DHS Wants To Hire 1,000 Cybersecurity Experts
Cyrus writes "DHS Secretary Janet Napolitano plans to hire 1,000 security experts over the next three years. 'Department officials could not say precisely how many cyberexperts now work at DHS and its various component agencies such as the Secret Service and Immigration and Customs Enforcement. Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a "world-class cyberorganization."'" Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!," except he uses all caps and bold.
Re:Nobody's going to work for a government salary. (Score:3, Interesting)
Re:"World-class cyberorganization"? (Score:2, Interesting)
Well, if they didn't physically conduct most of their operations together, and instead did almost pure telecommuting, then yes, they'd qualify as "cybercorporations". It may be an imperfect term, but that does not necessarily make it useless (if used with some consistency).
The head guy is from Microsoft (Score:5, Interesting)
DHS's cyber security operation is headed by Phil Reitinger [washingtonpost.com], who's from Microsoft. So DHS won't be allowed to do anything that would seriously impact Microsoft's business models. Which means nothing significant will happen. Here's his list of priorities. [thenewnewinternet.com] You'll see the problem.
The first guy in that job, Amit Yoran, came out and said the big problem was weak security in Microsoft operating systems. He was ignored, then quit in disgust. The next guy was Cisco's lobbyist, who was not only useless, the job was downgraded during his tenure.
I'm not expecting much from that crowd.
Yes Cringely, we have 1,000 security experts (Score:5, Interesting)
I have a fairly long track record in the security industry, and I'm really puzzled by Cringely's assertion. It's hard to tell if he is trying to make a point out of a semantic squabble, or if he genuinely believes that the information security community has fewer than 1,000 competent experts.
If the former, yeah, the term "cybersecurity expert" is unfortunate - but it's clear it's just PR speak for "information security professional". Cringely then attempts to define that first, largely meaningless term, and then polls his anonymous friends (who themselves probably do not fall within that definition) to come up with wild guesses.
If the latter, yes, we definitely have more than 1,000 security experts. There is something around 500 eminent, internationally recognized folks publishing books, research, and otherwise contributing to the "cutting edge" of the industry. Then there's another 500-1,000 top-tier, notable security VPs, CEOs, etc, working for Fortune 500 companies (they may not all be technically savvy, but they *are* the industry). Then, there is probably something close to 200,000 security professionals working for companies around the world - we have something like 50,000 registered CISSPs alone (which is a certification largely inaccessible to hobbyists, and pursued by a minority of infosec workers), something around 50,000 subscribers to BUGTRAQ and other security mailing lists, etc.
Does this mean that DHS would be able to hire 1,000 competent experts? Unlikely, as the government historically did a pretty poor job of competing with commercial corporations (in terms of compensation and work culture), and many agencies may lack the hiring rigor and expertise to make the right calls. Given the size of the networked infrastructure in the US, this number is high, but does not sound outlandish by itself, though (many large corporations have 20-100 security people on their payroll).
What is a security expert? (Score:4, Interesting)
What is a security expert? Is it people who believe that they are experts in one single area, and that area is called security?
I work with IT security for a living, and there are many areas within that field. We have people who are good at network and data analysis, some who can reverse engineer malware, others who do a good forensics job, one group focuses on incident response and others work with standards and procedures. And this is just a few areas. Encryption is a part of this. Tempest too.
So again, what is a security expert? One who is an expert in one or all of these areas? What is DHS looking for?
Re:Cringely points out... (Score:5, Interesting)
The DHS may *WANT* to hire experts (Score:4, Interesting)
But that doesn't mean they will. And quite frankly, my experience with DHS has been that to make something happen, they hire an incompetent contractor to do the screening and hiring for them which, in turn, hires the first 1000 people with resumes who have enough of the right keywords matching on their resumes.
I once worked for the TSA and I was astounded by the criteria, or lack thereof, in their hiring practices. One teenager was hired on in a supervisory role simply because he applied for it and was early enough in the list of applicants to have not yet filled out their supervisor staffing. Why was this teenager qualified? He wasn't. We know this because it was his first job...ever! This kid hadn't even mowed a lawn for pocket change.
The DHS screens at airports but barely anywhere else. The airport screeners are beholden to the air carriers and quite literally have to follow their instructions at times. Meanwhile the border crossings of the U.S. were wide open for years and years before people took any notice.
Putting important organizations like FEMA under the DHS showed the world what a great move that was when the hurricane season came in with great force. The only thing we really got out of that was "FEMA Camps" where the angle of the razor wire seems to be intended to keep people "in" rather than "out" and has U.S. Army equipment parked on it. (Google "FEMA Camps" for more information on the topic... scary... freakin' scary)
The DHS is the agency under the executive that most represents the words "power grab" and "power consolidation."
Re:The head guy is from Microsoft (Score:4, Interesting)
Read his congressional testimony here:
http://kyl.senate.gov/legis_center/subdocs/022404_yoran.pdf [senate.gov]
Note the frequent mention of specific Windows threats, something you will find few government people doing. Many trade press publications will often mention a new threat without regard to specific OS dependencies (and 99% of the time it's Windows). The company goes to great lengths to make sure its names aren't taken in vain in public.
He has been associated with user groups that are critical of Windows, but my guess is that his true feelings on the subject are uttered mostly off the record.
http://www.viruslist.com/en/news?id=764 [viruslist.com]
http://radsoft.net/rants/20090318,00.shtml [radsoft.net]
In any event, the hiring of a former Microsoftie is the main issue here. Is he required to divest his stock options? I don't see that spelled out.
The U.S. government food dept. has little power. (Score:3, Interesting)
Re:One area: Prison population. (Score:3, Interesting)
I would say Japan has higher levels of corruption than the US. It is far more endemic and accepted than in the US, to the point that it's just the way people do business here.
Japan's public construction budget is larger than the US defense budget, and most of that is just absolute corruption. Americans complain about bridges to nowhere, but Japan takes it to an even further extreme. And all so that construction companies can get money, then make jobs in the countryside, so that politicians can get votes.
And don't get me started on "amakudari", the semi-official system of corruption where retired civil servants get jobs at the companies they gave contracts to.
Re:Cool - how do I become a security expert? (Score:2, Interesting)
Johns Hopkins University, near Washington, DC, offers a master's degree in Security Informatics [jhu.edu]. This is through their Information Security Institute [jhu.edu], which was founded several years ago and includes several well-known CS faculty.
The curriculum [jhu.edu] includes many technological courses (theoretical and applied crypto, network design, network protocols, red-teaming, etc.), but also some public policy courses. I'm guessing that their graduates will be prime candidates for these jobs.
Of course, major in CS first.
Re:Nobody's going to work for a government salary. (Score:1, Interesting)
Wanna know how many GS-15s are in the building? Two. And one is the regional director.
Most federal government sciency jobs here start at GS-9 (B.S. degree usually), and an experienced person will usually start at GS-12 and get yearly 'step' improvements in pay. Moving to GS-13 usually requires management responsibilities (team leads, subject matter experts, etc), and there just aren't enough of those jobs to move everyone up a grade. GS-14 are usually section chiefs or department heads, etc, where they sit through meetings all day.
As a programmer, or security expert, or basically anything that's not upper-management, you have a zero percent chance of being a GS-15.
The entry-level scientists here start at $36k, roughly 40% of industry pay for most of their fields. IT fares a little better, but there's a similar gap. The government cannot pay for *real* experts to be on federal staff. Outside of the military, budgets simply don't allow for it.