRA [38 U.S.C. 4318] applies the escalator principle to pensions, including both defined contribution plans and defined benefit plans. I invite your attention to Law Reviews 4, 9, 40, 74, 75, 76, 82, 107, 119, 138, 167, 177, 183, 0607, and 0703 for detailed information about how USERRA applies to pension benefits.
Please recognize that the escalator can go down as well as up. USERRA does not protect you from a layoff or reduction in force (RIF) that clearly would have happened anyway even if you had not been away from work for military service at the time. If you are part of a collective bargaining unit represented by a labor union, the collective bargaining agreement between the union and the employer probably determines how employees are laid off, such as by seniority order. In a unionized situation, it is generally easy to determine what would have happened to your job if you had not left the job for military service.
In non-unionized companies, layoffs and RIFs are generally not based on seniority. In that case, determining what would have happened to your job is much more difficult. The employer may tell you that your job would have gone away anyway, but you should ask for proof.

Status of the Returning Veteran
Upon your application for reemployment, and assuming you meet the five conditions, the employer is required to reemploy you in the position of employment you would have attained if you had been continuously employed (usually but not always the position you left). If your period of service was 91 days or more, the employer does have some additional flexibility. In such a situation, the employer has the option of reemploying you in another position, for which you are qualified, that provides like seniority, status, and pay.
The word status is an important word, full of meaning. Location (commuting area) is an aspect of status. You are not required to accept the employer’s offer of a similar job in a distant city, unless there is evidence that the job itself moved during the time you were away from work for military service. If the store where you worked closed during the time you were on active duty, and all of your colleagues moved to a new store in a distant city or left the employ of the company, then the evidence shows that you would have been affected by that move even if you had not been on active duty at the time, and USERRA does not exempt you from changes that would have happened anyway.
If the job you had still exists in the same metropolitan commuting area where you worked before your military service, then the employer must reemploy you in that commuting area, even if it means displacing another employee. See Law Review 206. Of course, the employer may “sweeten the deal” by offering you relocation benefits and other incentives to take the job in a distant city. You can take that offer if you wish to, but if you decline the offer the employer must reemploy you in a job of like status (including location) to the position you would have attained if you had been continuously employed. Other aspects of status include hours of employment (most people prefer daytime to nighttime work) and being the supervisor instead of the supervisee. Please see Law Reviews 8, 79, 129, 153, 170, and 191 for a detailed discussion of status.

Reinstatement of Your Civilian Health Insurance Coverage
Upon your reemployment, you are entitled to immediate reinstatement of your health insurance coverage (including coverage for family members). There must be no waiting period and no exclusion of “pre-existing conditions” other than conditions that the U.S. Department of Veterans Affairs has determined to be service-connected. Please see Law Reviews 10, 69, 85, 118, 142, and 176.

Protection from Discharge after Reemployment
If your period of service was 181 days or more, it is unlawful for the employer to discharge you, except for cause, within one year. If your period of service was 31-180 days, it is unlawful for the employer to discharge you, except for cause, within 180 days. This period of special protection begins on the date that you are properly reinstated. If you were reinstated in a position inferior to the position to which you were entitled under USERRA, the period of special protection never started running and therefore has not been exhausted. Thus, in some circumstances the special protection period would remain in effect for more than a year after you return to work.
The purpose of this special protection period is to protect the returning veteran from a bad-faith reinstatement. Please see Law Reviews 184 and 0701 for more information on this provision.

Accommodations for Returning Disabled Veterans
If you return from service with a service-connected disability, the employer is required to make reasonable efforts to enable you to return to the position of employment that you would have attained if you had been continuously employed. Of course, not all disabilities can be accommodated in the same position of employment; a blinded veteran cannot return to the cockpit of an airliner. If your disability cannot be reasonably accommodated in that particular position, the employer must reemploy you in some other position for which you are qualified, or can become qualified with reasonable employer efforts, and that provides like seniority, status, and pay, or the closest approximation consistent with the circumstances of your case. Please see Law Reviews 8, 77, 121, 130, 136, 155, 174, 183, 199, and 0640.

