[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
REVIEWING FEDERAL IT WORKFORCE CHALLENGES AND POSSIBLE SOLUTIONS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
APRIL 4, 2017
__________
Serial No. 115-6
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______
U.S. GOVERNMENT PUBLISHING OFFICE
25-717 PDF WASHINGTON : 2017
-----------------------------------------------------------------------
Committee on Oversight and Government Reform
Jason Chaffetz, Utah, Chairman

Majority:
John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Trey Gowdy, South Carolina
Blake Farenthold, Texas
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

Minority:
Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Stacey E. Plaskett, Virgin Islands
Val Butler Demings, Florida
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
John Sarbanes, Maryland
Jonathan Skladany, Staff Director
Rebecca Edgar, Deputy Staff Director
William McKenna, General Counsel
Sean Brebbia, Counsel
Michael Flynn, Counsel
Kiley Bidelman, Clerk
David Rapallo, Minority Staff Director
------
Subcommittee on Information Technology
Will Hurd, Texas, Chairman

Majority:
Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Blake Farenthold, Texas
Steve Russell, Oklahoma

Minority:
Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
CONTENTS
----------
Hearing held on April 4, 2017

WITNESSES
Mr. Steven Cooper, Former Chief Information Officer, U.S. Department of Commerce
Oral Statement
Written Statement
Ms. Elizabeth Hyman, Executive Vice President, Public Advocacy, CompTIA
Oral Statement
Written Statement
Ms. Lisa Depew, Head of Industry and Academic Outreach, McAfee
Oral Statement
Written Statement
Mr. Dan Waddell, Managing Director, (ISC)2
Oral Statement
Written Statement
Mr. Nick Marinos, Director, Information Technology, U.S. Government Accountability Office
Oral Statement
Written Statement
Ms. Debora Plunkett, Strategic Advisory Board Member, International Consortium of Minority Cybersecurity Professionals
Oral Statement
Written Statement

APPENDIX
Statement for the Record of Steven Weber, Faculty Director, UC Berkeley Center for Long-Term Cybersecurity; Jesse Goldhammer, Associate Dean, UC Berkeley School of Information; and Betsy Cooper, Executive Director, UC Berkeley Center for Long-Term Cybersecurity, submitted by Mr. Hurd
REVIEWING FEDERAL IT WORKFORCE CHALLENGES AND POSSIBLE SOLUTIONS
----------
Tuesday, April 4, 2017
House of Representatives,
Subcommittee on Information Technology,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 2:30 p.m., in
Room 2154, Rayburn House Office Building, Hon. Will Hurd
[chairman of the subcommittee] presiding.
Present: Representatives Hurd, Kelly, Raskin, Connolly, and
Krishnamoorthi.
Mr. Hurd. The Subcommittee on Information Technology will
come to order. And without objection, the chair is authorized
to declare a recess at any time. But I don't think we're going
to have to today, which is rare for once, right? And I want to
say good afternoon to everyone. Thanks for being here.
We are at a very pivotal time in our Nation's history. As
technology becomes more and more a part of our lives, our
society and institutions must keep pace. But the technology
itself is only half the equation, as all of you know.
Technology still requires people--people to monitor, upgrade,
inspect, and safeguard the technology.
That is why we are here today: to discuss the human element
and the policies we as a Congress need to advance the Federal
IT workforce and make sure it is comprised of qualified IT and
cybersecurity professionals.
Right now, Federal agencies are facing a shortage of IT and
cybersecurity professionals in a highly competitive
marketplace. During one of our last hearings on this subject,
one witness testified that 209,000 cybersecurity jobs went
unfilled in 2015. That's a pretty large number.
That's why I've been advancing the idea of a Cyber National
Guard, which was first brought up to us at a field hearing in
Chicago. So thank you, Robin Kelly. And this is really a way to
talk about how do we recruit and hire qualified individuals to
the Federal IT workforce and then retain their skills in the
future on a rotational basis.
It's real simple. Most of these hearings I usually know the
answer to the questions that I'm going to ask. This is one
where I do not.
And the idea is this: What are the gaps in the CIOs'
offices from GS-13 below? We have to figure out what that gap
is, right, and we are working to do that so that we can figure
out what are those jobs that we are trying to target. Do we do
it by giving high school kids scholarships to go to college? Do
we do it by forgiving debt for people that have the jobs who
need to go into those positions that we need? If it is giving
scholarships, where do we find the money?
So that's the first piece. Once we identify the need, the
first step is, how do we get young people into their first step
being the Federal Government and the dot-gov space?
