Analysts at the National Cybersecurity and Communications Integration Center a cybersecurity exercise. A task force recommended that DHS hire its own cybersecurity experts. (Jim Watson / AFP via Getty Images)
Department of Homeland Security contractors, not DHS employees, have most of the “cool” jobs in cybersecurity — hacking into systems and networks and assessing whether they can withstand sophisticated attacks, “the jobs that are right at the interface between the bad guys and the good guys.”
That’s one of the conclusions of Alan Paller, director of research at the SANS Institute and co-chairman of DHS’ Cyberskills task force, which this month recommended that the department hire about 600 of its own cybersecurity experts with these mission-critical skills. The task force had broad access inside DHS and spent hours in confidential meetings to assess the size and abilities of DHS’ current cyber workforce. The task force also urged DHS to:
Establish a pilot DHS CyberReserve program that ensures cyber experts within DHS and outside government are readily available to DHS in times of need.
Create a two-year, community-college-based program that identifies and trains people for mission-critical cybersecurity jobs.
Federal Times spoke with Paller following the release of the task force recommendations. Following are edited excerpts:
Q: What sets the task force’s work apart from other studies and initiatives focused on DHS cybersecurity workforce issues?
A: One is the concept of red-zone jobs. ... [It’s a focus] on the jobs that are right at the interface between the bad guys and the good guys, the ones that have to be done in real-time, the ones that if you do them wrong, the systems are toast. So, [the report] isolates the most critical jobs and focused on those skills, and that makes it radically different from every other effort in cybersecurity in government.
Everything else talked about cybersecurity professionals, or talked about every single possible job of a cybersecurity professional, like the NICE [National Initiative for Cybersecurity Education] initiative … but you don’t know which ones are critical. So, this is the first time an official body said if we don’t do this well, it doesn’t much matter what else we do.
Q: How did Secretary Janet Napolitano react to these recommendations?
A: I think what we were most amazed by is how deeply she had read them, and how deep her understanding of how to implement them was. … She understood them; she understood why they were going to be hard to implement and where. … I don’t think we had our mouths open, but I looked around the table and there were these wide-eyed looks that, wow, she’s engaged. That’s not unreasonable because at our first meeting with her, she said to us, “Have you solved my problem yet?”
Q: What are the next steps, in terms of DHS implementing the recommendations?
A: [The secretary] has said she is going to implement them, and she is going to keep us [the task force] informed. She wants to keep the task force together as an asset and keep us informed of progress, which is really amazing because usually when a task force is done, they’re done.
Q: Was there anything about DHS and its cybersecurity and workforce efforts that surprised you?
A: The only one for me was that they had outsourced all the cool jobs. They have a lot of cool jobs at DHS … red teaming and after-action, going into a power company to find out how the bad guys did it. Think of “CSI” [Crime Scene Investigation] or “NCIS” [Naval Criminal Investigative Service].
Q: Does the report at all underscore criticisms from Capitol Hill and some industry groups that argue DHS is not equipped to lead cybersecurity efforts?
A: I think you can conclude from the combination of outsourced cool jobs and need [for] 600 that there is definitely a gap that needs to be filled very quickly for the department to be a full partner with [the Defense Department] in protecting the nation.
Q: What level of access did the task force have inside of DHS?
A: There were at least 40, probably 60 separate meetings or phone calls that were very intense. Think of them like hearings, where we asked really hard questions and people wondered if they had to answer them, and when they found out that they did, they answered them.
Q: What was the hardest question you asked during those meetings?
A: “How many people do you have who have the following skills?” I think it’s hard to answer a question where some outsider is saying you need this particular skill ... and you look around and don’t see very many [who do]. That’s why it’s so important that these [mission-critical] jobs be filled right away, not in a year, but now.
Q: How long do you think it will take to implement these recommendations?
A: I think they’re going to implement this over the next 90 to 180 days, and they can do that. They can’t get all the way up to 600, but they can fundamentally turn the department around between 90 and 180 days. This isn’t illogical. The reason is, for example, we’ve got all these cool jobs that have been outsourced.
Q: The report recommends that DHS’ deputy undersecretary for management and the chief financial officer reprogram funds so that at least 50 mission-critical or cool positions now filled by contractors will be filled by newly hired federal employees
A: If you’re going to act quickly, [insourcing] it’s the only way to do it. You can move a lot of these contractors in 60 days.
Q: How does that work in cybersecurity?
A: For the next year or two or maybe three, the plan is to use board testing [similar to scenario-based board certifications for physicians], and the boards are already being developed. They should be beta tested within 30 days. The boards are independent of DHS. Some of the top schools in the country are building the boards. The very best security organizations in the world do exactly this. They don’t call it board certified, but they put you through a bunch of scenarios and see how you do and put you in front of a terminal and see how you do. So this isn’t groundbreaking thinking.
Right now what [agencies] do is they list a whole bunch of characteristics of the employee, and if the employee is missing any one of them, he drops out. And so what they’ve got left is somebody who on paper does all of these, but in many cases ... [is] not able to do it.
The main challenge will be people who have gotten comfortable not having the technical skills, and they want to fight it.
Q: How does DHS compete for cyber talent or distinguish itself?
A: If it reserves the best of the coolest jobs for employees and explains the whole package of federal employment rather than just salary, we think they will compete very favorably. People really like working for the government if they’ve got a cool job, and they don’t mind a little less money.
You can see that at NSA [the National Security Agency] all the time, you can see that in the military all the time. It just wasn’t true at DHS because the cool jobs were contracted out.