Editor’s note: This is the latest article in an ongoing series examining how the federal IT landscape will evolve during the Trump administration.
President Donald Trump’s efforts to shrink the federal budget would, at first glance, seem likely to exacerbate the ongoing struggles of government agencies to fill gaps in the cybersecurity workforce.
But the administration’s hiring freeze — announced in January and lifted in April — made exceptions for national security and public safety, which many agencies took to include cyberprotection. The strategy comes as attacks on government computer systems continue to mount. By late July, the National Institute of Standards and Technology and its National Vulnerability Database had identified more than 92,000 weak points across networks.
The White House has directed agency leaders to plan for workforce cuts as a way to fit their budgets into a smaller spending plan for 2018. Officials have discretion, however, to prioritize hiring in areas where they see the greatest need, including in cybersecurity, says David Berteau, president and CEO of the Professional Services Council, a trade group that represents government technology professionals.
Agencies won’t have trouble finding money to hire for these roles, he says. Instead, the greater obstacle is the government’s ability to attract skilled workers to those positions.
“Cybersecurity is being given priority,” both in budgeting and among agency leadership, Berteau says. “The funding will probably exceed the capacity to get people in place.”
A shortage of cybersecurity experts plagues employers across the economy, from technology behemoths to the local garden center. Competing with the private sector, the government generally moves more slowly in hiring than businesses and often cannot pay workers as well.
In addition, most federal cybersecurity workers need a security clearance. Currently, the government has an investigations backlog of at least 500,000 people waiting for clearance, Berteau says.
To help address the pay discrepancy, Congress has considered expanding “critical pay” hiring authority so agency heads can bypass usual compensation restrictions for cybersecurity roles. Still, one key hurdle is a lack of data on the number and specifics of cybersecurity positions, experts say. Across government, just a few “position codes” cover all IT jobs, leaving one code to identify a series of jobs, from systems analyst to programmer. As a result, cybersecurity might fall into a vague category such as “IT specialist.”
Feds Aim to Attract Cybersecurity Talent
Efforts to solve this problem are already under way. As part of the Federal Cybersecurity Workforce Assessment Act, passed in 2015, the Office of Personnel Management is working with agencies on new job coding and a consistent framework for identifying and organizing cybersecurity roles. With tighter budgets, a new framework would help eliminate overlap and ensure that people are focused on the most critical areas.
“It gives greater granularity and definition to the different types of roles and skill sets that might be needed,” says Gregory Wilshusen, director of information security issues at the Government Accountability Office.
Berteau also expects the increased use of outside contractors to pick up the slack. But even then, agencies need in-house experts to manage those contractors and ensure they’re doing the work.
Another possible solution for agencies is to funnel more cyberexperts into the pipeline. The CyberCorps: Scholarship for Service program covers up to three years of undergraduate or graduate tuition for computer science students who commit to working a year in federal government cybersecurity for each year that they received financial support.
Almost 300 students move into federal jobs annually, says Victor Piotrowski, the CyberCorps program director. The National Science Foundation oversees the program.
Congress has proposed expanding the scholarship to more community colleges, Piotrowski says. The 2018 federal budget request, however, would cut the current $55 million annual appropriation for CyberCorps to $40 million, he says.
“We know that you cannot solve cybersecurity problems just on the technical layer,” Piotrowski says. “We have to have humans doing this.”