A new survey by the Washington Post shows that more than three out of four digital security experts believe that, despite President Donald Trump’s pledge to improve cybersecurity, America is just as vulnerable as when he took office.
While the president’s efforts may not be bearing fruit yet, he recently signaled a promising, new approach – training up cyber-talent instead of trying to recruit it. This change in approach may finally close the skills gap that has made cybersecurity such a vexing and longstanding problem.
Between 2015 and 2016, the Federal Deposit Insurance Corporation suffered as many as 54 confirmed or suspected breaches, compromising the personal data of up to 113,000 citizens. In September 2016, an IRS breach exposed the taxpayer information of another 100,000 individuals. Another 75,000 people had their credit information exposed when an Obamacare-created insurance marketplace was hacked.
Security breaches like these might have been stopped with sufficient cybersecurity manpower. “The overwhelming majority of intrusions rely on known, fixable vulnerabilities,” explains former White House cybersecurity coordinator Michael Daniel. “So the bad guys are getting into a hole that we know about, that we also already know how to fix, and probably could have fixed years ago.”
Shortly before the last government shutdown, the Trump administration announced the launch of the Cyber Reskilling Academy to help the federal government turn the tide against hackers and data breaches. This new program will seek to retrain current federal employees for new jobs as cybersecurity experts. This could be a promising step toward filling the 285,000 vacant cybersecurity slots spread throughout the federal government today.
While there is a clear need for talent, the federal government cannot seem to recruit enough qualified people. To begin with, federal recruiters are strictly limited in how they may search for and select talent. Unlike a manager or business owner in the private sector, federal managers cannot recruit, interview or make a job offer to a future employee on their own. A third party – the Office of Personnel Management (OPM) – stands between job-seeker and employer at each of these steps.
It takes an average of 106 days to complete the arcane federal hiring process. In the meantime, candidates are too often kept in the dark regarding the status of their application. As a result, many sought-after job seekers — cybersecurity experts certainly fall into this category — simply give up.
Beyond the burdensome hiring process, federal jobs are a hard sell to many highly trained computer engineers because they do not pay as well as the private sector. While federal employees, as a whole, receive significantly higher total compensation than their private-sector counterparts, those with the highest levels of education and expertise actually receive substantially lower compensation.
Training existing federal employees, in addition to hiring new talent, as the Trump administration plans to do, has a long track record of success. In fact, it is essentially what the military does now.
The military does not hire Navy SEALs, fighter pilots, snipers and ship captains – it makes them.
It does not set, as a prerequisite for employment, the ability to fly an F-16 or hit a bulls-eye at 500 yards. Instead, the military looks for people with some latent aptitude, as demonstrated by a standardized test called the Armed Services Vocational Aptitude Battery (ASVAB), combined with a commitment to serve their country. Then, it sends new recruits to training – sometimes at great expense – to hone their talents.
The federal government might also consider using a test similar to the military’s ASVAB to determine which federal employees have the aptitude for a career in cybersecurity. After all, the military does not send everyone who signs up to flight school or Basic Underwater Demolition/SEAL training; it invests in those whose test scores and on-the-job performance suggest potential.
Of course, to be successful, any training program would have to be high quality and rigorous. Employees in both the private and public sectors are often subjected to online H.R. courses or “continuing professional education” programs that are little more than box-checking exercises.
The Cyber Reskilling Academy should not be pro forma, and graduation should not be guaranteed. It should be hard. Some selectees should wash out. Otherwise, completion of the training will mean little to federal managers, potential private-sector recruiters, and would-be hackers.
Turning to the military as a model for how to harden America’s digital infrastructure makes sense. Despite a rank and pay structure at least as rigid as the civil service’s, the uniformed services have successfully adapted to the rapidly changing capabilities and tactics of America’s enemies. What works on the battlefield can work in cyberspace as well.
This piece originally appeared in The Roanoke Times