How existing policy can help fill the cyber workforce gap

The federal government has a cyber talent deficit. With some exceptions (the National Security Agency and FBI come to mind), federal agencies have a difficult time recruiting and keeping cyber talent, especially in today's hyper-competitive labor market. 

This workforce gap, to borrow a phrase from the cybersecurity world, is a kind of advanced persistent threat (APT). So I read with interest a recent announcement from the Office of Personnel Management that a strategy was coming to address the problem. 

But OPM isn't going to solve that problem by using today's outmoded civil service rules to level the cybersecurity playing field among civilian federal agencies. No amount of leveling, ostensibly to avoid internecine internal competition, will fix that–especially when another way to close that seemingly intractable talent gap has existed for well over a decade. 

DHS's Cyber Talent Management System is an alternative

OPM Director Kiran Ahuja has pointed a finger at the Cyber Talent Management System at the Department of Homeland Security, which offers enhanced pay and speedy recruitment, as a factor in stoking competition among agencies for top talent. 

But that is precisely what Congress intended when it gave DHS authority to create CTMS back in 2014, and I believe that legislators had even bigger things in mind–like having that agency's cybersecurity organization actually oversee all non-DOD networks, just like the Defense Information Systems Agency and U.S. CYBERCOM do for the Defense Department. And in so doing, Congress provided a broad range of personnel flexibilities that OPM and DHS could take advantage of right now, without betting on existing rules and/or legislative action. 

I say that with trepidation because DHS's record is less than stellar in this area. It took them over seven years to finally publish CTMS regulations, much of that the result of internal bureaucratic wrangling. And after all that, the result—with initial coverage just in the double digits—is decidedly modest. 

However, the 'good news' here (he says with his tongue firmly planted in cheek) is that CTMS remains far more theory than reality, both in terms of reach and numbers, so there's still time to leverage it to create a governmentwide cyber human capital system that actually achieves its original vision. 

In that regard, I was there at its inception, part of a small team of 'formers' from OPM and the intelligence community expert in cyber talent development, brought in to help DHS design CTMS. And from the beginning, we argued for an end-state that was bigger than that envisioned by DHS, with that  department responsible for employing and deploying cyber workers across federal domestic agencies (that is, those not covered by DISA and CYBERCOM). CTMS would serve as a common set of rules, including 'special' salary ranges, that would have helped the federal government compete with the private sector.  

DOD created its comparable Cybersecurity Excepted Service in less than half that time it took DHS to get CTMS online and has already hired thousands under that system. Because of this under-the-radar success story, some would argue that we should just give the Defense Department responsibility for overall governmentwide cybersecurity. 

I might agree in concept, but that may be just too high a political mountain to climb. Besides, the flexibilities in CTMS were originally intended to not just level the playing field, but to take that playing field to a new level. Thus, while the final design of CTMS is suboptimal, it can be upgraded to provide the answer to the federal government's cyber talent woes. 

If DHS used the full panoply of 'excepted service' flexibilities Congress gave it way back in 2014, it could have in place right now a cadre of cybersecurity experts ready to be deployed across the civilian enterprise to agencies large and small. And small agencies with big data responsibilities (like OPM or the Bureau of Indian Affairs) would not need to compete for cyber talent, something that they might find hard to do even with a level playing field when it comes to pay. 

Risks can be mitigated…it just takes leadership!

We already know that challenge and mission motivate individual cyber workers every bit as much as pay, perhaps more so. That's one area where the federal government has potential competitive advantage, and DHS could leverage that advantage, much as the U.S. military does with CYBERCOM’s  own Cyber Mission Teams.

Would civilian federal agencies on the receiving end of this deployment bristle at having an 'outsider' from DHS come to their cyber defense? Maybe, but I would suggest that those same agencies are likely finding it difficult to hire cyber talent on their own now, and not just because they can't pay as much. Even with special pay, those agencies can at best offer a limited internal career path, which almost guarantees that their cyber specialists will move on to more lucrative and challenging opportunities on their own. Accordingly, I believe that most non-DOD agencies will choose to take DHS talent and the 'common defense' it offers. 

To be sure, these changes are far-reaching, and they won't be easy to implement. But having been in this business for too long, I would argue that the APT problem set is more than sufficient to justify them. This is simply the best available way to solve the Federal government's long-brewing cybersecurity (and cyber talent) challenges. And on the plus side, they are all within current statutory authority, so it won't take another act of Congress to make them happen. What it will take is bold, innovative leadership within the executive branch, something I know National Cyber Director Chris Inglis, DHS's Jen Easterly, OPM's Ahuja and  others can provide.