Closing The Cybersecurity Gap In GovernmentIn the face of unrelenting threats to systems and networks, federal agencies must find ways to attract qualified workers and develop new skills internally.
Across the federal government, agencies are grappling with a shortage of cybersecurity pros who have the skills to protect their computers and networks from relentless, and increasingly dangerous, forms of attack. The Department of Homeland Security and the Air Force received authority to expedite the hiring of almost 1,700 cybersecurity pros over the next two years, but fast-track hiring is a stopgap solution. The long-term answer requires new training programs and better ways of attracting and retaining employees with the sought-after skills.
At a recent cybersecurity workforce conference at the National Institute for Standards and Technology's offices in Gaithersburg, Md., chief information security officers and other government IT managers identified a range of related issues: a confusing morass of certifications; HR processes that identify candidates based on buzzwords, not bona fide experience; drawn-out hiring and security-clearance processes; federal mandates that push unqualified people to the front of the hiring line; and competition with the private sector for job candidates.
Given the scope and urgency of the challenge, cybersecurity workforce development has become a key IT initiative of the Obama administration and, government officials say, one of the top priorities of White House cybersecurity coordinator Howard Schmidt.
Cybersecurity education and workforce development were addressed in the Bush administration's Comprehensive National Cybersecurity Initiative, and in April that work was folded into a broader effort called the National Initiative for Cybersecurity Education, led by NIST's Dr. Ernest McDuffie. Two elements of NICE deal explicitly with the federal cybersecurity ranks, one with workforce structure and the other with training and professional development.
"We've got a problem of where the next generation of engineers are going to come from," McDuffie says. "Awareness, education, workforce, and training all have to come together." NICE is still in the early going. McDuffie and team are identifying program goals, timelines, and performance metrics.
In fact, the problem is even more fundamental. The feds have long had difficulty describing the job of cybersecurity specialists, so the Office of Personnel Management, the government's HR department, is working to provide new guidance around cybersecurity job classifications, hiring, and performance management.
Much of OPM's work so far has been gathering information and developing draft policies. OPM and its auditors have found cybersecurity pros working in as many as 18 different federal job "series," or groups of formally defined jobs. They're mulling whether the cybersecurity workforce needs its own series to help define and track the cybersecurity workforce. OPM is also assessing whether hiring authorities and practices need to change, says Maureen Higgins, OPM's assistant director for agency support and technology assistance.
Working groups earlier this year began redefining competency models--the key roles and responsibilities of jobs--for cybersecurity pros in government. "The end goal is that OPM will be able to develop and implement strategies that will allow agencies to attract, hire, and retain the skilled employees they need to accomplish their cybersecurity missions," Higgins says. OPM plans to release the new competency models in December.
The Department of Defense is revising its policy for cybersecurity workers, Directive 8570, which outlines the structure and definition of different cybersecurity jobs, describes training requirements and lists DOD-approved certifications. DOD's updated policy will clarify cyber law enforcement and counterintelligence roles, standardize skill and competency levels, facilitate training and professional development, and potentially include practical, hands-on exam requirements.
"We want to do something that reflects a workforce that is trained and qualified with actual capabilities and competencies and not just a rote exam," says John Mills, DOD's special assistant for the Comprehensive National Cybersecurity Initiative. "There's some divisiveness here, so we're trying to get to what makes sense."
Supply And Demand
Beyond defining roles in the cybersecurity workforce, hiring and retaining talent is a tall order. Ed Giorgio, co-founder of cybersecurity services firm Pontetec and former chief code breaker and code maker at the National Security Agency, says even NSA is hard-pressed to hire enough computer scientists to meet its needs. At civilian agencies, many people with responsibility for cybersecurity are "liberal arts majors" who write policy rather than IT staff on the cyber front lines, Giorgio says.
IT contractors who work for government agencies face some of the same issues. "We've got a lot of people working on these contracts who should be technical and are not," Giorgio says. "When you look at the performance on the job, there's a very small percentage of the people doing the key work."
The shallow talent pool leads to cybersecurity experts jumping from company to company and from job to job, leading to "lost continuity" on projects, Giorgio notes. "The government has a contractor working on a key development project, and all of a sudden they find out he's gone, taking what he knows with him."
Attracting experienced cybersecurity pros to government work is the bigger challenge, however. Hiring backlogs for cybersecurity pros are as long as a year at the Air Force District of Washington, an Air Force unit based at Andrews Air Force base in Maryland.
The Army's Resumix resumé-processing system is intended to facilitate hiring, but such automation too often leads to mismatches between cybersecurity job openings and candidates with only rudimentary skills. Attendees of NIST's NICE event complained that the government's Priority Placement Program, which gives priority to military veterans and certain other federal employees, too often pushes unqualified names into the job queue.
