DHS Wants To Hire 1,000 Cybersecurity Experts
Cyrus writes "DHS Secretary Janet Napolitano plans to hire 1,000 security experts over the next three years. 'Department officials could not say precisely how many cyberexperts now work at DHS and its various component agencies such as the Secret Service and Immigration and Customs Enforcement. Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a "world-class cyberorganization."'" Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!," except he uses all caps and bold.
Well, I've already had my DHS background check... (Score:5, Funny)
Re: (Score:3, Insightful)
Re:Well, I've already had my DHS background check. (Score:5, Informative)
No, they aren't. The Information Assurance and other Information Technology positions in the Federal Government are usually grade GS-13. A GS-13 Step 1 in the Metro DC Area makes $70,615, Step 10 makes $91,801. This is competitive with most commercial salaries. Factor in the generous benefits (retirement, commute cost compensation, flextime, etc.) and the Civil Service positions are lucrative.
Re:Well, I've already had my DHS background check. (Score:4, Informative)
You left off locality pay... a GS 13-1 in Metro DC makes $87K, step 10 makes $113K. So, even better!
http://www.fedjobs.com/pay/washington.html [fedjobs.com]
Re:Well, I've already had my DHS background check. (Score:4, Informative)
You're way off base. IA and IT positions with the government usually start at GS 5 or 7. Most reach full grade at 12. Getting to a 13 generally requires going into management. Of course, all this assumes you're somewhere other than DC. In DC, nearly every job is inflated by one or two grades.
In the rest of the country, an IT tech or entry-level security wonk will be a 7, making a touch over $33K to start. Support techs are dual-tracked in many agencies with most topping out at GS 9.
And the days of good retirement are long past. It's been 25 years since new employees were placed under the Civil Service Retirement System, the high-quality retirement scheme for long-term employees that most people think of when they think of federal retirement. The new Federal Employees Retirement System is significantly more chancy and requires the employee to pay lots more attention to their investments over the years. It's no longer a case of "put in your time, get your dime."
Retirement from federal service is better than most places in some ways and worse in others. A career fed is likely to retire with better life and health insurance than most folks and no danger that it'll be taken away when the company goes belly up. But a career fed is also likely to retire with a much smaller pension and lower net worth than his private industry counterparts.
I like those tradeoffs and have stayed with federal service even though I routinely (that is, at least once a quarter) turned down job offers during the dotcom boom that would have quadrupled my salary. I valued the good work rules and long term stability of my employer. Others place very little value on stability. For those folks, government service is definitely not the way to go.
Re: (Score:3, Informative)
No, I'm not off base. I get a weekly e-mail from USA Jobs that lists these positions, and the lowest I've seen is a GS-11.
Re: (Score:2, Insightful)
Re: (Score:2)
The key point here is that in order to be hired as a cyber-security expert in the private sector, you probably need to be an actual cyber-security expert.
BWAHAHAHAHA!
Equivalent of the TSA... (Score:5, Insightful)
Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!,"
No matter. These guys will be the "cybersecurity" equivalent of the TSA goons at the airport, probably with a management culture even worse than those poor slobs have to live with.
Re: (Score:2)
Sir, please take your USB keys out while we scan your network.
Re:Equivalent of the TSA... (Score:5, Funny)
If they use old-school terminology, it could sound really odd to onlookers:
"Sir, please take your dongle out while we sniff your nodes."
Re:Equivalent of the TSA... (Score:5, Funny)
Sir, please take your floppy out while we unzip your tarballs.
Re:Equivalent of the TSA... (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Insightful)
Or they could become overpaid IT techs who can't design an open access website to comply with government accessibility standards. How about 7 million to "install a firewall" from Norton or AVG or something?
Re:Equivalent of the TSA... (Score:4, Funny)
Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!,"
No matter. These guys will be the "cybersecurity" equivalent of the TSA goons at the airport, probably with a management culture even worse than those poor slobs have to live with.
