In order to attract the highly skilled and qualified cybersecurity workers the Department of Homeland Security needs to fulfill its mission of protecting government computer systems and overseeing the security of critical infrastructure systems, DHS has to reserve its coolest cybersecurity jobs for federal workers, not contractors, according to a task-force report submitted to DHS this month.
This means, in part, hiring at least 600 new cybersecurity professionals, including ones who have proven, hands-on experience to take on critical tasks, the task force recommended in its 41-page report (.pdf).
Furthermore, the government needs to focus less on professional certifications in making its hiring decisions and more on real-world experience and expertise. To do this, it needs to build a system for actively measuring these skills, such as one that is currently used for testing pilots, the group said.
The group noted that pilots undergo situational testing that becomes more complicated as their skills increase, such as placing them in conditions where the weather deteriorates or where systems malfunction, in order to test them under duress.
“The result is a continuous improvement in pilot competency and proficiency,” the task force wrote in its report, noting that pilots must pass proficiency exams “not once but regularly — as often as every six months for some pilots — in order to keep their jobs.”
“The standards are strict because people’s lives depend on these professionals doing their job effectively,” the group noted. “Certainly the risks of malicious actors penetrating the computer systems of America’s power systems, or hostile nations stealing U.S. military and economic secrets, rises to a similar level of urgency.”
The task force, composed of 15 people, was co-chaired by Alan Paller, director of research at the SANS Institute, a cybersecurity training institute, and Jeff Moss, a former hacker and founder of the BlackHat and DefCon security and hacker conferences. Moss is currently chief security officer at ICANN — which helps oversee the internet domain name system and the maintenance of other core parts of the global internet.
Known as the Homeland Security Advisory Council Task Force on CyberSkills, the group was set up in July upon the request of DHS Secretary Janet Napolitano to develop a plan to attract workers with high levels of cybersecurity skills who can fill major gaps in the DHS’s workforce. The task force consulted with outside experts from private industry, academia and government to compile its recommendations.
“This is all about getting better people,” DHS Deputy Secretary Jane Holl Lute told Wired. “The people we have are great. But we need people with better skill sets…. We really need people with cutting-edge, highly technical and sophisticated skill sets. We’re not going to pull them out of the air. We’ve got to deliberately focus on creating systems that generate people with those skill sets willing to serve in the public sector.”
But the number of people who have these skills are limited, and competition from the private sector to hire them is fierce.
To attract the right workers, therefore, the task force recommended first identifying a list of critical-mission jobs that need to be filled — penetration testers, security engineers and coders, malware and intelligence analysts, incident responders and advanced forensic analysts — and then finding ways to attract and retain them.
This includes streamlining the convoluted hiring process for government workers and reserving the most interesting and challenging cybersecurity jobs — such as penetration testing and reverse engineering — for government workers, instead of hiring contractors to fill them.
“If you want the best people to stay, you also have to have the best jobs to attract them — ‘cool jobs’ that are exciting, challenging, and offer a path for growth in skill and responsibility,” the task force noted.
It also includes providing workers with the right tools and laboratory environments to help challenge them and keep them stay proficient in their jobs.
Lute agreed with the task force that proficiency testing will be a crucial part of making sure that workers can meet the demands of critical-mission jobs.
“We don’t want to just put you in a program, send you out at the other end, hand you a sheepskin [certificate] and say you’re qualified,” she said. “We want to have proficiency, professional-level testing against peer-reviewed standards that say this is world-class talent.”
The task force noted that one of the biggest obstacles to attracting highly skilled workers to government positions is the salary gap that exists between federal and private-sector jobs.
Asked about the salary issue, Lute said the government shouldn’t try to compete with the private sector in that regard.
“I don’t know that you have to pay what they would get in the private sector,” she says. “The model is to appeal to that piece of you that wants to connect to meaning, that wants to give rewarding work and have an opportunity to add value and to feel valued. Not everybody who joins the government plans to make it their lifelong career….[I]f money is their chief primary motivator, the private sector is their better answer for that.”
The task force acknowledged that people who enter public service generally don’t expect to earn the highest salaries and are more often driven by an interest in service and the chance to do something unique. But even these people will leave their government job if it offers a lackluster career path.
One way to combat this is to establish an attractive career path with opportunities for growth and challenging work so that employees see a future in their job, and to create a more supportive work environment that engages highly skilled workers in developing the direction of their work as well as the growth of others, so that they feel valued.
“People are much more likely to stay in federal service if they feel that they are doing unique work and have unique opportunities, are in service to something bigger than themselves, and believe that the people and the system they work for care about their long-term careers,” the task force writes.
To augment the work that DHS employees will do, the task force also advised building a reserve army of cybersecurity specialists — inside and outside government — who can be called upon in times of emergency, akin to the National Guard, to help address attacks against critical infrastructure and other cyber crises.
The group acknowledged, however, that a number of legal, privacy and practical issues would need to be resolved to make such a program viable.