Government cybersecurity practices remain hobbled by rigid human resources policies that must be changed if agencies are to more effectively recruit, train, and keep talented IT professionals, a group of experts said at a forum on cybersecurity.
"We spend a lot of time in the CIO Council talking about the lack of flexibility in hiring," said Karen Britton, special assistant to the president and CIO, Executive Office of the President.
"We're trying to get out in front" in describing the IT security skills agencies are looking for, but "we do rely on HR for position descriptions," and often, the processes for defining and recruiting IT talent don't yield the results agencies need.
Britton made the remarks May 15 at a forum hosted by the Association for Federal Information Resources Management (AFFIRM) and the US Cyber Challenge, a group attempting to develop future cybersecurity talent.
Gregory Wilshusen, director of information security issues at the Government Accountability Office, agreed. "[We have] the government hiring practices of the 1940s and '50s in the 21st century," he said.
Within the broad term "hiring practices," there is a whole range of issues. Wilshusen said part of the problem has been that agencies such as the Department of Homeland Security, the National Institute of Standards and Technology, and the US Office of Personnel Management, among others, have not had a common terminology for positions or a common expectation of the skill sets that a given position should include. The National Initiative for Cybersecurity Education, or NICE, program being led by NIST is "beginning to coalesce" these differences into a shared definition, Wilshusen said.
The length of time it takes to fill a position, which can stretch out for months, and the challenges even government-savvy candidates face in completing the necessary paperwork, are part of the problem. The lack of autonomy in government jobs -- real or perceived -- is seen as another challenge.
Another is that many of the most skilled cybersecurity people don't always fit the profile of individuals agencies typically look for: They may be college dropouts, or they may have gotten in trouble in the past for hacking exploits, which often disqualifies them from consideration, even though they might have the ideal experience for certain jobs.
Steve Bucci, former deputy assistant secretary for homeland defense and defense support of civil authorities at the Defense Department, said one of the biggest unnoticed consequences of the classified data leaks by former NSA contractor Edward Snowden is the harm done to agencies' ability to hire "non-standard" people, who may not have college degrees but who have superior computer skills.
And, of course, there's the pay issue. David Bray, CIO of the Federal Communications Commission, said that when he's trying to recruit someone in IT, he tells them, "We can't pay what the private sector does," but that they will have a compelling mission they can find fulfilling.
Bray said his agency is using its ambassadors program, which brings in contractors from outside Washington, D.C., for a maximum of 120 days, to get new perspectives and fresh ideas. He suggested that perhaps the government could have a "reserve corps" of cybersecurity professionals, former ambassadors who have returned to the private sector, on call for cyber emergencies.
Robert Childs, former chancellor of the National Defense University's Information Resources Management College, said that Singapore could be a model for US practices. Children "learn cyber hygiene in elementary schools," he said. Here, though, "children, Millennials, don't care about cyber... the young people have the skills," but not the knowledge of sound policy and governance.
Bucci added that just getting employees to follow the cybersecurity policies already on the books would help -- and that has to include the bosses.
"If the boss isn't doing it, no one else will," he said.
Wilshusen said many federal agency leaders are starting to understand the importance of recruiting better talent. "The incidents reported to US-CERT have more than doubled in the past four years." But it's going to take more than just agency leaders recognizing the problem.
Childs pointed to previous cyberattacks, including when attackers shut down much of Estonia's electronic infrastructure in 2007 and another on the Saudi national oil company Aramco in 2012, as acts of cyber warfare. The war between Russia and Georgia in 2008 was the first demonstration of "cyber (attacks) combined with kinetic attacks," he said.
Bucci said the US military comes closest to understanding and preparing for these kinds of orchestrated attacks. "But in a [military] exercise, add the cyber component and the exercise comes crashing to a halt within a couple of hours," he said. The leaders of the exercise will usually insist on shutting down the cyber component so they can continue, even though they won't be able to do that on a real battlefield, he said.
Washington-based Patience Wait contributes articles about government IT to InformationWeek.