I'm sure DeVry and U.o.Phoenix will be glad to pump out several thousand associate degrees in Cybersecurity Expertry or something in the next three years for them to sort through. That way DHS can say they interviewed thousands of candidates and only took "the best."
Jobs to Commie lands (Score:2)
Re:Equivalent of the TSA... (Score:4, Insightful)
Their experts will be very effective, however, against the rather common type of attacker that you can block with the kind of network protection that anyone with half a brain already has. Their effectivity numbers will reflect the number of attacks repelled, and thus they'll be commended for their excellent work.
Re: (Score:2, Informative)
AVUE.com, which lists USDA Forest Service jobs, recently informed applicants that from now on SPOUSES of veterans, not just veterans, will receive preference for filling positions. This preference excludes qualification. In other words, you just have to be married to a vet and you can have the govt. job of your choice.
Before someone says that I'm trying to say the wife of Pfc. John Doe can ask for the EPA director's job, I think there is some limit, especially for executive position (but maybe not), but low
Re:The U.S. government is EXTREMELY corrupt. (Score:5, Insightful)
In this case I'd say it's about damn time, that's probably a good starting point considering that so much of the military network is so completely hopeless right now, depending upon who they're looking for it would take a goodly number of entry level employees just to get the simple stuff done. Let alone the more complex tasks.
One area: Prison population. (Score:2, Offtopic)
I guess that you are not someone who reads books. I suggest that anyone who loves the U.S. do some serious research.
The U.S. has more people in prison [commondreams.org] than farmers [epa.gov]. The U.S. has 6 times the percentage of its citizens in prison as European countries.
In the U.S., prisons are a big business [globalresearch.ca].
Those who are not willing to do research cannot say they love the United States. Can you say you love a woman if you
Re: (Score:3, Interesting)
I would say Japan has higher levels of corruption than the US. It is far more endemic and accepted than in the US, to the point that it's just the way people do business here.
Japan's public construction budget is larger than the US defense budget, and most of that is just absolute corruption. Americans complain about bridges to nowhere, but Japan takes it to an even further extreme. And all so that construction companies can get money, then make jobs in the countryside, so that politicians can get votes.
And
U.S. financial system unchanged. (Score:3, Insightful)
The U.S. government food dept. has little power. (Score:3, Interesting)
Re: (Score:3, Informative)
Yes, he is. The burden of proof is on the accuser.
Re: (Score:2)
Re: (Score:2)
Nobody's going to work for a government salary.. (Score:2, Insightful)
When they can make over 6 figures easily, with private company perks and bonuses working outside the government.
If the DHS wants qualified people, they need to pay a competitive salary. Of course, u
Re: (Score:3, Interesting)
Re: (Score:2)
There ain't too many GS-15s. In the corporate world, they would be like SVPs. Most of the technical and engineering people are GS-12 to 13 outside of DC, and 13-14 inside DC.
Re: (Score:2)
Cool - how do I become a security expert? (Score:5, Funny)
Is there a major I can take in college?
Re:Cool - how do I become a security expert? (Score:5, Informative)
Re: (Score:2)
Good stuff. Let me add in something else, because this will be bonus points. Work in law enforcement for 2-5 years, while doing that. Get your undergrad in Security and Risk Analysis with a spec in cyber-security.
Simple... (Score:2)
All you have to do is become friends with this guy. [cringely.com]
Apparently, he decides on who gets to be one and determines the global quota of "Cybersecurity Experts". [cringely.com]
You may have to hurry though, as he might just decide that 640 "cybersecurity experts" should be enough for everyone.
And he already knows at least six.
Re:Cool - how do I become a security expert? (Score:5, Funny)
Re: (Score:2)
Yes, but you'll need to find a military college program. When you get there and choose your major, try to make it quick and deadly. Majors are scary when they've just been half-clubbed with a 2x4.
Re: (Score:2)
Iowa State University offers a Masters degree in Information Assurance. Some of their offered classes are: Information Warfare, Cryptography and Forensics.
Does this qualify? (Score:2)
Re: (Score:3, Funny)
Would knowing that there aren't a thousand experts out there make me an expert?
