
RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage

Posted by timothy
from the rand-can't-help-seeming-creepy dept.
New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)
  • by Anonymous Coward on Sunday June 29, 2014 @03:06PM (#47346049)

    1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
    2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
    3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

    • by Shakrai (717556)

      Good cyber people won't put up with the insane government clearance bullshit.

      There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.

      • Good cyber people won't put up with the insane government clearance bullshit.

        There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.

        When I worked at a DoD lab, the clearances weren't the problem, the soul-crushingly inept, capricious IT systems were. I'm easily twice as productive now that I've come back to the private sector.

    • by Anonymous Coward

      I concur 100%.

      Not only do I not want any part of the government clearance bullshit, I don't want any part of the general government bullshit. I don't want to go without a paycheck when the government randomly shuts down. I don't want to be stuck with a crappy GS pay grade. I want to work in the private sector where multiple employers compete with each other to hire me and I can pick where I want to live.

      Besides, government jobs are a haven for the mediocre. I've always had the impression that governme

      • by Anonymous Coward on Sunday June 29, 2014 @04:15PM (#47346295)

        So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.

        Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.

        Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

        • by ZG-Rules (661531)

          Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

          I wish I could hug you right now AC.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          I never said my impression was backed up with nothing. I've worked with federal government employees on projects. Before I knew better, I even interviewed for a few federal jobs and saw first hand a little of what goes on there. I know people who work for the government who have related their experiences to me. I even know more than a few people who are completely incompetent and have managed to rake in six figures for decades working for the federal government, and they are obviously aware and proud of the

        • by lucien86 (917502)

          So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.

          Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.

          Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

          Most of that drumbeat comes from the evil empire of the Murdochs. They have done everything they can to corrode and corrupt and destroy government power and democracy in countries throughout the world, especially in the US and UK. Every bit of venomous hate towards the US government, the psychotic conspiracy theory mind-set, the actual birth of the neo-cons themselves, the election of at least half the presidents since Carter - they are behind it all.
          They've done exactly the same damage here in the UK, bot

      • by mjwalshe (1680392)
        won't get an interesting job at a List X firm then - I know of major tech companies where for some projects lead devs have to have DV (TS) Clearance
    • by Anonymous Coward on Sunday June 29, 2014 @04:00PM (#47346237)

      I don't think that you're fully considering point 3).

      Have you ever actually worked with any autodidacts?

      Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with.

      They may have a surface-level knowledge of a particular topic, but they just don't have the depth or breadth that somebody with more formal training tends to have. But that's not even the worst part.

      The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience.

      If you've had to deal with Ruby or JavaScript programmers you'll probably know what I mean. They're often young, totally self-taught, and are often high school dropouts. They can create simplistic web apps, but that's pretty much where it ends. The moment it moves beyond that, they're either creating really big messes or they're moving on to their next "opportunity". If you confront them about the messes that they're creating due to a lack of knowledge and understanding, they'll just label you an "academic snob" and dismiss you without a second thought.

      While somebody with college training isn't guaranteed to be better, in practice they usually are, or at least they understand their level of knowledge better. They're much better people to work with, and the work they produce tends to be a lot better. I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Have you ever actually worked with any autodidacts?

        Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with....

        The worst part is that they often have absolutely no idea how much they don't know,

        Yes.

        This is the real problem with autodidacts; their knowledge is patchy and has huge holes, whole areas of study that they are ignorant of. Far too often, you have to spend a few hours educating them just to get them to the point where they understand what they don't know.

      • by Anonymous Coward

        "Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with."

        If you've worked with several hundred of anyone who are "among the worst people to deal with" sounds like there might be a whole different kind of problem...you.

      • I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

        Of course. Here's a list of some of the other autodidacts whose contributions we can dismiss: Leonardo da Vinci, Frederick Douglass, Thomas Edison, Michael Faraday, Benjamin Franklin, Buckminster Fuller, Jimi Hendrix, Abraham Lincoln, Booker T. Washington, Frank Lloyd Wright and Wilbur Wright.

      • by Grishnakh (216268)

        What level of autodidactism are we talking about here anyway? High school dropouts, or people with slightly different degrees to what they're currently working in?

        Remember, a university education is not a training course. It's supposed to give you the fundamentals so you have a broad education and a starting point to learn more on your own later. It doesn't replace specialized knowledge gained through experience, and never will. Ruby and JavaScript are not languages normally taught at the university lev

      • by PJ6 (1151747)
        I agree that too many people get into the field that shouldn't, but you're out of line using your example to generalize to all autodidacts. The most brilliant people in any field are by definition autodidacts, because what education offers falls short of their capabilities.

        Also, CS teaches absolutely nothing about good real-world design. The most perverse architectures I've seen have come from the highly educated - and I say that being highly educated myself. To borrow an old military cliche, many with hi
    • Very good points, especially the part about autodidacts. That one hits home since I am self educated. I've held jobs that 'require' an MBA/MIS degree, CS degrees, etc. In private industry (I work for a small IT security firm currently) I can easily make six figures in jobs that 'require' a degree. The government can shove it as far as I'm concerned.

