Attracting enough cyber and IT talent is a well-known problem across government, but technology always has ripple effects and those are starting to affect hiring in other fields as well.
One example comes from the Justice Department. The rapid growth of information systems and cyber at one time left gaps within the agency’s workforce, but now that could be changing.
“It’s even harder to find the lawyers who are good at technology, because, at least when I was in law school, cybersecurity didn’t exist as a topic you would study as a lawyer,” Adam Hickey, deputy assistant Attorney General, said on Agency in Focus: Justice Department. “And that, fortunately I think, has changed a great deal. So we are seeing many younger attorneys who are coming on board having had, if not a background in computer science, or at least some greater technical fluency because of their own experience, their personal life.”
Hickey said that’s to be expected, since every generation is more comfortable with newer technologies than the one that came before, and more likely to integrate that into their everyday life. But the flip side of that is adversaries can be more comfortable weaponizing it.
As cyber breaches and espionage become more common, and more of a direct threat to the federal government, the DOJ has found it needs to step up its efforts to build a workforce that is more conversant with modern technologies, even if that isn’t the primary focus of their careers. But hiring new talent isn’t the only way to do that.
Cybersecurity consultant’s report lays out areas of US vulnerability
“We aggressively recruit for folks who have that background, but not having had it myself, I’ll also tell you, there’s no substitute for working closely with some top agents at the Bureau and learning the technology and learning how to investigate an intrusion case by working side by side with the agents that do have that computer science training,” Hickey told the Federal Drive with Tom Temin. “And you just ask a lot of questions. And any litigator will tell you the secret to becoming good in a particular case, it’s just knowing when to say you don’t know and ask me a lot of questions. And once you pick it up, in one case, you take and you apply to other cases.”
And that training pays off when it comes time for the DOJ to interpret or enforce laws Congress puts in place around these technologies. Especially as cyber breaches and espionage bring data privacy, data collection, cybersecurity and big tech companies into greater public scrutiny.
“I think courts and lawyers are looking for how to adapt physical world principles to technology,” Hickey said.” And that’s a slow process. And maybe it’s good that it’s a slow process, because you hit the balance wrong one or the other day on what the government can collect or not, or how it collects it, you might be making a serious mistake either under-enforcing the law or over-collecting information.”
One major topic the DOJ is addressing right now is a new initiative on China. China is working to become more self-sufficient, and while that’s not a problem, Hickey said, some of the methods it is using can be. The DOJ is shifting toward being able to better deal with cyber espionage, for example, and that requires more cross-training within the department.
“Over the last seven years I’ve been here, I’ve seen cyber and counterintelligence divisions of the FBI work very hard to become more integrated to cross staff, individuals and various units and to communicate about what they’re seeing, so that we don’t approach the threat as cyber in one silo and counter intelligence in another,” Hickey said. “I think that’s really important, and not just restricted to China, right? You can think about malign foreign influence in the Russian context or otherwise, there’s the cyber dimension to it. You might have hacking of a political party or attempts to intrude on an elections website. But these are not just computer problems, right? These are actions, motivated by the objectives of foreign nation states, you always have to be thinking about what that nation state is, what they want, and how to counter them. And that’s a counter intelligence problem, that’s not a technical problem.”
That starts with data sharing, Hickey said, and not just between agencies and departments. Government contractors, especially within the defense industrial base, are also at risk. For example, China has previously obtained technical data and specifications on the F-35 joint strike fighter by targeting defense contractors working on the program.
“A determined adversary with enough time and resources is going to achieve some measure of success. He or she really wants into your network, particularly if we’re talking about people backed by the resources of a nation state. But what we can do is become better at detecting breaches like that, and organizing our networks so that the consequences of the breach are reduced and can be mitigated more quickly,” Hickey said.
Right now, Hickey said, it takes about six months to detect a cyber breach. But he said that the private sector, especially vendors who specialize in incident response and defense, say that gap is narrowing as they get better at spotting this kind of activity.
But DOJ is also working with these companies, and other federal departments and agencies like the Defense Department, to ensure that the first response to any breach is to call law enforcement. Hickey said sometimes contractors are hesitant to come forward and report a breach because they’re worried about how the DoD, in many cases their biggest customer, will respond. They don’t want breaches to cost them future contracts.
So DOJ has to help these vendors understand that, while they may need to adjust their cybersecurity posture in the wake of a cyber incident, in the long run, contacting law enforcement is the smarter choice.
“And I think you’re seeing a change in the culture in C-suites across America, where companies have come to understand that cyber security is not kind of like physical security, something you relegate to administrative officials, it’s actually a major risk vector for business, or it can be,” Hickey said. “And so it’s getting the attention that a major risk areas should get from executives. And so I think we’re getting better. We’ve got a long way to go, obviously. But there’s a reason to be hopeful.”