The second piece is, how do we, once they come and work for
the government and they go out in the private sector, how do we
get them back in on a rotational basis? What are the jobs that
would be achieved through that rotational basis? The jobs are
going to be different than the ones that we're trying to target
by creating some kind of scholarship program.
The concept is actually quite simple. And then once we
figure out how we get these people back in on a rotational
basis, how often will they do that? You know, the National
Guard is the proverbial 1 weekend a month, 2 weeks a year, but
does that have enough--that's going to impact business
processes at that company. Is it 10 days a quarter? Is it 15
days every 6 months? And what are those jobs that those people
can be coming back into and working on?
These are the steps in the process; I see it in three phases,
once we identify what jobs we're going to target, and hopefully
we have some time to explore these ideas here today.
And with that, it is my honor and my privilege to introduce
not only the ranking member of this committee, but my good
friend, Robin Kelly, from the great State of Illinois.
Ms. Kelly. Thank you, Mr. Chairman, and welcome to the
witnesses. Mr. Chairman, thank you for calling today's hearing
concerning the challenges to hiring IT professionals in the
Federal Government.
In 2016, GAO said that the persistent cyber threat
presented a risk to our national security. We should understand
that the inability to attract and retain qualified cyber
professionals throughout the government threatens our ability
to address cyber threats. So the workforce issue this hearing
is concerned with has the potential to impact the safety of
each and every American and the stability of our country.
America's leading companies are facing a similar situation.
(ISC)2 projects a shortage of 1.8 million cyber professionals
across both the public and private sector by 2022. We obviously
face similar challenges in hiring.
Both the public and private sectors face sophisticated
cyber threats. Last month, the Justice Department charged two
Russian intelligence officers with orchestrating a hack that
stole data from 500 million Yahoo users, of which I was one. I
shouldn't have to remind anyone that in January of this year
our intelligence agencies also found that the Russian
Government orchestrated a sustained campaign against our
elections using various weapons, including cyber attacks on
political parties.
While we view the public and private sector as separate,
cyber criminals and nefarious state actors do not care about
those distinctions. For instance, the data stolen from the
Yahoo attack was used to spy on both bank executives and White
House employees.
Addressing the threat requires that government and the
private sector both succeed in finding qualified individuals.
For one thing, we desperately need to expand the pool of
talent that we are both joining from and keep the professionals
that are so critical to protecting the security of our Nation.
Talented women and minorities are not just being hired.
Currently, women hold 28 percent of science and engineering
jobs. Hispanics and African Americans hold 6 percent and 5
percent of those jobs, respectively. We need to improve these
numbers as we grow the number of available IT professionals.
Another problem was created by the President himself. The
President's hiring freeze is obviously a barrier to recruiting
and hiring the IT professionals the government needs. Nextgov
points out that the hiring freeze sends a message that IT
professionals are not valued in the Federal Government. These
highly desired candidates could instead choose to go to the
private sector where they are heavily recruited.
Also, constant calls to cut the Federal workforce and strip
them of protections will not help attract needed talent. Who
would want to work for an employer that publicly criticizes
them and constantly questions the need for them? Candidates
with numerous options certainly would not.
I look forward to hearing the witnesses' ideas to address
this issue and expand the pipeline of diverse, qualified, and
valued candidates. It is important that the candidates we
recruit to address the next generation of challenges are
representative of our population at large.
I'm glad you came to Chicago and got that idea. Thank you,
Mr. Chairman.
Mr. Hurd. Thank you, Ranking Member Kelly.
I'm going to hold the record open for 5 legislative days
for any members who would like to submit a written statement.
Now we are going to recognize our panel of expert
witnesses.
I'm pleased to welcome Steven Cooper, the former CIO for
the U.S. Department of Commerce, not a stranger to this
committee.
Ms. Elizabeth Hyman, executive vice president of public
advocacy for CompTIA.
Thanks for being here, Elizabeth.
Ms. Lisa Depew, head of industry and academic outreach for
Intel.
You guys, I was just down in your facility in Austin.
Dan Waddell, managing director for (ISC)2.
Nick Marinos, director of information technology at the
U.S. Government Accountability Office.
Thanks for being here, Nick.
Finally, Ms. Debora Plunkett, a Strategic Advisory Board
member for the International Consortium of Minority
Cybersecurity Professionals.
Welcome to you all. And pursuant to committee rules, all
witnesses will be sworn in before you testify. So please rise
and raise your right hand.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth, so help you God?
Thank you, and please be seated.
Let the record reflect that the witnesses answered in the
affirmative.
To allow ample time for discussion, I would appreciate if
you would limit your opening remarks to 5 minutes, and your
entire written statements have been made part of the record. So
I appreciate that.
