11 December 2019

Building and Retaining a First-Class Cyber Workforce

By Commander Timothy L. Castro

The first computer virus was created in the early 1970s, and in 1988, the first computer worm was distributed, gaining widespread media attention. More than 30 years later, viruses and malware have evolved significantly in sophistication and complexity. In recent years, there have been numerous high-profile cyber attacks, such as the security breaches at Target or the Office of Personnel Management. There also have been openly reported U.S. offensive cyber operations, such as a recent offensive cyber strike against Iranian computer systems used to control rocket and missile launchers in response to Iran’s shoot down of an unmanned U.S. surveillance drone.

A well-trained and properly resourced cadre of U.S. cyber security professionals and cyber warfare–designated military members is needed to address increasingly complex cyber challenges. The government has taken some important steps to grow its cyber capabilities, but its adversaries are already advanced, skilled operators in the cyber arena and the United States continues to struggle to keep pace. More and better measures are needed to attract cyber talent, including a streamlined hiring process for a civilian cyber workforce, incentives to military members and civilian government employees to retain experienced cyber professionals, and a relaxing of cooling-off period requirements for separating military members seeking civilian federal employment.

The Threat


The January 2019 U.S. Intelligence Community Worldwide Threat Assessment noted, “Russia has been employing cyberwarfare against their adversaries for more than a decade. Russia seeks to influence and restore their global power through cyber activities that undermine support within targeted democratic governments and institutions. They have employed cyber-attacks against other countries’ financial institutions, communication networks, election commissions, and social media networks.” The threat to critical infrastructure cannot be overstated, and it is apparent “Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016.” China has steadily grown its cyber capabilities and has fostered a whole industry behind cyber espionage, cyber attack, and cyber theft. CNBC reported:

A new government report calls China the top cyber-espionage threat to government agencies and U.S. businesses, and warns that the country has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline—for days to weeks in the United States.

The National Cyber Security Alliance states, “The unprecedented demand for well-trained cybersecurity workers continues to grow. Some experts predict that there will be a global shortage of two million cybersecurity professionals by next year.” The personnel shortage extends beyond commercial industry and into the Department of Defense (DoD), prevalent in both the civilian government workforce and the military ranks of all the services. Yet, the Chairman of the Joint Chiefs of Staff, designated the cyber “Global Integrator” in the 2018 National Defense Strategy, is not resourced to ensure unity of effort across the government for cyber activities. Much more is required to bridge the capability gap.

Building a Better Cyber Force

The National Institute of Standards and Technology (NIST), founded in 1901, has worked in the cybersecurity field since the early 1970s. NIST has contributed numerous cyber improvements to industry and government agencies over the years, including developing data encryption standards; developing cybersecurity standards and best practices for system protection; and protecting against attacks to availability, integrity, and confidentiality of information. In 2008, NIST instituted the National Initiative for Cybersecurity Education (NICE), a public-private collaboration among government, academia, and industry. NICE was established to enhance overall U.S. cybersecurity capabilities and as the lead agency, “NIST works with more than 20 federal departments and agencies, as well as with industry and academia, to ensure a digital economy enabled by a knowledgeable and skilled cybersecurity workforce.” NICE will help deepen the pool of cyber talent, but this is just a first step in addressing the shortage of cyber professionals in the United States. Next, it will be up to government agencies—and, more pointedly, their human resources departments—to improve the hiring process and actually get these candidates in the door.

A large misconception is that the federal government cannot attract cyber talent because industry pays substantially more for the same experience level. However, a recent study conducted by LinkedIn Salary debunked this—“An IT manager in the Washington, D.C., area can earn a median base salary of $100,000, but the federal salary falls within a range of $70,000-$145,000 for the region.” On average, industry only pays about $10,000 more per year than a comparable federal cyber employee. Cyber talent turns to industry not because of higher pay, but because the government hiring process takes far too long. Most candidates for federal employment are not willing to wait months to be hired and are effectively pushed to industry by default. There have been attempts to improve the hiring process for federal employees, but after “several years of federal hiring improvement initiatives, agencies have done little to make a dent in their average time-to-hire. In fact, the number continues to creep up. It took agencies, on average, 106 days to hire a new employee in fiscal 2017, short once again of the government-wide goal of 80 days.”

The Office of Personnel Management released the Federal Cybersecurity Workforce Strategy on 12 July 2016. It details government-wide actions to “identify, expand, recruit, develop, retain and sustain a capable and competent cybersecurity workforce in key functional areas to address complex and ever-evolving cyber threats.” The strategy is a promising step in establishing programs to help federal agencies provide flexibility in compensating recruits in the highly skilled cybersecurity disciplines. “For example, agency leaders can offer up to 25 percent of annual pay bonus for retaining an employee and 10 percent for a group of employees. There are also relocation incentives and student loan repayment up to $60,000.”

The fiscal year 2020 National Defense Authorization Act provides “$10 million for the implementation of the Cyber Excepted Service (CES), a component of the excepted service, as authorized in section 1599f of Title 10, United States Code. CES will be a critical pillar in building a cyber workforce for the nation, however, the slow rate of implementation has been a challenge.”1 If approved for the CES, civilian cyber employees stand to receive a pay increase equivalent to two federal civilian within-paygrade steps, which is approximately six percent higher than their counterparts in other disciplines. The CES could be an invaluable recruiting tool to attract cyber professionals to federal service, but implementation must be expedited to start closing the gap in staffing for these critical skills.

The FY 20 NDAA also provides “$12 million for the establishment of cyber institutes at Senior Military Colleges.”2 While cyber institutes help educate a new influx of military members in the cyber disciplines as they climb the ranks and gain experience, they also help these members become even more valuable to the commercial world. Retaining these trained and credentialed cyber professionals will require better reenlistment and retention bonuses, similar to the bonuses provided in other critical career fields, such as the medical profession, nuclear power, and aviation.

The Army currently plans to implement incentives to recruit and retain cyber warriors that include, “an accession bonus of $40,000 for direct commissioned officers . . . and senior NCOS can receive a written bonus agreement of $60,000 or $100,000 for three- or four-year commitments, respectively.” The other branches must follow suit if they intend to retain their cyber professionals. Time is running out, and all the services must act quickly to implement incentives to retain critical cyber skills or risk losing them to industry in the near future.

When it is time for service members to leave active duty, either through retirement or voluntary separation, they often seek and take employment in industry because of a federally mandated six-month cooling-off period before they can be hired as federal civilian employees. This restriction should be relaxed or waived entirely for these well trained and fully credentialed military cyber professionals. Congress must act and provide a pathway to hire them into the federal civilian workforce.

The government has identified measures to grow a first-class cyber workforce capable of competing with peer and near-peer adversaries, but implementation has lagged and the capability gap for cyber talent has increased. A first-class cyber security workforce can be cultivated only by rapidly implementing incentives that will attract and retain military and civilian government cyber professionals. Cyber talent must be hired into the civilian federal government workforce in weeks, not months. The military must also offer incentives to its members in the cyber and information warfare designators to increase retention. Without these and other measures, the United States risks losing more ground to adversaries in the cyber domain and potentially losing a future war in cyber space.

No comments: