COMMENTARY

Add workforce woes to cybersecurity chief's agenda

Howard Schmidt should make it a priority to build a sophisticated cybersecurity workforce

President Obama has finally named the first-ever White House cybersecurity coordinator—an individual who now must focus government efforts to better protect vulnerable computer networks from attack by foreign nations, criminal intruders, hackers and terrorist organizations.

The new cybersecurity coordinator, Howard A. Schmidt, promises to develop “a new cyber strategy that keeps America secure and prosperous.” To accomplish this goal, Schmidt will have to use the clout of the White House to bring order to a governmentwide technology enterprise where no single individual or federal agency has had the authority to set a clear direction, settle turf battles or ensure accountability in an area that is critical to America’s national and economic security.

As he embarks on this difficult path, Schmidt would be wise to promptly confront a crucial but often overlooked aspect of protecting the federal digital networks—the serious shortage of highly skilled cybersecurity professionals in government. Without building a sophisticated federal cybersecurity workforce, we will never adequately secure the government’s computer networks and the military, intelligence and confidential data that they hold.

The need for such talent is increasing every day. The Government Accountability Office (GAO) reported in November that “pervasive and sustained cyberattacks continue to pose a potentially devastating threat to the systems and operations of the federal government.” While security incidents grew by more than 200 percent from fiscal year 2006 to fiscal year 2008, the report concluded that the country is not optimally prepared to protect itself from such attacks.

In fiscal 2008, the GAO found weaknesses in security controls at 23 of 24 major agencies. A report by the Interior Department’s inspector general that same month cited the “use of substantially underqualified personnel to perform significant information security duties,” a common refrain in many parts of our government.

Clearly there is a need for more effective policies, sophisticated software and better information technology management. But there is also an urgent need to close the technical skill gap, a task that will require a coordinated federal effort to recruit, hire and train professionals in computer network engineering, forensics, software development, defense, vulnerability and protocol analysis, intrusion detection, and, in the case of the military and intelligence communities, digital exploitation and attack.

This will not be easy given the nationwide shortage of such talent, the fierce competition from the private sector and, distressingly, a government system that has impeded development of a high-caliber federal cybersecurity employee base.

To date, no one in the government has been in charge of assessing the cybersecurity workforce, how many people will be needed across the federal system in the short and long term, what skills are necessary and how top talent will be obtained.

As the demand for technical skills and competencies has increased, the government has continued to operate with an outdated job classification system that in many cases does not even provide for “cybersecurity” as a specialty. One computer science job category was last updated in 1988 when the Internet was not a fact of everyday life.

There are no uniform, governmentwide certification standards and no federal career path for cybersecurity specialists. There is insufficient training for workers to upgrade skills, inadequately funded federal scholarship programs to lay a foundation for a talent pipeline, a cumbersome and lengthy federal hiring process, and a lack of in-house capability at many agencies to properly manage contractors.

Congress is now looking at some of these issues, and there are pending cybersecurity bills that contain workforce provisions. John Berry, the director of the Office of Personnel Management, has begun an internal process to develop new job classification and competency guidelines for cybersecurity personnel, a move that represents a positive development.

The new awareness of this problem is a positive development, but immediate action is needed. To build a vibrant and highly skilled government-wide cybersecurity workforce, the cybersecurity coordinator in cooperation with other key administration officials and with the help from Congress where necessary, should more quickly to:

  • Develop and execute a government-wide strategic plan to recruit, hire and retain top cybersecurity talent, and provide guidance on the appropriate roles for civil servants and private contractors.
  • Lead a nationwide call to service to encourage students to develop technology, math and science skills, and expand computer science and cybersecurity scholarship programs in return for a commitment to government service.
  • Create up-to-date cybersecurity job classifications, establish certification requirements and map a federal employee cybersecurity career path starting at the entry-level.
  • Invest heavily in cybersecurity training and develop a cadre of managers with the skills to lead a multi-sector workforce.
  • Provide agencies with hiring flexibilities to expedite recruitment of top talent.

Developing a first-rate cybersecurity workforce will take time, commitment, resources and strong administration leadership. Schmidt will be in a position to take a governmentwide view, and to make the workforce a priority. Failure to do so will increase the susceptibility of our computer networks, and could place our country in greater jeopardy.

Reader comments

Fri, Jan 8, 2010

The government is only interested in computer people who can demonstrate they are social conservatives, are independently wealthy, and can fog mirrors. I've got an interview at Google next week -- where I can throw a Nerf ball at my coworker in the next cube without my getting fired, or even anybody looking at me funny!

Tue, Jan 5, 2010

I have been trying to get back into the government since leaving - get this - to complete an NSA funded cybersecurity scholarship. The hiring process is beyond broken. I now have 2 Masters degress 1 - in Computer Science and 1 in System Management with specialization in Government. I have a TS security clearance. I am qualified at the SES level. In fact, I'm currently making almost twice that of an SES 1 in the private sector yet I am willing to re-enter federal service with a pay cut since I believe it is the right thing to do. But - I can't get in. The irony... Anyone need a turnkey GS-15/SES? I come with Special Hiring Authority, if that helps.

Mon, Jan 4, 2010 freecode US

I do not think that computer experts are an anathema to the government, but I do think that the government faces some innate and very serious challenges in hiring staff that "qualify" as computer experts. First among them is the salary; second is the ability to truly understand the culture of the computer geeks (I am one); and probably the most important is the ability to fully vet and trust those they hire. Salary will probably keep the truly gifted employed elsewhere, and the culture and vetting process will probably make it much more difficult to hire anyone willing to take up the challenge. Where the government should be looking is toward more experienced persons - but the efforts I see are directed at gathering up the youth versus those who already have experience and would be willing to serve their country (you need a mix of both to make the culture work). Another issue that is a significant challenge is the location of many of these jobs (DC, Maryland, Virginia, etc.) where it is simply too costly to live, work and be happy (all of which geeks like me prefer in our working environments). If they opened up jobs and centers around the nation's high-tech hubs - they could fare a lot better at hiring as well. That's just my two cents though, YMMV.

Mon, Jan 4, 2010 oracle2world

Computer experts are anathema within the gov't (and other places). Computers are picky, literal, not deceptive, and have long memories. People are the opposite. That is why most people struggle so much with computers, even though they are among the easiest jobs around. So good luck hiring any. However, on the bright side, the biggest security threats are inside jobs. So given the IT workforce in government, there is little worry about this threat.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above