Congress wrestles with gaps in cyber workforce

Members of Congress are putting the spotlight on the persistent challenges facing the government as it seeks to beef up its cybersecurity workforce.

Lawmakers on a House panel with oversight of the Department of Homeland Security (DHS) will meet Thursday to explore how to better recruit and retain personnel to fill key federal roles in defending the nation from cyberattacks.

{mosads}The matter is getting attention as the Trump administration grapples with vacancies in high-level cybersecurity positions, including one at the helm of the agency tasked with guarding civilian federal networks and critical infrastructure from cybersecurity threats.

Struggling to find qualified personnel to fill cybersecurity roles is nothing new, as it has become a problem for the public and private sectors as cybersecurity threats have become more pervasive and advanced. But the issue has attracted increased attention in the wake of high-profile breaches, and experts say that challenges will only increase with the expansion of computing devices.

“We have a current problem, but we have an even nastier future problem, because the computer space continues to grow,” said Scott Montgomery, vice president and chief technical strategist at McAfee.

Montgomery is one of a handful of private-sector representatives slated to testify before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Thursday, a group that also includes the vice president and chief information security officer at Northrop Grumman, a major defense contractor.

Rep. John Ratcliffe (R-Texas), who leads the subcommittee, told The Hill that he’s looking for answers from the private sector on what they have done to hire more cybersecurity workers and keep them on.

The hearing, representing the committee’s first since lawmakers returned to Washington this week from the August recess, follows the exit of several high-level IT officials from the federal government over the summer.

The chief information officer at the DHS, for instance, announced his resignation after just three months on the job. The Office of Personnel Management, which fell under scrutiny in 2015 after a data breach exposed personal information on 22 million Americans, also lost its CIO.

Ratcliffe said that the departure of these officials speaks to the broader issue of retaining personnel in cybersecurity roles.

“It is of concern, and it’s not something we can gloss over. Part of why we have hearings like we are having [Thursday] is to draw attention to the challenges,” the Texas Republican said.

Former officials and experts say that the recent exits are not unusual when compared with past administrations, but they agree that long-term gaps in these roles could make it difficult to drive policy changes going forward.

Many say the federal government is particularly hamstrung by the inability to offer competitive salaries on par with the private sector. Montgomery also pointed to research indicating that employees are likely to leave the federal government because of a lack of ability to take time off to train and advance their skills.

“Because some organizations in government have long-standing cyber problems and no workforce to contend with them, you’re not going to send them out for training,” Montgomery said. “You’re going to put them to work.”

He has observed the most intense gaps among analysts who carry out incident response in the wake of breaches, in both the public and private sectors. 

The Trump administration has staffed up in high-level cybersecurity roles within the White House, with the early-on additions of homeland security adviser Tom Bossert and cybersecurity coordinator Rob Joyce.

In other cases, the administration has been slower to select individuals to fill politically appointed positions.

President Trump has not yet nominated a permanent undersecretary of the National Protection and Programs Directorate, the unit inside the DHS charged with protecting federal and critical infrastructure from cyberattacks and sharing threat information with the private sector.

“Cyber is an area that is lagging and needs a jump start,” said James Norton, who served in a cybersecurity role at the DHS during the George W. Bush administration. “It’s been almost 250 days of the new administration and that’s too long not to fill the critical cyber roles at DHS.”

“Decisions on the [Department of Defense] cyber organization seem to be receiving White House attention, and DHS deserves as much attention on cyber as it receives on the border security wall from the White House,” Norton said.

Trump has also yet to select someone to permanently lead the DHS, more than a month after John Kelly left the helm of the agency to become White House chief of staff.

The delay in announcing a nominee for Homeland Security secretary has prompted some concerns among former officials and within the cybersecurity community.

“We’re involved day-to-day … with difficult levels of diplomacy with third-party nation states. Some of those nation states have demonstrated offensive cyber capability and have used that offensive cyber capability against the U.S. in well-documented cases,” Montgomery said.  “That senior role, given what’s going on in the news, that is absolutely one that is cause for concern.”

“That is a role that I would be very uncomfortable if it were empty for long,” he added.

Democrats like Sen. Claire McCaskill (Mo.) have also pressured Trump to swiftly nominate a replacement for Kelly.

Ratcliffe, for now, says he isn’t worried, voicing confidence in acting Secretary Elaine Duke, who is widely lauded for her extensive experience at the department.

“Like everyone, I want to fill these positions, but this is not one where it is a rudderless ship,” Ratcliffe said. “All of the pieces are running really efficiently and can until that choice is made.”

For his part, Ratcliffe is looking to assess whether the DHS is taking advantage of authorities provided by Congress through past legislation to augment its cybersecurity workforce as part of the subcommittee’s oversight of the department.

The vacancies within the federal government are merely a subset of what has become a global problem. By one estimate, the global cybersecurity workforce is expected to be short 1.8 million people by 2022.

“I’m still optimistic about the improvements that the department is making and that, frankly, the federal government is making,” Ratcliffe said. “The workforce is going to be a continuous challenge.”