Legislation aimed to help the Department of Homeland Security recruit and retain cybersecurity professionals is one step closer to becoming law.
The Senate on Sept. 19 unanimously passed the Border Patrol Agent Pay Reform Act of 2013, which incorporates the DHS Cybersecurity Workforce Recruitment and Retention Act, that would:
- Strengthen the cybersecurity workforce at DHS by granting the department secretary personnel authorities similar to those of the defense secretary to hire and retain cybersecurity professionals. This includes the authority to hire qualified experts in an expedited manner and pay these recruits more competitive salaries as well as furnish benefits and incentives than other employees receive.
- Require the DHS secretary to report annually on progress in the hiring effort and to ensure adequate transparency and oversight of the recruitment and retention program.
- Require DHS to assign employment codes to its cybersecurity workforce to help identify its critical cybersecurity needs.
A similar, though not identical bill, passed the House on July 28 (see How House Passed 3 Cybersecurity Bills). The Homeland Security Cybersecurity Boots-on-the-Ground Act would require DHS to develop occupation classifications for individuals performing cybersecurity activities.
For the DHS cybersecurity recruiting and retention legislation to become law, either the House or Senate must pass the other chamber’s measure without altering its language. Otherwise, House and Senate conferees must meet and agree on an identically worded bill that must win approval of both house before it’s sent to the White House for the president’s signature.
Struggle to Find Qualify Personnel
The bill’s sponsor, Sen. Tom Carper, D-Del., points out that DHS has struggled to recruit qualified cybersecurity personnel to address the 21st century threats the government faces.
How dire is the situation? A year ago, the Government Accountability Office issued a report that showed DHS’s National Protection and Programs Directorate’s Office of Cybersecurity and Communications, which houses much of the department’s cybersecurity personnel, had a vacancy rate of 22 percent.
“Unfortunately, the demand for cybersecurity experts in the government greatly outpaces the supply, and many agencies have had difficulty attracting the best and brightest and retaining those already in service,” says Carper, who chairs the Senate Homeland Security and Governmental Affairs Committee, the panel that provides federal government IT security oversight.
“This legislation would help address this problem by giving the secretary of Homeland Security the personnel authorities the department needs to improve their ability to compete with the private sector and other agencies to hire and retain the most skilled cyber workforce,” Carper says.
Pay May Not Be High Enough
But giving the DHS the power to provide higher pay and better benefits to prospective IT security personnel might not help boost the department’s roster of IT security experts.
“It’s always going to be difficult for the government to be competitive purely on the basis on pay,” says Franklin Reeder, co-founder and board member of the Center for Internet Security, who has researched the IT security skills shortage in and out of government. “It may make a little bit of difference at the margin but, ultimately, folks of quality are drawn in for reasons other than pay. They can make a lot more money in the private sector, and they always will be able to. So, I’m a little bit skeptical of the claims that pay authority in and of itself will make a difference.”
The bill, though, would encourage the government to look at innovative ways to attract individuals with needed cybersecurity skills. Reeder suggests the government could appeal to the patriotism of experienced, private-sector IT security professionals in their 30s and 40s to perform short stints of government service at lower pay, perhaps for two to five years, before they would return to more lucrative jobs in business.
DHS Secretary Jeh Johnson is championing the Senate legislation. At a House hearing on Sept. 17, Johnson cited the Senate measure as legislation the department needs to help recruit cybersecurity professionals. “I’m hoping along with some other pending legislation in cyber that the Congress will act on that because I do need help in attracting cyber talent,” he said.
At that hearing, Johnson said the skills shortage hit close to home. “I just lost a very, very valued member of my cybersecurity team to Citigroup,” Johnson said, referring to Larry Zelvin, who retired as director of the National Cybersecurity and Communications Integration Center. “So, yes, there is an issue with retention. And the financial sector has much more capability to offer, very attractive packages.”