Ways around such obstacles include getting direct hiring authority or designating cybersecurity workers as Schedule A priorities, which requires OMB approval. Schedule A, often associated with hiring disabled workers, is also used for filling critical capability gaps and shortens the process to hire candidates by removing some of the HR barriers. Homeland Security and the Air Force are using Schedule A for some of their new cybersecurity hires.
Security clearance for job applicants can be a hurdle at places like Homeland Security, DOD, and intelligence agencies, where much of the federal cybersecurity workforce resides. The clearance process can take months and discourages many would-be applicants from moving forward. It took Bruce Potter--Giorgio's well-qualified business partner--two years to get government clearance. Many applicants simply opt out of that process.
"The military has to be able to hire the kid with weird piercings and strange hair," says Steven Bucci, associate partner and lead for IBM's cyber global leadership initiative. "It has to break this 1950s hiring process, or we won't have a good answer to this."
Closely related to hiring is cybersecurity training--expanding the workforce through education, skills development, and certification. Government agencies can fill positions from within by giving employees the necessary training or, as programs like NICE kick in, choose from an expanding pool of skilled professionals.
Many cybersecurity certifications are available. Among the most popular are CompTIA's Security+ and (ISC)2's Certified Information Systems Security Professional (CISSP), which are designed to demonstrate competency in a breadth of areas. There are also more narrowly focused certs, such as the SANS Institute's Global Information Assurance Certifications, covering areas like security management and IT auditing. Cisco and other vendors also have certification programs, and a few agencies, including the DOD, have their own internal certifications.
Cybersecurity programs range from certifications gained through multiple-choice tests to undergraduate and graduate programs. The University of Maryland University College recently began offering BS and MS degrees in cybersecurity, as well as a master's degree in cybersecurity policy. The curriculum includes a virtual lab, where students learn how to defend against cyberattacks and receive instruction on the psychology of cyberterrorists.
Some federal agencies have their own training programs. The State Department has been providing role-based, instructor-led cybersecurity training for 12 years; it trains more than 1,000 employees annually in areas such as public key infrastructure.
The State Department's Federal Virtual Training Environment (FedVTE), which is in development, will be made available to other agencies by November, said Susan Hanshe, an Avaya contractor involved in cybersecurity training at the State Department, in a presentation at August's NICE conference. FedVTE includes 800 hours of online cybersecurity training material, mostly recorded lectures from Carnegie Mellon University, and a hands-on lab. FedVTE grew out of work at DOD to train staff, and the State Department's Foreign Service Institute, with funding from Comprehensive National Cybersecurity Initiative, will now make that content more widely available for free, rather than for a fee, as before.
In July, the State Department helped stage the first Federal Cybersecurity Training Exercise. Sixty people from 26 agencies were put through a red team-blue team exercise to spot cyberintrusions. A follow-up exercise will take place this fall.
The State Department is also joining with the Department of Agriculture, National Defense University, and the Air Force on a virtual world-style education program. Virtual training is already happening elsewhere. The Naval Postgraduate School's CyberCIEGE is a game where players operate and defend networks, managing risk with various technologies and defending against a range of attack scenarios.
Homeland Security has been given the authority to use a streamlined process to hire 1,000 cybersecurity pros by the end of 2012, and some of those new hires will end up at the agency's National Cyber Security Division, home of US-CERT.
Now in its third year, the National Cyber Security Division employs about 300 cybersecurity pros and 630 contractors. The division's programs for workforce development include on-the-job training, NCSD-specific modules in FedVTE, instruction through the Federal Cyber Training Exercise program, and mentoring.
DHS plans to expand a program co-sponsored with NSA called the National Centers of Academic Excellence, which provides scholarships and grants to students studying cybersecurity at more than 100 colleges and universities.
"There's no silver bullet," says NCSD director Bobbie Stempfley. "The issues we're facing at a technical, analytical, and policy level are very complicated, so we have to have a rounded approach, give workers the experiences they need, and help them answer more complex questions and respond to more complex interactions as they go on."
Oversight And Compliance
The Navy, too, has efforts under way to train cybersecurity workers, including continuous learning initiatives; virtual exercises called the Systems Administration Simulators Toolkit that occur in "realistic and secure environments"; establishment of a cybersecurity workforce oversight and compliance council; and Navy Credentialing Opportunities Online, which lays out which commercial certifications map best to Navy requirements. The Naval Postgraduate School also offers the Information Systems Security Engineering Certificate, which qualifies workers for DOD cybersecurity work.
As these programs demonstrate, federal agencies are working across the board to close the cybersecurity skills gap, both by hiring from the outside and developing new skills sets internally. Given the stakes involved, the sense of urgency is warranted.