The Homeland Security Department is in need of a few cyber ninjas.
DHS requires help in defining and developing about 600 superbly skilled and proficient employees. And the ninjas, or experts, will help set the curriculum for current and future cyber workers.
“We are starting with the people that really do have the tradecraft. We are using them in order to identify what are the mission critical functions, tasks and what kind of scenarios do they need to be trained to,” said Steve Myers, who is a member of the Homeland Security Advisory Council’s Task Force on Cyberskills and spent his entire career in the defense and national security area. “What would the necessary proficiency be to be able to perform?”
The need to hire 600 cyber experts and develop training standards were among the main recommendations from the Homeland Security Advisory Council Task Force on Cyberskills.
The task force released its recommendations earlier this week to Secretary Janet Napolitano.
She immediately endorsed them and said DHS would start implementing them.
“We briefed Secretary Napolitano Tuesday morning and it was a quite gratifying meeting,” Myers said. “She was very engaged, asked a lot of questions, had read the report before the meeting and was committed to its implementation.”
Napolitano directed the committee to create the task force in July to figure out how to meet the increasing demand for skilled cyber workers. The task force conducted interviews with government, private sector and academic experts to come up with 11 recommendations in five areas.
“The problem that the task force was asked to address was really two problems: one of capability and one of scalability,” Myers said. “It was very obvious to Secretary Napolitano and the leaders in DHS that we are just not getting the job done. It’s always easier to be on offense than defense, and we are losing badly.”
DHS, like most agencies, needs more cyber experts than there are available. One way to attract and retain the right people is by defining what they will do for DHS.
The Government Accountability Office found in November 2011 that nearly every agency experienced difficulty in defining and hiring cyber workers.
The DHS task force says the agency must develop and maintain an authoritative list of mission-critical cyber tasks. It offered 10 job titles as a starting point, including system and network penetration tester, threat and counter intelligence analysts and security engineers.
“We need to have an adequate number of people to address the increasing scale of the threat we are dealing with,” Myers said. “We recommended scenario based training as the most practical way of bringing people up to speed and simulation based testing to verify their performance capability.”
An approach modeled after pilots
He said the approach the task force is calling for is very similar to the one the Federal Aviation Administration uses for pilots.
“The first thing we have to do, if I can borrow again from my aviation analogy, is we have to actually find out who the flight crew is,” he said. “If you have job titles that characterize everyone as aviation professionals, it can get difficult to separate out the baggage handlers from the pilots. Everyone is needed to make the system work, but in cybersecurity we need the people who can really do the job, under highly stressful conditions and in an ever changing environment.”
Even after defining the cyber skill sets and jobs, the task force recognized the pipeline of workers isn’t meeting the government or industry’s needs.
Additionally, DHS is at a disadvantage because of limitations on pay and bonuses and how slowly the government moves.
“What’s going on right now between industry and government is fratricide, where they are competing with each other for what is a very small talent pool. That is not a good thing,” Myers said. “We need to dramatically improve the size of that pool. It’s imperative we give the educational institutions that will be training people better direction on what standards they need to train to and what kind of people are best suited to do this kind of work.”
A shortage of workers
The task force recommended a few ways to increase the talent pool. First, DHS should help create a two-year community-college cyber program. Second, the government should raise the requirements to be a cybersecurity Center of Academic Excellence. And third, the government should train and hire veterans into critical cyber positions.
“There are a lot of career path advantages to doing this work in DHS and we have to get that message out,” Myers said. “The processes are not in place yet. We have to make that true and then we have to sell it to these young people who want to go into this field.”
Myers said hiring veterans makes a lot of sense for several reasons, including the fact that they are computer literate, they have a sense of public service and are well disciplined.
In addition to new hires or veterans, Myers said DHS also has to ensure current federal cyber workers have the right capabilities.
“What’s going to happen over the next several months is a process of detailing out how that is going to work,” he said. “What are those standards? How do we test to those standards? What happens if someone is in a mission critical position but can’t perform those standards? Then we will have to do remediation.”
Again, this is similar to pilots, who have to go through training every six months; if one comes up deficient in a certain skill, they get retraining.
Myers said while the task force created the recommendations for DHS, they could easily be used by other agencies. He said the document also is receiving widespread attention from other agencies.