Analysis | The Cybersecurity 202: How the shutdown could make it harder for the government to retain cybersecurity talent – The Washington Post
The partial government shutdown that’s now in its 18th day is putting key cyber policy priorities on hold and leaving vital operations to a bare bones staff. But the far greater long-term danger may be the blow to government cyber defenders’ morale, former officials warn.
With the prospect of better pay and greater job security in the private sector, more government cyber operators are likely to decamp to industry, those former officials tell me, and the smartest cybersecurity graduates will look to industry rather than government to hone their skills. That’s especially dangerous, they say, considering the government’s struggle to recruit and retain skilled workers amid a nationwide shortage of cybersecurity talent.
About 20 percent of staffers are furloughed at the Department of Homeland Security’s main cyber operations division, and most are administrative and support staff, a DHS official told me. Across the department’s full cyber and infrastructure security division, about 43 percent of staff are furloughed, according to a planning document.
That leaves enough staff to maintain the division’s “baseline operational capabilities supporting national security” during the shutdown, according to an official agency statement. But the blow of being furloughed or working without pay for weeks on end will likely prove demoralizing — and discouraging to the kind of talent the government wants to recruit.
“There’s unpredictability and uncertainty and instability [for DHS cyber employees],” Greg Garcia, a top DHS cyber official during the Bush administration who’s now a health care liaison to the government, told me. “Add on top of all that not getting paid and I do not envy them.”
For recent graduates looking for cybersecurity jobs, the shutdown will likely have a “generational effect,” Philip Reitinger, a DHS cyber official during the first years of the Obama administration, told me.
“People want to believe that government service is something that’s good for them and good for the country,” said Reitinger, who now leads the nonprofit Global Cyber Alliance, “and we are, in all sorts of ways, telling people who are willing to work for the government that we don’t think you’re the best of the best.”
Government cyber pros have plenty of options in the private sector.
As of August 2017 there were an estimated 299,000 cyber job openings in the United States, according to a report prepared by DHS and the Commerce Department. By 2022, that shortage will grow to 1.8 million, the report found.
And the government is already struggling to keep its talent happy.
DHS ranked lowest among major agencies this year in a longtime survey of the best places to work in government and the department’s cybersecurity division ranked 388th out of 415 agency subcomponents.
About 20 percent of DHS employees said they were “dissatisfied” or “very dissatisfied” with their jobs in the government survey underlying that report while another 20 percent were “neither satisfied nor dissatisfied.”
The pay is also probably better in the private sector.
It’s difficult to compare salaries between government and private-sector cybersecurity pros because qualification and experience vary widely among workers, and government definitions for what counts as a cybersecurity employee vary from agency to agency. Anecdotally, however, agency leaders frequently describe a battle to retain cyber workers who are offered double their government salaries or more by private industry.
The Defense Department, for example, loses about 4,000 of its civilian cyber workers each year to the private sector, according to September testimony from Principal Deputy Chief Information Officer Essye Miller.
During a 2015 hearing, then-FBI Director James B. Comey described “a cybersecurity industry that will pay young folks a lot of dough to go work in the private sector” and said he recruited new cyber workers by touting the excitement and patriotism of government work rather than the salary.
Add to all those factors the frustration of being furloughed or asked to work without pay, and the temptation to look for another job is sure to grow, Bruce McConnell, an Obama administration DHS cyber official, told me.
And if the government loses those employees, it will become far harder to accomplish major goals, such as securing critical supply chains or defending against Russian and Chinese hacks, said McConnell, who now leads the EastWest Institute think tank.
“Civil servants never feel good during these situations,” McConnell said, “and that’s not good for anybody.”
PINGED, PATCHED, PWNED
PINGED: The shutdown has also prompted the DHS and the Commerce Department cybersecurity divisions to “cancel events, take down widely used online resources, call off nonessential travel and stop delivering paychecks to ‘exempted’ employees who are required to keep working through the shutdown,” according to E&E News’s Blake Sobczak. Jason Christopher, a former employee at the Energy Department and chief technology officer at the cyber risk consultancy Axio Global Inc., told Sobczak that a lot of collaboration on cybersecurity among the federal government, businesses and academia has “come to a standstill” as a result of the shutdown.
