The U.S. government is working to attract quality IT professionals, says NICE’s Ernest McDuffie. Dan Kaplan reports.
Ernest McDuffie remembers a time when a government job was in vogue. The period was the 1950s and 60s, and the then-Soviet Union and United States were locked in a Cold War for technological supremacy, rhythmically dubbed the Space Race.
It began on Oct. 4, 1957, when the Soviets unexpectedly – but more importantly, successfully – launched the Sputnik 1 satellite into orbit. Widespread panic quickly encapsulated Americans, many of whom worried that if the Soviets could launch a satellite, was a missile next?
The United States responded with a flurry of government initiatives, including educational programs – designed to recruit new engineers – and research efforts, with the goal of depositing its own satellites (and humans) into space. Of course, no warheads ever were fired and in 1975, the conflict unofficially ended with a joint U.S. and Soviet space flight – but not before the federal government had ushered in a new wave of young, bright and eager government scientists and engineers.
“There was a huge interest in those fields, post Sputnik,” says McDuffie, a former computer science professor at Florida State University, who earlier this year was tapped to lead the newly formed National Initiative for Cybersecurity Education (NICE). “There was something inspirational. Go to the moon.”
The good times for government, though, wouldn’t last forever. Baby boomers aged and few events captivated the nation’s interest in the science, technology, engineering and math disciplines (STEM) quite like the threat of Soviet dominance did. In a phrase, the talent pipeline dried up.
Cybersecurity, a viable career for barely over 15 years, has become the trickle-down victim of an aging STEM workforce lacking new blood. “Now the country has become complacent,” McDuffie says. “There are a lot of other opportunities for students to take the easy way out.”
But with researchers and lawmakers regularly sounding the trumpet of the imminent, if not ongoing, threat of cyber espionage and war at the hands of a sophisticated enemy, the government has recognized the need to significantly ramp up its efforts to attract coveted human capital to not only protect the nation’s critical infrastructure against attack, but also to engineer secure code that is built to withstand digital assaults in the first place.
The need for such a push is quite apparent. According to a July report from the Center for Strategic and International Studies, there are only about 1,000 individuals in the United States with the specialized security skills to defend cyberspace. The report concludes that between 10,000 to 30,000 are needed.
Enter McDuffie and NICE.
The effort, led by the National Institute of Standards and Technology (NIST), evolved out of the White House’s Comprehensive National Cybersecurity Initiative. NICE’s mission has extended beyond the federal government and seeks “to establish an operational, sustainable and continually improving cybersecurity education program for the nation.”
NICE consists of four tracks, each with a specific focus to grow cybersecurity education and each run by a lead federal agency. One concentrates on building national awareness, another deals with improving academic curriculum, the third seeks to reform the federal workforce structure and the last centers on training and professional development. McDuffie is responsible for coordinating the NICE program among each of the various agencies involved.
If successful, the initiative, currently operating on a roughly $18 million budget, not only will help to cultivate a new crop of more educated and empowered end-users, but also replenish the talent pool of cybersecurity professionals nationwide, particularly at the government level, where the need is the most desperate, says McDuffie, who turns 58 this month.
“The systems of the federal government are under attack by other countries, by terrorist organizations, by professional criminal groups,” he says. “It used to be that 20 years ago, hackers were just out to make a name for themselves. The fact that the space is so dynamic and changes on a daily basis, there’s a continuing need for training and new people to come in to defend those systems.”
Government losing out
Tom Kellermann, vice president of security awareness at penetration testing firm Core Security and a member of the CSIS Commission on Cybersecurity for the 44th Presidency, points to systemic and more tangible reasons for why the government has struggled to attract qualified personnel.
On the systemic side, he says that while America’s primary and secondary school systems strongly have advocated internet use in the classroom, they largely have failed to teach students about the dangers of cyberspace. (One idea of NICE is to issue merit badges to Boy and Girl Scouts who ensure their neighbors are running computer security).
“There really is this huge embrace and focus on all the positives, but no focus on ethics, security and risk management as applied to these technologies that we continue to proliferate,” Kellermann says.
