Government Is Falling Behind on Cybersecurity, Report Finds

By Joe Davidson
Thursday, July 23, 2009

Sometimes Uncle Sam acts even older than he looks.

When it comes to the quickly advancing world of cybersecurity, for example, Sam can be as modern as a floppy disk.

That was considered the high-tech way of storing data in 1988, the last time one of the government's computer science job descriptions was updated, according to a new report. The description makes no mention of the World Wide Web, because, of course, that term had not yet been coined.

It's time for Sam to get with the new world, and the report, released Wednesday by a nonprofit organization and a consultant, is pushing him to do just that. "Cyber In-Security" says the federal government is falling behind in the race to keep its computer operations safe because the workforce has too few well-trained cybersecurity experts.

"Critical government and private sector computer networks are under constant attack from foreign nations, criminal groups, hackers, virus writers and terrorist organizations," says the study, published by the Partnership for Public Service and Booz Allen Hamilton.

It says "the overriding finding of our analysis is that our federal government will be unable to combat these threats without a more coordinated, sustained effort to increase cybersecurity expertise in the federal workforce."

A few weeks ago, President Obama declared cybersecurity to be "one of the most serious economic and national security challenges we face as a nation" and said that "we're not as prepared as we should be, as a government or as a country."

His words basically sum up the report, which calls on his administration to quickly and significantly improve the quality and quantity of federal cybersecurity employees.

"Cyber In-Security" outlines four primary challenges it says threaten the workforce:

-- There are not enough qualified applicants for federal cybersecurity jobs.

-- The government's approach to cybersecurity is fragmented and uncoordinated.

-- The "notoriously cumbersome hiring process" that affects all of government also hinders the cybersecurity workforce.

-- There is a disconnect between the needs and perceptions of front-line hiring managers and human resource managers.

To deal with these and other problems, the report offers several suggestions:

-- The cybersecurity czar the White House plans to appoint "should develop a government-wide strategic blueprint for meeting current and future cybersecurity employment needs."

-- The White House should lead a nationwide effort to steer more U.S. citizens into math, science and technology. Congress should fund the expansion of scholarship programs for students in computer science and cybersecurity.

-- Government officials should update job classifications and establish certification requirements for the positions.

-- Using the new job classifications, the Office of Personnel Management should map cybersecurity career paths starting at the entry level.

-- Agencies should develop a corps of managers to lead a multi-sector cybersecurity workforce.

There is a bit of good news. The government's Scholarship for Service Program funnels about 120 graduates into federal cybersecurity jobs each year, but that's just a fraction of what's needed, the report says.

To make up for the lack of government cyber-specialists, the report says, agencies have turned to the private sector for tasks that probably should be the province of government workers. Those include computer and network security, vulnerability analysis and intrusion detection. One government official estimated that 83 percent of the staff members working for the Department of Homeland Security's chief information officer actually work for private contractors.

Not all agencies are lagging in this area, and some are very much on the ball, according to Ronald Sanders, the chief human capital officer for the intelligence agencies. "What's not yet happened is an overarching approach . . . a single coordinated strategy," he said during the release of the report at the National Press Club.

Sanders said he welcomes Obama's promised appointment of a cybersecurity coordinator because "a cyberczar with some authority, particularly over resources, can help connect all of these dots and make sure it's not just on the agenda at the agency level, but is on the agenda for the entire administration."

The study finds that no one is in charge of coordinating government cybersecurity workforce planning or decision making, resulting in a big gap in planning and readiness.

"Currently, there is no strategic government-wide assessment of the current state of the cybersecurity workforce, its size, strengths and weaknesses," the report says. "There is no federal plan projecting how many cybersecurity specialists will be needed next year or in the next five years to meet individual agency and government-wide needs, what skills and certifications they should possess, how they should be trained, or how they should be recruited into federal service."

Links to the report, the president's remarks on cybersecurity and the 1988 job description can be found at http://www.washingtonpost.com/fedpage.

Staff research director Lucy Shackelford contributed to this report. Contact Joe Davidson at federaldiary@washpost.com.

© 2009 The Washington Post Company