An advisory council to the White House approved a report on Wednesday affecting the federal and critical infrastructure workforce and called for a number of initiatives or changes to boost hiring of cyber-focused personnel.
The report, issued by the National Infrastructure Advisory Council at the request of the National Security Council and looks at how workforce issues and talent shortages across critical infrastructure impact national security. It argues that despite the critical role of the workforce in protecting infrastructure, the U.S. government has historically opted to give it less “attention” than other resourcing questions around protecting against cyber and physical threats.
The council’s writ was broader than cybersecurity, and they found a general lack of coordination, data and human capital management needed to properly staff for critical infrastructure needs across the board. But it’s clear that the council sees a number of unique challenges that are helping to choke off the pipeline of cybersecurity talent flowing into government and critical infrastructure sectors.
For example, while credentialing is an important component of getting into many sectors and industries and can create obstacles to getting a job, it’s particularly inhibiting in the cybersecurity industry, where debates rage monthly over the importance of certification in hiring decisions.
“Cyber credentials in particular are difficult to maintain given how quickly technologies evolve and how drastically the requirements can change,” the report notes.
With the government and private sector often competing to hire the same workers, departments like DHS have moved to use existing authorities to sidestep traditional federal hiring and pay procedures for cyber-focused personnel, something former CISA officials like Christopher Krebs have said has only inhibited the government’s ability to hire or retain cybersecurity personnel who do come from traditional background or need official certifications to prove their bonafides.
Additionally, NIAC officials said that while increased IT and cybersecurity requirements have changed the level of technical expertise and pay in many sectors, maintaining critical infrastructure is still viewed as a “blue collar” job by many Americans. Dr. Beverly Scott, vice chair of the council, said it was critical for both government and industry to work on public awareness initiatives that can change that perception.
“We’re talking about jobs that are, by and large, very well paid, very meaningful and quite often on the cutting edge of technological innovation, but unfortunately many in the American public don’t know that,” Scott said, adding “There is still a belief that much of the work in the critical infrastructure field is low skill, low wage, low value work. We need to change that narrative.”
CISA Executive Director Brandon Wales praised the council’s report and said it would help guide the agency’s efforts on hiring. He also said CISA was working with the National Institute for Standards and Technology to finalize and release new ICS cybersecurity performance standards mandated in a July national security memo issued by the White House around securing the nation’s critical infrastructure.
The report “is really going to shine a light on where we need to go and on aspects of critical infrastructure that don’t always get billing,” said Wales.
It’s an issue Congress is watching, too: the same day Secretary of Homeland Security Alejandro Mayorkas fielded questions from a House committee on their Cyber Talent Management System, saying it was a top priority for him and that the hiring blitz the department was making around cybersecurity this year is “frankly the biggest in the department’s history.”
“I actually had a meeting yesterday on staffing and the prioritization of staffing for our cybersecurity portfolio specifically,” he told the committee in response to requests for updates.
The burdensome security clearance process was also cited as a problem and, despite reforms in recent years, lengthy delays and hang ups over issues like past marijuana use continue to prevent otherwise qualified applications from accepting federal positions.
To better address these issues, the NIAC council ultimately recommended a range of actions. They include developing a national workforce plan for staffing critical infrastructure needs, tracking all critical infrastructure and related interagency expenses and changing the public’s awareness and perception of critical infrastructure careers. They also call for a specific federal program to develop curricula and guide students in K-12 and college on how to develop their cybersecurity skills and connect with government and critical infrastructure hiring pipelines afterwards.
“That [foundation] needs to be a required part of what you get when you’re coming through our K-12 system,” said Scott.