Cybersecurity legislation granting its wish looks likely to fail this year.
The Homeland Security Department made a final pitch to Congress to equalize pay packages for DHS cyber professionals and their higher-paid Pentagon counterparts, as cybersecurity legislation looked likely to stall for the third consecutive year.
“This legislation takes an important step in terms of hiring and retaining personnel,” DHS Deputy Secretary Jane Holl Lute said Wednesday afternoon, referring to a White House-backed Senate cybersecurity bill that is faltering amid partisan divides.
The measure, S.3414, states that the DHS “secretary may exercise with respect to qualified employees of the department the same authority of that the secretary of Defense has with respect to civilian intelligence personnel . . . to establish as positions in the excepted service, to appoint individuals to those positions and [to] fix pay.”
DHS expects higher salaries and better benefits will provide more leverage in hiring scarce talent from competitors inside and outside government. As of last week, the Air Force reported a cyber workforce of about 17,000 personnel and the Army counted more than 21,000 information security guardians. Estimates by DHS, the Defense Department and the Government Accountability Office tallied fewer than 1,500 DHS cyber professionals compared with 66,000 to 88,000 pros Defensewide.
But any major computer security bill is unlikely until 2013, for reasons ranging from election campaigning to fears of big government, political experts say.
In the meantime, DHS is trying to get creative with existing authorities to attract new employees. For instance, Homeland Security Secretary Janet Napolitano on June 6 announced a new task force will devise workforce-building strategies such as cyber competitions, enhanced public-private programs and cooperation with other departments to “develop an agile cyber workforce across the federal government,” officials said in a statement.
Alan Paller, research director at the SANS Institute, a computer security training center, and Jeff Moss, founder of the annual Black Hat and DefCon hacker conferences, are co-chairing the advisory panel.
“They came up with the coolest solutions to the cyber manpower problem I have ever seen,” Paller said on Wednesday, declining to elaborate on the ideas because of advisory committee nondisclosure rules. “There is no doubt in my mind they will work and that they will work quickly.”
According to Paller, other members of the 15-person task force include Steve Adegbite, director of strategic cyber innovations for Lockheed Martin Corp.; Asheem Chandna, a partner at venture capital company Greylock Partners; Larry Cockell, a 20-year Secret Service veteran now serving as chief security officer at Time Warner; Mike Papay, senior vice president of cyber initiatives for Northrop Grumman Corp.; Facebook Chief Security Officer Joe Sullivan; and Rita Wells, an Idaho National Laboratory researcher who oversees industrial control system test beds.
On Wednesday, Lute, along with military and intelligence officials, spoke with reporters during a conference call about the urgency of passing legislation. Among other things, Homeland Security wants the law to clarify that DHS is the federal government’s lead agency for protecting the networks operating critical infrastructure, such as power lines and dams.
“It’s a mission we’re already performing,” she said. Lute compared critical infrastructure to the “endoskeleton of modern life.”
Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said the Senate legislation would cement DHS as the “digital front door” in cybersecurity, without preventing the military and other agencies from conducting sensitive network operations. The thinking is DHS would take the lead in partnering with critical sectors on information sharing to ensure military forces and law enforcement agents do not violate Americans’ privacy while executing their cyber missions.
Still, even if the measure passes this week before Congress adjourns for summer vacation, the House, which approved a different bill in April, would need time to reconcile inconsistencies with the Senate.
“Both bills have fallen prey to the limits of the current American political climate, where special interests and disputes over the appropriate role of government have combined to harm national security -- and, as a result, neither will do much to protect the United States from cyber threats,” James A. Lewis, a researcher at the Center for Strategic and International Studies who advises Congress and the Obama administration, wrote Tuesday in Foreign Affairs.
He lamented that neither bill will compel companies to take steps to secure their networks.
“Congress could fix this if it revised the [Senate] cybersecurity act one more time to give the federal government the ability to mandate compliance with reasonable standards when this is needed to defend the nation, but there is probably not enough time before Congress goes out of session to do this,” Lewis wrote. “Most observers believe that the United States will only get effective cybersecurity legislation after there has been a crisis and that the country will then overreact, trampling privacy and putting in place rigid requirements.”