And for those who do recognize the insecurity of IT systems, the culture in America traditionally has been to scorn this type of person as nothing more than a rebellious youth. “The real issue here is cultural in nature,” Kellermann says. “Extremely talented computer scientists are demonized as hackers, whereas in countries like China, they’re held up on pedestals almost like we treat athletes.”
Still, for those who have garnered enough intelligence, and want to parlay their craft into doing something to help the country, there seem to be valid justifications to avoid a government job, he says. On the tangible side, poor pay, a complex security clearance process that may make a candidate uncomfortable, limitations on information-sharing once hired, and confusion over industry certifications are all working against the government.
As a result, federal agencies are turning to private contractors to fill the hole. But a reliance on for-hire hands may lead to further problems, Kellermann says.
For example, a government worker may be envious of or not respect a contractor, while the same contractor may forego using a better technology in favor of one that is “financially advantageous” to their employer, Kellermann says.
In a comprehensive Washington Post investigative series, “Top Secret America,” published in July, reporters documented the heavily privatized and clandestine national security mission. While the series did not specifically address cybersecurity, it detailed some of the inefficiencies of the current system, which is comprised of 1,271 government organizations and 1,931 private companies working on programs related to counterterrorism, homeland security and intelligence in the United States.
“The complexity of this system defies description,” John Vines, a retired Army general, told the Post. “Because it lacks a synchronizing process, it inevitably results in message dissonance, reduced effectiveness and waste. We consequently can’t effectively assess whether it is making us more safe.”
Filling in the gaps
Jeff Akin, a principal with McLean, Va.-based consultancy Booz Allen Hamilton, sees the talent problem facing government as two-fold. For one, the government is failing to import the right candidates to the interview itself. And even if agencies recognize they are not getting the right job hunters through the door, a cumbersome hiring process hamstrings them from quickly adjusting the criteria for available openings.
The second issue, Akin says, is that when a candidate is hired, the government is doing little in the way of defining a career trajectory.
“The government is not able to as precisely communicate what they have to offer and what their needs are for cybersecurity professionals, as the private sector is able to do today,” he says. “The other piece of the puzzle is they don’t have a plan to develop these professionals once they get in the door. They’re lagging behind the private sector in terms of defining what a career looks like for a cybersecurity professional in a given department.”
McDuffie says part of NICE speaks to this. One of the initiative’s tracks, to be led by the Office of Personnel Management, is trying to create a common taxonomy for cybersecurity professionals that will enable hiring agencies to match roles to competencies. As for defining career paths, another one of the tracks, being led by the Department of Defense, is designed to accelerate training and professional development programs.
Change is underway
The National Cybersecurity Division (NCSD), part of the Department of Homeland Security, has doubled its workforce over the last year to 260 people, says Roberta “Bobbie” Stempfley (left), the division’s newly appointed director.
Within NCSD, the roles vary, Stempfley says. One employee may be tasked with analyzing data from Einstein, an intrusion detection system used by agencies to monitor for undesirable traffic, while another may be in charge of software assurance development or collaboration with universities to build research programs.
She recognizes that many entities across the public and private sectors are competing for qualified personnel. In the case of NCSD, the organization has found success drawing from the National Science Foundation’s Scholarship for Service program, which provides tuition money for students to attend a participating college if they agree to work for the federal government for at least two years upon graduation. The undertaking, formerly managed by McDuffie, has been in existence for more than a decade and actually was one of the first recognitions by government of the need for skilled practitioners in the cybersecurity field.
“You’ve always got that issue of attrition [after the two years of service is up] to deal with,” McDuffie says. “But the students who come to these programs are motivated not so much by money, but by old-time patriotism. That feeling still persists. We want to make them permanent government employees.”
DHS also has been aided by a process known as excepted service hiring, which allows certain agencies to set their own qualification requirements and not be subjected to the appointment, pay and classification rules of typical government hiring. Available positions do not need to be posted on USAJOBS, the federal government’s official job site, and candidates can reach the agency directly. “It is people based,” Stempfley says, “not position based.”
