Obama plan to boost cybersecurity workforce fails to impress professionals

Cybersecurity experts say a White House plan to bolster numbers of professionals working to safeguard federal networks doesn't go far enough. 

Attendees at the 2016 Black Hat cybersecurity conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker

David Becker/Reuters

August 10, 2016

The battle over encryption on consumer devices isn't the only area where many in Washington and Silicon Valley diverge when it comes to cybersecurity. 

They also can't seem to agree on the best path to grow the federal cybersecurity workforce so government agencies can better defend against breaches such as last year's massive Office of Personnel Management breach.

While the White House recently proposed a series of measures to address the lack of skilled digital defenders working for the government, many cybersecurity experts say the plan doesn't go far enough – and won't be implemented soon enough – to adequately address the severity of the cyberthreat facing the US.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

"The strategies that have been defined appear to address the challenges currently faced," says Candy Alexander, a member of the Board at the Information Systems Security Association (ISSA), a cybersecurity nonprofit organization. "[But] it appears to address the problem with old solutions.”

The White House Federal Cybersecurity Workforce Strategy is the government's first ever plan to bolstering the number of information security workers and represents several years of research and study on the topic. 

The strategy includes short-term measures such as hiring 3,500 more information security professionals in government by January 2017 and longer-term initiatives such as increasing salaries and establishing formal career paths for government cybersecurity professionals.

The plan also calls on government agencies to expand the sources from which they recruit security professionals and explore opportunities to establish fellowship and other programs for attracting top talent. Up to $62 million will be available in fiscal 2017 for cybersecurity education and training.

Several senior White House information technology officials have cast the plan as a "meaningful first step" but one that will take time to implement and require support from industry stakeholders to become a success.

“It sets forth a vision where private sector cybersecurity leaders would see a tour of duty in federal service as an essential stop in their career arc,” the officials said in a White House blog post last month.

Karen Evans, who served as the de facto chief information officer for the US government before President Obama created the official office, says the new White House strategy addresses many of the issues that federal agencies have been dealing with for years in their efforts to attract and retain more information security professionals.

"These are the things that everyone is working on," notes Ms. Evans, who is currently the national director of US Cyber Challenge. "The workforce strategy articulates all the different initiatives that have to be undertaken at a national level,” to address the skills issue.

In that sense, the White House initiative represents a step in the right direction, she says. But as with many federal proposals, the devil is in the detail, private sector security experts say.

The planned federal investment in education and training for example, is laudable but unlikely by itself to generate the cybersecurity talent that federal agencies need, said many experts.

"The private sector has found that graduates from any technology university program are already behind in skills and knowledge,” by the time they hit the job market because of the rate at which technology and risks change," says Ms. Alexander of ISSA.

A better bet in the short-term would be to put more emphasis on obtaining talent from other careers that have transferable skills that can be used in cybersecurity. A stronger focus on "just in time" learning is another approach worth focusing on, says Alexander. "Cybersecurity is heavily focused on technology, and cybersecurity staff need the ability to keep up with their skills and learn the latest technologies."

There are also questions also over whether the White House proposal will do anything to boost the availability of security skills in areas such as cybersecurity analytics, risk assessment and management, penetration testing and incident detection and response.

Security analysts consider such skills critical to an organization’s ability to defend itself against cyberthreats. But government and private organizations have had an especially hard time finding and retaining such talent because of the broader lack of skilled professionals in the industry.

"There are a lot of people in government calling themselves cybersecurity workers and they do important things" such as implementing security guidance, remedying flaws, and administering systems, says Frank Reeder a former IT official at the Office of Management and Budget and cofounder of the Center for Internet Security. "They are good folks and they need to continue what they are doing."

While the White House workforce proposal will likely end up bolstering the availability of such skills within government agencies, it offers little by way of incentive to ensure availability of the high-end specialist skills that are sorely needed, says Mr. Reeder.  

“Until the government and enterprises focus on that piece of the cyber workforce all we are doing is playing a numbers game,” he says. “We won’t have the high-end skills to provide a first line of defense.”