Do federal agencies need to send their cybersecurity professionals to a cyber version of Top Gun? That was one of the suggestions for improving cybersecurity hiring and training that came out of this week’s GITEC Summit 2017 in Annapolis, Md.
Agencies face not only a shortage of cyber pros but also a lack of cyber defenders with the right skill sets, including experience dealing with real-world cyberattacks, officials at the summit said.
Former federal CIO Tony Scott said in November 2015 that there were an estimated 10,000 openings for cyber professionals in the government. The government hired 3,000 cyber workers in the first six months of 2016 and aimed to add another 3,500 by January. In January, the Office of Personnel Management launched the CyberCareers.gov website as part of its effort to recruit, hire, develop and retain cyber talent. Yet there remain concerns that President Donald Trump’s hiring freeze and proposed budget will hamper the government’s plans to hire more cyber talent.
A Government Accountability Office report released on Tuesday found that agencies “continue to be challenged in recruiting and retaining qualified cybersecurity staff.” A cybersecurity commission created by former President Barack Obama recommended in December that the Trump administration launch a program to train 100,000 cybersecurity practitioners and initiate a national cybersecurity apprenticeship program to train 50,000 more by 2020. However, Angela Bailey, chief human capital officer at the Department of Homeland Security, said in November that DHS has proven it can quickly hire cyber talent.
Hiring Cyber Defenders with Experience
During a cybersecurity panel at GITEC, Brian Varine, chief of the Justice Security Operations Center at the Justice Department, said that the people agencies do wind up hiring for cybersecurity jobs are “kind of green.”
A key reason, he said, is that most cyber defenders “have never actually seen a real cyberattack,” an advanced persistent threat that tears apart a network and forces them to respond.
What should agencies do about this? Varine notes that in the 1950s and 1960s, the armed forces sent out young pilots in multimillion-dollar aircraft, and many of them would get shot down early in their deployments.
“Eventually, the Navy figured out, when they invented Top Gun, ‘Hey, most of our guys are getting shot down in their first 10 missions because that’s where they’re making all of their mistakes.’ Once they got past 10, they got pretty good.”
The government needs to give cyber defenders those 10 missions, either with training on government networks or before they set foot inside agencies, Varine said. Entire agencies also need to go through training for real-world cyberattacks, he added.
“When was the last time their enterprise really went through a live-fire cyber defense exercise? Well, I can tell you: never,” Varine said. “Because what organization is going to say, ‘Hey, come in here, take my entire IT operation out of commission for three days while we simulate an attack’?”
The military decided to send its best pilots for real-world fighter pilot training. “We kind of need that, minus the shades, for cyber,” Varine said.
When those workers come back to agencies, they can then train their colleagues, he said. “Unfortunately, what we do is, the guys that do see those incidents and they get the experience, they go off to the private sector to go work for the same person you’re going to pay $600 an hour to come and help you out with the next incident,” he noted.
Many agencies are reluctant to turn their networks into battlefields, Varine said. “Well, that’s OK, the adversary is real cool with that,” he added sarcastically.
Getting Talent in the Door Is Harder Than New Tech
Brad Nix, director of the U.S. Computer Emergency Readiness Team at the Department of Homeland Security, another panelist, said that it is easy to fix processes and get new technologies inside agencies. What’s more difficult?
“Getting the right people in the chairs,” he said. “It’s keeping those people in their chairs.”
Nix said that if he can get a talented cybersecurity professional and keep that person for three years, he’s fine with that worker then going off to the private sector, or leaving for Silicon Valley and then eventually coming back.
Nix said he does a great deal of recruiting through OPM’s Scholarship for Service program, in which students receive scholarships but then must commit to government service after they graduate; for example, if a student gets funding for three academic years, they must then serve for three academic years once they graduate.
Mark Kneidinger, director of federal network resilience in the Office of Cybersecurity & Communications at DHS, agreed with Nix and said that agencies also need to have more continuity in leadership to attract talent. He noted that over the past few years there has been 85 percent turnover in federal CIOs.
Meanwhile, Dan Jacobs, cybersecurity program coordinator at General Services Administration, praised GSA’s 18F unit, which is filled with developers from the private sector who help agencies deliver digital services, as “a really great way to get some hot talent on board for you.”
However, Jacobs said, it’s sometimes difficult for those private-sector hires to get through the security clearance process. It’s also not helpful, Jacobs said, that agencies are facing budget cuts and operating under continuing resolutions for funding, which makes it difficult for managers to convincingly tell cyber recruits that their positions are fully funded.
Jacobs noted that OPM recently sent a memo to agencies detailing incentives agencies can offer, such as telework and assignments in remote locations like Silicon Valley, to get hires in the door.
“If you don’t have that in your back pocket, you are seriously doing your organization a disservice because you don’t know how to attract great talent,” he said. Until agencies exhaust all opportunities to hire, they cannot say they have a problem with recruitment and retention.