A Senate committee on Wednesday advanced legislation that would empower the Homeland Security Department to pay DHS cyber recruits as much as Pentagon computer security professionals. There is a shortage of skilled computer security employees at many civilian agencies with heavy cyber responsibilities.
The bill could help DHS compete with the private sector and the U.S. military for scarce talent, say backers in the Homeland Security and Governmental Affairs Committee, which passed the measure by a voice vote.
But some cybersecurity specialists advising Congress say the bill could be abused to boost information technology hiring that doesn't fill information security staff shortages.
It has happened before.
In 2010, then-Homeland Security Department Secretary Janet Napolitano said her department had been granted direct hire authority to add 1,000 new cyber professionals over three years so it could compete with the Defense Department. However, DHS IT managers hijacked that license, to hire people without cyber skills for regular IT roles, said Alan Paller, director of research for the SANS Institute.
The Senate bill "included no controls that would stop a repeat of the misuse of hiring authorities," Paller told Nextgov on Wednesday.
An eligible position, according to the legislative text, would be one that "performs, manages, or supervises functions that execute the responsibilities of the department relating to cybersecurity.”
Under current law, Defense can make direct appointments for cyber positions, set rates of basic pay, and provide additional compensation, benefits, incentives, and allowances. Committee members say those authorities give Defense and its Nationals Security Agency an unfair recruiting and retention advantage.
The Senate proposal would provide DHS matching authorities so the department can hire at the same clip and salaries as NSA and other military components, proponents say.
An amendment agreed to on Wednesday would mandate that Homeland Security follow guidelines by the National Institute of Standards and Technology, called the National Cybersecurity Workforce Framework. The NIST materials include a common vocabulary for cybersecurity work, a uniform classification system for job functions, and specific employment codes.
Paller said the change would not add teeth to the bill. “There is nothing in the framework that enables talent to be assessed,” he said.
The bill, however, includes many reporting and transparency requirements, committee members have pointed out.
Within a year of enactment, and every year after for four years, DHS would be required to hand Congress a "detailed report" that discusses the processes for vetting cyber candidates, giving preference to veterans, and measuring results, among other things.
The department would have to quantify progress, under the proposal.
It requires an accounting of the number of cyber employees hired for each occupation and pay grade, people placed in particular offices, and employees who leave the department.
Four months after enactment of the bill, DHS would have to give lawmakers an execution plan.
In addition, Homeland Security would have to coordinate with the Office of Personnel Management on regulations to carry out the legislation.
The Justice Department also is trying to bolster its cyber squads. The department has been granted the ability to fast-track cyber job offers through a "direct hire authority," Justice Chief Information Security Officer Melinda Rogers told Nextgov last week.