
DHS Wants To Hire 1,000 Cybersecurity Experts

Posted by kdawson
from the even-one-would-be-nice-if-you'd-listen-to-him dept.
Cyrus writes "DHS Secretary Janet Napolitano plans to hire 1,000 security experts over the next three years. 'Department officials could not say precisely how many cyberexperts now work at DHS and its various component agencies such as the Secret Service and Immigration and Customs Enforcement. Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a "world-class cyberorganization."'" Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!," except he uses all caps and bold.
  • by AnEducatedNegro (1372687) on Sunday October 04, 2009 @02:53PM (#29637097)
    GS-15 pays 6 figures. Combined with federal Job For Life(TM) job security, retirement perks that will allow you to continue as a "consultant" making the same salary for 20 more years, and virtually unlimited teleworking... I think that is a pretty good deal. I'll sign up

    aEN
  • by Tablizer (95088) on Sunday October 04, 2009 @03:09PM (#29637213) Homepage Journal

    Well, if they didn't physically conduct most of their operations together, and instead did almost pure telecommuting, then yes, they'd qualify as "cybercorporations". It may be an imperfect term, but that does not necessarily make it useless (if used with some consistency).
       

  • by Animats (122034) on Sunday October 04, 2009 @03:11PM (#29637241) Homepage

    DHS's cyber security operation is headed by Phil Reitinger [washingtonpost.com], who's from Microsoft. So DHS won't be allowed to do anything that would seriously impact Microsoft's business models. Which means nothing significant will happen. Here's his list of priorities. [thenewnewinternet.com] You'll see the problem.

    The first guy in that job, Amit Yoran, came out and said the big problem was weak security in Microsoft operating systems. He was ignored, then quit in disgust. The next guy was Cisco's lobbyist, who was not only useless, the job was downgraded during his tenure.

    I'm not expecting much from that crowd.

  • by gqx (1293372) on Sunday October 04, 2009 @03:17PM (#29637271)

    I have a fairly long track record in the security industry, and I'm really puzzled by Cringely's assertion. It's hard to tell if he is trying to make a point out of a semantic squabble, or if he genuinely believes that the information security community has fewer than 1,000 competent experts.

    If the former, yeah, the term "cybersecurity expert" is unfortunate - but it's clear it's just PR speak for "information security professional". Cringely then attempts to define that first, largely meaningless term, and then polls his anonymous friends (who themselves probably do not fall within that definition) to come up with wild guesses.

    If the latter, yes, we definitely have more than 1,000 security experts. There is something around 500 eminent, internationally recognized folks publishing books, research, and otherwise contributing to the "cutting edge" of the industry. Then there's another 500-1,000 top-tier, notable security VPs, CEOs, etc, working for Fortune 500 companies (they may not all be technically savvy, but they *are* the industry). Then, there is probably something close to 200,000 security professionals working for companies around the world - we have something like 50,000 registered CISSPs alone (which is a certification largely inaccessible to hobbyists, and pursued by a minority of infosec workers), something around 50,000 subscribers to BUGTRAQ and other security mailing lists, etc.

    Does this mean that DHS would be able to hire 1,000 competent experts? Unlikely, as the government historically did a pretty poor job of competing with commercial corporations (in terms of compensation and work culture), and many agencies may lack the hiring rigor and expertise to make the right calls. Given the size of the networked infrastructure in the US, this number is high, but does not sound outlandish by itself, though (many large corporations have 20-100 security people on their payroll).

  • by MrOion (19950) on Sunday October 04, 2009 @03:17PM (#29637273)

    What is a security expert? Is it people who believe that they are experts in one single area, and that area is called security?

    I work with IT security for a living, and there are many areas within that field. We have people who are good at network and data analysis, some who can reverse engineer malware, others who do a good forensics job, one group focuses on incident response and others work with standards and procedures. And this is just a few areas. Encryption is a part of this. Tempest too.

    So again, what is a security expert? One who is an expert in one or all of these areas? What is DHS looking for?

  • by fwr (69372) on Sunday October 04, 2009 @03:30PM (#29637361)
    I would have to agree. Having obtained my CCIE Security this year (no I wasn't the one that passed the new 3.0 blueprint), and having a CISSP for a few years, I can say from my experience that there are likely well over 1000 experts in the country. Heck, we have quite a few experts in the company I work for now, and no it's not Cisco. In fact, Cisco calls us in to fix problems they can't from time to time. I doubt that any of them would want to work directly for the government though; I certainly would not. Consulting work for the government, sure, but not a government employee. His point seems to be that he doesn't know that many security experts, so they must not be out there. From his article, it appears that he knows a few subject matter experts, but he points out himself that they are not all-around experts. To quote "I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru." That's two listed technologies and one all-encompassing "other" category. And apparently this expert "was," no longer "is." Now, I'm not calling them out, and I'm not going to compare resumes in a public forum. I'm just saying, when his own experts say they were an expert, maybe he's not talking to the right experts...
  • by erroneus (253617) on Sunday October 04, 2009 @03:50PM (#29637519) Homepage

    But that doesn't mean they will. And quite frankly, my experience with DHS has been that to make something happen, they hire an incompetent contractor to do the screening and hiring for them which, in turn, hires the first 1000 people with resumes who have enough of the right keywords matching on their resumes.