In my expert opinion, no.
Re: (Score:2)
Re: (Score:2)
I dunno, gubment execs are the ones smart enough to think we need DHS as if we didn't have the NSA, CIA or the US Marshals.
Redundant agencies make our lives more secure. They have no risk of creating additional vulnerabilities in the tiny bureaucracy that is our gubment.
The American Way (Score:2)
"...she is focused on making DHS a "world-class cyberorganization."'"
Because heaven forbid a US federal government agency should be satisfied with being only US class. After all, we have a world to protect from itself.
Re:The American Way (Score:5, Insightful)
That's kind of a bogus observation. If you aren't world-class, then you are at the mercy of those who are. "World-class" doesn't mean "better than anyone else in the world." It just means "good enough to hold your own with the best in the world." Really, everybody needs world-class people. The pity is that not everyone can afford them.
Doesn't matter if they hire 10,000... (Score:3, Insightful)
...as long as they can't hire Bruce.
Cringely points out... (Score:4, Insightful)
..."There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!,"
And he would certainly know, wouldn't he? World-renowned expert that he is. On everything.
Re:Cringely points out... (Score:5, Interesting)
Re: (Score:2)
Cringely's more than a bit impressed with himself, and definitely has an opinion on every subject. He also puts some thought into what he says. When he's wrong (frequently) it's always for interesting reasons.
Re: (Score:2)
Re: (Score:2)
Some of the quotes are awesome, if you start reading the article in depth...
"So I polled six old friends who ARE cybersecurity experts and they kinda-sorta agreed with me." - so, they didn't agree, is what you mean?
"I'm pretty sure they don't know each other." - So we're talking a group that is apparently terrible at knowing about each other, to estimate how many there are?
"I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru." - So, the press release says "security exper
Re: (Score:2)
This is the same Cringely that's an "expert" on the user interfaces of nuclear power plants [slashdot.org], isn't it? Does he have some sort of credentials that might actually make him an expert in cyber security? Looking on his site....
When it comes to information technology, Cringely knows what he is talking about. Thirty years in and around the PC business has earned him wisdom, if not wealth. It's not that he is so smart, but his friends are smart. The best and brightest in Silicon Valley talk to him all the time. It's Cringely's job to sift through their thoughts for valuable bits to share with you.
So just like his venture into nuclear power expert-ness, his IT knowledge is at best second-hand.
Thanks to the submitter for the links to an actual story, though. :)
"World-class cyberorganization"? (Score:5, Insightful)
"Cyberorganization"? What the hell does that even mean? You use computers and computer networks? Computers and computer networks are your primary focus? Big goddamn deal! You don't see Microsoft or IBM or Cisco calling themselves "cybercorporations", do you?
Look at me, I spend a lot of my time on the Internet! I'm a cyberperson!
Re:"World-class cyberorganization"? (Score:4, Funny)
Re: (Score:2, Interesting)
Well, if they didn't physically conduct most of their operations together, and instead did almost pure telecommuting, then yes, they'd qualify as "cybercorporations". It may be an imperfect term, but that does not necessarily make it useless (if used with some consistency).
Re: (Score:2)
It was 1995 [imdb.com]. Oh, come on! You liked it. :P
Aww... come on... (Score:3, Funny)
EVERYTHING [cyber-yogurt.com] is [cyberrug.com] better [armandosports.com.au] with a [cybermelon.com] cyber- [linkedin.com] prefix. [worldwidewords.org]
Re: (Score:2)
Wait until you see a cybercyber! It's something that is steering, but in steering space!
Re:"World-class cyberorganization"? (Score:5, Funny)
Re: (Score:2)
So you would not use my new CyberCyber virtu@l e-SocialCloud Turbo iNetExplorer 2000 XFX GTX - Ultimate Web 2.0 Gold Edition?
Re: (Score:2)
Re: (Score:2)
If they are looking to recruit Cybermen for their cyberorganization, they had better talk to John Lumic.