    • by mjwalshe (1680392)
      SIS (MI6) at Bletchley Park did OK with a bunch of autodidacts in WW2; in fact they taught the NSA most of what they know
    • by mjwalshe (1680392)
      *cough* *cough* Stack ranking and similar disastrous HR policies plus fetishization of CS degrees
    • by Shoten (260439)

      1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
      2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
      3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

      Point #1 is a generalization, and incorrect. When you get into a lot of the higher-level work in cyber, you have to deal with background checks anyways, even outside of a government clearance. While the highest of the high clearances (like a TS/SCI for the NSA) will be like walking across hot coals, the overwhelming majority of clearances are not that hard a process to endure. And the report functionally states, "lower the amount of clearance bullshit and more people will be hireable." So yeah, Point #

      • by Grishnakh (216268)

        Point #2 is kind of right. Jessup isn't a great place, but you don't have to live there...just work there. You can easily work at Jessup but live in, say, Takoma Park or Columbia or any of the other really nice neighborhoods that are within 30 minutes. Where you work != where you live.

        Not really. You can only realistically commute so far; most people don't want to spend more than 1 hour in each direction, and that's kinda pushing it. So yeah, you don't have to live right in Jessup, but you're still stuck i

    • 1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
      2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
      3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

      I'd be happy to be a government cyber warrior as long as I can do it in my mom's basement and get paid in hot pockets and star trek dvds.

  • by plover (150551) on Sunday June 29, 2014 @03:19PM (#47346105) Homepage Journal

    So how many of these people are actually needed in the federal government? It's not like having an extra cyber security guy in the FBI helps make Joe's Dry Cleaning a safer business. Security isn't transitive.

    • Numbers depend upon the OS you use. It is well known that Linux (or BSD) takes 1/10th the number of administrators to run. How about switching to a lower maintenance OS, and paying off Microsoft for backdooring Windows in some other way?
      • Government is an enterprise like any other.

        Its users are arguably less technically savvy.

        Can you imagine the cost with establishing a secure 1 million user network, where Linux isn't an OS but more probably some disease that was eradicated back in the 1800s. Training would cost so god damn much, take a year or two.

        Sure, probably don't need IIS servers. But users need to be on Windows.

        • by geoskd (321194)

          Its users are arguably less technically savvy. Can you imagine the cost with establishing a secure 1 million user network, where Linux isn't an OS but more probably some disease that was eradicated back in the 1800s. Training would cost so god damn much, take a year or two. Sure, probably don't need IIS servers. But users need to be on Windows.

          But every couple of years, MS hands out a perfect reason to convert: New versions.

          The cost of retraining to use Windows 8 for example is probably going to be on par with retraining to use Ubuntu or Debian. It could probably even be reduced for Ubuntu or Debian by using a more windows 7 like GUI to help keep the environment as familiar as possible. Any organization that cites conversion retraining costs as their primary cost justification for staying with MS now is either lying (to cover a conflict of inter

    • Security isn't transitive.

      But lack of security is transitive.

      Your system is only as secure as the weakest point in the connection.

      • by mjwalshe (1680392)
        "our system is only as secure as the weakest point in the connection."

        Ah Users you mean
    • by mjwalshe (1680392)
      FBI cyberguys are provably more on the contra espionage / secret side /CNI protection
  • by dunkindave (1801608) on Sunday June 29, 2014 @03:49PM (#47346195)
    Let me summarize: if you are a federal employee then you are a civil servant and paid according to the GS (General Service) scale. This is what people mean when they say someone is a GS-12 or GS-15. These scales are published by the US Office of Personnel Management and dictated by the President or by Congress. Unfortunately, these pay levels are below what a decent cybersecurity person expects to be paid, and do not compete with private industry. The result is that the cybersecurity people in federal positions are there either because of a sense of duty, or because they didn't cut it in the private sector. This is the classic image of a postal worker. In order to attract better candidates, they need to be paid better which means exempting them from the GS schedule. This is also why a lot of agencies use contractors for these positions because they can pay a contractor a lot more than an employee and thereby get better people in the job.

    Yes, I know I have greatly simplified certain details, but that covers the basics of the problem.
    • by mjwalshe (1680392)
      the same is true of all technical civil service roles both in the UK and USA
    • by mjwalshe (1680392)
      I know in the UK I looked at some big data contractor roles and for a full year you would be earning 40% more than the Prime Minister
    • by Anonymous Coward

      Don't disagree, but re:

      The result is that the cybersecurity people in federal positions are there either because of a sense of duty, or because they didn't cut it in the private sector. This is the classic image of a postal worker.

      Government is perceived safer, in the sense that companies go out of business or merge and so forth all the time.