    I once worked for the TSA and I was astounded by the criteria, or lack thereof, in their hiring practices. One teenager was hired on in a supervisory role simply because he applied for it and was early enough in the list of applicants to have not yet filled out their supervisor staffing. Why was this teenager qualified? He wasn't. We know this because it was his first job...ever! This kid hadn't even mowed a lawn for pocket change.

    The DHS screens at airports but barely anywhere else. The airport screeners are beholden to the air carriers and quite literally have to follow their instructions at times. Meanwhile the border crossings of the U.S. were wide open for years and years before people took any notice.

    Putting important organizations like FEMA under the DHS showed the world what a great move that was when the hurricane season came in with great force. The only thing we really got out of that was "FEMA Camps" where the angle of the razor wire seems to be intended to keep people "in" rather than "out" and has U.S. Army equipment parked on it. (Google "FEMA Camps" for more information on the topic... scary... freakin' scary)

    The DHS is the agency under the executive that most represents the words "power grab" and "power consolidation."

  • by cmacb (547347) on Sunday October 04, 2009 @06:06PM (#29638549) Homepage Journal

    Anyway, do you have a reference for Yoran's statements on weak Windows security? I must have chosen the wrong keywords when I looked for them.

    Read his congressional testimony here:

    http://kyl.senate.gov/legis_center/subdocs/022404_yoran.pdf [senate.gov]

    Note the frequent mention of specific Windows threats, something you will find few government people doing. Many trade press publications will often mention a new threat without regard to specific OS dependencies (and 99% of the time it's Windows). The company goes to great lengths to make sure its names aren't taken in vain in public.

    He has been associated with user groups that are critical of Windows, but my guess is that his true feelings on the subject are uttered mostly off the record.

    http://www.viruslist.com/en/news?id=764 [viruslist.com]

    http://radsoft.net/rants/20090318,00.shtml [radsoft.net]

    In any event, the hiring of a former Microsoftie is the main issue here. Is he required to divest his stock options? I don't see that spelled out.

  • Read the book, Fast Food Nation [amazon.com]. The U.S. government allows abuses that are far, far worse and more extensive than mentioned in this New York Times article: E. Coli Path Shows Flaws in Ground Beef Inspection [nytimes.com].
  • by identity0 (77976) on Sunday October 04, 2009 @09:21PM (#29639767) Journal

    I would say Japan has higher levels of corruption than the US. It is far more endemic and accepted than in the US, to the point that it's just the way people do business here.

    Japan's public construction budget is larger than the US defense budget, and most of that is just absolute corruption. Americans complain about bridges to nowhere, but Japan takes it to an even further extreme. And all so that construction companies can get money, then make jobs in the countryside, so that politicians can get votes.

    And don't get me started on "amakudari", the semi-official system of corruption where retired civil servants get jobs at the companies they gave contracts to.

  • by jeisner (56981) on Monday October 05, 2009 @12:55AM (#29640929)

    Is there a major I can take in college?

    Johns Hopkins University, near Washington, DC, offers a master's degree in Security Informatics [jhu.edu]. This is through their Information Security Institute [jhu.edu], which was founded several years ago and includes several well-known CS faculty.

    The curriculum [jhu.edu] includes many technological courses (theoretical and applied crypto, network design, network protocols, red-teaming, etc.), but also some public policy courses. I'm guessing that their graduates will be prime candidates for these jobs.

    Of course, major in CS first.

  • by Anonymous Coward on Monday October 05, 2009 @06:51PM (#29651269)
    I work in a DOI/MMS building as a contracted software dev. There's 500+ federal employees here.

    Wanna know how many GS-15s are in the building? Two. And one is the regional director.

    Most federal government sciency jobs here start at GS-9 (B.S. degree usually), and an experienced person will usually start at GS-12 and get yearly 'step' improvements in pay. Moving to GS-13 usually requires management responsibilities (team leads, subject matter experts, etc), and there just aren't enough of those jobs to move everyone up a grade. GS-14 are usually section chiefs or department heads, etc, where they sit through meetings all day.

    As a programmer, or security expert, or basically anything that's not upper-management, you have a zero percent chance of being a GS-15.

    The entry-level scientists here start at $36k, roughly 40% of industry pay for most of their fields. IT fares a little better, but there's a similar gap. The government cannot pay for *real* experts to be on federal staff. Outside of the military, budgets simply don't allow for it.