The head guy is from Microsoft (Score:5, Interesting)
DHS's cyber security operation is headed by Phil Reitinger [washingtonpost.com], who's from Microsoft. So DHS won't be allowed to do anything that would seriously impact Microsoft's business models. Which means nothing significant will happen. Here's his list of priorities. [thenewnewinternet.com] You'll see the problem.
The first guy in that job, Amit Yoran, came out and said the big problem was weak security in Microsoft operating systems. He was ignored, then quit in disgust. The next guy was Cisco's lobbyist, who was not only useless, the job was downgraded during his tenure.
I'm not expecting much from that crowd.
Re:The head guy is from Microsoft (Score:5, Insightful)
Then you're forgetting the negative things that could happen. Like Linux declared a threat to national security.
Building Partnerships (Score:3, Insightful)
From the referenced link on list of priorities:
Building Partnerships: "We're defining our partnership models, making sure they're as efficient as possible, that they let the private sector work effectively with us and as one, and we're starting the process of developing a national cyberincident response process..."
Translation: If it's a problem with a security exposure in Microsoft Windows, hand it over to Microsoft to deal with. Let them do the coverup.
Re: (Score:2)
Wow, awesome selection of priorities. They're mostly subjective, with no way to measure whether they're achieved or not. Great for hand-waving excuses later about why nothing gets done.
Anyway, do you have a reference for Yoran's statements on weak Windows security? I must have chosen the wrong keywords when I looked for them.
Re:The head guy is from Microsoft (Score:4, Interesting)
Read his congressional testimony here:
http://kyl.senate.gov/legis_center/subdocs/022404_yoran.pdf [senate.gov]
Note the frequent mention of specific Windows threats, something you will find few government people doing. Many trade press publications will often mention a new threat without regard to specific OS dependencies (and 99% of the time it's Windows). The company goes to great lengths to make sure its names aren't taken in vain in public.
He has been associated with user groups that are critical of Windows, but my guess is that his true feelings on the subject are uttered mostly off the record.
http://www.viruslist.com/en/news?id=764 [viruslist.com]
http://radsoft.net/rants/20090318,00.shtml [radsoft.net]
In any event, the hiring of a former Microsoftie is the main issue here. Is he required to divest his stock options? I don't see that spelled out.
Re: (Score:2)
Thank you very much!
Re:The head guy is from Microsoft (Score:4, Insightful)
Notice the focus on words like "ecosystem", "religion" and placing the blame on machines and people. No mention of vulnerable drivers, protocols or applications.
Practical things would be
o Develop reliable methods of network protocol design to prevent vulnerabilities in network services.
o Proper application design so that the above aren't compromised by feature bloat of applications. "Hey, let's add macros and automatic E-mail sending/receiving to our application. Never know when it might come in useful".
Re: (Score:2)
From the list
Identity Management. "If we're going to allow people to protect themselves, they're going to need to be able to make effective decisions about, do they want to communicate with this person or not, do they want to open this file, do they want to open this program, do they want to allow a machine to connect to their machine..."
Does he want everyone to run Vista?
They'll have choices to make ... (Score:4, Informative)
Yes Cringely, we have 1,000 security experts (Score:5, Interesting)
I have a fairly long track record in the security industry, and I'm really puzzled by Cringely's assertion. It's hard to tell if he is trying to make a point out of a semantic squabble, or if he genuinely believes that the information security community has fewer than 1,000 competent experts.
If the former, yeah, the term "cybersecurity expert" is unfortunate - but it's clear it's just PR speak for "information security professional". Cringely then attempts to define that first, largely meaningless term, and then polls his anonymous friends (who themselves probably do not fall within that definition) to come up with wild guesses.
If the latter, yes, we definitely have more than 1,000 security experts. There is something around 500 eminent, internationally recognized folks publishing books, research, and otherwise contributing to the "cutting edge" of the industry. Then there's another 500-1,000 top-tier, notable security VPs, CEOs, etc, working for Fortune 500 companies (they may not all be technically savvy, but they *are* the industry). Then, there is probably something close to 200,000 security professionals working for companies around the world - we have something like 50,000 registered CISSPs alone (which is a certification largely inaccessible to hobbyists, and pursued by a minority of infosec workers), something around 50,000 subscribers to BUGTRAQ and other security mailing lists, etc.
