US could run short on talent to fight cyber-war, study says
The demand for cyber-security experts in the high-paying private sector is creating stiff competition for the best and the brightest and leaving key government positions unfilled.
Kacper Pempel/Reuters/File
Job postings for cyber-security experts are going unfilled in the federal government, a shortfall threatening to undermine US national security by leaving the nation poorly prepared to fight in cyber-space, a new study says.
Demand for cyber-security professionals has leaped across the United States in recent years, spurred by events like the 2007 Russian hacker attack on Estonia, cyber-crime against retailers, and pervasive Chinese cyber-espionage targeting US corporations.
Emergence of such cyber-threats from the shadows has brought fresh fears among CEOs and a race throughout the US economy to snap up the best and the brightest cyber-experts to safeguard America’s critical and corporate networks.
That race – and its soaring salaries for the best qualified – has left the US government, from the Department of Homeland Security (DHS) to the Pentagon’s new US Cyber Command, scrambling to compete with the private sector for qualified personnel, says the new RAND study “H4CKER5 Wanted: An Examination of the Cybersecurity Labor Market.”
Today the US may have only around 1,000 top-tier cyber-security experts with the specialized security skills needed to function effectively in cyber-space, the study said, citing previous research. Meanwhile, the nation needs maybe 10,000 to 40,000, according to various estimates.
In response, the federal government has tried to prime the pump with a series of “hackathon” style contests to try to interest high school students in getting into the cyber-security field. Events include: US Cyber Challenge, the Cyber Security Treasure Hunt, CyberPatriot, NetWars, and the DC3 (Defense Cyber Crime Center) Digital Forensics Challenge.
Some key agencies like the FBI, National Security Agency (NSA) and Department of Defense also have their own robust in-house cyber workforce programs.
Yet efforts to boost the supply of cyber-experts over the long term have yet to yield enough fruit to meet the near-term need.
"It's largely a supply-and-demand problem," says Martin Libicki, lead author of the study and senior management scientist at RAND, a nonprofit research organization. "As cyber-attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cyber-security professionals takes time."
Simply outsourcing cyber-security isn’t a long-term solution either, the study authors found. At the DHS, an internal study found the agency was having problems finding the cyber-security manpower it needed because “those who were hired did not get the interesting and challenging work assignments – the ‘cool jobs.’ ” As a result, “DHS was not viewed as a ‘cool’ place to work, which made it uncompetitive for finding such professionals,” the report notes.
The opposite is true at the NSA. The caché of working at what is widely considered the top US agency for cyber talent persists despite the debacle over documents released by former NSA contractor Edward Snowden, the study notes.
The NSA has other advantages over other government agencies: It has flexibility to hike salaries above government civil service levels. But it also takes hiring seriously. While just 80 staff are considered full-time recruiters, another 300 work part-time in recruitment with 1,500 more employees involved in the process.
“All told, that is a great deal of effort – suggesting, from our perspective,
that the difficulties of finding enough cyber-security professionals can be largely met if sufficient energy is devoted to the task,” the report authors observe.
But there’s another major problem: Can you teach someone to be a top hacker? Even if agencies can meet demand for the bulk of cyber-security professionals by recruiting and training people, “the same cannot be said for upper-tier cyber-security professionals, of whom there is a much more serious shortfall,” the report notes.
Cyber-security professionals at the high end of the capability scale are commanding salaries of $200,000 to $250,000 or more, Dr. Libicki says. Yet some large organizations – defense contractors, the NSA, and other agencies – have managed to deal with the shortage through internal promotion and education.
To put government back in the game and fix systemic problems recruiting talent, the report recommends:
- Waiving civil service rules that limit salary and impede hiring of top cyber talent.
- Maintaining government hiring of these professionals through sequestrations. (During the recent budget sequestration scores of government cyber-experts were released from their contracts.)
- Funding software licenses and equipment for educational programs.
- Refining tests to identify candidates likely to succeed in these careers, and developing methods to attract women into the field.
Despite all that, the “threats are growing smarter, and new threat actors are learning that they can attack the United States in cyber-space when any other form of assault is impossible,” the report notes.
Given that trend, it’s reasonable to ask with computer networks growing more complex and microchips embedded in cars, refrigerators and mundane devices, will there ever be enough cyber-security experts to meet demand?
Libicki and his coauthors think so. With wages soaring, and cyber education programs popping up like mushrooms, the labor market for cyber-security will eventually even out, he says. But there’s another possibility, too.
“The more expensive and knotty is the cyber-threat, the greater the odds that the target may turn to radically new technology and architectures, which can sharply reduce the harm that threats can cause,” the report concludes, “and with it the need for so many talented cyber-security professionals.”