| WASHINGTON, April 26
WASHINGTON, April 26 In the race to attract
cybersecurity experts to protect the government's computer
networks, the Department of Homeland Security has a handicap
money can't fix.
Navigating the federal hiring system takes many months,
which is too long in the fast-paced tech world.
"Even when somebody is patriotic and wants to do their duty
for the nation, if they're really good they're not going to wait
six months to get hired," said Mark Weatherford, the former
cyber chief at DHS.
After a spate of national security leaks and with cybercrime
on the rise, the department is vying with the private sector and
other three-letter federal agencies to hire and retain talent
to secure federal networks and contain threats to American
businesses and utilities.
Phyllis Schneck, the former chief technology officer at
security software company McAfee Inc who succeeded Weatherford
in August, asked a U.S. Senate committee for help.
"The hiring process is very, very difficult," she said.
Cyber experts can command higher salaries - in some cases up
to six figures more - at private companies, Schneck said, but
national security offers a "higher calling" and valuable
"People say the good talent doesn't come because we can't
pay them," she said. "We could actually use our mission to outdo
some of those salaries they're offered. But we have to have the
flexibility and some additional competitiveness to bring them
TATTOOED TALENT NEED NOT APPLY
The Homeland Security Department, created after the Sept.
11, 2001, attacks, is playing catchup with the Pentagon's larger
and more established cybersecurity operations at Cyber Command
and the National Security Agency.
Not only does DHS lack the enhanced hiring powers of its
military counterpart and the agility private companies offer,
but the rigid bureaucracy of the 240,000-employee agency can
foster an inside-the-box culture.
"There's a lot of really smart, scary cybersecurity
professionals out there who also happen to have pink hair and
tattoos," said Weatherford.
But you won't find them at DHS, which also is averse to
hiring cyber experts without a college degree, he said.
"Some of the smartest and most talented people I know in
this business don't have a degree," said Weatherford, who left
the agency a year ago for the Chertoff Group consulting firm,
founded by a previous DHS secretary, Michael Chertoff.
DHS Secretary Jeh Johnson, who took office in December, has
promised to get personally involved in recruiting and make "new
hiring and pay flexibility to recruit cybersecurity talent" a
Specifically, DHS wants the secretary to be able to make
direct appointments and reform job descriptions and requirements
for certain cybersecurity positions, and to set salaries and
offer additional incentives, a department official said
At a Senate Homeland Security and Governmental Affairs
Committee hearing on March 26, ranking Republican Senator Tom
Coburn assured Schneck, "we're going to get you the capability
to hire the people you need."
Coburn and Democratic Chairman Thomas Carper are working on
a measure to help DHS boost its cyber workforce by giving it the
same hiring and compensation powers as the Defense Department, a
committee aide said.
The federal government follows a strict hiring protocol
that includes a long application, background check and in some
cases a security clearance. It can take from a few months to
more than a year, said Max Stier, president of the nonprofit
Partnership for Public Service.
The onerousness of the process is "true for cyber, and it's
true for every mission-critical occupation that the government
has," he said. Nevertheless, the problem is especially acute in
a fast-moving, well-compensated field like cybersecurity, where
the qualified can write their own tickets.
The mission could scarcely be more critical. Security lapses
at government agencies can lead to such diplomatic and national
security crises as the fallout from revelations of former NSA
contractor Edward Snowden and WikiLeaks' release of State
Department cables obtained by U.S. soldier Bradley Manning.
A recent RAND Corp study found that "the ability to stage
cyberattacks will likely outpace the ability to defend against
them" and that cybercrime can be more lucrative than the illegal
Experts say Homeland Security doesn't have to wait for
"It's self-inflicted damage, it's not that they need
something from Congress," said Alan Paller, co-chairman of a
task force DHS set up two years ago to recommend ways DHS could
improve its cyber force.
DHS can bypass time-consuming security clearances and fight
cyber attacks more efficiently by declassifying work that is not
secret, said Amit Yoran, a senior vice president at security
company RSA who held top DHS posts in the George W. Bush
administration. He warned lawmakers about the hiring problems in
"I called this out as a key issue or critical issue, which I
don't think is solved," he said.
The department works daily with companies and utilities to
secure computer networks for water systems, the electric grid,
financial, commercial, agriculture and healthcare services.
Weatherford said that work was "99.99 percent unclassified,"
but since it was performed in a classified DHS facility, it had
to be labeled secret.
IF YOU CHALLENGE THEM, THEY WILL COME
Also, the agency still tends to award outside contractors
the most coveted cyber jobs, including those for forensics
investigators and intrusion malware and detection engineers who
understand how attacks work, said Paller.
"The good technical people want to go to work where they
will grow," Paller said. "It's especially true in this field
because the bad guys are changing the game all the time."
In the fall of 2012, the task force recommended hiring cyber
experts with advanced technical skills as part of a specialist
corps with enticing missions and growth potential.
DHS spokesman S.Y. Lee said the department offers strong
cybersecurity career paths, including scholarship, fellowship
and internship programs to attract and keep top talent.
The task force recommended DHS have 600 federal workers in
cybersecurity positions that have certain mission-critical
skills. DHS then did a review and identified 1,500 such
But Paller, founder of SANS professional cybersecurity
training institute, said very few of the people in them have the
advanced technical skills needed to carry out DHS' mission of
protecting the federal government's computers.
"Right now, I don't think they can," he said.
DHS has fended off calls over the years, including from
Republican Senator John McCain, to transfer its cyber operations
to the larger and better-resourced Pentagon, which aims to have
a 6,000-member cyber force by 2016.
Schneck, who holds seven information security patents and
clearly impressed senators at last month's hearing, appeared
sensitive to that history.
"For all those skeptics, I want to say I walked into one of
the finest teams on the planet," she said.
(Additional reporting by Jim Finkle in Boston; Editing by