Additionally, the National Institute of Standards and Technology, an agency that is part of the Commerce Department and conducts work on cybersecurity standards, has taken a hit. “At NIST, fewer than 500 of 3,378 employees are working through the shutdown,” according to E&E News. “The agency has dropped support for a variety of websites that host popular cybersecurity documents like the Framework for Improving Critical Infrastructure Cybersecurity or the widely referenced 800-53 catalog of federal security controls.”
PATCHED: Bounty hunters don’t need a hacking tool to track cellphone users’ whereabouts. Instead, they can get ahold of a device’s location data via a chain of companies that begins with major wireless carriers including T-Mobile, Sprint, and AT&T, according to Motherboard’s Joseph Cox. As many companies can purchase users’ location information, mobile networks and the data they produce become exposed “to surveillance by ordinary citizens, stalkers, and criminals,” Cox reported. Additionally, smaller companies that access the data down the chain may not have the capabilities to protect it.
Sen. Ron Wyden (D-Ore.) scolded telecommunications companies for those practices. “Wireless carriers’ continued sale of location data is a nightmare for national security and the personal safety of anyone with a phone,” Wyden told Motherboard. “When stalkers, spies, and predators know when a woman is alone, or when a home is empty, or where a White House official stops after work, the possibilities for abuse are endless.”
PWNED: While officials in Washington have warned that the Russian cybersecurity company Kaspersky Lab threatens U.S. national security, Kim Zetter reported in Politico that the same firm tipped off American authorities about Harold T. Martin III, a former National Security Agency contractor who is now accused in a case of theft of classified data. Martin was arrested in 2016 and indicted in 2017. He is set to go on trial in June.
“The company’s role in exposing Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history,” Zetter wrote. “It indicates that the government’s own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA’s most sophisticated and sensitive hacking tools.”
— Jurors at the trial in New York of Mexican drug lord Joaquín Archivaldo Guzmán Loera, also known as “El Chapo,” heard a phone call that was intercepted by the FBI after the bureau hacked into a custom encrypted communications system that was built for the Sinaloa cartel, according to the Associated Press’s Tom Hays. “FBI agent Stephen Marston testified that investigators flipped the tech and had the cartel’s computer servers moved to the Netherlands, where agents could more easily unscramble the data to eavesdrop on Guzman as he ran his empire from a mountaintop hideaway,” the AP reported.
The FBI agent also said calls were intercepted between April 2011 and January 2012, according to Reuters’s Jonathan Stempel. “Marston said the FBI tapped into more than 800 calls on the encrypted system with the help of a cooperating witness, Cristian Rodriguez,” Reuters reported.
— You may soon be able to skip passwords on your iPhone and use a hardware security key instead. The company Yubico announced a version of its YubiKey that will be usable on iPhones’ Lightning ports and will also connect to USB-C ports, the Verge’s Russell Brandom reported. Security keys are more secure than a password and can be used in two-factor authentication or to replace a password altogether. “The device is currently in private preview and Yubico’s production plans are still in flux, but the company hopes [that] the new key will go on sale sometime in 2019,” according to the Verge. “In part, the early preview is meant as a wakeup call to developers to include Lightning login capabilities in their apps.”
Should Apple’s iOS operating system adopt an approach where users can log in without a password, then such a “passwordless login standard” will have reached every major operating system, Wired’s Brian Barrett noted. “A green light for an iOS YubiKey may be relatively minor news, but it signifies a promising future, one in which the only password you have to remember for any of your devices lives not in your memory, but on your key ring,” Barrett wrote.
— The housewares company OXO has been struck several times by the Magecart malware, which skims information from billing forms online, CyberScoop’s Greg Otto reported. “In a letter obtained by CyberScoop dated Dec. 26, the company says it discovered ‘the security of certain personal information’ had been compromised via the company’s website” in 2017 and 2018 in three incidents, Otto reported.
THE NEW WILD WEST
— Israel said it is ready to prevent any foreign attempts to interfere in its elections. “Israel’s Shin Bet security service assured the public Wednesday it was well prepared to thwart any foreign intervention in the country’s upcoming elections, after its director warned such efforts were being made by a world power. Suspicions immediately fell on Russia,” the Associated Press’s Aron Heller reported. “The unusual Shin Bet statement followed a TV report that Shin Bet chief Nadav Argaman recently told a closed audience that a foreign country was trying to intervene in the April elections and that operatives were trying to meddle via hackers and cyber technology.”