The exodus of about 20 top FBI cybersecurity leaders in the past five years is a troubling development given the serious threats faced by our election systems, financial networks, the electric power grid, and the vast trove of sensitive data held by federal agencies.
Unfortunately, the FBI’s cyber workforce predicament is emblematic of the experience across the federal government. Agencies are routinely losing out in the competition with higher-paying private-sector employers for scarce cyber talent, often lacking employees with the skills needed to detect and prevent cyber-attacks, and failing to take full advantage of the authority they have to hire and retain information security professionals.
A recent report, issued in May by the Office of Management and Budget, found that three-quarters of federal agencies lack the capability in terms of manpower, skill level and technology “to effectively detect data exfiltration attempts and respond to cybersecurity incidents.”
According to recent estimates, there were 301,873 cybersecurity job openings in the U.S. between April 2017 and March 2018, including 13,610 jobs in the public sector, which includes the federal government. Attempts to address the talent gap in government have been made by Congress along with the Obama administration and now President Trump, but agencies have displayed a glaring lack of urgency to identify their talent needs and take steps to make up for the deficiencies.
In 2014, for example, Congress passed the Homeland Security Cybersecurity Workforce Assessment Act that directed the Department of Homeland Security to identify all of its cybersecurity positions and assess where it was falling short. The Government Accountability Office reported in March that after nearly four years, the Department still did not have a full understanding of its cyber workforce or the skills it needed to protect its networks and the public at large.
In addition, Rep. Michael McCaul (R-Tex.), Chairman of the House Homeland Security Committee, earlier this year chastised DHS for being far too slow in using a special hiring authority provided by Congress to more quickly bring new cyber talent on board.
Government-wide, the GAO reported in June that the process federal agencies are supposed to use under the Federal Cybersecurity Workforce Assessment Act of 2015 to categorize and account for cybersecurity workforce skill gaps has been plagued by missed deadlines and delinquent reporting. The GAO said the Office of Personnel Management fell behind schedule in establishing a structure to track government cybersecurity positions, but it also noted that some of the cyber workforce assessments made by the major agencies have been unreliable or incomplete.
To its credit, the Trump Administration’s plan to reorganize government operations has recognized that reducing agency vulnerability to malicious actors requires investing in the cybersecurity workforce. It has offered several ideas that my organization, the Partnership for Public Service, previously recommended. These proposals include scaling hiring flexibilities across government, promoting employee mobility among agencies, government-wide cyber training programs, and use of retention incentives for entry- and mid-level cyber professionals.
Making real progress on these and other initiatives, however, will require determined and sustained leadership from the White House and agency leaders.
As a start, agency leaders need to comply with the Cybersecurity Workforce Assessment Act to fully understand their needs and begin to recruit and hire qualified people. At the same time, the administration should facilitate faster hiring by standardizing job descriptions, reforming the lengthy security clearance process that is now a major barrier to getting people on board, and directing human resources professionals and hiring managers to immediately start using available special hiring authorities.
OPM has granted agencies what is known as direct-hire authority for cybersecurity jobs, but a lack of awareness by some hiring managers combined with the rule-bound hiring process still limits its effectiveness. One notable authority, the Competitive Service Act of 2015, enables agencies to share lists of qualified, ready-to-hire candidates who have not been hired by a particular agency, but it has yet to be used in any significant way.
Agencies also should expand their use of cybersecurity internships and fellowships that provide additional opportunities for younger cybersecurity specialists to enter public service, and they should take a page from the United States Digital Service recruitment playbook. To attract talented tech experts into government, USDS has focused on building the government’s brand, engaging subject matter experts in recruiting, and assessing talent by using specialized recruiters and proactively communicating with candidates throughout the hiring process.
The Trump Administration has the opportunity to make significant progress in closing the federal cyber workforce gap, but strong leadership, a serious commitment, and a sense of urgency are essential. There are clearly obstacles to overcome, including the nationwide shortage of skilled cyber professionals and competition from the higher-paying private sector. But federal leaders must take full ownership and begin to solve a serious workforce problem that is central to protecting our government’s digital infrastructure.
Max Stier is the president and CEO of the Partnership for Public Service.