Feds look to get creative about cyber hiring

Policymakers are keeping an open mind when it comes to improving the cybersecurity workforce.

weak link

It's no secret that the federal government is desperate to add more cybersecurity talent to its workforce. The difficulty is in figuring out how.

According to a May 2017 report from the Center for Cyber Safety and Education, "traditional recruitment channels are not meeting the demand for cybersecurity workers" across the economy fast enough to close an expected global shortage of 1.8 million qualified personnel by 2021.

At a Dec. 5 cybersecurity conference in Washington, D.C., acting Federal CIO Grant Schneider said White House IT modernization initiatives like shared services and cloud computing are considered a way to automate some functions and reduce the number of highly skilled information security personnel the federal government relies on.

"We're never -- certainly in government and also in industry -- going to be able to get the workforce we need … to defend all of these different systems," Schneider said. "Quite frankly, we just end up stealing each other's employees."

Schneider told FCW that congressional authority to offer higher pay rates to cyber workers and loosening rules to allow lower level personnel to more easily move between public- and private-sector jobs is also needed.

"I'm not saying throw the ethics rules away…. I think there are ways we need to be more flexible and make sure that we've got the firewall in place," Schneider said.

Michael Daniel, former White House cybersecurity coordinator during the Obama administration, told FCW that increased automation within the federal government could also reduce the surface area for human error across the workforce.

"We have to get humans out of the business because having humans sitting there going through large reams of data is not the most effective use of their time and skill," he said.

However, there is also evidence that even a marginal bottom-up improvement in cyber hygiene within the existing federal workforce may have a greater cumulative effect in protecting systems than hiring more specialists. In a September 2017 survey, federal CIOs ranked vulnerabilities associated with human error, as well as malware and phishing attacks directed at their employees, as higher cybersecurity concerns than cyber criminals, ransomware, internet-facing cyberattacks and the technology supply chain vulnerabilities.

During his panel, Daniel said that when looking at the large number of data breaches that have occurred in the private and public sector over the past few years, a common theme emerges.

"If you pull up any one of the [after-action] reports, you'll see that the overwhelming majority of intrusions rely on known, fixable vulnerabilities. So, the bad guys are getting into a hole that we know about, that we also already know how to fix and probably could have fixed years ago," said Daniel, now president of the Cyber Threat Alliance.

As former federal chief information security officer under the Obama administration, retired Air Force Brig. Gen. Greg Touhill frequently emphasized improving the government's posture around basic cyber hygiene. He told FCW that building a system of accountability and ownership among non-technical feds where both carrots and sticks are clearly communicated can help address some of the low-level human-error cyber problems that plague the federal government.

While successful federal managers will focus more on rewarding good behavior than punishing transgressions, devising a system with clear expectations is key.

"I think it's really important that if you do have rewards and consequences … you need to follow through," Touhill said. "It's like being a parent: if I tell you don't touch that [over and over], the consequence is you get burned. There has to be consequences for folks that fail to perform at acceptable levels."