The federal government has a shortage of cybersecurity talent. Would a corps of short-term recruits, hired from the private sector, fix that gap?
That’s one of the questions a House oversight committee attempted to tackle Tuesday during a hearing on federal workforce challenges. Rep. Will Hurd, R-Texas, chairman of the information technology subcommittee, asked witnesses whether a model similar to tech groups 18F and the U.S. Digital Service might work for cybersecurity.
18F, housed within the General Services Administration, is a consultancy that helps other agencies use technology and adopt principles of agile software development. USDS troubleshoots large-scale federal tech projects; both groups recruit heavily from the private sector, including from companies such as Facebook and Twitter.
The Commerce Department’s former chief information officer, Steven Cooper, described a central team of cyber experts serving 6-month to 2-year terms; those people might conduct penetration tests, deploy security badges or other short-term projects at various federal agencies.
Those people would be most useful in jobs including product testing and forensics, Debora Plunkett, board member at the International Consortium of Minority Cybersecurity Professionals, testified. But deploying members of a centralized cybersecurity cadre to federal agencies experiencing attacks might not be all that useful, because “you’d want to have some a prior understanding of the network,” she said.
“If it really is a ready reserve where they would go anywhere, it would be difficult to send someone in to address a threat when they don’t know the infrastructure and they’re not up on the current vulnerabilities,” Plunkett said.
Coordination between agencies tapping into that group of cyber professionals would be a challenge, said Nick Marinos, assistant director of information technology within the Government Accountability Office. Traditional tech hiring might require a chief information officer and chief financial officer within an agency to coordinate, but the sharing arrangement also may require coordination with more of the C-suite, including the chief human capital officer and chief information security officer as well as other agency officials.
“If the CIO is not actively engaged, the help may not be going to the right places,” he said.