The Department of Defense’s Cyber Command reportedly wants to quintuple its workforce, but its leader, Gen. Keith B. Alexander, told a House Armed Services subcommittee last week that the threat of furloughs is going to hamstring his ability to recruit people to defend U.S. computer networks.
The Department of Homeland Security is also trying to bulk up the staff of what DHS Deputy Secretary Jane Holl Lute calls “cyber ninjas,” but it can’t do so without Congress’ help, she told the House Homeland Security Committee last week.
On Capitol Hill, debates about cybersecurity have largely focused on how much to regulate industry and how to share threat information between businesses and the federal government. Yet Congress has a less glamorous, increasingly visible problem to address: There is a vast need for trained cyber-warriors at Defense and Homeland Security, but recruiting and training them is difficult.
The need is driven by the danger. Last week, Director of National Intelligence James R. Clapper Jr. led his annual threat assessment presented to the Senate Intelligence Committee with cyberattacks, placing that issue at the top of the agenda for the first time.
One cyber-expert, Alan Paller, said there’s a saying going around the Pentagon that “in the next war, the tanks will be people” — the kind of personnel who can dismantle a piece of malicious code but are in short supply.
“If it’s true that in the next war tanks will be people, our inability to build out is dangerous,” said Paller, director of research for the SANS Institute, a company that specializes in Internet security training.
The ability to hire talent is complicated by the sequester, as Alexander told the House Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities. It also figures to be a part of Congress’ 2013 stab at cybersecurity legislation, with one panel having already passed a bill that partially tackles the cybersecurity workforce issue.
Trying to Bulk Up
Within the federal government, among the agencies that work on cybersecurity, the vast majority of the top-level expertise is at the National Security Agency and Cyber Command — both housed within the Department of Defense — said House Intelligence Chairman Mike Rogers, R-Mich., adding, “Second place is a long way down.”
Cyber Command is considering an increase in personnel from 900 to 4,900 over the next several years, according to The Washington Post. Separately, a DHS task force concluded last year that the department needs to hire 600 new, extremely high-skilled cybersecurity personnel.
Cybersecurity jobs pay well in the private sector, which makes government recruiting difficult. By Alexander’s estimate, a company such as Google can pay a job candidate twice what he can. According to ClearanceJobs.com’s survey this year of people with security clearances, 22 percent work on cybersecurity initiatives and their pay is $101,198, well above the average.
Another problem is that some of the best candidates lack the squeaky-clean backgrounds usually needed to get a security clearance — many are self-taught hackers who have been “doing things that are shady at best and not legal at worst,” said Evan Lesser, managing director of ClearanceJobs.com.
At the same time, U.S. universities struggle to keep their curriculums current in a fast-changing threat environment, Lesser said. Paller noted that other countries, such as China, have been churning out talented cyber-warriors.
The Pain of Sequester
The current budget crunch comes at a particularly difficult time for agencies trying to staff up. “What we’re getting from some of our people, especially those who come from industry, they already take a pay cut coming to the government, and they do this because they’re patriots,” Alexander said. “The issue is they’re taking the pay cut and now we’re saying, ‘Well, you might get a pay cut again and this pay cut will be furlough, and we’re not sure how that’s gonna go or where that’s going to be.’ That uncertainty is something that truly complicates their willingness to stay with us.”
Rhode Island Rep. Jim Langevin, the top Democrat on the subcommittee that heard from Alexander, said, “DOD cyber-operations are quite literally a growth business, and it’s one of the rare portions of the DOD that will be growing indefinitely into the future.”
But the sequester, Alexander said, is another matter. Langevin said that developing the workforce is “very high on my list” of cybersecurity issues he wants Congress to address.
The House Science, Space and Technology Committee has taken one step in that direction. It approved a bill (HR 756) last week that authorizes university scholarships in exchange for federal government service and creates a task force to improve the training of cybersecurity professionals.
Top senators also have signaled that bolstering the cybersecurity workforce will be a big priority. Senate Commerce Chairman Jay Rockefeller, D-W.Va., last week said that one of the reasons the Senate needs to act on a comprehensive bill rather than focusing on passing a threat information sharing bill (HR 624) like the one in the House is because that bill “doesn’t have much about workforce.”
New Homeland Security and Governmental Affairs Chairman Thomas R. Carper, D-Del., was in charge of writing the section of last year’s failed comprehensive Senate cybersecurity legislation aimed at boosting the cybersecurity workforce.
That measure also had a scholarship-for-service provision, mandated an education curriculum program for federal cybersecurity employees and required the departments of Commerce and Homeland Security to develop national competitions aimed at ferreting out cybersecurity talent.
Even though President Barack Obama signed an executive order on cybersecurity in lieu of legislation passing in Congress, the administration is asking Congress for a few more things.
One of them is flexible hiring authority for the Department of Homeland Security, like the NSA has. Department officials have repeatedly emphasized it as one of the most important aspects of any legislation.
Paller said that “the shortage of cybersecurity skilled people makes it nearly impossible to respond to the current wave of attacks,” but there are signs of progress.
“We’re way behind,” Paller said. “But we’re not dead in the water.”