There was another hearing this month on the federal government’s challenges in recruiting and retaining skilled IT workers. Once again the Government Accountability Office pointed out that
“The ability to secure federal systems depends on the knowledge, skills, and abilities of the federal and contractor workforce . . . .”
It is no coincidence that federal cybersecurity and workforce management are both on the GAO’s list of high-risk activities.
The problem isn’t limited to government. “The federal government and private industry face a persistent shortage of cybersecurity and IT talent,” said Nick Marinos, GAO director of cybersecurity and information management issues. But government is at a disadvantage when competing for qualified workers. Government salaries are not competitive with private sector, and private sector jobs offer more autonomy and flexibility.
Researchers from the Center for Long-Term Cybersecurity at the University of California at Berkeley put the cause for the shortage bluntly: Good tech workers don’t want to work in Washington. “We believe that one significant reason the federal government is struggling to fill its cybersecurity workforce is that there are few opportunities for private-sector technologists to work for the government without having to relocate to Washington, DC to take a permanent government job,” they said.
They also proposed a solution: A cyber workforce incubator based in Silicon Valley that would provide a friendly environment for government and private sector collaboration. This would provide a way to leverage IT talent to address high-impact government challenges without forcing them to trade the salaries and laid-back lifestyles of California for the federal 9-to-5 and a rush-hour commute on the Capitol Beltway.
East vs. West
There has been some improvement in federal IT hiring. OMB reported that agencies hired more than 7,500 cybersecurity and IT workers in 2016, 2,400 more than in 2015. But it’s hard to say if this is enough. Agencies cannot determine the size of their cybersecurity workforce because there are no standard definitions for the jobs and roles.
And the improvement doesn’t change the fact that government is working under handicap. “The federal hiring process is often an impediment,” GAO’s Marinos said. “It makes it difficult for agencies and managers to obtain the right people with the right skills, and applicants can be dissuaded from public service because of the complex and lengthy procedures.”
According to Berkeley’s Center for Long-Term Cybersecurity, this lengthy, bureaucratic decision-making process has created a cultural disconnect between “West Coast” and “East Coast” work styles. Risk-averse government bureaucracies that delay use of new technology coupled with poor work environments in aging government buildings are real turn offs. On top of this, workers spending too much time in government are likely to find their skills deteriorating.
The situation is not likely to get better in the foreseeable future. The current administration’s focus on cost cutting and workforce reduction is not creating welcoming environment for IT (or other) workers. Nor is it a rewarding environment for those who would like to perform public service.
The Berkeley team says the choice between private and public-sector work does not serve the nation well. The proposed Silicon-Valley based incubator would be an independent 501(c)(3) on the model of In-Q-Tel, the CIA’s venture capital arm, funded jointly by the government and private sectors. It could identify promising solutions to difficult problems through public and private sector collaboration. This structure would also allow it to work on problems that come under different authorities.
The cybersecurity incubator, they say, would be a “low-risk, high-impact, and organizationally proven way to leverage top talent.”
Divorcing government cybersecurity from Washington and public service from government employment sounds like a way to make them more efficient and more attractive. Would it work? It’s hard to say. After all, even private sector cybersecurity is pretty spotty. On the other hand, it’s hard to see how it could make things in government any worse.