With the threat of cyber attacks constantly looming, a group of current and former federal chief information officers and IT leaders argued Thursday that federal cyber recruitment and hiring needs to open to a broader range of applicants.
The rigid requirements of applying for a cybersecurity position through USAJobs.gov tend to weed out those who may have the analytical and critical thinking skills to fight cyber threats but lack specific experience or certifications, participants said during a panel at the Association for Federal Information Resource Management’s Cybersecurity Summit.
Adrian Gardner, CIO at the Federal Emergency Management Agency, said there needs to be a macrocosmic understanding of the team sport that is cybersecurity.
Cyber units “have everything from policy to the folks that are actually on the keyboard, breaking down networks, doing social engineering,” said Gardner, who revealed that despite his title, he was educated as an environmental scientist and biologist. “I don’t think we should just pigeonhole our efforts on computer scientists. I think it does take a whole wealth of skill sets.”
But making widespread change to the cyber hiring process would take extensive effort, and this is a need that “is very immediate,” said Karen Evans, the national director of the U.S. Cyber Challenge who is also a former administrator of e-government and IT within the Office of Management and Budget. That’s a reason she helped start the Cyber Challenge.
“So how are we going to solve and grow the aperture of people today while the education system is figuring out the [STEM] curriculum and all these other things?” she asked. The Cyber Challenge’s Cyber Quests, which were announced Thursday, give people with a range of backgrounds the chance to prove their skills working on a cybersecurity team.
“What we’re trying to do is if you see somebody who has come through a program like the U.S. Cyber Challenge, and you see it on their resume, then you’re going to know they had to do something hard skills-wise in order to qualify,” said Evans, who graduated college as a chemist and earned her Master of Business Administration prior to serving as one of the highest ranking IT officials in federal government.
It shouldn’t matter what somebody studied in college anymore, she said. “I think we’re at the tipping point now where everything is IT and no matter where you are and what you do, you’re going to have to use technology.”
Many panelists said they struggle with hiring the right people because after they meet them, the applicants don’t show up on their best-qualified candidates list filtered from USAJobs.gov by agency hiring professionals.
“We have to reshape the way we think about this whole hiring process and our evaluation of skill sets,” Gardner said, offering Microsoft’s hiring model as an example. “They didn’t even require high school education. They just said you got to be smart, we’re going to run you through some hackathons, and if you pass there and you are actually stellar, we’re going to hire you.”
While that wouldn’t fly in the General Schedule hiring process, panelists offered the Pathways internship program and the Presidential Management Fellowship as ways to circumvent the system.
Interns who meet simple requirements “can be careered into the federal government,” said Shelley Metzenbaum, president of the Volcker Alliance and former associate director for performance and personnel management at OMB.
Dave Wennergren, who served in several CIO positions throughout the Defense Department prior to his current role as senior vice president of technology for Professional Services Council, said there’s more freedom than people think in federal hiring.
“You get what you ask for,” Wennergren said. “Are you asking for the right qualifications? Or are you asking for certifications and education requirements that aren’t exactly germane to what you want to achieve? If your drive is just about the lowest possible cost solution rather than the most effective outcome, then you will get what you ask for.”
Nuclear Regulatory Commission CIO Darren Ash also tended to disagree that cyber recruitment is a broken system. “It takes effort,” he said.
No matter where the panelists stood, though, they all agreed on one point regarding cyber talent: It’s hard to come by, and it’s needed now.
“There’s never enough,” Ash said.
Gardner said while there hasn’t been some catastrophic event to show how grave the issue is yet, it’s possible. And if a major cyber attack were to occur to the U.S., the entire nation — governments of all levels and even the private sector — would be underprepared, he said.
“Suppose it actually happens across the board, the whole East Coast is taken down, and then that spreads to the West Coast … we don’t have enough,” Gardner said. “And what that means is there are huge sectors that we rely on day to day that we simply could not protect and will not bring back for days” or months, maybe even “six to seven months dealing without a transportation system. Six to seven months without electricity.”
“Are we as a country prepared for that?” he asked. “We’re not.”
“We have got to think about sort of recruiting folks at all levels,” Gardner said. From high school dropouts to Ph.D. graduates, he said they should all get a shot.