I want to talk about my experience working for the Federal Government, but also look at some wrinkles in the Cyberspace Solarium's efforts to address recruitment and retainment. At some level, every government proposal to address this problem is a twelve-dimensional remastering of Groundhog Day. You can see this in the supporting document on Lawfareblog, which focuses on the military talent shortage, possibly inspired by a meeting with CyberCom?
Most reports of this nature nibble around the edges of the problem and the Lawfareblog article proposes the following:
- Relaxing military grooming and fitness standards for people in IT roles
- Paying IT people more to compete with private industry
- Opening offices in cities that people want to work in (or say, in Silicon Valley, where nobody WANTS to work but apparently people end up)
- Building a skills database (which ironically would probably get hacked)
- Offering unique perks (like training on emerging technologies, or one-of-a-kind challenge coins!)
All of the typical suggested measures largely ignore the the number one issue with recruitment and retainment which is the clearance system. In this day and age, not being able to offer a clearance within a week is insane. In many ways, we need to completely rethink the clearance system, which right now is a one way door - people are required to be working in the Government or for a Government contractor to hold a clearance, and when they lose it, they rarely get it back as it requires a full-on reprocessing, which can take years.
That brings me to my story. I filed for some scholarships in high school, one with NASA and one with the NSA. My high school grades were not great, but the NSA application included an interview and I was even then, as obviously geeky as it got. I had, as it were, mad Turbo Pascal skills, and some beginner assembly language, and the NSA had a voracious appetite for minority students in technical fields like computer science, which I already knew was my focus to the total exclusion of anything else, like social skills or any fashion sense.
At the time the program was called the Undergraduate Training Program and started in 1986 (legend has it a member of the Congressional Black Caucus got a tour of the NSA and didn't see any minorities and threatened to yank funding until he did), but it appears to have been renamed the Stokes Educational Scholarship. I highly recommend it, if you are a high school student reading this blog, or happen to have one near you!
But also, I think the UTP/Stokes program has offered massive strategic advantages to the United States, getting students into the NSA who otherwise never would have considered it, who have gone on to contribute immeasurably to our national security. It has had high return on investment, in other words. So please don't take this blogpost as saying these efforts are not worth it. However, they will not change the game or solve the problem.
One reason for that is that these programs exist and have for forty years. So what are the new proposals in the Cyberspace Solarium efforts?
Not that we can't "Do more" but aside from the "institutional barrier" of clearances, it's hard to see what we can drastically change to open a huge pipeline of new applicants for the 33K billets we need to fill.
Ask yourself this:
- Why does it take 2 years to get a TS-SCI?
- Why do you lose your clearance after five years of not using it?
- Why can't a small company hold a facilities clearance? Why do companies hold your clearance, and not the government itself?
- Do we know anyone who has given up their clearance, gone on to have a successful private industry career that involved extensive travel, and then re-applied and been accepted? If not , why not?
- Why have we not already copied and expanded the massively successful NCSC Industry-100 program?
To be fair, the report acknowledges this pain point by asking for a new report!
We don't need another report - we need a massive change to an obviously broken system. |
If you've been following DARPA's work in the area, you may have noticed they've already done research on getting people a clearance in a week - we just need the political wherewithal to follow through on implementing it.
It may be, of course, that even with the clearance roadblock removed, the Culture roadblock, as identified by the authors of the Solarium report, would remain. Culture is not about haircuts and fitness levels - and in fact most hackers I know are very into Brazilian Jiu Jitsu and can run a reasonably fast mile.
Culture is about a deeper set of problems, none of which are in the cyber domain:
- Politicization of the Mission, including the ICE mission
- The Drug War
- "Stop and Frisk"
- "Why are we still in Afghanistan?"
If exposure to Stop and Frisk already pre-tuned you to thinking that law enforcement was an unacceptable career path, you're not going to apply to fix IT security issues at the FBI. CISA's mission may be amazing, but you can't retain workers who have their friends getting detained by ICE in front of their kids. You can't have the AG writing polemics against End to End encryption and then try to recruit people out of Facebook into DoJ because they already know the head boss is full of it.
Sometimes you can't solve your recruitment problem by throwing money at the problem, or more scholarships, or reaching out to more people. A better solution would include an agency that is removed from these complications - entirely out of the executive structure, with a mission that attracted the best and brightest because they believed it was uncorrupted. We can still call it CISA!
But until we solve the personnel problem, we can't solve the other problems the Solarium report tries to address. And until we address the Culture and Clearance problems, we can't even begin.
Another note:
No comments:
Post a Comment