Feds experiencing critical cybersecurity staff shortage

The Homeland Security Department is focused on recruiting and hiring cybersecurity personnel. It tripled the number of professionals working in the National Cybersecurity Division in fiscal 2009 and doubled it again last year.

But that still brings the number of cybersecurity professionals working in the division to only 220.

“We just don’t have enough people yet,” Philip Reitinger, deputy undersecretary in the National Protection and Programs Directorate, said Thursday at a forum on workforce development hosted in Washington by Deloitte. “This is going to be a continuing challenge for us.”

DHS has been recruiting from other agencies as well as from the private sector, but Reitinger called that a “zero sum game,” because there are not enough trained professionals coming into the field to meet demand. “There are not enough people to go around.”

The problem has been recognized for several years and a number of public-private initiatives are under way to identify students with the proper interests and abilities in high school or even earlier, and to provide them with educational opportunities and career paths.

Related stories:

Cybersecurity boot camps are a start toward a skilled workforce

Deadline looms for CyberPatriot competition

Several high school and collegiate cybersecurity competitions are flourishing, and the University of Maryland University College has established three cybersecurity degree programs to help fill the demand for tens of thousands of professionals in Maryland, which is home not only to the National Security Agency but also to the Pentagon’s new Cyber Command.

It will be two to 12 years or even more before these new pipelines begin supplying significant numbers of new workers, however. In the meantime, the federal government is at a disadvantage in this market because of its recruiting and hiring practices.

“The current federal process is a disincentive to come in” to government work, said James Lewis, director of the technology and public policy program  at the Center for Strategic and International Studies. He said the problem was not limited to cybersecurity. “It’s a larger workforce problem.”

Reitinger agreed. “Hiring in the federal government has to be modernized across the board,” he said.

DHS has obtained waivers from the Office of Personnel Management to use greater flexibility in its hiring process and has experimented with techniques, such as a virtual job fair conducted online. But this cannot make up for the lack of a trained workforce produced by strong science, technology, engineering and mathematics (STEM) programs.

“This is a glaring weakness here in the United States,” said Jake Olcott, counsel to the Senate Commerce, Science and Transportation Committee. “Our STEM educational system is not working well right now.”

Colleges and universities have offered computer science programs since the days of punch cards, but the integration of computer science with security, law, law enforcement, government policy and all things cyber is only just getting under way.

“Professionalization” is key to developing a cyber workforce, Lewis said. “We need a more disciplined approach.”

There are plenty of training and certification programs available, but Lewis said there is no correlation between certification and job performance. Better ways are needed to assess competence and performance.

“We need to move cyber more toward science,” Reitinger said, in order to replace the guesswork and blind assumptions that dominate much of the field today with documented, quantifiable and testable knowledge.

One of the leaders in this effort is the UMUC, where three bachelor’s and master’s degree programs are being offered for the first time this fall.

“We have taken it on as a critical priority,” said UMUC President Susan C. Aldridge. The programs were announced earlier this year in response to efforts to establish Maryland as a cybersecurity hub.

One of the drivers for the program is the school’s work with the Defense Department, providing educational programs for military personnel.

The degree programs were created with input from industry to provide practical and theoretical training. The bachelor’s degree in cybersecurity will require 120 credits, including 33 credits of coursework in the major, and is being offered both completely online or in a combination of online study and on-site instruction. Master's degrees are being offered in cybersecurity and cybersecurity policy, each of which will require 36 credits of coursework offered in six six-credit online courses. Students also must complete internship programs.

The University of Maryland also announced this week the creation of the Maryland Cybersecurity Center, a multi-disciplinary educational and research and development center. Educators from engineering and computer sciences, as well as from non-technical disciplines, including business, public policy and economics, will work with the private sector to produce technology and services that can be commercialized.

Aldridge said UMUC’s cybersecurity programs are not waiting for students to arrive through the usual educational pipeline. “We can’t just take traditional students,” she said. The average age of students enrolled in the program is 32.

The Navy, which recently stood up its 10th Fleet as a cyber command, is not waiting on college programs to recruit personnel, said Kevin C. Cooley, the fleet command’s information officer.

“We’re trying to attract young men and women who have just finished high school,” he said. Recruiting tech-savvy youngsters takes some innovation. Cooley said he and others experienced an “old person’s revelation” when it dawned on them they would have to go outside the usual channels to attract the people they needed. The Navy is relying more on its digital presence, using tools such as Facebook and other social media to communicate.

Reitinger said government has one advantage in recruiting critical technical skills. Many government workers accept the lower pay and lack of flexibility because they see the work as a public service in a mission critical area, he said.