Federal cyber workforce described as unequal to threats
Rigid hiring processes and low pay for specialized employees have kept the U.S. government from developing the type of cyber workforce it needs to keep up with growing attacks, according to an independent analysis.
The federal government has positioned itself poorly for recruiting cybersecurity personnel at a time when the nation as a whole is facing a shortage, the Partnership for Public Service said in a report released Tuesday.
Aside from noncompetitive pay and strict hiring rules, the causes of the deficiency include weak talent pipelines and the lack of a government-wide strategy for hiring and keeping talent, the group said.
“Taking a page from the nation's approach to counter-terrorism, we believe it will take a network to defeat -- or at least defend against -- all the cyber threats against our network,” the report said. “And that network cannot just be one of terminals and fiber optic cables, it must be about the people.”
The study follows up on a 2009 analysis from the management consultancy Booz Allen Hamilton that found the government had virtually no sense of the size or competence of its cyber workforce, let alone what it would need for the future.
The Partnership for Public Service said the problems have grown more acute in recent years as threats have multiplied. A report from the Government Accountability Office said federal systems were breached more than 67,000 times in 2014, a 1,121 percent increase from 2006.
Among the more notable incidents in recent years, attackers have hacked the White House, State Department, Postal Service and National Weather Service networks, in addition to a U.S. military Twitter account.
A Rand Corp. analysis last year found that agencies are struggling to find employees who can analyze complex cybersecurity threats, as well as the rare workers who can combine elite technical expertise with leadership, communication and team-building skills.
The partnership recommended that the government address its recruitment problem in part by exempting all cybersecurity job openings from federal competitive-hiring guidelines.
Under that policy, agencies could appoint applicants to cybersecurity positions without advertising the vacancies to the public and without following certain veterans-preference requirements. Congress authorized the policy for the Department of Homeland Security last year.
Regarding pay, the partnership found that senior-level cybersecurity employees with the government earn between $24,000 and $33,000 less than their private-sector counterparts. Entry-level federal workers in the same field earn $8,000 to $14,000 less than their nongovernment colleagues.
The report urged the government to conduct its own salary analysis and craft a “market-sensitive pay system” for its cyber workforce.
The partnership acknowledged that the Office of Management and Budget has taken steps to “close the cybersecurity workforce gap,” but it said the government has not developed a comprehensive plan for all federal agencies.