Analysis | The Cybersecurity 202: How the shutdown could make it harder for the government to retain cybersecurity talent
By Joseph Marks
With the prospect of better pay and greater job security in the private sector, more government cyber operators are likely to decamp to industry, those former officials tell me, and the smartest cybersecurity graduates will look to industry rather than government to hone their skills. That’s especially dangerous, they say, considering the government’s struggle to recruit and retain skilled workers amid a nationwide shortage of cybersecurity talent.
About 20 percent of staffers are furloughed at the Department of Homeland Security’s main cyber operations division, and most are administrative and support staff, a DHS official told me. Across the department’s full cyber and infrastructure security division, about 43 percent of staff are furloughed, according to a planning document.
That leaves enough staff to maintain the division’s “baseline operational capabilities supporting national security” during the shutdown, according to an official agency statement. But the blow of being furloughed or working without pay for weeks on end will likely prove demoralizing -- and discouraging to the kind of talent the government wants to recruit.
“There’s unpredictability and uncertainty and instability [for DHS cyber employees],” Greg Garcia, a top DHS cyber official during the Bush administration who's now a health care liaison to the government, told me. “Add on top of all that not getting paid and I do not envy them.”
For recent graduates looking for cybersecurity jobs, the shutdown will likely have a “generational effect,” Philip Reitinger, a DHS cyber official during the first years of the Obama administration, told me.
“People want to believe that government service is something that’s good for them and good for the country,” said Reitinger, who now leads the nonprofit Global Cyber Alliance, “and we are, in all sorts of ways, telling people who are willing to work for the government that we don’t think you’re the best of the best.”
Government cyber pros have plenty of options in the private sector.
As of August 2017 there were an estimated 299,000 cyber job openings in the United States, according to a report prepared by DHS and the Commerce Department. By 2022, that shortage will grow to 1.8 million, the report found.
And the government is already struggling to keep its talent happy.
DHS ranked lowest among major agencies this year in a longtime survey of the best places to work in government, and the department's cybersecurity division ranked 388th out of 415 agency subcomponents.
About 20 percent of DHS employees said they were “dissatisfied” or “very dissatisfied” with their jobs in the government survey underlying that report, while another 20 percent were “neither satisfied nor dissatisfied.”
The pay is also probably better in the private sector.
It’s difficult to compare salaries between government and private-sector cybersecurity pros because qualification and experience vary widely among workers, and government definitions for what counts as a cybersecurity employee vary from agency to agency. Anecdotally, however, agency leaders frequently describe a battle to retain cyber workers who are offered double their government salaries or more by private industry.
The Defense Department, for example, loses about 4,000 of its civilian cyber workers each year to the private sector, according to September testimony from Principal Deputy Chief Information Officer Essye Miller.
During a 2015 hearing, then-FBI Director James B. Comey described “a cybersecurity industry that will pay young folks a lot of dough to go work in the private sector” and said he recruited new cyber workers by touting the excitement and patriotism of government work rather than the salary.
Add to all those factors the frustration of being furloughed or asked to work without pay, and the temptation to look for another job is sure to become more alluring, Bruce McConnell, an Obama administration DHS cyber official, told me.
And if the government loses those employees, it will become far harder to accomplish major goals, such as securing critical supply chains or defending against Russian and Chinese hacks, said McConnell, who now leads the EastWest Institute think tank.
“Civil servants never feel good during these situations,” McConnell said, “and that’s not good for anybody.”
Additionally, the National Institute of Standards and Technology, an agency that is part of the Commerce Department and conducts work on cybersecurity standards, has taken a hit. “At NIST, fewer than 500 of 3,378 employees are working through the shutdown,” according to E&E News. “The agency has dropped support for a variety of websites that host popular cybersecurity documents like the Framework for Improving Critical Infrastructure Cybersecurity or the widely referenced 800-53 catalog of federal security controls.”
Sen. Ron Wyden (D-Ore.) scolded telecommunications companies for those practices. “Wireless carriers’ continued sale of location data is a nightmare for national security and the personal safety of anyone with a phone,” Wyden told Motherboard. “When stalkers, spies, and predators know when a woman is alone, or when a home is empty, or where a White House official stops after work, the possibilities for abuse are endless.”
“The company’s role in exposing Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history,” Zetter wrote. “It indicates that the government’s own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA’s most sophisticated and sensitive hacking tools.”
The FBI agent also said calls were intercepted between April 2011 and January 2012, according to Reuters's Jonathan Stempel. “Marston said the FBI tapped into more than 800 calls on the encrypted system with the help of a cooperating witness, Cristian Rodriguez,” Reuters reported.
Should Apple's iOS operating system adopt an approach where users can log in without a password, then such a “passwordless login standard” will have reached every major operating system, Wired's Brian Barrett noted. “A green light for an iOS YubiKey may be relatively minor news, but it signifies a promising future, one in which the only password you have to remember for any of your devices lives not in your memory, but on your key ring,” Barrett wrote.
- The Brookings Institution hosts a discussion titled “How China and the U.S. are advancing artificial intelligence” on Jan. 14.
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats on Jan. 15.