In the race to attract cybersecurity experts to protect the government’s computer networks, the Department of Homeland Security has a handicap money can’t fix.
Navigating the federal hiring system takes many months, which is too long in the fast-paced tech world.
“Even when somebody is patriotic and wants to do their duty for the nation, if they’re really good they’re not going to wait six months to get hired,” said Mark Weatherford, the former cyber chief at DHS.
After a spate of national security leaks and with cybercrime on the rise, the department is vying with the private sector and other three-letter federal agencies to hire and retain talent to secure federal networks and contain threats to American businesses and utilities.
Phyllis Schneck, the former chief technology officer at security software company McAfee Inc who succeeded Weatherford in August, asked a U.S. Senate committee for help.
“The hiring process is very, very difficult,” she said.
Cyber experts can command higher salaries – in some cases up to six figures more – at private companies, Schneck said, but national security offers a “higher calling” and valuable experience.
“People say the good talent doesn’t come because we can’t pay them,” she said. “We could actually use our mission to outdo some of those salaries they’re offered. But we have to have the flexibility and some additional competitiveness to bring them inside.”
TATTOOED TALENT NEED NOT APPLY
The Homeland Security Department, created after the Sept. 11, 2001, attacks, is playing catch-up with the Pentagon’s larger and more established cybersecurity operations at Cyber Command and the National Security Agency.
Not only does DHS lack the enhanced hiring powers of its military counterpart and the agility private companies offer, but the rigid bureaucracy of the 240,000-employee agency can foster an inside-the-box culture.
“There’s a lot of really smart, scary cybersecurity professionals out there who also happen to have pink hair and tattoos,” said Weatherford.
But you won’t find them at DHS, which also is averse to hiring cyber experts without a college degree, he said.
“Some of the smartest and most talented people I know in this business don’t have a degree,” said Weatherford, who left the agency a year ago for the Chertoff Group consulting firm, founded by a previous DHS secretary, Michael Chertoff.
DHS Secretary Jeh Johnson, who took office in December, has promised to get personally involved in recruiting and make “new hiring and pay flexibility to recruit cybersecurity talent” a legislative goal.
Specifically, DHS wants the secretary to be able to make direct appointments and reform job descriptions and requirements for certain cybersecurity positions, and to set salaries and offer additional incentives, a department official said.
At a Senate Homeland Security and Governmental Affairs Committee hearing on March 26, ranking Republican Senator Tom Coburn assured Schneck, “we’re going to get you the capability to hire the people you need.”
Coburn and Democratic Chairman Thomas Carper are working on a measure to help DHS boost its cyber workforce by giving it the same hiring and compensation powers as the Defense Department, a committee aide said.
The federal government follows a strict hiring protocol that includes a long application, background check and in some cases a security clearance. It can take from a few months to more than a year, said Max Stier, president of the nonprofit Partnership for Public Service.
The onerousness of the process is “true for cyber, and it’s true for every mission-critical occupation that the government has,” he said. Nevertheless, the problem is especially acute in a fast-moving, well-compensated field like cybersecurity, where the qualified can write their own tickets.
The mission could scarcely be more critical. Security lapses at government agencies can lead to such diplomatic and national security crises as the fallout from revelations of former NSA contractor Edward Snowden and WikiLeaks’ release of State Department cables obtained by U.S. soldier Bradley Manning.
A recent RAND Corp study found that “the ability to stage cyberattacks will likely outpace the ability to defend against them” and that cybercrime can be more lucrative than the illegal drug trade.
Experts say Homeland Security doesn’t have to wait for legislation.
“It’s self-inflicted damage, it’s not that they need something from Congress,” said Alan Paller, co-chairman of a task force DHS set up two years ago to recommend ways DHS could improve its cyber force.
DHS can bypass time-consuming security clearances and fight cyber attacks more efficiently by declassifying work that is not secret, said Amit Yoran, a senior vice president at security company RSA who held top DHS posts in the George W. Bush administration. He warned lawmakers about the hiring problems in 2009.
“I called this out as a key issue or critical issue, which I don’t think is solved,” he said.
The department works daily with companies and utilities to secure computer networks for water systems, the electric grid, financial, commercial, agriculture and healthcare services.
Weatherford said that work was “99.99 percent unclassified,” but since it was performed in a classified DHS facility, it had to be labeled secret.
IF YOU CHALLENGE THEM, THEY WILL COME
Also, the agency still tends to award outside contractors the most coveted cyber jobs, including those for forensics investigators and intrusion malware and detection engineers who understand how attacks work, said Paller.
“The good technical people want to go to work where they will grow,” Paller said. “It’s especially true in this field because the bad guys are changing the game all the time.”
In the fall of 2012, the task force recommended hiring cyber experts with advanced technical skills as part of a specialist corps with enticing missions and growth potential.
DHS spokesman S.Y. Lee said the department offers strong cybersecurity career paths, including scholarship, fellowship and internship programs to attract and keep top talent.
The task force recommended DHS have 600 federal workers in cybersecurity positions that have certain mission-critical skills. DHS then did a review and identified 1,500 such positions.
But Paller, founder of the SANS professional cybersecurity training institute, said very few of the people in them have the advanced technical skills needed to carry out DHS’ mission of protecting the federal government’s computers.
“Right now, I don’t think they can,” he said.
DHS has fended off calls over the years, including from Republican Senator John McCain, to transfer its cyber operations to the larger and better-resourced Pentagon, which aims to have a 6,000-member cyber force by 2016.
Schneck, who holds seven information security patents and clearly impressed senators at last month’s hearing, appeared sensitive to that history.
“For all those skeptics, I want to say I walked into one of the finest teams on the planet,” she said.
(Additional reporting by Jim Finkle in Boston; Editing by Prudence Crowther)