CISA putting skills over experience as it rethinks cyber hiring approach

The Cybersecurity and Infrastructure Security Agency has come a long way in maturing the federal government’s cyber-threat sharing capabilities with the private sector over the past few years.

And with the coronavirus pandemic changing aspects of the threat landscape, CISA Director Chris Krebs said Monday that the agency hasn’t just seen an increase in the overall scope of threats, but a “dramatic shift” in the consequences of a successful breach.

Hospitals, for example, have long been a data-rich target for ransomware attacks, but bringing down a health care provider’s network during the pandemic would have devastating consequences.

“If you lost a hospital in New York City this time last year, it would not be the end of the world. What I mean is you could shift patients or transfer them to other medical care facilities. But in the deepest, darkest point of New York City’s response, if you lost a hospital due to a ransomware attack or something like that, no joke, people would die,” Krebs said during a virtual keynote hosted by the Wilson Center.

Since March, CISA has played a supporting role in the country’s pandemic response, including protecting Operation Warp Speed, the federal government-led effort to develop a COVID-19 vaccine, which has become a major vector for cyber attacks.

CISA’s effort, which also extends to personal protective equipment manufacturers, hospitals and other aspects of the pandemic-response supply chain, has been dubbed by Krebs as “Project Taken.”

“It was just like the Liam Neeson character in the movie Taken. We were going to send a message very clearly to our adversary that you don’t mess with this, and if you do, then we’ll come and find you,” Krebs said.

Over the past two years, CISA’s National Risk Management Center has built inroads with companies that operate the 16 industrial sectors of the U.S.’s critical infrastructure.

As part of standing up that organization, Krebs said the agency has seen more success with industry when both parties can “share information with a purpose, that has the right context around it.” Instances include major events such as national elections or Operation Warp Speed.

“When it’s general and people can’t say, ‘Maybe that thing’s important, I need to share that thing,’ you don’t make the progress, you don’t get as many people involved. But when you figure out a specific objective, when you decide we’re going to defend the 2020 election from foreign hackers, OK that’s scopeable, I can scale my resources to address that issue,” Krebs said.

Krebs also pointed to other signs of progress in cyber threat information sharing. CISA recently released new guidance on how to set up vulnerability disclosure programs, something that CISA officials outlined as a major agency priority for this year.

Meanwhile, a few weeks after CISA issued its last emergency directive, Krebs said the agency has seen patch times cut in half. And in the event of a major cyber incident, agencies have a much more coordinated response than before.

“We have that interagency template, that playbook for how to work together seamlessly – the intelligence community is over there looking to detect bad guys that want to do bad things. The Department of Defense is over there looking to disrupt bad guys that are going to do bad things. The FBI is here and abroad as well looking, again, to disrupt and prosecute. And then we’re helping protect. That’s the name of the game right now, and I think we’ve made dramatic improvements,” Krebs said.

CISA rethinks criteria to apply for cyber jobs

Meanwhile, CISA is thinking beyond the General Schedule approach to hiring in the federal government, which prioritizes experience in a professional setting, as well as degrees and certifications. Instead, Krebs said the agency is focusing on a younger demographic but with the hands-on experience needed in cybersecurity.

Prospective hires include recent college graduates and those in post-graduate programs with a few years of experience under their belts, as well as younger applicants that are digital natives.

“I’m getting 17 [and] 18 year-olds that apply for jobs that have six years of practical, operational experience in security research because they’ve been online white-hat hackers since they could turn on a computer,” Krebs said. “What we’ve got to do is reconfigure the way that we think about hiring talent pool and maximize those approaches.”

CISA’s reframing of cybersecurity hiring comes a few months after the Office of Personnel Management urged agencies to make skill assessment more of a priority in hiring cyber talent. That OPM memo came in response to the Trump administration’s 2019 executive order to overhaul federal cyber hiring.

Krebs said part of the cyber workforce overhaul should include hiring managers thinking beyond four-year institutions and looking at graduates from trade and vocational schools.

Lastly, Krebs said the cybersecurity community should move away from the “overwhelming” narrative that there are millions of unfilled cyber jobs.

“That’s a nihilistic approach, as I look at it. If we can make stuff more secure by design and deployment, we won’t have all those cybersecurity openings, but that’s just going to put more pressure on the technology job on the front end,” Krebs said.
