A little over a week ago I wrote about a teleconference to be held by the
Homeland Security Advisory Council that was to review a report on cyber skills.
That report became publicly available last week, but there is still nothing on
the HSAC web site (beyond a link to this report) about the Cyber Skills Task Force
or mention of last week’s teleconference.
According to the preface to the report, Secretary Napolitano
established the Task Force with a two-part mission:
• Identify the best ways DHS can
foster the development of a national security workforce capable of meeting
current and future cybersecurity challenges; and
• Outline how DHS can improve its
capability to recruit and retain that sophisticated cybersecurity talent.
Establishing Trained Workforce
While there is a clearly recognized nationwide shortage of
trained cybersecurity personnel, the main focus of this report is on building a
cybersecurity workforce within DHS to meet the Department’s need for cybersecurity
personnel. The report establishes five objectives and eleven supporting
recommendations to further that goal. The objectives are (pages 3-4):
• Ensure that the people given
responsibility for mission-critical cybersecurity roles and tasks at DHS have demonstrated
that they have high proficiency in those areas.
• Help DHS employees develop and
maintain advanced technical cybersecurity skills and render their working
environment so supportive that qualified candidates will prefer to work at DHS.
• Radically expand the pipeline of highly
qualified candidates for technical mission-critical jobs through innovative
partnerships with community colleges, universities, organizers of cyber
competitions, and other federal agencies.
• Focus the large majority of DHS’s
near term efforts in cybersecurity hiring, training, and human capital
development on ensuring that the Department builds a team of approximately 600
federal employees with mission-critical cybersecurity skills.
• Establish a “CyberReserve” program
to ensure a cadre of technically proficient cybersecurity professionals are
ready to be called upon if and when the nation needs them.
Table 1 goes on to list a number of specific jobs that the
Department needs to fill to fulfill its cybersecurity mission. There is no
indication where the Department intends to slot these jobs, nor how many of
each they expect to need, but it is clearly a fairly extensive set of requirements.
The jobs include:
• System and network penetration tester;
• Application penetration tester;
• Security monitoring and event analysis;
• Incident responder in-depth;
• Threat analyst/Counter-intelligence analyst;
• Risk assessment engineers;
• Advanced forensics analysts for law enforcement;
• Secure coders and code reviewers;
• Security engineers – operations; and
• Security engineers/architects for building security in.
Non-Traditional Education
If the 600 jobs mentioned in Objective 4 cover the jobs
listed above, DHS is certainly going to have a hard time finding appropriately
trained/experienced bodies to fill those positions. The report notes that the
traditional method of hiring folks for skilled positions is to look for college
graduates. One government-wide program being used to attract such graduates is
the Scholarship for Service program, but DHS has only been able to attract 25
such graduates over the last 10 years; competition from more prestigious
organizations such as NSA and the military services has proven to be too much
for DHS recruiters.
The report suggests that DHS turn to developing
non-traditional training programs. One such suggestion is to partner with 10
(unnamed) community colleges to develop certification-based educational
programs that target necessary hands-on skill sets. The unstated problem with
that is that DHS will still have to compete with other federal agencies and
civilian employers for graduates of this type of program.
There was an interesting private-public partnership at my
alma mater, Columbus College (now Columbus State University), in the ’90s. This plan,
established by the college and a local credit card processing company, produced
a shortened BS degree program in computer programming. Students applied to the
program through the company, had their tuition paid, and received a small
stipend during the two-year program. They then had a two-year commitment to
work for the company after graduation at a somewhat lower-than-normal
entry-level pay. Those who stayed after the two years (were allowed to and
wanted to stay) had their pay increased to that of a standard computer programmer
with two years of experience. It was a very successful program for the company
and produced a large core of experienced programmers in the area that brought
in a number of other companies to the area.
If DHS could establish this type of program,
similar in structure to the military ROTC program, but based upon technical
colleges and a certificate-type program, they might be able to fill their 600
slots and keep them filled with freshly trained graduates on an ongoing basis.
This would also lead to more of these types of people becoming available for
the private sector, which has essentially the same need for cybersecurity technical
personnel.