Add workforce woes to cybersecurity chief's agenda
Howard Schmidt should make it a priority to build a sophisticated cybersecurity workforce
President Obama has finally named the first-ever White House cybersecurity coordinator—an individual who now must focus government efforts to better protect vulnerable computer networks from attack by foreign nations, criminal intruders, hackers and terrorist organizations.
The new cybersecurity coordinator, Howard A. Schmidt, promises to develop “a new cyber strategy that keeps America secure and prosperous.” To accomplish this goal, Schmidt will have to use the clout of the White House to bring order to a governmentwide technology enterprise where no single individual or federal agency has had the authority to set a clear direction, settle turf battles or ensure accountability in an area that is critical to America’s national and economic security.
As he embarks on this difficult path, Schmidt would be wise to promptly confront a crucial but often overlooked aspect of protecting the federal digital networks—the serious shortage of highly skilled cybersecurity professionals in government. Without building a sophisticated federal cybersecurity workforce, we will never adequately secure the government’s computer networks and the military, intelligence and confidential data that they hold.
The need for such talent is increasing every day. The Government Accountability Office (GAO) reported in November that “pervasive and sustained cyberattacks continue to pose a potentially devastating threat to the systems and operations of the federal government.” While security incidents grew by more than 200 percent from fiscal year 2006 to fiscal year 2008, the report concluded that the country is not optimally prepared to protect itself from such attacks.
In fiscal 2008, the GAO found weaknesses in security controls at 23 of 24 major agencies. A report by the Interior Department’s inspector general that same month cited the “use of substantially underqualified personnel to perform significant information security duties,” a common refrain in many parts of our government.
Clearly there is a need for more effective policies, sophisticated software and better information technology management. But there is also an urgent need to close the technical skill gap, a task that will require a coordinated federal effort to recruit, hire and train professionals in computer network engineering, forensics, software development, defense, vulnerability and protocol analysis, intrusion detection, and, in the case of the military and intelligence communities, digital exploitation and attack.
This will not be easy given the nationwide shortage of such talent, the fierce competition from the private sector and, distressingly, a government system that has impeded development of a high-caliber federal cybersecurity employee base.
To date, no one in the government has been in charge of assessing the cybersecurity workforce, how many people will be needed across the federal system in the short and long term, what skills are necessary and how top talent will be obtained.
As the demand for technical skills and competencies has increased, the government has continued to operate with an outdated job classification system that in many cases does not even provide for “cybersecurity” as a specialty. One computer science job category was last updated in 1988 when the Internet was not a fact of everyday life.
There are no uniform, governmentwide certification standards and no federal career path for cybersecurity specialists. There is insufficient training for workers to upgrade skills, inadequately funded federal scholarship programs to lay a foundation for a talent pipeline, a cumbersome and lengthy federal hiring process, and a lack of in-house capability at many agencies to properly manage contractors.
Congress is now looking at some of these issues, and there are pending cybersecurity bills that contain workforce provisions. John Berry, the director of the Office of Personnel Management, has begun an internal process to develop new job classification and competency guidelines for cybersecurity personnel, a move that represents a positive development.
The new awareness of this problem is a positive development, but immediate action is needed. To build a vibrant and highly skilled government-wide cybersecurity workforce, the cybersecurity coordinator in cooperation with other key administration officials and with the help from Congress where necessary, should more quickly to:
- Develop and execute a government-wide strategic plan to recruit, hire and retain top cybersecurity talent, and provide guidance on the appropriate roles for civil servants and private contractors.
- Lead a nationwide call to service to encourage students to develop technology, math and science skills, and expand computer science and cybersecurity scholarship programs in return for a commitment to government service.
- Create up-to-date cybersecurity job classifications, establish certification requirements and map a federal employee cybersecurity career path starting at the entry-level.
- Invest heavily in cybersecurity training and develop a cadre of managers with the skills to lead a multi-sector workforce.
- Provide agencies with hiring flexibilities to expedite recruitment of top talent.
Developing a first-rate cybersecurity workforce will take time, commitment, resources and strong administration leadership. Schmidt will be in a position to take a governmentwide view, and to make the workforce a priority. Failure to do so will increase the susceptibility of our computer networks, and could place our country in greater jeopardy.