We are going to start off with Mr. Cooper for your opening
remarks for 5 minutes.
WITNESS STATEMENTS
STATEMENT OF STEVEN COOPER
Mr. Cooper. Chairman Hurd, Ranking Member Kelly, members of
the subcommittee, thank you for inviting me to appear before
you today. I am honored to join this panel to offer a few ideas
regarding the Federal IT workforce.
Having been trained by the best government lawyers, I would
like to state at the outset that the opinions and ideas I will
share are my own and not offered on behalf of any government
agency or industry organization.
Mr. Hurd. So noted.
Mr. Cooper. Thank you.
I have had the privilege of serving as a public CIO in
three different departments over the last 15 years before
retiring in January as the CIO of the Department of Commerce. I
am honored to have served as an appointee in both Republican
and Democratic administrations--and as a career govie--all at
the senior executive level. I share this background because I
strongly believe that improving the skills, capability,
effectiveness, and esprit de corps of the Federal IT workforce
is a bipartisan issue.
I have directly addressed many of the challenges we will
likely discuss today and have experienced success in overcoming
many, but not all, of these challenges and can share my
experience and learning with the subcommittee.
I can't cover all that I'd like to in my opening remarks,
so I want to highlight three persistent challenges which may
not be as visible or well known to members of the subcommittee,
industry, and the GAO.
First, position descriptions. A position description, or
PD, is required before any recruiting action can occur. Human
resources reviews and approves all PDs before a position can
even be posted.
Very few IT personnel, including myself, are trained and
skilled at writing robust PDs. The current library of IT PDs
within an agency or available from OPM do not adequately
reflect the skills needed by today's workforce, much less what
is coming at us in the next few years. Too many are obsolete.
Even more concerning to me, PDs don't even exist for
emergent roles related to digital forensics, data science,
artificial intelligence, the internet of things, drone
technology, autonomous vehicles. I think you get my point.
In my experience, not having an up-to-date HR-approved PD
causes delays of up to 6 months in the recruiting process. One
idea to fix this, with collaboration from OMB, the Federal CIO
Council, and the Federal Chief Human Capital Officers Council,
is to task OPM as the lead agency to develop a PD library of
preapproved current and emerging IT roles available for use by
any Federal agency. I'd even toss in State and local
government.
Second, promotions. When an individual is first hired into
the Federal workforce, the position they fill carries a grade
level for pay and promotion purposes. In many agencies the
person cannot be promoted to a higher grade without competing
for that position because there is no approved way to do what I
think of from the private sector and referred to in government
sometimes as an in-line promotion without competition,
particularly for supervisory positions. Competition is good,
and the best do rise to the top.
And here is the unintended consequence of this process. I
had some of my most qualified cyber employees leave my offices,
either for industry or for another department, because we did
not have open positions for which they could compete to be
promoted at a time they were ready; or they were not
selected and then chose to leave for another agency that could
offer a promotion.
My idea to fix this? Again, task OPM as the lead agency to
create and standardize career ladders by role to allow in-line
promotions for qualified employees when they are ready for
promotion. You can kind of get a lot of information about this
from the private sector.
Third, filling cybersecurity positions. When I left
Commerce in January, there were 10 cyber vacancies in my
office. With a continuing resolution and the hiring freeze in
place, those positions remain empty as I speak.
How do we address this shortage? Chairman Hurd has spoken
previously about the concept of the Cyber National Guard. I
fully support the concept of having trained, skilled cyber
personnel at the ready who can be put into service with very
short notice, much like the FEMA disaster corps, another model.
Another service model could reflect a formal agreement or
contract like the military reserves. This Cyber Reserve Corps
could drill each month alongside their government counterparts
and could be activated for longer periods of time to assist
agencies in response to a breach or to assist in deployment of
new security patches. Those are just two examples.
I've also spoken previously about a loan employee program,
similar in concept to the IPA program with academia, which
could provide skilled IT managers and technical professionals
for up to 2 years.
In closing, I know I have not addressed all the challenges
facing the Federal IT workforce in my opening statement.
However, I am confident that with the leadership of the
committee members and the GAO, solutions to existing problems
can be found in a collaborative partnership between government
and industry.
I look forward to your questions.
[Prepared statement of Mr. Cooper follows:]
Mr. Hurd. Thank you, Mr. Cooper. I look forward to asking
you questions.
Ms. Hyman, you're now recognized for 5 minutes.
STATEMENT OF ELIZABETH HYMAN
Ms. Hyman. Terrific. Thank you.
Good afternoon and thank you, Mr. Chairman, Ranking Member
Kelly, for inviting us here today. I'm here on behalf of
CompTIA, which is a nonprofit tech trade association. We
represent approximately 2,000 member companies, 3,000 academic
and training partners, and 100,000 registered users for our
organization.
