2022-06-02

Below: U.S. Cyber Command says it has conducted offensive hacks during the Ukraine war, and the FBI blamed Iran for a thwarted cyberattack on Boston Children's Hospital.

Higher pay and less stringent degree requirements could attract more federal cyber workers

The U.S. government needs to radically overhaul the way it hires and compensates cyber pros if it wants to get ahead of the ever-growing digital threat, an advisory report out this morning warns.

Proposed top-line changes include blowing up pay scales to ensure government cyber pros are more competitive with the private sector and rejiggering job requirements so it’s easier to hire people with specialized cybersecurity certifications but who lack bachelor’s degrees.

The report, created under the auspices of the congressionally led Cyberspace Solarium Commission, was shared exclusively with The Cybersecurity 202 in advance of its release today.

Cyber workforce

It follows years of concern that the nation’s cyber workforce is chronically short staffed — both in government and the private sector — and that the problem is getting worse year by year.

The Solarium commission, which helped fundamentally reform the government’s cyber posture in recent years, ended its official work in 2021. But a handful of staff are still doing some follow-up work — and the cyber workforce gap is at the top of the list, Mark Montgomery, the commission’s executive director, who co-wrote the report, told me.

The problem: The need for cyber pros in government and industry has skyrocketed in recent years amid a surge in hacking by criminals and government intelligence services that’s growing faster than universities and training programs can prepare workers to combat it.

“We’re about two-thirds manned now,” Montgomery told me. “When you’re two-thirds manned, you clearly aren’t getting the job done. It can make for low morale. … You can end up with an underperforming, unhappy, undertrained workforce.”

Montgomery wrote the report with Laura Bate, a former senior director on the Solarium commission. It’s being published by Foundation for Defense of Democracies (FDD), a think tank that’s housing the Solarium’s current work and where Montgomery is a senior fellow.

Taking action

Efforts are already underway to get the report's recommendations enacted.

Congressional Solarium members have given their stamp of approval to the report and are likely to introduce many of its recommendations as legislation this year or next, Montgomery told me. The commission was co-chaired by Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.). It also included Sen. Ben Sasse (R-Neb.) and Rep. Jim Langevin (D-R.I.).

The report is being formally released today during an FDD panel discussion with National Cyber Director Chris Inglis, who was a member of the Solarium commission before he was appointed to his current role. Creating the national cyber director position was a key recommendation in the commission’s initial report.

A major throughline of the report and recommendations is the idea that cyber jobs are unlike other jobs the government has to fill.

For one thing, many people with the best skills have gained them without gathering traditional credentials such as bachelor’s and master’s degrees.

The field also moves so quickly that taking time off to retrain is far more important than in slower-moving fields such as contract law.

As a result, the report recommends developing a specialized cadre of government human resources specialists who are highly trained in these differences and do nothing but hire and manage the careers of federal cyber pros.

That system could end up being a model for other highly technical specialties in government such as people working in artificial intelligence, Montgomery told me.

“I think this is the leading edge of some emerging tech issues we’re going to face,” he said.

Another big recommendation: Fix the government’s data about cyber hiring.

Government agencies hire cyber workers in such a haphazard fashion that it’s hard to even get a ballpark figure for how many cyber pros work in the federal government.

There are about 2,400 employees at the Cybersecurity and Infrastructure Security Agency (CISA) and Inglis is in the process of filling out his staff of about 75 employees. But it's far more difficult to figure out how many cyber pros are protecting computer networks at individual federal agencies.

Montgomery said his extremely back-of-the-napkin estimate is that there are about 70,000 to 80,000 civilian government cyber jobs and about 70 percent of them are filled, with 30 percent vacant. “Without data, I have no way of proving this,” he said.

Previous efforts to improve matters have also been hit and miss. The Department of Homeland Security spent seven years developing a streamlined system for cyber hiring that it rolled out last year. But so far, the system has only completed one hire while 15 to 20 more people are going through pre-hiring processes such as background checks, Natalie Alms recently reported for FCW.

Other recommendations include:

Boosting congressional spending on recruiting and retaining cyber workers in the government

Increasing congressional funding for CyberCorps, a Scholarship for Service program that recruits cyber pros into the federal workforce

Some of the recommendations — like improving government data about cyber jobs — can be implemented in a matter of months. The bigger changes, however, will likely take several years, Montgomery told me.

“This will take years of implementation and attention to detail and tracing and tracking by the [national cyber director],” he said. “Then, five to seven years from now, we could have a stable, properly manned cyber workforce.”

Cyber Command has launched hacks amid Ukraine war, Nakasone says

U.S.-backed hackers have “conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations,” U.S. Cyber Command Chief Gen. Paul Nakasone told Sky News’s Alexander Martin. It marks the first public acknowledgment that U.S. government-backed hackers are backing up Ukraine by launching offensive cyberattacks.

Nakasone pushed back against claims that the conflict's cyber components have been overblown. “If you asked the Ukrainians, they wouldn't say it's been overblown,” he said. “If you take a look at the destructive attacks and disruptive attacks that they've encountered … this is something that has been ongoing.”

Nakasone cited a cyberattack on U.S. satellite firm Viasat early in the conflict, which the U.S. government and its allies have blamed on Russia.

The Biden administration does not believe that cyberattacks violate the U.S. position of avoiding military conflict with Russia, White House Press Secretary Karine Jean-Pierre said.

Offensive cyber abilities against #Russia don't violate the US policy of avoiding a direct military conflict with Moscow, according to @PressSec. pic.twitter.com/rEicMPLeXd — Steve Herman (@W7VOA) June 1, 2022

FBI director blames Iran for foiled cyberattack on Boston Children’s Hospital

Going after the hospital — which is one of the country’s largest pediatric centers — was “one of the most despicable cyberattacks I’ve ever seen,” FBI Director Christopher A. Wray said. The FBI notified the hospital after learning about the threat, and the FBI was “able to help them ID and mitigate the threat,” Wray said, per the Wall Street Journal’s Dustin Volz.

“It is rare for the FBI to identify victims of cyberattacks, and such information is typically classified,” Volz writes. The hospital told Volz that it had “proactively thwarted the threat to our network” with the FBI’s help.

It’s not clear what the hackers would have done if they had been able to fully penetrate the hospital’s network. They could have shut down networks, hampering some medical care, an official familiar with the matter told Volz. They could have also stolen data and deployed ransomware, though an official told Volz that the hack didn’t develop far enough to find out whether it could have led to a ransomware attack.

Biden poised to select cyber executive to lead new State Department bureau

Nathaniel Fick is the likely pick to be the first leader of the State Department’s new Bureau of Cyberspace and Digital Policy, CyberScoop’s Suzanne Smalley reports. Fick, who is general manager of security at the software firm Elastic, served in Afghanistan and Iraq as a Marine and spoke at the 2008 Democratic National Convention.

The Biden administration hasn’t officially announced Fick’s nomination. A person with knowledge of the decision told Smalley that “Fick was still being vetted as recently as a couple of weeks ago and that the appointment could still fall through, pending President Biden signing off,” Smalley writes.

The State Department and Fick declined to comment to CyberScoop. The White House didn’t respond to the outlet’s requests for comment.

The State Department launched the cybersecurity bureau in April. It was designed to play a key role in talks about international cyber rules and ransomware, diplomacy over 5G equipment made by Chinese tech giant Huawei and Internet governance issues.

A bill that would mandate creating such an office passed the House but has stalled in the Senate.

Similar offices existed under former presidents Barack Obama and Donald Trump but without a presidentially appointed official at their head.