White House hints at new cyber policies

The White House is poised to begin acting on recommendations that came from its first cybersecurity directive, issued last May, a top cybersecurity policy official said.

"The series of reports [required under Executive Order 13800] are almost all in,” Tyson Meadors, director for cybersecurity policy at the National Security Council, said at AFFIRM’s March 8 cybersecurity summit in Arlington, Va. “Now we’re starting to look at how do we enact those recommendations. … I’m almost certain you’re going to see stuff that reflects those recommendations in the next month, or month and a half, that directly reflect some of those reports."

The cyber executive order outlined several different strategic goals for the federal government. Meadors and other cybersecurity experts at the summit, however, stressed that the cybersecurity workforce is the linchpin needed to hold all those efforts together.

Meadors' comments came just a day after lawmakers pressed Department of Homeland Security officials how they plan to account for gaps in that agency's cybersecurity workforce, following a critical watchdog report on DHS' efforts.

DHS is required by a 2014 law to classify and code its cybersecurity positions, so it can better keep tabs on positions of need within the department. These job codes are used to define roles and specific tasks for cybersecurity duties at the department, including key back office work such as program management and system administration. The law also requires the agency to identify and report its most critical workforce needs for future planning.

DHS reported to Congress in August it had completed the coding for 95 percent of positions but according to the Government Accountability Office, that number was closer to 79 percent. The discrepancy was caused by DHS’s exclusion of vacant posts in its tally, GAO said.

"DHS cannot bring people into the hiring pipeline if it doesn't have accurate accounting of what needs are," Rep. John Ratcliffe (R-Texas) said at a March 7 joint hearing of the House Homeland Security Cybersecurity and Infrastructure Protection and Oversight and Management Subcommittees.

Gregory Wilshusen, GAO's director of information security issues, described DHS as consistently behind schedule on carrying out the law’s requirements, noting it was 13 months behind on updating its procedures to identify positions and assign employment codes, and 23 months behind on actually assigning employment codes.

Rep. Scott Perry (R-Pa.) said these cyber-related shortcomings are "emblematic of the systemic hiring issues continuing to plague the department."

Angela Bailey, chief human capital officer at DHS, testified that while not all of the positions are yet coded, the department has identified all of its filled cybersecurity positions and mapped them to the critical need areas in NIST's cybersecurity workforce framework. She also testified that by the end of April, "this department will have all of its cyber positions coded on a three-digit code."

However, Bailey noted that DHS personnel operations are still hamstrung because the new coding framework and old personnel system "aren't actually matched together."

"If we're going to do all this work over here on a 21st century code, which makes absolutely perfect sense, it makes no sense to me whatsoever that we have to turn around and try to recruit, hire, retain and pay people on a system that was designed in the 1940s,” she said.

DHS has had problems with talent management systems in the past. John Roth, then inspector general at DHS, last summer said the department’s $24 million workforce training and management system "literally meets GAO’s textbook definition of 'waste.'"

However, it's not just technical matters that challenge the department’s ability to fill cyber talent. Rita Moss, the director of the National Protection and Programs Director's office of human capital, testified that NPPD has made more than 500 cyber hires over the last two years, but attrition has cut into that number.

"Although hiring is occurring, attrition is also occurring," she said, adding that NPPD is looking to hire more interns and younger cybersecurity specialists to "help shape our workforce."

Nor is DHS alone in its struggles to staff key cyber positions. At the March 8 AFFIRM event, Federal Deposit Insurance Corp. CIO Howard Whyte said his agency is now considering engineers and other technical specialists as candidates to be trained and converted into cybersecurity experts. 

Trent Treyema, the cyber readiness section chief in the FBI's cyber division, said his agency is similarly looking to cross-train technically inclined investigators and agents in order to fill cybersecurity rolls.

The FBI also is looking to lure back former employees, and now keeps track of cybersecurity specialists when they leave for the private sector. The agency used to view such alumni as non-starters for subsequent openings, Teyema said, but is now "keeping in touch" and maintaining a queue for re-recruitment.