Sen. Ron Johnson tells me his top cybersecurity goal as chair of the Senate’s Homeland Security Committee this Congress is to make it more attractive for cybersecurity workers to stay in government jobs rather than flee to the private sector.
If the government can’t keep and recruit top workers, Johnson (R-Wis.) worries that the United States won’t be able to defend itself against sophisticated hackers from U.S. adversaries such as China or Russia — and might not be able to help critical industry sectors such as energy plants and airports secure their networks.
Retaining these highly skilled workers — as the nation faces a massive shortage of trained security pros — was already tough because cyber workers can earn two or three times their government salary in the private sector. It’s going to be far harder after the 35-day government shutdown that furloughed about half the Homeland Security Department’s main cyber agency and required the other half to work without pay, Johnson told me in an interview.
“This is not helping the federal government’s ability to attract and retain people in some very important positions that require a fair amount of sacrifice,” Johnson told me.
Johnson says he wants the Senate to consider a wide range of incentives for government cyber workers including raised pay and more flexibility to move from agency to agency to share their expertise and gain new skills.
Concerns that government is losing the race for top cyber talent are long-standing in government but Congress, so far, has done little to mend the situation. Frustration over the shutdown, however, may spark an exodus that necessitates action.
Sen. Mark R. Warner (Va.), ranking Democrat on the Senate Intelligence Committee, fretted in a Monday letter to Homeland Security Secretary Kirstjen Nielsen that “shutdowns like this one have the effect of discouraging talented individuals from joining the Federal workforce, and [push] some of our best toward alluring careers in the private sector.”
Caitlin Durkovich, a former DHS assistant secretary with cyber responsibilities, called on Congress during a mid-shutdown panel discussion hosted by the House Homeland Security Committee to “rethink the civil service system to make sure we can get the best and the brightest, that they’re well paid, that they have benefits and that they have the flexibility we have in the private sector.”
Retaining cyber workers will take more than a single fix, Johnson told me.
As a first move, Johnson said, he plans to focus on creating a fast track for civilian government cyber workers to rotate between agencies.
The goal of the program, which is based on military joint duty systems, is to “boost collaboration between agencies” and to help employees “enhance their careers and broaden their cybersecurity expertise,” Peters said in a statement.
Johnson also wants Congress to consider boosting pay for cyber workers outside the normal range for federal employees, he told me. That’s going to be a tough sell because of agreements with employee unions and because many other categories of federal workers consider themselves underpaid, Johnson acknowledged.
“There will be the question: ‘Why are these people special?’” Johnson told me. “You do risk opening up a large can of worms. But, to a certain extent, the marketplace has to dictate it.”
Congress should also consider allowing some carve-outs for top cyber officials from an Obama-era law that requires top federal leaders to divest from stocks in areas where they might have insider knowledge and to publicly report contents of their stock portfolios, Johnson told me.
That bill, the STOCK Act, which was primarily aimed at halting insider trading by members of Congress, won large bipartisan majorities when it passed in 2012.
Before making other proposals, Johnson said, he wants to hold numerous hearings and gather data about how bad the cyber workforce problem is and if it's affecting some parts of government more than others.
“We really need to examine to what extent we’re not able to attract talent, to what extent we have very high turnover, going through the problem-solving process, gathering information and describing reality before we can really describe a solution,” he said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: A Russian company that Special Counsel Robert S. Mueller III’s team indicted for spreading disinformation during the 2016 campaign is now spreading disinformation about the Mueller probe, prosecutors said.
The company Concord Management and Consulting altered and then leaked some discovery materials related to the prosecution in an effort “aimed (apparently) at discrediting ongoing investigations into Russian interference in the U.S. political system,” prosecutors said in a filing, The Washington Post's Spencer S. Hsu reported.
A Twitter account called “@HackingRedstone” released the altered documents on Oct. 22 and claimed it had accessed the “Mueller probe’s database” after penetrating a Russian server, my colleague reported. In reality, that was just a cover for the documents shared during the legal discover process, my colleague reported. The FBI found no evidence of a hack of Mueller's office, according to the filing.
— The story prompted numerous reactions on Twitter:
From Cindy Otis, a former CIA analyst and branch chief:
Indicted Russians working for the IRA to spread disinformation in the US...spread disinformation about Mueller's investigation into their disinformation, including doctoring documents. I see your disinformation and raise you MORE disinformation! https://t.co/GP0D93cTOL— Cindy Otis (@CindyOtis_) January 30, 2019
From the Atlantic's Natasha Bertrand:
Wow. A disinformation campaign within the investigation into a disinformation campaign. Disinformation-ception 🤯 https://t.co/5kZauebVIN— Natasha Bertrand (@NatashaBertrand) January 30, 2019
PATCHED: The Justice Department is in the final stages of dismantling a massive botnet operated by an elite North Korean hacking unit, according to a news release. Officials charged the operation’s leader Park Jin Hyok last fall with running the botnet that 100,000 routers, but that was only the start of the operation.
