Cyber Workforce

There is nothing "new" in recent reports of gaps in the United States government’s cyber security workforce, as numerous commissions and reports have identified the problem and solutions for over a decade. We remain stuck in a Ferris wheel of our own making and, worse, mistaking movement for progress.

A recently released report by the Inspector General for the Federal Bureau of Investigation found 35% of their special agents assigned to investigate national security cyber intrusions cases lacked the requisite training, experience, and technical skills. These are the G-men investigating the kinds of foreign espionage intrusions reported so frequently in the press – such as spying into “nuclear weapons and research labs” (2001), the theft of data on the F-35 fighter program (2009), “10 to 20 terabytes” stolen from the military (2006), or backdoors found in the electrical grid to abet future crippling military attacks (2009) – so this workforce shortfall is a serious matter for America’s national security.

One reason for this lack of cyber expertise is that the FBI trains agents to be cyber specialists, only to rotate them to non-cyber jobs afterwards. Worse, their replacements often come with little expertise, requiring field offices to start the training process from scratch. 

This is of course bad for the Bureau and worse for the United States, as these problems are not confined to the FBI. For example, a 2010 study for Strategic Command found that United States military “commands are forced to do more work with fewer, less-qualified technicians due to high turnover of staff leaving positions and the inexperience of incoming replacement personnel.” Talented junior officers and enlisted have quit the service, frustrated they’d been trained in specific, often highly specialized and classified, skills for the cyber battlefield only to be rotated out to run an IT help desk. All of this leaves the Secretary of Defense feeling “desperately short of people who have the capabilities (defensive and offensive cybersecurity war skills) in all the Services.” This is one reason why our efforts at cyber workforce resemble a Ferris wheel: people get on and swept up and away, but the ride doesn’t last long and they’re quickly replaced by someone else. The replacement takes the same seat and thrills to the same view, but nothing else changes.

We can take some comfort that the FBI and DoD are recognizing this problem, and indeed there have been many excellent reports giving both wider and deeper insights. The Center for Strategic and International Studies report on “A Human Capital Crisis in Cybersecurity” gives a high-level view plus specific recommendations, as does “Cyber In-Security” from the Partnership for Public Service and Booz Allen Hamilton, while the Federal CIO Council’s report “NetGeneration” goes into significant depth on the demographics of the Federal cyber and IT workforce.

These excellent studies, however, should only bring cold comfort as they are far too similar to many other reports over the years, just as influential in their time, now shelved and forgotten. Using words that seem chillingly familiar to the FBI’s, the GAO in 1996 “interviewed 24 individuals responsible for managing and securing systems … Sixteen stated that they did not have enough time, experience, or training to do their jobs properly.” Likewise, a finding from a 1999 DoD working group is just as true today as it was then: the military lacks “a consistent capability … to provide initial skill training to all members of the [cybersecurity] workforce, much less continuing training to maintain currency with the rapidly changing technology.” 

A Defense Science Board report found in 2001 that “Recruiting is difficult when colleges and universities are only producing enough IT graduates to fill half of the growing annual requirement” and the White House’s 2003 National Strategy to Secure Cyberspace noted “This trend must be reversed if the United States is to lead the world with its cyber economy.” But ten years on, the Navy still worries about an “expected 11.2 percent shortfall in industry-wide … which means there will be almost 98,000 fewer IT graduates than needed.”

This is the other reason why our cyber workforce management efforts resemble a Ferris wheel: the wheel turns on and on, with highs and with lows but ultimately covering the same ground again and again. We move, but around and around, never forward.

There are many solutions to these problems, which the above reports have discussed in more depth and quality than can be covered in a blog post. What the U.S. needs (along with our private sector and international partners) is an understanding of the pressing need for solutions along with an awareness of the hard work done by those around us now and their predecessors.

The authors of “Cyber In-Security” have a succinct and apt bottom line: “Our federal government will be unable to combat [online] threats without a more coordinated, sustained effort to increase cybersecurity expertise in the cyber workforce.” The problems have not changed significantly over the years, nor have the needed solutions. 

Unfortunately for us, one other thing has not changed much either: the lack of “a coordinated, sustained effort” and the resources to apply long-recommended fixes to solve these problems. Hopefully the current attention of the leadership in the White House, FBI, DoD, private sector, and elsewhere will be able to end the cycle and finally get us off the cyber workforce Ferris wheel.

Jason Healey is the Director of the Atlantic Council’s Cyber Statecraft Initiative. You can follow his comments on cyber issues on Twitter, @Jason_Healey. 