      I am not saying this is true, I am saying this is why some people choose government. Do you really think there are many people with a sense of duty? Please. People want safety. What is safer, protesting in the street, or putting on your badge and keeping your mouth shut? The other side of "didn't cut it" is "got sick of constantly being at risk of being cut because someone e

    • Several of the civil service fields in the DoD are exempted from the GS scale. I can say from many years experience it does not help. The study was spot on, the combination of managers not wanting to pay highly skilled labor more than they think themselves are worth kills it. Also just because they are exempted does not mean they actually pay more or have the budget to do so. Add to that the total lack of leadership competency, which the study also addresses, and voila there's a bi-modal distribution of p
    • http://www.opm.gov/policy-data... [opm.gov]

      A GS-15 in Atlanta's starting pay is $120034 and they top out at $156043. Now, that's the top level, but you can make decent money as a government employee.

      Your basic FBI/DEA/ICE/Secret Service agent is a GS13. Their range is $86,355-112,261. I'm sure some people on here make more than that, but I bet the majority don't. If you go here (http://www.whatsmypercent.com/), it states someone making $100k is in the 96%. That is the entire US workforce, but should paint a releve

  • This is just my opinion but the problem with cybersecurity is the Information Security people do not have the proper technical background. Around where I live, most of the Information Security people come from a management or project management backgrounds and get very basic Information Security training like how often to force password changes and learning why patching is so important.
    In my opinion if an individual does not know how to configure a firewall, do basic packet sniffing/analyzing and fully und

  • So train them. (Score:5, Interesting)

    by Animats (122034) on Sunday June 29, 2014 @04:10PM (#47346271) Homepage

    Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.

    This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

    One unexpected item from the paper: "One operating system, having been installed in almost a billion devices, has yet to attract malware in any significant way -- although it is falls short of being provably secure." What are they talking about? QNX? VxWorks?

    • Android is on pace to surpass one billion users across all devices in 2014. By 2017, over 75 percent of Android's volumes will come from emerging markets. Source: http://www.gartner.com/newsroo... [gartner.com]

    • by squisher (212661)

      Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.

      I think that's really an unfair comparison. Do other agencies have the insane funding that NSA has? The lack of accountability (and by that I mean they don't have to justify their spend as much). Also, as the article noted, the NSA is exempt from these pay scales.

      This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

      And this goes to show that you missed the points of the report. Most federal agencies are forbidden from paying decent wages because they have to use the pay scales that the government sets.

      If you want to make the point that the government pays shi

    • I hate the employers that whine that they can't get good help. The reality is that most employers are not able to pay for skilled or reliable workers. People with tremendous skills and good work habits are available but they do demand real pay. The cabinet shop that wants to hire workers for $10. per hour has a big problem. The cabinet shop that pays $60. per hour gets an entirely different type of worker. Offer $200. per hour and you can create world class cabinets.
      • I hate the employers that whine that they can't get good help. The reality is that most employers are not able to pay for skilled or reliable workers. People with tremendous skills and good work habits are available but they do demand real pay. The cabinet shop that wants to hire workers for $10. per hour has a big problem. The cabinet shop that pays $60. per hour gets an entirely different type of worker. Offer $200. per hour and you can create world class cabinets.

        I suspect that many employers are able, but not willing, to pay for skilled and reliable workers. I recently spent 9 months at a temp job with a large and wealthy employer, demonstrating my skill and work ethic to the hiring manager. At the end of the job he offered me a permanent position, but at $20 to $25 per hour. I would have been willing to take the job if I could have been compensated for my 900 miles per week commute. However, the policies of the institution did not permit him to do that, or, eq

    • I believe they're referring to this: http://en.wikipedia.org/wiki/T... [wikipedia.org]
    • by Anonymous Coward

      Correct. Mod up.
      As a .gov worker, I see plenty of contractors NOT training up .gov staff on the 'easy stuff'. Their contracts say they should train, impart knowledge, the managers say they do, but it is not true. A contractor's brains/experience/brilliance is only used 5-10% of the time.
      Contractors do like to shirk, or shave time to win their next big assignment/contract. Or curry favor fixing noticeable issues not in their statement of work.

      Therefore, there can be massive improvements in outcomes and busin

  • So basically we're talking about weed here, right? Those dominoes are falling.

    My main objection to the process I went through to get my TS was the fucking "lie detector" test. Junk science is going to tell them if I'm "solid" or not? Please.

    • by Anonymous Coward

      They know the lie detector isn't reliable. It's an intimidation tool. They hope it will psych you out and prevent you from doing something wrong (espionage, etc.) or that it will cause you to get nervous, sweat bullets, and that they can notice your nervousness as suspicion you're hiding something.

    • by mjwalshe (1680392)
      MI5 tested lie detectors back in the 50's; the 35% plus false positive rate got that idea dropped
  • Can they become more looser with the likes of Keith Alexander?

  • No one will hire anyone w/o clearance and no one will pay someone not to work for the up to 18 months it can take to get clearance. So the community of people with clearance get rehired over and over and over and over

    Which is why you have Edward Snowden. It's easier to hire an angry ex square-badge high school dropout with clearance than to get someone better vetted.

    BTW under Obama the amount of material labeled 'classified' or higher has exploded. It's pretty much everything everywhere.

    • Very good point. It used to take six months. Also, a TS lasted for five years, now, I think, it only lasts for two.

      Just more massive government inefficiency.

  • Who the fuck wants to work for the government except unemployable fucked up alcoholics?