Does this mean that DHS would be able to hire 1,000 competent experts? Unlikely, as the government historically did a pretty poor job of competing with commercial corporations (in terms of compensation and work culture), and many agencies may lack the hiring rigor and expertise to make the right calls. Given the size of the networked infrastructure in the US, this number is high, but does not sound outlandish by itself, though (many large corporations have 20-100 security people on their payroll).
What is a security expert? (Score:4, Interesting)
What is a security expert? Is it people who believe that they are experts in one single area, and that area is called security?
I work with IT security for a living, and there are many areas within that field. We have people who are good at network and data analysis, some who can reverse engineer malware, others who do a good forensics job, one group focuses on incident response and others work with standards and procedures. And this is just a few areas. Encryption is a part of this. Tempest too.
So again, what is a security expert? One who is an expert in one or all of these areas? What is DHS looking for?
This is great. (Score:5, Funny)
Takes one to know one... (Score:2)
Re: (Score:3, Funny)
Someone that responds to the ad.
Yes, it's high time to fight the Spam! (Score:5, Insightful)
Spammers bring much more harm to the world economy than Afghan tribesmen. Billions of people are working as slaves for free for spammers sorting out and deleting their junk day and night. Billions of hours of working time are being stolen as matter of course.
Maybe the DHS decided at last to tackle this problem? These experts and predators could make the world sigh with relief. Godspeed!
Translation: (Score:2, Insightful)
security expert=security professional
And as everyone knows, professional=employed
So, they are saying that they're going to employ 1000 people with security nametags.
Business as usual, in other words.
Security clearances? (Score:2, Insightful)
This paragraph from the article is probably the most interesting point:
"Another item of great importance is a security clearance to do the work. This is where you will get only one brand of thinking; DoD or DoE clearance. This will prohibit the security "black hat" types from ever being involved in the project without coming from the DoD or Energy."
This will limit the pool of resources to such an extent to make the project worthless.
Re:Security clearances? (Score:5, Insightful)
I'm going to go out on a limb here and guess that the DHS doesn't need uber-black hat types doing security for them. What they are looking for is a small army of semi-competent employees who can go from agency to agency, department to department and secure them by implementing generally accepted best practices. They need firewalls installed with the rulesets locked down. They need IDS and IPS devices configured. They need anti-virus and anti-malware on the workstations. They need VLANs configured, servers locked down, disaster recovery plans designed and implemented, etc.
This is the government we're talking about. They aren't looking for the best of the best. They're looking for good enough to get the job done. Maybe you guys have heard of the saying, "It's good enough for government work." ?? The DHS doesn't need anything that your average small business or Fortune ## organization doesn't need. They just need clean workstations, secure servers and reliable data. They need to be able to process their reams and reams of paperwork and forms and all the other nonsense that comes with the huge machinery of the Federal government.
Re: (Score:3, Insightful)
It's not accident that reputable companies won't hire them.
The DHS may *WANT* to hire experts (Score:4, Interesting)
But that doesn't mean they will. And quite frankly, my experience with DHS has been that to make something happen, they hire an incompetent contractor to do the screening and hiring for them which, in turn, hires the first 1000 people with resumes who have enough of the right keywords matching on their resumes.
I once worked for the TSA and I was astounded by the criteria, or lack thereof, in their hiring practices. One teenager was hired on in a supervisory role simply because he applied for it and was early enough in the list of applicants to have not yet filled out their supervisor staffing. Why was this teenager qualified? He wasn't. We know this because it was his first job...ever! This kid hadn't even mowed a lawn for pocket change.
The DHS screens at airports but barely anywhere else. The airport screeners are beholden to the air carriers and quite literally have to follow their instructions at times. Meanwhile the border crossings of the U.S. were wide open for years and years before people took any notice.
