As attacks increase, U.S. struggles to recruit computer security experts

By Ellen Nakashima and Brian Krebs
Washington Post Staff Writer
Wednesday, December 23, 2009; A01

The federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policymakers, at a time when network attacks are rising in frequency and sophistication.

Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality, industry officials said.

The crunch hits as the Pentagon is attempting to staff a new Cyber Command to fuse offensive and defensive computer-security missions and the Department of Homeland Security plans to expand its own "cyber" force by up to 1,000 people in the next three years. Even President Obama struggled to fill one critical position: Seven months after Obama pledged to name a national cyber-adviser, the White House announced Tuesday that Howard Schmidt, a former Bush administration official and Microsoft chief security officer, will lead the nation's efforts to better protect its critical computer networks.

The lack of trained defenders for these networks is leading to serious gaps in protection and significant losses of intelligence, national security experts said. The Government Accountability Office told a Senate panel in November that the number of scans, probes and attacks reported to the Department of Homeland Security's U.S. Computer Emergency Readiness Team has more than tripled, from 5,500 in 2006 to 16,840 in 2008.

"We know how we can be penetrated," said Sen. Benjamin L. Cardin (D-Md.), chairman of the Judiciary subcommittee on terrorism and homeland security. "We don't know how to prevent it effectively."

Indeed, the protection of critical computer systems and sensitive data, said former National Security Agency director William Studeman, may be the "biggest single problem" facing the national security establishment.

Agencies under attack

One evening in May 2006, a U.S. embassy employee in East Asia clicked on an innocent-looking e-mail attachment that opened the door to the most significant cyberattack the State Department has yet faced, allowing attackers operating through computers in China to send malicious computer code into the department's networks in the region.

State's cyber-emergency response team immediately went into action, working round-the-clock for two weeks to isolate the harmful code and craft a temporary patch that officials said prevented a massive data theft.

The department's response to the attack highlights how skills matter, experts said. In 2000, State had hired technicians -- the vast majority contractors -- who custom-built an intrusion detection system and trained people to identify malicious software and reverse-engineer it to determine an attack's goals and methods. As a result, department technicians in 2006 were able to contain the attack quickly, said Alan Paller of the SANS Institute, who has analyzed the case for the Center for Strategic and International Studies.

Unlike State, most government agencies and private companies lack the skills and resources to muster a robust containment effort.

Two months after the East Asia intrusion, the Commerce Department detected a similar attack -- but only after a deputy undersecretary was unable to log on to his computer. Contractor technicians were never able to identify the initial date of penetration into the computers of the Bureau of Industry and Security, which controls sensitive exports of technology that has both commercial and military uses.

It took eight days once the attack was discovered for technicians to install a filter to prevent leaks, and then they installed the wrong kind of filter, said Paller, sharing previously undisclosed findings about the incident, first reported in The Washington Post in October 2006.

Because of "operational security concerns," the Commerce Department declined to comment for this article. But a senior Commerce official told a House Homeland Security panel in 2007 that the agency had no evidence that data were compromised. Still, the department replaced hundreds of workstations and blocked employees from regular Internet use for more than a month.

Commerce is trying to improve, but it can take years to put the people, processes and technology in place to wage an effective defense, said Mischel Kwon, former director of the Department of Homeland Security's readiness team. For years, she said, most civilian agencies were forced by federal law to spend their cyber-funds on security audits as opposed to crafting a strong security program.

And most federal information technology managers do not know what advanced skills are needed to combat cyberattacks, said Karen Evans, information technology administrator in the Bush administration.

"Skills," Paller said, "are much more important than hardware."

The federal pay gap

A pillar of the federal government's effort to develop talent is the National Science Foundation's Scholarship for Service program, which pays for up to two years of college in exchange for an equal number of years of federal service. However, the program has placed fewer than 1,000 students since its inception in 2001.

The career of a 30-year-old computer scientist named Brian Denny shows how the government is often outbid by the private sector in recruiting cyber-warriors.

Denny earned a computer science master's degree in 2004 from Purdue University on an NSF scholarship. In return, he spent two years at the National Security Agency, identifying novel security flaws in computer systems and software. Then Booz Allen Hamilton, a major intelligence contractor, hired him at a 45 percent pay raise.

Today, Denny works for a small employee-owned firm that has federal government and private-sector contracts, and his pay is higher still. "You can still do a lot of cool national-security-related work as a contractor," said Denny, chief security architect for Ponte Technologies in Ellicott City, Md., near the NSA. "The pay difference is so dramatic now," he said, "you can't ignore it."

Recently, a military officer with 20 years' cybersecurity experience and a coveted security clearance sauntered out of a job interview with Northrop Grumman, a major defense contractor that is making an aggressive play for potentially billions of dollars in government cyber-business.

"It's mind-roasting," said the officer, who is about to retire. "I've had people call my house, recruiters for defense contractors . . . probably 20 calls."

The labor shortage is torquing up salaries, a cost that often gets passed on to the government. Some young people with three years' experience and a clearance are commanding salaries above $100,000. "Companies are paying people to jump from one company to another," said Ed Giorgio, a former NSA official and Ponte Technologies co-founder. The job-hopping can undermine the firm's performance on a contract, he said.

Philip Reitinger, deputy undersecretary of Homeland Security's National Protection and Programs Directorate, conceded that the government generally cannot match industry pay scales. "But in government, one can have a bigger ability to effect change at an earlier place in your career than anywhere else," he said. "And -- your country needs you."

Homeland Security officials acknowledged that hiring 1,000 people will be difficult, so they are also looking at training people already in the federal government.

Cybersecurity lawyers, researchers and policymakers are also in short supply. The Pentagon, for instance, lacks a career path to develop "expert decision-making in the cyber field," said Robert D. Gourley, a former Defense Intelligence Agency chief technology officer. "The great cyber-generals are few and far between."

© 2009 The Washington Post Company