With IT security experts in short supply, agencies are shaping the next generation from the ground up.
Five years ago, Nalani Fraser's career plans changed with a conversation. As an information technology auditor at the Government Accountability Office, she learned from a colleague about a program that would send her back to school with full tuition paid as long as she would commit to giving a critical service back to Uncle Sam: securing the nation's cyber networks.
That conversation led her to apply for the Scholarship for Service program, which provided her the resources to obtain her master's degree in cybersecurity at The George Washington University. "During college, I had specialized in IT," says Fraser, who is now an IT analyst at the Homeland Security Department's Computer Emergency Readiness Team. "But I realized I didn't want to just report on what others were doing; I wanted to make a direct impact and be on the front lines of security."
Unfortunately, not nearly enough people share the same passions or skills as Fraser, creating immense challenges for the federal government in protecting the nation's cyber infrastructure. In 2009, Jim Gosler, a fellow at Sandia National Laboratory and former director of the CIA's Clandestine Information Technology Office, said at a Pentagon meeting that while there are about 1,000 security specialists in the United States who have the highly specialized skills to operate expertly in cyberspace, the United States really needs about 10,000 to 30,000 such individuals.
The problem is not just of quantity, either. A 2009 report by the nonprofit Partnership for Public Service found that 76 percent of chief information officers, chief information security officers and IT hiring managers ranked recruiting skilled cybersecurity talent a high or top priority, but only 40 percent were satisfied or very satisfied with the quality of applicants applying for federal cybersecurity jobs.
"What creates special challenges for the federal government is that we're still in a place in the country where the demand for folks with real cybersecurity expertise exceeds the supply," says John Palguta, vice president for policy at the Partnership. "The people who have the skills have options."
Alan Paller, research director for the SANS Institute, an organization that provides high-level cybersecurity training and certification, argues that the dramatic increase in the sophistication of cyber-attacks has called for a new breed of cyber warrior, or hunter, who possesses acute front-line skills. "The demand for cybersecurity skills is highly uneven," he says. "Even the managers now need hands-on skills in order to manage the newly emerging technical people."
It's no surprise then that the government's future for hiring cyber talent looks bleaker than ever. But such challenges have not gone unnoticed, and some agencies, namely the Homeland Security Department, have made cybersecurity and its underlying workforce issues a top priority. The Obama administration also has proposed legislation that would make it easier to hire, train and retain cyber talent.
"It's pretty obvious that regardless of the technology and the need for additional hardware and infrastructure improvement, people are still at the heart at keeping us secure," says W. Hord Tipton, executive director of (ISC)2.
In 2010, the administration launched a nationwide cybersecurity education program designed to bolster cyber awareness, education and training. The program-the National Initiative for Cybersecurity Education-is led by the National Institute of Standards and Technology, but it also includes agencies like DHS and the Office of Personnel Management, with the goal of improving the cyber talent pipeline and the recruitment, retention and training of government and private sector cyber professionals.
The workforce component of NICE is considered by many to be one of the most critical because it will help agencies better define what a cybersecurity job consists of. After all, the current classification system for information security is in dire need of an update. According to the Partnership report, one computer science job category was last updated in 1988.
"One of the challenges is it's hard to identify these folks," says Chuck Grimes, acting associate director for employee services at OPM. "There are cybersecurity workers in information technology, criminal investigation and computer engineering, so it's hard to identify a cybersecurity worker simply by their title."
In September, OPM reached out to 50,000 employees and their supervisors as part of the NICE initiative to identify the skills that are most critical to cybersecurity work, with the goal of using the results to help build a cybersecurity competency model for four key occupations: information technology management, electronics engineering, computer engineering and telecommunications. Among the top skills flagged by respondents: integrity, computer skills, technical competence, teamwork and attention to detail.
Keri Nusbaum, program manager for the cyber workforce initiative at DHS, says her agency also is developing a cybersecurity workforce model based on the functional roles identified in the NICE initiative. The plan is to use the model to "assess the workforce, identify the skills needed and identify some gaps where we can provide additional training," she says.
Frank Reeder, a consultant and management expert whose 35 years of public service included more than two decades at the Office of Management and Budget, says a major challenge for government is its lack of a rigorous certification process that allows it to distinguish workers with general cybersecurity skills from those with specialty skills. "To me, the medical metaphor makes sense," he says. "Cybersecurity is not a single field; it's like medicine, a field that requires a range of subspecialties. We may need a generalist running the hospital, but when I go in for neurosurgery, I want someone who is a certified neuro- surgeon. The world of cybersecurity has the same type of complexity."
Meanwhile, workforce development under NICE is moving along, with the main focus geared toward intensifying training and professional development opportunities for current federal cybersecurity workers. According to Paller, the challenge is ensuring cyber workers and training programs can keep up. "What's special about security training is that the problems change every few weeks . . . so even if you knew how to do something, there is always a need for a refresher," he says.
