CISA chief wants younger, more experienced hackers in federal government

Federal agencies could do much to improve their cybersecurity talent pool if they moved away from restrictive General Schedule hiring practices and were more open to bringing on younger candidates, according to Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency.

During an Aug. 3 online discussion hosted by the Wilson Center, former Rep. Jane Harmon (D-Calif.) asked Krebs about the recent arrest and charging of a 17-year-old Tampa student alleged to be behind last month's Twitter hack, asking him if CISA had the staffing it needed to "stay ahead of the 17-year-olds."

Some observers expressed surprise that a teenager could thwart the security defenses of a multi-billion-dollar corporation, but Krebs argued that in the digital domain, practical experience quickly outstrips age and even credentials in importance.

"You know at this point, particularly in cyber, I'm not sure it matters if you're 45 or 17, which speaks to the ways that we need to evolve our hiring practices," said Krebs.

"I'm getting, 17, 18-year-olds that apply for a job and [they] have six years of practical, -- operational effectively -- experience in security research," said Krebs. "So, they've been online white hat hackers since they could…turn on a computer."

It's far from the first time that younger hackers have made a big impact on the world stage, for good or ill. The incredibly disruptive Mirai botnet was stitched together by three American teenagers who first used it primarily to run a DDoS-for-Hire operation against rival Minecraft competitors.

Following their arrests, the trio became something of a success story for hacker rehabilitation, with U.S. prosecutors ultimately lobbying to reduce their sentences to probation largely because of their advanced skill identifying and tracking botnet infrastructure. Their insights offered "a unique opportunity" that provided law enforcement operators "the knowledge and tools they need to stay ahead of cyber criminals around the world," U.S. Attorney Brian Schroder told a court last year.

While he didn't specifically float the possibility of hiring former criminals, Krebs noted that the General Schedule system used by the federal government to make hiring and compensation choices doesn't credit adequately reflect the skills and experience of younger hackers. The current standards are "based on a system from 1929, almost a clerical hiring approach…that really prioritizes experience in a professional setting" such as graduate and post graduate degrees.

That approach, where higher levels of credentialing and experience dictate higher performance, is "just not how cyber works," he said.

It's a recurring argument for the agency. In a budget hearing last year, Krebs complained that he couldn't appropriately compensate younger job candidates who had all the skills needed to excel but don't meet traditional educational and credentialing milestones. The result is that CISA and the federal government may be losing out on candidates at the same time it and the private sector are in fierce competition for an increasingly shrinking pool of cyber talent.

The solution, he argued, lies in diversifying STEM education, both in K-12 education and expanding technology trade schools so that two-year degrees replace "the equivalent of…having to go to law school." Policymakers could also get more from pushing to do more to build security into their products by design rather than focusing on the total number of unfilled cybersecurity positions in the market that are needed to implement security after the fact.

"That's a nihilistic approach as I look at it. If we can make stuff more secure by design and deployment then we're not going to need all those [positions]," said Krebs.