Government and the private sector have a shared challenge:
to have in place the right skilled workforce to utilize
technology, enhance productivity, and mitigate and manage
security threats. And this is what I'd like to discuss briefly
today.
In many ways the creation of CompTIA certifications--and I
should add that we are the leading global provider of vendor-
neutral IT workforce certifications, and we in many ways have
created a de facto framework, along with our brethren
certification bodies. CompTIA provides a route from entry to
advanced-level skills called the cybersecurity career pathway
recommendation, and it takes a beginner in IT and it equips
them with 5 to 10 years of the equivalent knowledge, skills,
and abilities needed by all cybersecurity professionals.
We have sought to share the lessons that we've learned in
developing and deploying these certifications with the
government as it has sought to create frameworks and standards
to train and validate government employee IT skills, and
particularly in cybersecurity.
A few successful public-private partnerships for your
consideration today. The Department of Defense has worked
closely with the training and certification community as it
developed its 8570 and successor 8140 initiatives. These
require that DOD personnel and contractors with information
assurance responsibilities in their job roles have to have
industry-recognized certifications.
Also of note and a part of the fiscal year 2016 omnibus
appropriations bill is the Federal Cybersecurity Workforce
Assessment Act, and it directs the Federal Government to take
stock of the certifications held by the existing cyber
workforce to determine what skills may be missing currently in
that workforce.
NIST has also collaborated with CompTIA and our partner
Burning Glass to develop a real-time heat map for supply and
demand of cybersecurity workers in the United States. This is
called CyberSeek, and it is available at CyberSeek.org.
CompTIA is also supportive of the DHS National Initiative
for Cybersecurity Careers and Studies, the NICCS portal, and
the National Initiative for Cybersecurity Education. And in my
comments I discuss those--the written testimony--at greater
length.
I'd also like to share that CompTIA as a certifying body
regularly conducts research gauging the value and impact of
certifications. Our research confirms that testing after
training helps to set a baseline of expertise among staff,
provide career path guidance, improve the performance of a
team, retain talented staff, and helps to evaluate staff with
promotions or career development.
There's no question that technology sector jobs are
growing. Nevertheless we struggle to fill job openings every
year with roughly a million job postings in the IT sector. This
is not to say that every job posting must or will be filled,
but with nearly 800,000 tech workers expected to retire through
2024, this only adds to what we call the skills gap. Therefore,
we will all need to focus on innovative ways to attract more
people to tech careers, and particularly in the area of
cybersecurity, and there are a few areas that I'd like to
highlight.
We ourselves have put forward a proposal to be included in
the fiscal year 2018 NDAA for a ``Service to Cyber Warriors''
program that would provide a stipend for veterans and members
of the Armed Forces to cover the expenses of IT training,
materials, certifications, and other employment-seeking
services.
We also supported the introduction of the State Cyber
Resiliency Act, which on the workforce front encourages States
to develop cyber resiliency plans to fulfill the essential
functions of mitigating talent gaps in the State government
cybersecurity workforce.
The DOD Cyber Scholarship Program Act and the Cyber
Scholarships Opportunity Act were recently introduced in
Congress. The overarching goal of these legislative proposals
is to build a robust cybersecurity workforce. These proposals,
in our view, could only be strengthened by recognizing training
and industry-recognized certifications as yet another pathway
in addition to 2- and 4-year college opportunities.
Finally, CompTIA also supports apprenticeships and
vocational models for building out our Nation's IT workforce
and cybersecurity workforce. We are now working with a number
of House and Senate offices on a legislative proposal, not yet
introduced, which is called the Championing Apprenticeships for
New Careers and Employees in Tech Act, with the goal of scaling
up the number of apprenticeships in our country.
In summary, we are grateful that you've raised this topic
today. We strongly believe that the Federal Government can be a
leader in building the tech workforce. It can do so by
continuing to support the great work that has already been done
by DOD, NIST, and other agencies, by insisting that educational
pathways include not only 2- and 4-year college educational
programs, but also industry-recognized certifications and
experiential learning, and by developing and resourcing
innovative programs that will encourage more people to enter
into a tech and cybersecurity career through the government.
And I thank you for the opportunity to share this with you
and look forward to your questions.
[Prepared statement of Ms. Hyman follows:]
Mr. Hurd. Thank you.
And, Ms. Depew, I think I incorrectly identified--it's a
new thing, right? That is McAfee rather than Intel. But I would
like to thank you and your colleagues at Intel for planting the
seed in Chicago on this important topic. And now you're
recognized for 5 minutes in your opening remarks.
