The Department of Homeland Security’s cybersecurity efforts have been been hamstrung by high-level turnover at the agency, fueled in part by the “lure of private security companies” willing to pay big bucks, according to a report this week in The Washington Post.
Citing federal statistics, The Post reported the rate of employee turnover at the department runs nearly twice as high at other agencies. Senior executives are leaving at an even faster clip.
In the span of just nine months between June 2011 and March 2012, for example, four senior cyber officials left and another retired -- all for positions at private companies.
More recently, the head of the department’s 24/7 cyber-incident reporting hub retired after a 30-year career in government and now works for Citi.
“DHS can’t keep anyone in cyber,” a former official is quoted in the piece. “They just can’t do it. You can make $150,000 protecting the nation or you can make $650,000. Which one are you going to do?’’
But DHS officials are more sanguine about the revolving door at the agency. In a letter to the editor published by The Post Wednesday, DHS Secretary Jeh Johnson said the article “disregarded” recent progress by the agency in plugging leadership gaps.
And in a speech last week at the Billington Cybersecurity Summit in Washington, D.C., -- which preceded The Post report -- Phyllis Schneck, DHS' top cyber official, highlighted a few recent hires in her department.
DHS Says It's Building Cyber Dream Team
Andy Ozment, formerly the senior cybersecurity director at the White House, and retired Air Force Brig. Gen. Greg Touhill, who most recently served as chief information officer of U.S. Transportation Command, have both joined Schneck’s “dream team” in recent months, she said.
Skepticism about DHS’ workforce is nothing new.
"I get asked a lot, 'How can the government have good people?'" said Schneck, who joined the agency last August after many years in industry, most recently as chief technology officer at software giant McAfee.
"It's not about the money," she said. "We can beat the money with the mission. At least for a few years."
In fact, when Schneck attended a conference “out West” recently and called on attendees to consider working for DHS, the “very large, well-known company” hosting the event was concerned her pitch would actually be successful in poaching talent, she said.
“So I'm really excited that that's a threat,” she added.
Cyber Legislation Still Up in the Air
The House and Senate have both passed measures designed to give DHS greater flexibility to bypass the abstruse federal hiring process in onboarding cybersecurity experts, although the two measures still must be merged to formally become law.
Broader cyber legislation spelling out the agency’s authority to carry out its work in cyberspace, however, remains to be sorted out by lawmakers.
"We have a couple of big asks," from Capitol Hill, Schneck acknowledged, including legal clarification of the agency’s role in protecting agency networks.
When the Heartbleed vulnerability was unearthed last spring, for example, DHS officials were delayed in scanning agency systems.
It took DHS more than a week to "get the legal side of some of the agencies to be OK with it, while the technical side sweated bullets knowing that the whole world knew about this vulnerability,” she said.
Still, the spate of executive departures may make it less likely Congress would sign on to codifying -- what some lawmakers see as expanding -- DHS’ cyber role.
“It became so hard to advocate for DHS to be placed in charge and given more responsibility because people were constantly leaving,’’ a former House Homeland Security Committee aide told The Post.