It’s been nearly three years since Congress gave the Defense Department special authorities to pay civilian cyber experts more money and fast track them through the hiring system. Yet a key Pentagon agency in charge of IT systems and protecting DoD networks is still clamoring for people to join its ranks.
“Go to USAJobs and send us your resume,” Vice Adm. Nancy Norton, director of the Defense Information Systems Agency (DISA) and Commander of Joint Force Headquarters DoD Information Network, said. “Please be our partner in securing our nation. The biggest trouble that I have today is finding enough people, the right people to fill the roles in order to do this better.”
But even though DISA is hurting for cyber operators, developers and cybersecurity experts, it has yet to take full advantage of the cyber excepted service — a program granted to DoD in the 2016 Defense authorization act, giving the agency broad authority to create its own pay and personnel system for employees in critical cyber roles.
Right now, without the use of the cyber excepted service, the hiring process can easily take six to nine months, Norton said during a speech at CyberCon 2018 in Arlington, Va. That timeline is not exactly appealing to people in search of employment.
“The hiring timeline is definitely a sore spot. I talk about how long it takes for acquisition of systems, our hiring process, unfortunately, is quite lengthy as well,” Norton said.
The cyber excepted service is supposed to ease some of those issues. But, Norton fully admitted DISA has been “a little bit slow” to adopt the service.
What is taking so long, Norton said, is a classic DoD problem: Culture and risk aversion. Ironically, those issues are two of the biggest stigmas DoD’s cyber realm is trying to get away from.
Part of the slowdown “is just human nature. We know how to do things one way and so we keep doing them the same way,” Norton said. “Our traditional hiring methods, our traditional acquisition methods are things that we’re very comfortable with and we know how to do. You have to get a very large personnel system to understand how to use a different system for the cyber service and that just takes time.”
Norton likened it to turning an aircraft carrier. Even though the order has been given, it will still take a while for the ship to move. Likewise, DoD doesn’t like to jump into things, but Norton said dipping one toe into the pool may not be the best approach.
“When we start things as a small pilot, we actually constrain ourselves because we’re not forcing the whole personnel system to start learning how to adapt to those new processes,” Norton said. “If we were to push it out to everybody and say ‘OK, everybody has to learn this all at once’ and authorize a lot of those billets, we probably would be further along.”
Still, DoD’s reluctance to adopt faster hiring methods comes at a crucial time for cyber. DoD just unveiled a new cyber strategy, which is more focused on cyber operations, deterring attacks and attacking cyber threats.
Last November, DoD said it wanted to finish up the final stages of the cyber excepted service by the end of 2018.
The Pentagon planned to roll out the service in three phases, the first of which started last fall and modified software in DoD’s HR systems to accommodate new hires for the service.
“It may seem like this has been a slow process, but it’s a significant change for us and we’ve been really hammering away at it,” Maj. Gen. Ed Wilson, the deputy principal cyber advisor to the secretary of defense, said in a roundtable with reporters one year ago. “We want to start small, and start with what we thought was our highest need, which is U.S. Cyber Command. The way we’ve set it up, it gives us a headquarters function here in the Pentagon, a headquarters function out in the field and a tactical component as well.”
Phase two is supposed start hiring civilians through the service within the military services and DISA. While DoD hoped to start that phase in 2018, it seems DISA, at least, is not fully in that stage.