People, policies both must be addressed to improve federal cybersecurity

Lack of talent a major problem for federal cybersecurity efforts

Cybersecurity talent is in high demand and short supply across every sector. Speaking to CNBC, Matthew Sigelman, CEO of jobs data analytics firm Burning Glass Technologies, noted that demand for these professionals has actually increased 90 percent over the past five years, a rate that’s three times greater than overall IT job growth. This state of affairs is making it difficult for many organizations to find and retain sufficient numbers of cybersecurity staff members to effectively keep them safe from increasing, evolving cyberthreats.

The public sector has been particularly hard-hit by this trend. After all, most agencies cannot afford to offer IT security experts the same level of compensation as leading private sector companies. Consequently, government leaders have been attending conferences and rethinking their approaches to cybersecurity, both to recruit more qualified personnel and to shore up inherent weaknesses that may be putting federal and state data at risk.

“The FBI failed to fill more than 50 of the 134 computer scientist positions.”

Hackers’ summits
The Associated Press recently noted that federal officials now regularly attend both DEF CON and Black Hat, two annual conferences that bring together both hackers and cybersecurity professionals. Such efforts, described by the source as “pilgrimages,” have become imperative as the federal government has come up short in its recruiting efforts in recent years. Notably, a Justice Department audit found that the FBI failed to fill more than 50 of the 134 computer scientist positions it aimed to fill, due to a combination of low salaries, exhaustive background checks and strict drug use policies, all of which drive away potential candidates.

By engaging with attendees at DEF CON and Black Hat, federal representatives can pitch their organizations to the ideal audience. However, as the numbers have shown, such efforts are frequently not enough. What’s more, the source noted that there is a great deal of skepticism in the hacker community regarding the government’s culture, and specifically its tendency toward the bureaucratic. Some federal legislation surrounding cybercrimes is likewise viewed unfavorably by many hackers, further driving them away from cybersecurity job openings in the government sector.

“It’s essential for public sector organizations to take steps to reduce their vulnerabilities.”

New ideas
Regardless of the government’s success or failure in recruiting new cybersecurity experts, it’s also essential for public sector organizations to take steps to reduce their vulnerabilities. New ideas for achieving this goal were a focus of another recent conference – the 2015 North American International Cyber Summit. As Government Technology reported, this event, hosted by Governor Rick Snyder of Michigan, focused largely on recognizing the threats that cyberattacks pose for government bodies and developing new strategies for reducing the danger.

One of the biggest issues, according to Michigan CIO David Behen, is the need to educate government employees, and the public at large, about the nature and severity of the threats they face.

“There’s approximately 48,000 employees at the state of Michigan, almost 10 million citizens,” said Behen, according to the source. “How do we educate them? How do we make them aware so that things like malware and the phishing emails, how can they detect that and make sure they don’t click on that email? I think that is still the most important piece.”

“The federal government has not updated its information management principles since 2000.”

Unquestionably, both training and policy will be essential to account for these dangers. On the policy side, the White House recently announced that it will be updating its information management principles, according to Nextgov. The source pointed out that the federal government has not made this effort since the early 2000s. As a result, the existing policy was largely obsolete: it still referenced dial-in access and bulletin boards, and made no mention of contractor security, multi-step authentication or encryption.

This is particularly problematic because, as Nextgov emphasized, the government’s IT focus at that time was information sharing, since a lack of data availability was seen as a serious problem in the wake of the Sept. 11, 2001, terrorist attacks. Now, however, this emphasis on availability has inherently increased the potential vulnerabilities that cyberattackers can take advantage of.

By modernizing this policy, the government will be better able to address the actual threats that agencies now face. For example, the source reported that the update will aim to encourage continuous monitoring and more regular auditing throughout federal networks. However, the draft update also calls for a number of privileged users to seek out and combat insider threats, and the government is already struggling to recruit personnel who could fill this role.

Given the difficulties agencies have already experienced in their efforts to hire new personnel and shore up their cyberdefenses, it may be necessary to partner with third-party solutions providers to guide the development of a cybersecurity-conscious workforce. Specifically, public sector organizations should look for firms with extensive experience working with government agencies to improve their cybersecurity defenses.