Modern field guide to security and privacy

US could run short on talent to fight cyber-war, study says

The demand for cyber-security experts in the high-paying private sector is creating stiff competition for the best and the brightest and leaving key government positions unfilled.


Job postings for cyber-security experts are going unfilled in the federal government, a shortfall threatening to undermine US national security by leaving the nation poorly prepared to fight in cyber-space, a new study says.

Demand for cyber-security professionals has leaped across the United States in recent years, spurred by events like the 2007 Russian hacker attack on Estonia, cyber-crime against retailers, and pervasive Chinese cyber-espionage targeting US corporations.

Emergence of such cyber-threats from the shadows has brought fresh fears among CEOs and a race throughout the US economy to snap up the best and the brightest cyber-experts to safeguard America’s critical and corporate networks.

That race – and its soaring salaries for the best qualified – has left the US government, from the Department of Homeland Security (DHS) to the Pentagon’s new US Cyber Command, scrambling to compete with the private sector for qualified personnel, says the new RAND study “H4CKER5 Wanted: An Examination of the Cybersecurity Labor Market.”

Today the US may have only around 1,000 top-tier cyber-security experts with the specialized security skills needed to function effectively in cyber-space, the study said, citing previous research. Meanwhile, the nation needs maybe 10,000 to 40,000, according to various estimates.

In response, the federal government has tried to prime the pump with a series of “hackathon” style contests to try to interest high school students in getting into the cyber-security field. Events include: US Cyber Challenge, the Cyber Security Treasure Hunt, CyberPatriot, NetWars, and the DC3 (Defense Cyber Crime Center) Digital Forensics Challenge.

Some key agencies like the FBI, National Security Agency (NSA) and Department of Defense also have their own robust in-house cyber workforce programs.

Yet efforts to boost the supply of cyber-experts over the long term have yet to yield enough fruit to meet the near-term need.

"It's largely a supply-and-demand problem," says Martin Libicki, lead author of the study and senior management scientist at RAND, a nonprofit research organization. "As cyber-attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cyber-security professionals takes time."

Simply outsourcing cyber-security isn’t a long-term solution either, the study authors found. At the DHS, an internal study found the agency was having problems finding the cyber-security manpower it needed because “those who were hired did not get the interesting and challenging work assignments – the ‘cool jobs.’ ” As a result, “DHS was not viewed as a ‘cool’ place to work, which made it uncompetitive for finding such professionals,” the report notes.

The opposite is true at the NSA. The cachet of working at what is widely considered the top US agency for cyber talent persists despite the debacle over documents released by former NSA contractor Edward Snowden, the study notes.

The NSA has other advantages over other government agencies: It has flexibility to hike salaries above government civil service levels. But it also takes hiring seriously. While just 80 staff are considered full-time recruiters, another 300 work part-time in recruitment with 1,500 more employees involved in the process.

“All told, that is a great deal of effort – suggesting, from our perspective, that the difficulties of finding enough cyber-security professionals can be largely met if sufficient energy is devoted to the task,” the report authors observe.

But there’s another major problem: Can you teach someone to be a top hacker? Even if agencies can meet demand for the bulk of cyber-security professionals by recruiting and training people, “the same cannot be said for upper-tier cyber-security professionals, of whom there is a much more serious shortfall,” the report notes.

Cyber-security professionals at the high end of the capability scale are commanding salaries of $200,000 to $250,000 or more, Dr. Libicki says. Yet some large organizations – defense contractors, the NSA, and other agencies – have managed to deal with the shortage through internal promotion and education.

To put government back in the game and fix systemic problems recruiting talent, the report recommends:

  • Waiving civil service rules that limit salary and impede hiring of top cyber talent.
  • Maintaining government hiring of these professionals through sequestrations. (During the recent budget sequestration, scores of government cyber-experts were released from their contracts.)
  • Funding software licenses and equipment for educational programs.
  • Refining tests to identify candidates likely to succeed in these careers, and developing methods to attract women into the field.

Despite all that, the “threats are growing smarter, and new threat actors are learning that they can attack the United States in cyber-space when any other form of assault is impossible,” the report notes.

Given that trend, it’s reasonable to ask: With computer networks growing more complex and microchips embedded in cars, refrigerators, and mundane devices, will there ever be enough cyber-security experts to meet demand?

Libicki and his coauthors think so. With wages soaring, and cyber education programs popping up like mushrooms, the labor market for cyber-security will eventually even out, he says. But there’s another possibility, too.

“The more expensive and knotty is the cyber-threat, the greater the odds that the target may turn to radically new technology and architectures, which can sharply reduce the harm that threats can cause,” the report concludes, “and with it the need for so many talented cyber-security professionals.”