According to Grimes, the key to NICE, at least from a federal perspective, will be aligning it with strong human resources strategies, including hiring, onboarding and competitive pay. The good news is that federal government salaries already are competitive with the private sector when it comes to cyber talent. A recent study by (ISC)2 shows 57 percent of federal cyber professionals earn $100,000 or more, compared with 42 percent worldwide who earn six-figure salaries.
"At one time, the government would lose people to the private sector after [agencies would] pay for their security clearance," Tipton says. "But now the government is indeed competitive with the private sector, and that's a step in the right direction."
Cyber Solutions In January, DHS stood up an office within the National Protection and Programs Directorate dedicated to developing initiatives for recruiting, hiring and developing cybersecurity workers. The move has led to the creation of programs like the Federal Cybersecurity Training Exercise, or FedCTE, which allows security professionals from 25 agencies to build, refine and maintain their skills through training sessions that simulate cyberattacks. "We began it last year as a pilot and it proved exceptionally successful," Dean says, adding that a portion of the $24.5 million DHS requested in its fiscal 2012 budget for cyber workforce efforts will be dedicated to making FedCTE a permanent program.
This summer, DHS also launched the Secretary's Honors Program for Cybersecurity Professionals, which offers college students going into their senior year a 10-week internship at one of its cybersecurity programs. Students then can become eligible for a full-time position in a two-year, cybersecurity rotational training program following graduation. The department launched a similar program-the Emerging Leaders in Cybersecurity Fellowship-for recent grads with a cybersecurity-related master's degree.
"They have the opportunity to see the different types of work from a law enforcement perspective and a mission perspective, which really gives them a great idea of the DHS mission," Nusbaum says. "There's also training involved to ensure these folks are on a leadership track."
In 2012, the department will launch a program that offers rotational assignments to its cybersecurity employees, as well as a program that pairs them with partners at places like the Software Engineering Institute at Carnegie Mellon University and the Secret Service National Computer Forensics Institute. The department in 2009 also was granted Schedule A hiring authority to bring on more cybersecurity workers, a flexibility that helped DHS boost staff at its National Cybersecurity Division from 35 to 260, according to Nicole Dean, acting director of NCSD. By October 2012, DHS' cyber workforce will grow from 260 to 400 employees, she says.
Outside DHS, the government is boasting great success with the U.S. Cyber Challenge, a competition, sponsored by a national coalition of public-private sector entities. The program identifies promising students who are high school age or younger and invests in their educational and professional development. Since its launch in 2009, the program has grown to 260 students. The goal is to find 10,000 of America's best and brightest to become the next generation of cyber warriors.
Whether the Cyber Challenge will move fast enough or even tap 10,000 prospects is still in question, according to Paller. "What's cool about this is you don't have to work five years to get there," he says. "It's more like sports than academics. A great basketball player doesn't necessarily have to go to high school and college; they can earn the right to go straight to the pros."
The Final Piece
Even with all the progress it has made on hiring and training, DHS would certainly benefit from a couple of additional changes and flexibilities, Dean says. In May, the Obama administration sent a comprehensive cybersecurity package to Congress in hopes of helping lawmakers craft passable legislation from 50-some bills pending in both chambers. The plan gives DHS the remaining workforce flexibilities Dean says are necessary to keep up the momentum and to help the department compete with the private sector as well as military and intelligence agencies in terms of salary and hiring time.
The proposal would offer DHS the same hiring and pay flexibilities that are in place at the Defense Department, in part by authorizing the DHS secretary to make direct appointments, set compensation rates, and pay additional benefits and incentives for cyber talent. In addition, the proposal would authorize the DHS secretary to establish a scholarship program for information security employees to pursue a degree or certification in an information assurance discipline.
The administration's proposed legislation also would reactivate and streamline the government's Information Technology Exchange Program, which allows government and industry to temporarily swap cyber professionals. DHS' chief human capital officer already is looking into ways to detail employees to the private sector and vice versa. "It's a two-way learning environment we'd be able to create, which would allow us to better share information and work to the common goal of preventing cyber events," Nusbaum says.
The jury is still out on whether such rotations would be effective, or even possible, given the lack of consistency in federal job descriptions and training. OPM's Grimes says the previous IT exchange program was not widely used. "People don't like to leave their jobs," he says. "And there's also the issue of what if they learn something from the private company and want to go work for them."
Another question is whether the administration's cybersecurity workforce proposal goes far enough. One Senate bill (S. 413), for example, would increase the number of students like Nalani Fraser who can participate in the Scholarship for Service program, and would require OPM to develop a comprehensive cyber workforce strategy that includes a five-year recruitment plan and 10- and 20-year projections of staffing needs.
"More bodies are not enough for the government," Palguta says. "The work of government is important enough that we need the best talent possible for jobs to be done. And that requires knowing how well you're doing and setting your benchmarks."
Brittany Ballenstedt, a former staff writer for Government Executive, covers the IT workforce for Nextgov.