Meanwhile, recruitment efforts are underway at various hacker conferences and through the recently launched U.S. Cyber Challenge – boot camps held in various U.S. cities that seek to identify mostly college- and high school-age students who can aspire to help protect the nation’s critical infrastructure from attack. The goal is to reach a previously untapped or underappreciated pool of candidates who may not otherwise have considered a career in cybersecurity, either in government or the private sector (which controls some 85 percent of critical infrastructure).
College campuses, meanwhile, remain the top breeding ground of future cybersecurity specialists. Sensing the opportunity, the University of Maryland University College (UMUC) this fall launched one bachelor’s and two master’s programs in cybersecurity.
While a number of universities, known as Centers of Excellence, have cropped up across the country to offer programs in information assurance, the hope at UMUC is to offer a state-of-the-art curriculum that will map skill sets with what industry and government are looking for out of their cybersecurity hires, says UMUC President Susan Aldridge.
“We need to prepare individuals for the positions that the companies and government desperately need,” she says. “We become a very attractive partner with the government and with industry because we’re able to recruit these mature people who have this experience already who can come into the workforce with these academic credentials.”
A higher calling
As for salaries, many believe the government’s pay system needs reform. Despite a recent USA Today story that reported that federal civil servants earned an average salary and benefits of $123,049 in 2009, more than double their private sector counterparts, the Office of Personnel Management insists that federal workers earn 22 percent less than private employees. And a proposed Congressional bill that includes a 1.4 percent raise for civilian federal employees in 2011 – the smallest jump in more than a decade – won’t help the matter.
Stempfley says pay parity certainly is an issue at the government, but she is hopeful that federal investment in cybersecurity, combined with the desire for the cause, helps to offset any reticence.
“What I find is that individuals are motivated by the mission,” she says. “It comes down to a sense of service and allegiance to that mission and giving them something exciting to work on that isn’t the same every day. I want qualified, capable, passionate people who are focused on helping us defend and secure the United States and federal government. Do you wear a suit and tie? That’s not important to me. I don’t care if you have tattoos. I’m interested in capability and passion.”
McDuffie agrees, contending that while a government job may not be for everyone, an interested candidate must look at such a career path from a philosophical perspective.
“If you look at all scientific fields, all of those things are being enabled by computer systems,” he says. “For them to function properly and provide economic and innovative advantage, they have to be secure. In a real sense, working in cybersecurity is fundamental and underlying to the whole scientific enterprise of the country and world.”
Who needs Sputnik as a rallying cry now?
Certification: Gets rigorous
A newly formed nonprofit, known as the National Board of Information Security Examiners (NBISE), wants to develop exams and certifications that can help government agencies ensure they are hiring the right candidate for the job.
The tests will measure practical expertise in specific, highly skilled disciplines – such as penetration testing, forensics and incident response – with the goal of identifying those professionals who can apply their skills and experience in a role that is uncertain and constantly changing.
And these won’t be your run-of-the-mill exams. NBISE tests will be rigorous, challenging individuals in the areas of emotional intelligence, logic and cognitive thinking. NBISE wants to model itself after the National Board of Medical Examiners, which assesses health care professionals.
Does NBISE, under the direction of North American Electric Reliability Corp. veterans Kelly Ziegler and Michael Assante, anticipate any pushback from professionals nervous about failing?
“The real experts want to distinguish themselves,” says Assante, NERC’s former CSO. – Dan Kaplan
National Initiative for Cybersecurity Education (NICE)
Track 1: National Awareness Campaign
Goal: Increase understanding of cybersecurity
Example: Cyber Teen Advisory Board, a group of teens who work to ensure the campaign communicates its message effectively to youths
Track 2: Formal Education
Goal: Develop educational programs for K-12 students and teachers
Example: The president’s “Educate to Innovate” campaign to attract and reward outstanding educators in the science, technology, engineering and math disciplines
Track 3: Federal Workforce
Goal: Define cybersecurity jobs, and attract and retain skilled employees.
Example: The Office of Personnel Management is working to define key roles and responsibilities for cybersecurity jobs in government
Track 4: Workforce Training and Professional Development
Goal: Identify and manage cybersecurity training for government, military and contractor personnel.
Example: U.S. Air Force ROTC cadets recently gathered for a 10-week summer “boot camp” with the goal of developing future cyber officers.