|
 Navigating the federal hiring system takes many months, which is
too long in the fast-paced tech world.
"Even when somebody is patriotic and wants to do their duty for the
nation, if they're really good they're not going to wait six months
to get hired," said Mark Weatherford, the former cyber chief at DHS.
After a spate of national security leaks and with cybercrime on the
rise, the department is vying with the private sector and other
three-letter federal agencies to hire and retain talent to secure
federal networks and contain threats to American businesses and
utilities.
Phyllis Schneck, the former chief technology officer at security
software company McAfee Inc who succeeded Weatherford in August,
asked a U.S. Senate committee for help.
"The hiring process is very, very difficult," she said.
Cyber experts can command higher salaries — in some cases up to six
figures more — at private companies, Schneck said, but national
security offers a "higher calling" and valuable experience.
"People say the good talent doesn't come because we can't pay them,"
she said. "We could actually use our mission to outdo some of those
salaries they're offered. But we have to have the flexibility and
some additional competitiveness to bring them inside."
TATTOOED TALENT NEED NOT APPLY
The Homeland Security Department, created after the September 11,
2001, attacks, is playing catchup with the Pentagon's larger and
more established cybersecurity operations at Cyber Command and the
National Security Agency.
Not only does DHS lack the enhanced hiring powers of its military
counterpart and the agility private companies offer, but the rigid
bureaucracy of the 240,000-employee agency can foster an
inside-the-box culture.
"There's a lot of really smart, scary cybersecurity professionals
out there who also happen to have pink hair and tattoos," said
Weatherford.
But you won't find them at DHS, which also is averse to hiring cyber
experts without a college degree, he said.
"Some of the smartest and most talented people I know in this
business don't have a degree," said Weatherford, who left the agency
a year ago for the Chertoff Group consulting firm, founded by a
previous DHS secretary, Michael Chertoff.
DHS Secretary Jeh Johnson, who took office in December, has promised
to get personally involved in recruiting and make "new hiring and
pay flexibility to recruit cybersecurity talent" a legislative goal.
Specifically, DHS wants the secretary to be able to make direct
appointments and reform job descriptions and requirements for
certain cybersecurity positions, and to set salaries and offer
additional incentives, a department official said
At a Senate Homeland Security and Governmental Affairs Committee
hearing on March 26, ranking Republican Senator Tom Coburn assured
Schneck, "we're going to get you the capability to hire the people
you need."
Coburn and Democratic Chairman Thomas Carper are working on a
measure to help DHS boost its cyber workforce by giving it the same
hiring and compensation powers as the Defense Department, a
committee aide said.
The federal government follows a strict hiring protocol that
includes a long application, background check and in some cases a
security clearance. It can take from a few months to more than a
year, said Max Stier, president of the nonprofit Partnership for
Public Service.
The onerousness of the process is "true for cyber, and it's true for
every mission-critical occupation that the government has," he said.
Nevertheless, the problem is especially acute in a fast-moving,
well-compensated field like cybersecurity, where the qualified can
write their own tickets.
"SELF-INFLICTED DAMAGE"
The mission could scarcely be more critical. Security lapses at
government agencies can lead to such diplomatic and national
security crises as the fallout from revelations of former NSA
contractor Edward Snowden and WikiLeaks' release of State Department
cables obtained by U.S. soldier Bradley Manning.
[to top of second column] |
A recent RAND Corp study found that "the ability to stage
cyberattacks will likely outpace the ability to defend against them"
and that cybercrime can be more lucrative than the illegal drug
trade.
Experts say Homeland Security doesn't have to wait for
legislation."It's self-inflicted damage, it's not that they need
something from Congress," said Alan Paller, co-chairman of a task
force DHS set up two years ago to recommend ways DHS could improve
its cyber force.
DHS can bypass time-consuming security clearances and fight cyber
attacks more efficiently by declassifying work that is not secret,
said Amit Yoran, a senior vice president at security company RSA who
held top DHS posts in the George W. Bush administration. He warned
lawmakers about the hiring problems in 2009.
"I called this out as a key issue or critical issue, which I don't
think is solved," he said.
The department works daily with companies and utilities to secure
computer networks for water systems, the electric grid, financial,
commercial, agriculture and healthcare services.
Weatherford said that work was "99.99 percent unclassified," but
since it was performed in a classified DHS facility, it had to be
labeled secret.
IF YOU CHALLENGE THEM, THEY WILL COME
Also, the agency still tends to award outside contractors the most
coveted cyber jobs, including those for forensics investigators and
intrusion malware and detection engineers who understand how attacks
work, said Paller.
"The good technical people want to go to work where they will grow,"
Paller said. "It's especially true in this field because the bad
guys are changing the game all the time."
In the fall of 2012, the task force recommended hiring cyber experts
with advanced technical skills as part of a specialist corps with
enticing missions and growth potential.
DHS spokesman S.Y. Lee said the department offers strong
cybersecurity career paths, including scholarship, fellowship and
internship programs to attract and keep top talent.
The task force recommended DHS have 600 federal workers in
cybersecurity positions that have certain mission-critical skills.
DHS then did a review and identified 1,500 such positions.
But Paller, founder of SANS professional cybersecurity training
institute, said very few of the people in them have the advanced
technical skills needed to carry out DHS' mission of protecting the
federal government's computers.
"Right now, I don't think they can," he said.
DHS has fended off calls over the years, including from Republican
Senator John McCain, to transfer its cyber operations to the larger
and better-resourced Pentagon, which aims to have a 6,000-member
cyber force by 2016.
Schneck, who holds seven information security patents and clearly
impressed senators at last month's hearing, appeared sensitive to
that history.
"For all those skeptics, I want to say I walked into one of the
finest teams on the planet," she said.
(Additional reporting by Jim Finkle in Boston;
editing by Prudence Crowther)
[© 2014 Thomson Reuters. All rights
reserved.] Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