Discrimination Prohibited
Section 4311 of USERRA provides as follows:
(a) A person who is a member of, applies to be a member of, performs, has performed, applies to perform, or has an obligation to perform service in a uniformed service shall not be denied initial employment, reemployment, retention in employment, promotion, or any benefit of employment by an employer on the basis of that membership, application for membership, performance of service, application for service, or obligation. (b) An employer may not discriminate in employment against or take any adverse employment action against any person because such person (1) has taken an action to enforce a protection afforded any person under this chapter, (2) has testified or otherwise made a statement in or in connection with any proceeding under this chapter, (3) has assisted or otherwise participated in an investigation under this chapter, or (4) has exercised a right provided for in this chapter. The prohibition in this subsection shall apply with respect to a person regardless of whether that person has performed service in the uniformed services. (c) An employer shall be considered to have engaged in actions prohibited— (1) under subsection (a), if the person’s membership, application for membership, service, application for service, or obligation for service in the uniformed services is a motivating factor in the employer’s action, unless the employer can prove that the action would have been taken in the absence of such membership, application for membership, service, application for service, or obligation for service; or (2) under subsection (b), if the person’s (A) action to enforce a protection afforded any person under this chapter, (B) testimony or making of a statement in or in connection with any proceeding under this chapter, (C) assistance or other participation in an investigation under this chapter, or (D) exercise of a right provided for in this chapter, is a motivating factor in the employer’s action, unless the employer can prove that the action would have been taken in the absence of such person’s enforcement action, testimony, statement, assistance, participation, or exercise of a right. (d) The prohibitions in subsections (a) and (b) shall apply to any position of employment, including a position that is described in section 4312(d)(1)(C) of this title.
Proving a section 4311 violation (discrimination) is more difficult than proving a section 4312 violation (reinstatement). If you are fired after the special protection period has expired, or if you are denied initial hiring or denied a promotion or benefit, that would be a section 4311 case. You are required to prove that your membership in a uniformed service, performance of uniformed service, application or obligation to perform service, or one of the other protected factors mentioned in section 4311(a) or 4311(b) was a motivating factor (not necessarily the sole factor) in the employer’s decision. You need not prove that your service was the reason; it is sufficient to prove that it was a reason. You can prove “motivating factor” by circumstantial as well as direct evidence; there need not be a “smoking gun.” Please see Law Reviews 11, 35, 36, 64, 122, 135, 150, 162, 198, 205, 0609, 1616, 0631, 0701, 0702, 0706, 0707, 0713, 0717, and 0731 for a detailed discussion of section 4311 of USERRA.

Assistance and Enforcement
If you have questions or need assistance, as a person claiming USERRA rights with respect to civilian employment, I suggest you contact the National Committee for Employer Support of the Guard and Reserve (ESGR) at 1-800-336-4590 or DSN 426-1386. I also invite your attention to the ESGR website, www.esgr.mil.
ESGR is a Department of Defense organization, established in 1972. ESGR’s mission is to gain and maintain the support of public and private sector employers for the men and women of the National Guard and Reserve. ESGR has a network of more than 900 trained volunteers called “ombudsmen.” An ESGR ombudsman will contact the employer on your behalf to explain the law and try to work things out in a non-confrontational manner. If the ombudsman’s efforts are not successful, the ombudsman will advise you to contact the U.S. Department of Labor, the U.S. Office of Special Counsel, or to retain a private lawyer to assist you in enforcing your rights.
I suggest that you not call from work ESGR or anyone else to complain about your civilian employer, and that you not use your civilian employer’s e-mail system when seeking advice or making a complaint about your employer. You probably have no privacy when using the employer’s telephone or e-mail system, and your employer probably has a rule against non-work activities on work time or with the employer’s equipment. If your employer is annoyed with you for the time you are away from work for military training and service and is looking for an excuse to fire you, the last thing you should do is give the employer such an excuse. Please see Law Reviews 150 and 0702.
ESGR’s toll-free line is only answered during regular business hours Eastern Time, but ESGR is expanding its hours in order to make it possible for National Guard and Reserve personnel to contact ESGR from the privacy of their own homes outside ESGR’s business hours. ESGR also recently established a way for individuals to seek ESGR assistance through the ESGR website. Go to www.esgr.mil and select the link “USERRA Complaint Request” on the right side of the page. Provide contact information for yourself and your employer, as well as a brief explanation of the problem or issue. This information is stored on a secure server, and ESGR will assign your request to one of its 900 ombudsmen.
A detailed discussion of USERRA’s somewhat complicated enforcement mechanism is beyond the scope of this article. For detailed information about USERRA enforcement, please see Law Reviews 12, 24, 34, 65, 67, 89, 93, 108, 115, 123, 148, 149, 159, 172, 189, 197, 200, 203, 205, 206, 0605, 0610, 0611, 0616, 0619, 0623, 0634, 0637, 0639, 0701, 0706, 0707, 0711, 0712, 0715, and 0717.

CAPT Wright recently retired from the Navy Reserve, with more than 37 years of Active and Reserve service, including more than 10 years of full-time active duty. His military decorations include two Meritorious Service Medals, a Joint Service Commendation Medal, and two Navy Commendation Medals. He worked for the U.S. Department of Labor (DOL) as an attorney for 10 years, and during that time he and another DOL attorney, Susan M. Webman, largely drafted USERRA.