Putting important organizations like FEMA under the DHS showed the world what a great move that was when the hurricane season came in with great force. The only thing we really got out of that was "FEMA Camps" where the angle of the razor wire seems to be intended to keep people "in" rather than "out" and has U.S. Army equipment parked on it. (Google "FEMA Camps" for more information on the topic... scary... freakin' scary)
The DHS is the agency under the executive that most represents the words "power grab" and "power consolidation."
Power Grab (Score:2)
Agreed. We've had a national security state since the 1950's -- since the nineteen-teens, if you want to count Federal raids during the Palmer Red Scare -- and yet we're told we need more and newer agencies. The FBI and the CIA won't do. Defense Intelligence Agency, National Security Council, not good enough. Tobacco and Firearms ... Christ, how did those two get lumped together? And the list goe
The real reason for this (Score:3, Insightful)
Summary: DHS gets to look more important.
If that is all that they do then be thankful. Be fearful that they start to push pointless rules on everyone.
Maybe there aren't 1000 security experts (Score:3, Insightful)
... but there are surely tens of thousands of people that currently have, or can get, cyber security certification. This is good enough for government work.
Yes there are over 1000... (Score:2)
"Secretary Napolitano says she might not need all 1,000, which to me says she is really looking for 3-5 people. And frankly that ought to be enough if they are truly experts and are both properly led and supported." Cringely is insane (or very misinformed) if he thinks that 5 really good people will be able to make a dent in the role that will be required of DHS as they attempt to secure their own network. When the DHS takes on the task of guarding all government networks.
And yes there are over 1000 experts
Re: (Score:3, Insightful)
1000 people who think they are security experts would do far more harm than 5 people who actually are.
Why Chicago lost the Olympics (Score:3, Insightful)
I think you can lay the blame at Chicago's loss of the Olympics squarely at the feet of DHS and Customs enforcement. The USA is NOT a friendly place to visit. I wish President Obama would have put an end to this Bush era foolishness, but it seems he wanted to cuddle up with the right wing Republicans instead. Strike, one. Strike, two.
Defining "expert", here we go again. (Score:2)
For any specific topic, there is exactly 1 (one) expert. All the rest are just people with less expertise proclaiming themselves to be experts, yet denying people with less expertise than that the same title. So who decides where to draw the line of what we call an "expert"? In the end it's always a subjective title.
If you define "expert" as "the 999 best", then indeed there are not 1,000 experts in the world.
If you define "expert" in this context as somebody who can take a random website or system and inde
semantics issue (Score:2)
I think Cringely is defining "security expert" as someone who is in the process of completing or has completed a doctorate in computer science and done significant peer reviewed research in the area of network security, while the government is seeing a "security expert" as someone with a CS background and some coursework in security or someone with advanced security certs (Eg: CISSP)
The term "expert" has very different meanings in academia than in industry/government.
Wasteful Spending Alert (Score:2)
Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a "world-class cyberorganization."
Nice to know that we're hiring a bunch of random people for spits and giggles. Wasn't there some sort of economic crisis, or did that fix itself up already?
cyber (Score:2)
Re: (Score:2)
That's not a pipe, it's a file handle. It'll work just fine.
shazbot (Score:2)
I knew I should have actually tried it before putting my ambulatory organs so close to my food intake port.
Re: (Score:2)
I found this exchange totally amusing...
Re: (Score:2)
Am I leet enough to get into super sekrit organization?
Re: (Score:2)
Re: (Score:2)
Yes, when a home land is equipped with 1000 security experts and 1000 other mathematics experts, that's the ultimate security and we can all sleep well.
They can protect the homeland for 1000 years.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Al Qaeda?
They're nothing on this stage.
Look to your trading partners for the real threat.
Re: (Score:2)
Right and I suppose what we could really afford is having a major cyber attack and then have to spend trillions of dollars fighting stupid wars because half the country is terrified of its own shadow. Yes we can't really afford to put everything on the charge card, but if the Republicans hadn't wasted so much cash on s