Rigid hiring processes and low pay for specialized employees have kept the U.S. government from developing the type of cyber workforce it needs to keep up with growing attacks, according to an independent analysis.
Aside from non-competitive pay and strict hiring practices, other causes of the deficiency include weak talent pipelines and the lack of a government-wide strategy for hiring and retaining talent, according to the analysis.
“Taking a page from the nation’s approach to counter-terrorism, we believe it will take a network to defeat — or at least defend against — all the cyber threats against our network,” the report said. “And that network cannot just be one of terminals and fiber optic cables, it must be about the people.”
The study follows up on a 2009 analysis from the management-consulting firm Booz Allen Hamilton that found the government had virtually no sense of the size or competence of its cyber workforce, let alone what it would need for the future.
The Partnership for Public Service said the problems have only grown more acute in recent years as the threats have multiplied. A report from the Government Accountability Office said federal systems were breached more than 67,000 times in 2014, representing an astronomical 1,121 percent increase compared to 2006.
Among the more notable incidents in recent years, attackers have hacked the White House, State Department, Postal Service and National Weather Service networks, in addition to a U.S. military Twitter account.
An analysis last year from the Rand Corporation found that agencies are struggling to find employees who can analyze sophisticated cybersecurity threats, as well as the rare worker who can combine elite technical expertise with leadership, communication and team-building skills.
The partnership recommended that the government address its recruitment problem in part by exempting all cybersecurity job openings from federal competitive-hiring guidelines, which can restrict agencies from landing high-demand workers.
Under that policy, agencies could appoint applicants to cybersecurity positions without advertising the vacancies to the general public and without following certain veterans-preference requirements. Congress already authorized the policy for the Department of Homeland Security last year, through a bill sponsored by Sen. Tom Carper (D-Del.).
In terms of pay, the partnership found that senior-level cybersecurity employees with the government earn between $24,000 and $33,000 less than their private-sector counterparts. Entry-level federal workers in the same field earn $8,000 to $14,000 less than their non-government colleagues.
The report recommended that the government conduct a salary analysis of its own and develop a “market-sensitive pay system” for its cyber workforce.
The partnership acknowledged that the Office of Management and Budget has taken steps to “close the cybersecurity workforce gap,” but it said the government still has not developed a comprehensive plan for all federal agencies.
“Without this master strategy in place, agencies are operating largely on their own under a haphazard system,” the report said.