November 8, 2010
Shortages in Federal Government’s Cyber security Work Force
Two new reports–from the Center for Strategic and International Studies (CSIS), and from the consulting firm Booz Allen and the non-profit Partnership for Public Service (PPS)–highlight serious shortfalls among the federal government’s cyber security work force. Against a background of growing threats to the IT infrastructure of the U.S. military, civilian federal agencies, and major private-sector firms, the reports find common ground on short- and longer-term recommendations for grappling with this pressing concern.
The reports make clear the mounting threats to federal agencies and to major private-sector firms and vital national infrastructures. “Foreign powers, criminal groups, hackers, and terrorist organizations have launched cyber attacks on the White House, Pentagon, State Department, and New York Stock Exchange,” notes the Booz Allen/PPS report. In the past few years, millions of attempts have been made to hack into defense digital networks, and cyber criminals have penetrated the nation’s electrical grid.
For “the past six years,” the CSIS report states, “the US Department of Defense, nuclear laboratory sites and other sensitive US civilian government sites have been deeply penetrated, multiple times, by other nation-states.” In 2008, CSIS adds, “one of the nation’s largest processors of pharmacy prescriptions reported extortionists had threatened to disclose personal and medical information on millions of Americans.” Indeed, last year the General Accountability Office (GAO) reported deficiencies in the ability of 23 of 24 federal agencies to detect or thwart cyber attacks.
President Obama has declared cyber security to be “one of the most serious economic and national security challenges we face.” Defense Secretary Robert Gates has stated that the Department of Defense (DoD) is “desperately short of people who have capabilities (defensive and offensive cyber security war skills) in all the services.”
The two reports essentially agree on the deficiencies facing the federal agencies. CSIS notes the “shortage of the highly technically skilled people required to operate and support systems already deployed” and “an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools” for preventing and mitigating damage from malicious acts.
Booz Allen identified four serious conditions inhibiting the strength of the cyber security workforce:
- An inadequate pipeline of potential new talent. Just 40 percent of the federal chief information officers (CIOs), chief information security officers (CISOs), and IT managers surveyed consider the quality of applicants for cyber security jobs sufficient. This leads to a disproportionate reliance on contractor personnel, such as the 83 percent of CIO staff at the Department of Homeland Security who are private contractors.
- Uncoordinated leadership and fragmented governance in the federal effort, with no one organization heading up decision making or planning for the cyber security workforce. Thus agencies sometimes work at cross-purposes. None of the people interviewed for the report could provide an official count of the actual number of government cyber security personnel.
- Recruitment and retention of cyber security talent are hampered by the federal government’s cumbersome hiring processes, outdated job classifications, inadequate specialized training, and absence of a federal career path. One computer science job category was last updated in 1988–before the adoption of the Internet.
- Hiring managers, compared to HR managers, are dissatisfied with efforts to hire cyber security talent.
CSIS reaches similar conclusions, and provides others as well. “There is neither a broad cadre of cyber experts,” its report notes, “nor an established cyber career field to build upon.” CSIS specifically criticizes the certification process, asserting that credentials focus on showing expertise in complying with statutes, not risk reduction, thus creating “a dangerously false sense of security.”
The two reports take somewhat similar paths in their recommendations for improving the workforce. Taking the big view, Booz Allen/PPS calls for the White House cyber security coordinator, agency leaders, and OPM to formulate a government-wide blueprint for addressing workforce demands. The blueprint would include tools to gauge the health of the workforce.
Regarding certifications, Booz Allen/PPS advocates updating job classifications, while CSIS calls for the adoption of rigorous professional certifications. CSIS would accomplish the latter through creation of a governance body, to be evaluated after a two-year pilot test, which would formulate and administer certifications in new specialty areas. Members in the governance body would be drawn from key federal agencies, major private-sector organizations, and universities with important cyber education programs.
Both reports urge establishment of a career path in cyber security akin to that in civil engineering or medicine. CSIS emphasizes strengthening the technical competence of personnel through the hiring, acquisition, and training processes, while Booz Allen/PPS stresses the provision by Congress of adequate funding for such purposes as worker training and the bolstering of management expertise.
Funds would include graduate and undergraduate scholarships in cyber security such as the Scholarship for Service program. In fact, CSIS posits a number of initiatives to enhance cyber security education, including an OPM action plan on career issues, and the creation via the federal Chief Information Officers Council of a Cyber Corps alumni group.
More broadly, the reports view the dearth in cyber security talent as reflecting the nation’s woes in science and technical education and in the technological workforce generally. To address this, CSIS stresses more rigorous school curricula, while Booz Allen/PPS calls for expanding scholarship funding in cyber security and computer science. “The White House should lead,” affirms Booz Allen/PPS, “a nationwide effort to encourage Americans to develop technology, math, and science skills.”
The two reports, shown below, were compiled from public reports and congressional testimony, and interviews with and surveys of federal subject matter experts and information officers in many federal agencies.