Does Homeland Security have too much discretion in hiring cybersecurity people?

The Department of Homeland Security recently completed rulemaking to carry out a law enacted in 2014. It gives the Cybersecurity and Infrastructure Security Agency a lot of discretion in hiring cybersecurity people. Bob Tobias, a longtime federal employment expert and a professor in the Key Executive Leadership Program at American University, said maybe it’s too much discretion. He spoke to Federal Drive with Tom Temin for more insight.

Interview transcript:

Tom Temin: Bob, good to have you back.

Bob Tobias: Thank you, Tom.

Tom Temin: And run through us what the discretionary abilities now to hire cyber people actually are under this new rule just completed?

Bob Tobias: Well, in the interest of DHS attracting the cybersecurity talent that we really, really need in the federal government, Congress gave DHS the authority to pay these cybersecurity employees up to a cap of $255,800, which is pay equivalent to the vice president’s salary, based solely on the skills of the applicant and the needs of DHS. And I think there’s no question that the federal government needs top cybersecurity talent and the ability to pay more than GS rates. But the law also provides that DHS may hire these employees without competition. They can increase pay based solely on DHS management’s judgment, whether their work has more mission impact. If the impact increases, their pay increases, and they have the authority to not review one of these employees solely at the discretion of DHS management. So I question whether it’s wise to give so much discretion, which can so easily be translated into unchallengeable abuse to any public sector manager.

Tom Temin: I guess a detailed question is whether fixing the highest salary at the vice presidential level, which is a good reference mark for federal employment, is there any relation to that figure to the actual market for cybersecurity people? That is to say, what if they are on an average of 175 and not 255? Then the government would be overpaying.

Bob Tobias: Well, that’s the top cap, they can pay anything under that cap. And presumably, they would exercise that discretion wisely. So it’s not the top cap that worries me so much. It’s the administration of the program as it affects federal employees. We discovered back in 1883, when Congress passed the Pendleton Act, that government leaders pursue their own interests, not the public interest. And so Congress enacted in 1883 and subsequent legislation to say that the government should be administered using merit principles. In this case, those merit principles have been waived.

Tom Temin: Sure, I guess maybe the Merit Systems Principles – in recent years, we’ve seen them get circumvented, because it’s the hiring process that is somehow broken. And so they may be using the wrong fix, sounds like you’re saying?

Bob Tobias: It is. Without standard hiring criteria, and without standard evaluation criteria, employees are going to be receiving pay increases based on who they work for, rather than the work that they do. And I mean, it just follows because even in the best of circumstances, one supervisor will evaluate a person for a 2% increase, and another will evaluate the same employee for the same work, a 5% increase. So without standard evaluation criteria in place, it’s inevitable that people will not be paid the same for similar work.

Tom Temin: We’re speaking with Bob Tobias. He’s a professor in the Key Executive Leadership Program at American University. And the idea that the increases are tied based solely on mission impact, that can get into some subtleties that might allow for abuse too, I suppose, because what is the mission impact of cybersecurity? The impact is that the mission is not interrupted. So you almost have to prove a negative to be able to prove their mission outcome unless the mission is CISA, which – cybersecurity is its mission.

Bob Tobias: Well, right. Mission impact – I have no idea how I will judge mission impact as a supervisor. It’s, I know it when I see it. Well, I know it when I see it – if I’m supervisor A but I know it as I see it – supervisor B – inevitably that amount of unsubstantiated and undefined discretion is going to lead to abuse.

Tom Temin: And then there’s also the possibility of the “my brother the cybersecurity pro, we got to get him in” possibility – that potential, too, for just old-fashioned nepotism.

Bob Tobias: Absolutely, absolutely, Tom. If I have the sole discretion to hire whomever I want, it will be possible to hire and to pay employees based on loyalty, based on relationships to a boss or a political party, and discharge those who are not my relatives, or who are not loyal to my political party. So there’s much abuse that can occur.

Tom Temin: Now one difference, though, is these are term appointments, even though they’re renewable, but they’re not permanent employment that you would have to have some merit basis for. So maybe it’s just a way for CISA to get in people they need temporarily, get things pushed along, and then those people move back to the private sector, presumably?

Bob Tobias: Well, that’s the idea that these folks would come to the government and leave the government. But also that can be subject to abuse because if I’m on a term, and it’s renewable, and I decide I don’t like you, just because I don’t like you, I won’t renew your contract, even though the employee is doing great work. So that too, is subject to abuse.

Tom Temin: So perhaps maybe the best way, in your view for the agency to conduct these types of hiring under this program is to do it competitively. They’re not prevented from doing it, even though they’re not compelled to do it competitively. But you could have a competitive hire that doesn’t fully follow the standard procedures you would use for a permanent federal employee under the Merit Systems Principles. But nevertheless, you could have people compete for a job.

Bob Tobias: That’s correct. I think that the great part of this law is it allows the federal government to pay more competitive rates. But if it included the merit system principles, in implementing that increased pay discretion, we would ensure what has happened in the past will not happen in the future.

Tom Temin: Now we know that the Department of Defense has a similar authority. They’ve hired thousands of people under that. You just wonder what might have gone on, I suppose.

Bob Tobias: I guess. There are 4,500 people that DoD has hired under this system, and we don’t know how it’s been implemented.

Tom Temin: Bob Tobias is a professor in the Key Executive Leadership Program at American University, some good things to think about. Thanks so much.

Bob Tobias: Thank you, Tom.