For the past several months, FBI and U.S. Air Force Office of Special Investigations officials have secretly operated servers that posed as infected computers within the botnet in order to map its operations, according to the news release. Now, investigators are reaching the final phase – alerting the remaining botnet victims directly and asking them to disinfect their computers.
“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” U.S. Attorney Nicola T. Hanna said in a statement. “While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet.”
PWNED: Several former U.S. intelligence operatives joined a surveillance team called Project Raven that spied and hacked on behalf of the United Arab Emirates, Reuters's Christopher Bing and Joel Schectman reported. The American former spies used skills that they acquired while working for the U.S. intelligence community to spy on opponents of the UAE. Targets included human rights activists, governments and militants — but also Americans. “I don’t think Americans should be doing this to other Americans,” Lori Stroud, a former intelligence analyst for the National Security Agency who took part in Project Raven, told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”
The targeting of Americans began after the UAE moved the hacking team to a company called DarkMatter in 2016. The laws governing what U.S. intelligence contractors can do when they work for another country are not very clear, according to experts. But those contractors would be breaking U.S. law if they hacked into American networks or harvested Americans' communications. “It would be very illegal,” Rhea Siers, a former deputy assistant director for policy at the NSA, told Reuters.
— New York state announced an investigation into Apple's response to a FaceTime glitch that allowed users to listen in on the recipient of a call before the person had picked up, the Wall Street Journal's Tripp Mickle reported. A statement from New York Attorney General Letitia James, who announced the probe along with New York Gov. Andrew M. Cuomo, said the probe will look at the company's failure to warn users about the flaw and its slow response to the issue. “New Yorkers shouldn’t have to choose between their private communications and their privacy rights,” James said. “This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years.”
This is a first - I don’t think I’ve ever seen officials investigate a company for its slow/non-response to a security report https://t.co/3H0WqyPqEP— Kim Zetter (@KimZetter) January 30, 2019
-- Another major oversight priority for the Homeland Security Committee this Congress will be making sure DHS is effectively implementing a new law aimed at keeping government’s technology supply chain free from cybersecurity risks, Johnson told me. Congress approved that law after passing separate government bans for the Russian anti-virus company Kaspersky and the Chinese telecoms Huawei and ZTE. Going forward, Johnson told me, he wants to make sure the intelligence community is sharing information with DHS about digital spying threats so questionable companies can be barred from government network as quickly as possible.
Johnson also wants to dig into reports that Homeland Security’s system for detecting and preventing government-wide cyber threats is catching only a small percentage of intrusion attempts, he told me. Federal Chief Information Officer Suzette Kent told Johnson in a September 2018 letter that the system, known as EINSTEIN, detected only 1,600 out of 44,823 cybersecurity incidents across federal civilian networks during a 15-month period. “DHS has got a long way to go in terms of protection of cyber assets,” Johnson said.
— The Defense Department created a working group to patch cybersecurity weaknesses that a group of military hackers and IT specialists spotted last fall, Bloomberg Government's Travis Tritten reported. “The tests found the Military Healthcare System Genesis, which will eventually serve more than 9 million beneficiaries at dozens of military hospitals and hundreds of clinics, was still ‘not survivable’ when the system was hit with staged attacks,” according to Tritten.
— More cybersecurity news from the public sector:
— The Minnesota Department of Human Services reported a data breach that potentially exposed personal information including names, dates of birth and contact information of up to 3,000 people, according to the Associated Press. “Commissioner Tony Lourey tells legislative leaders it happened Sept. 28 when an employee fell for a phishing scam and clicked on a malicious link that caused the employee’s email account to send spam,” the AP reported.
— A collection of breached databases amounting to 2.2 billion unique usernames and associated passwords is circulating “on hacker forums and torrents,” according to Wired's Andy Greenberg. “Despite its unthinkable size, which was first reported by the German news site Heise.de, most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox,” Greenberg wrote. “WIRED examined a sample of the data and confirmed that the credentials are indeed valid, but mostly represent passwords from years-old leaks.”
— More news about security incidents:
- BSidesPhilly cybersecurity conference in Philadelphia on tomorrow.
- B-Sides Tampa cybersecurity conference in Tampa on Saturday.
In Trump’s White House, everything is “so true”:
Why is “The Masked Singer” so addictive? We asked a psychology professor and comedian Ken Jeong.
Trump's love for the Patriots, explained: