Bill aims to codify federal cyber personnel rotation program

Nearly 50 percent of cybersecurity jobs in the United States go unfilled, 2019 think tank study concluded

Rep. Ro Khanna told CQ Roll Call that “it would be very attractive for someone” to rotate among federal agencies as a cybersecurity expert. (Tom Williams/CQ Roll Call)
Rep. Ro Khanna told CQ Roll Call that “it would be very attractive for someone” to rotate among federal agencies as a cybersecurity expert. (Tom Williams/CQ Roll Call)
Posted September 28, 2021 at 7:00am

New legislation making its way through Congress could offer some respite to U.S. agencies struggling to fill cybersecurity positions amid a global shortage of talent.

A bipartisan bill backed by Reps. Ro Khanna, D-Calif., and Nancy Mace, R-S.C., would establish a rotational program for cybersecurity personnel in federal agencies allowing them to move from one department to another. The idea of rotating cyber professionals through agencies began in the Senate version of the bill backed by Sens. Gary Peters, D-Mich., and John Hoeven, R-N.D. that already cleared the chamber as part of the Senate’s innovation and competition legislation.

While fully meeting the cybersecurity needs of federal agencies by hiring enough experts to fill all the positions would require mounting an effort as vast as the Manhattan Project, the bill “takes a step in that direction,” Khanna told CQ Roll Call in an interview. (The Manhattan Project was the program that developed the first U.S. nuclear weapons during World War II.)

The legislation would ensure that cyber professionals rotate through agencies, helping departments understand practices in other agencies, Khanna said, adding that the House is likely to pass the bill early next month.

The opportunity to work in different federal agencies could also be a recruiting tool “because it would be very attractive for someone to come to the federal government, and not just in one agency, but they get to go through all of the agencies” and gain substantial experience before going to the private sector, Khanna said.

Several administrations over the past 20 years have tried to address the overall cybersecurity gaps in government and have achieved only limited success.

The Government Accountability Office, which has been assessing federal cybersecurity risks since 2010, has made more than 5,000 recommendations on what federal agencies should do to address their myriad cyber risks.

Despite spending more than $100 billion annually on cybersecurity efforts, federal agencies still needed to come up with a comprehensive strategy and protect cyber critical infrastructure, the GAO found in March.

'Brand is damaged'

Not only does the federal government struggle to compete with the private sector in hiring cybersecurity experts, but different agencies within the government also face a greater challenge.

While the overall federal cybersecurity workforce grew by 7.85 percent between 2016 and 2020, some departments saw their pool of cyber employees shrink during the same period, Max Stier, president of the Partnership for Public Service, told lawmakers in July.

The Agriculture and Labor departments, for example, saw their cyber workforces decline between 2016 and 2020, Stier said.

Federal agencies also face a challenge in hiring talented people because of recent government shutdowns and hiring freezes stemming from political maneuvering in Congress, Stier said. “The federal government’s brand is damaged,” he said, also blaming negative rhetoric about government work.

Federal cyber employees also are predominantly male and older compared with the overall composition of federal employees as well as the composition in the private sector, Stier said.

As the scale, scope and sophistication of cyberattacks continue to rise, the demand for cyber professionals far outstrips supply.

The Center for Strategic and International Studies in 2019 estimated that nearly 50 percent of cybersecurity jobs in the United States go unfilled and that the global shortage of unfilled cybersecurity positions would reach about 1.8 million by 2022.

“Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for highly-skilled technical staff,” the CSIS report said.

People with expertise in detecting intrusions, developing secure software and mitigating attacks were the “most difficult skills to find” among cybersecurity operators, the report said.

'Strategic asset'

In August, President Joe Biden noted that the workforce hasn’t kept pace with growing demands. He said about half a million cybersecurity jobs remain unfilled across the country.

The idea of rotating cyber professionals from one federal agency to another began in the Obama administration and was one of the few proposals that was supported by the Trump administration, Khanna said.

In May 2019, President Donald Trump issued an executive order to strengthen the federal cybersecurity workforce, calling it a “strategic asset” and saying the administration intended to improve the mobility of personnel across the federal government.

The order called on the Office of Personnel Management to “establish a cybersecurity rotational assignment program” that would create a “mechanism for knowledge transfer and a development program for cybersecurity practitioners.”

Khanna said the legislation he is co-sponsoring aims to codify in law what previous administrations had attempted to do through executive orders.

The congressional Cyberspace Solarium Commission in its March 2020 report also called for creating a new cyber civil service that would further allow cybersecurity professionals to move across departments.

The civil service would be “a system of established cyber career paths that allows movement between departments and agencies and into senior leadership positions,” the commission said.

“We are definitely exploring that as the next option,” Khanna said.