House and Senate staff members working for committees overseeing federal cybersecurity efforts are placing a bigger focus on the makeup and training of agency workforces this year.
Both the House Homeland Security Committee and the House and Senate intelligence committees want more action from agencies in how they hire and train their workforces to deal with cybersecurity.
And the oversight is for good reason. As Bill Evanina, the national counterintelligence executive, told me recently, 90 percent of all successful hacks are because of spear phishing, and federal employees are more at risk from clicking on links than from sophisticated attacks.
This is why, over the last few years, lawmakers have required agencies to understand the makeup of their workforces and have given DHS more authorities to hire qualified cyber employees.
Both initiatives, to the displeasure of the committees, are slow to materialize.
Let’s start with the governmentwide workforce assessment and training effort.
Congress included in the Consolidated Appropriations Act of 2016 the Federal Cybersecurity Workforce Assessment Act of 2015, which required agencies to submit a baseline assessment of their existing cybersecurity workforce.
Michael Bahar, staff director for the minority on the House Intelligence Committee, said at the Hoover Institution on Feb. 22 that the results from the agencies so far are not good.
“I haven’t seen one that is above 50 percent,” Bahar said during a panel discussion with other Hill committee staff members. “There is a lot we can do to get agency IT infrastructures and the people who work on them in better shape.”
The reports from at least two agencies show just how much further agencies have to go.
Federal News Radio obtained the workforce assessment reports from the Energy Department and the General Services Administration.
Energy surveyed 624 IT or cybersecurity employees and found 281 (45 percent) held “the appropriate industry-recognized certifications as identified under the National Initiative for Cybersecurity Education.”
GSA surveyed 38 IT or cyber workers and found 19 (50 percent) had the certifications.
If these two agencies are indicative of where the government stands, it’s no wonder the committees are concerned.
Of course, the White House’s hiring freeze doesn’t help this situation. Agencies could request exemptions by justifying specific mission needs, but probably not the hundreds of cyber experts needed across the government.
So while lawmakers are pressing DHS and other agencies to hire and train more, the White House is making it difficult to bring anyone in, and with a year-long continuing resolution, the money for training is far from plentiful.
The reports come after the Office of Management and Budget highlighted the importance of building and training agency cyber workforces as a part of its 2015 Cybersecurity Implementation Plan (CSIP). In that memo, OMB detailed five broad workforce requirements, including mapping the entire cyber workforce landscape across all agencies using the NICE National Cybersecurity Workforce Framework and identifying cyber talent gaps and recommendations for closing them.
OMB and the Office of Personnel Management released in July 2016 the first-ever cyber workforce strategy, focusing on four areas, including developing the current federal cyber workforce and creating new career paths for these employees.
Both Energy and GSA in their reports to the committee detail how they plan to grow their cyber workforce capabilities.
Energy says it “will modernize the mechanisms by which it recruits, trains and retains a diverse and highly capable cyber and information resources management federal workforce. The DOE Cyber Strategy articulates a vision for the future, and a tangible plan for realizing it by leveraging diverse perspectives and experience from across the Energy Enterprise.”
GSA said it would use two strategies to address its cyber gaps:
Strategy 1: Provide training resources to employees that leverage available resources such as Department of Homeland Security’s (DHS) Federal Virtual Training Environment.
Strategy 2: Hire additional contract staff with relevant knowledge, skills, and abilities, to include industry-recognized certifications.
Ongoing challenges around the federal cyber workforce aren’t being lost on the House Homeland Security Committee either.
The lawmakers and committee staff are concerned about the Homeland Security Department’s unwillingness or inability to take advantage of special hiring authorities it received in the 2014 Border Patrol pay reform bill, which let the DHS secretary flag certain jobs as critical to cybersecurity, pay those employees what they’d be earning if they worked for the Defense Department and also give them “additional compensation, incentives, and allowances.”
But there may be some confusion between DHS and the committee.
Brett DeWitt, a staff director for the Cyber Subcommittee majority, said at the Hoover Institution event that the workforce authorities are not being implemented yet. He said the DHS chief human capital officer told the committee during briefings that bureaucratic barriers were preventing the department from using the full extent of the authorities.
DeWitt said the committee understands the challenges, but DHS needs to make these authorities a higher priority.
But DHS has taken advantage of at least some of these innovative approaches to hiring and retaining employees.
In May, for example, DHS said it began piloting the use of bonuses to attract cyber workers within its National Protection and Programs Directorate (NPPD) and was ready to expand them across the rest of its headquarters elements. Under the pilot, DHS provided an additional 20 percent to 25 percent on top of an employee’s annual pay, depending on the certifications they’ve earned and the position they occupy.
In December, DHS said it used the authorities in two hiring fairs. The first one in July resulted in 450 new cyber workers with 33 percent at their desks at DHS within six weeks. The second virtual hiring fair happened in December and the results weren’t available.
DeWitt said that while the hiring fairs are worthwhile, DHS is not using the flexibilities the Border Patrol pay reform bill offered.
“We suggested to the new administration that they invest on the front end around cybersecurity workers,” he said. “We want to remove the barriers stopping DHS from fully using the authorities Congress granted nearly three years ago.”
Part of the problem may be how DHS is describing its efforts in reports to the Hill. Both DeWitt and Hope Goins, chief counsel for oversight for the minority on the committee, said DHS has provided limited details on how it is implementing the hiring authorities, which resemble those Congress gave the National Security Agency more than a decade ago.
DeWitt said the committee is putting together a hearing looking at DHS civilian cybersecurity defensive capabilities in March.
Along with the workforce, the hearing also may review DHS’s progress with the EINSTEIN and continuous diagnostics and mitigation (CDM) programs as well as what needs to be done to establish a new cybersecurity agency within DHS.
DeWitt said the committee drafted a bill to reorganize DHS, but is waiting until some of the agency’s political appointees are in place before introducing it.
“One of the first questions we will ask the new undersecretary for NPPD will be around how many cyber employees they need,” DeWitt said. “We will ask them for a five-year action plan to meet their needed capabilities and use the hiring authorities.”