The drift of cybersecurity talent from the federal government to the private sector has been a perennial problem for national security officials, particularly as cyberattacks against the United States have risen. That has led to an increasing need to collaborate with tech in the private sector.
Seeking to fix the situation, Congress passed several pieces of legislation in 2015 that sought to inspire cooperation between the private sector and government. That included the USA Freedom Act, which transferred the onus for some forms of surveillance to private companies, and the Cybersecurity Act of 2015, which effectively releases those companies from liability for engaging in that surveillance.
Yet that legislation was aimed largely at offensive action, enabling the government to more effectively monitor criminals and terrorists, most notably those associated with the Islamic State. Analysts note that those actors represent only half of the problem, and more needs to be done to increase talent among the feds.
“Some federal agencies have some talent, but nowhere near enough,” says Steve Bucci, the director of the Center for Foreign Policy Studies at the Heritage Foundation. “Others don’t have any. They have crappy equipment, and leadership, in some agencies, frankly doesn’t get it, and is fighting the battle of why they need to spend money on what they see as computer junk.”
The reason that federal agencies lack talent, studies and officials have repeatedly indicated, is that the best workers tend to be drawn away by jobs in the private sector, where compensation is more lucrative and workplace culture tends to be more flexible.
“The biggest challenge for the U.S. is not, at the moment, jihadists,” says Tristan Reed, a security analyst at Stratfor, a private intelligence firm based in Texas. “The biggest challenge right now is protecting assets from state actors, and it’s going to remain that way for some time.”
Additionally, Reed notes, “cooperating” with private industry means something different for the U.S. than it does for its adversaries around the globe.
“Coordinating with the private sector in this country requires the government to have partnerships within it,” Reed said. “In China or Russia, they have significantly more pull over the private sector, over the infrastructure, and they can centralize a strategy. The U.S. government doesn’t have that ability.”
While Congress did make strides over the years in developing infrastructure to prevent terrorist attacks, it was able to accomplish less that could help to defend that infrastructure against those state actors. That was made painfully clear by attacks from those countries that penetrated agencies ranging from the State Department and the Pentagon to the White House and the Office of Personnel Management, the latter of which constituted the largest breach in history.
Of course, that congressional focus on working with industry less to defend against foreign states than to pursue terrorists could be partially a consequence of the complexity involved with defensive versus offensive strategy.
“It’s inherent in cybersecurity,” said Matt Mayer, a visiting fellow in security studies at the American Enterprise Institute. “It is far easier, I think, to develop an offensive tool, than it is to predict what your enemies are going to develop and what you need to develop to thwart that. I think playing defense is much harder in this environment.”
However, he also noted, “We have the most sophisticated technology companies in the world. Collaborating and learning from them on the best practices and technologies is going to be key for us in in winning the cyberwar.”
Bucci echoed the sentiment. “People with cyberskill are like fighter pilots. There’s a component in them, it’s part of their personality, their outlook. You can take a Steve Bucci off the street and train them, but they don’t have it from the beginning,” he said.
“DoD’s response is usually, let’s train and recruit the best people we can, fit them in in the military rank structure, and train them to be better than they were when they came in. It’s an O theory. It works in terms of producing better people. But it takes a special kind of person, and it takes more than just training,.”