STATEMENT OF LISA DEPEW
Ms. Depew. Good afternoon, Chairman Hurd, Ranking Member
Kelly, and distinguished members of the subcommittee. Thank you
for the opportunity to testify today.
I am Lisa Depew, head of industry and academic outreach for
McAfee. I've spent nearly 20 years in the technology industry
in a wide range of engineering positions, focusing the last few
years on cybersecurity.
I am pleased to address the committee on Federal IT
workforce challenges, an important issue McAfee understands
well. My testimony will briefly describe the problem, offer
some specific solutions, and recommend cultural changes to
mitigate our cybersecurity skills shortage.
In 2016, Intel Security and the Center for Strategic and
International Studies undertook a study titled ``Hacking the
Skills Shortage,'' based on a global survey of IT professionals.
Eighty-two percent of those surveyed reported a lack of
cybersecurity skills within their organization, 71 percent
agreed that the talent shortfall makes organizations more
vulnerable to attackers, and 25 percent say that the lack of
sufficient cybersecurity staff has actually contributed to data
loss or theft and reputational damage.
The cybersecurity workforce shortage is projected to reach
1.8 million by 2022, according to the most recent Global
Information Security Workforce Study. We see a significant lack
of diversity in the workforce as well. Bureau of Labor
Statistics numbers indicate in North America women constitute
only 14 percent of the information security workforce and
African Americans comprise only 3 percent of information
security analysts in the U.S.
The cybersecurity skills shortage is particularly acute in
the Federal Government. Tony Scott, the Federal Government's
former CIO, indicated an estimated 10,000 openings in the
Federal Government for cyber professionals that couldn't be
filled because the talent supply simply wasn't available.
McAfee would like to make the following recommendations for
closing the skills gap.
First, expand the current CyberCorps program. The
CyberCorps Scholarship for Service program is designed to
increase and strengthen the cadre of Federal information
assurance specialists that protect government systems and
networks by supporting collegiate students with funding,
internships, and work opportunities.
Policymakers should expand funding for this initiative. For
context, $40 million pays for roughly 1,500 students to
complete the scholarship program. We recommend extending
funding to the $180 million range. Supporting 6,400-plus
scholarships would make a significant dent in the estimated
10,000-worker Federal cyber skills deficit.
Additionally, government should consider creating a
complementary community college program. A strong security
operation requires multiple levels of skills, not all of which
require 4-year or graduate degrees. Having a flexible
scholarship program at a community college, including practical
skills training and ability to earn a transferable 2-year
cybersecurity certificate, could benefit a wide variety of
applicants, while providing the profession with additional
necessary skills.
Private companies could partner with local community
colleges to establish cybersecurity-focused curricula and offer
private sector practitioners as guest lecturers. The Federal
Government could fund all or part of the tuition remission for
students, with students again working the number of years in
Federal service equal to time spent in the program.
Community colleges tend to attract a variety of students,
including recent high school graduates, but also returning
veterans and other adults who have pursued alternate careers.
The community college option could also further ethnic and
racial diversity. A community college program should not
substitute, but rather complement the existing CyberCorps
program.
In addition to workforce development programs, we must make
systemic cultural changes to close the cyber skills gap. First,
we must increase cyber safety awareness. Practicing cyber
safety must become as routine to America's youth as washing
hands and putting on their seat belts.
Additionally, we need to make cybersecurity accessible and
appealing to a broader range of potential professionals.
Graduation rates of female engineers are highest in biomedical
and environmental engineering, fields where students can draw a
direct correlation to helping humanity. If we better articulate
the value of cybersecurity in protecting people's personal and
professional lives, we have a target-rich environment of highly
skilled girls and women who could be joining the ranks to fill
that 1.8 million-person deficit.
In conclusion, there is much we can do to close the
cybersecurity skills gap. It will take a true public-private
partnership, expansion of funding and programs, and a
fundamental shift in cyber safety awareness and the perception
of cybersecurity as a profession.
Thank you, and I will be happy to answer any of your
questions.
[Prepared statement of Ms. Depew follows:]
Mr. Hurd. Thank you.
Mr. Waddell, you are recognized for 5 minutes.
STATEMENT OF DAN WADDELL
Mr. Waddell. Thank you, sir.
Chairman Hurd, Ranking Member Kelly, and distinguished
members of the subcommittee, let me begin by thanking you for
inviting me to speak on this very important issue. On behalf of
the (ISC)2, we will look forward to working with you in the
coming years to help ensure our country is safe, secure, and
resilient against cyber attacks and other risks.
As a matter of introduction, (ISC)2 stands for the
International Information System Security Certification
Consortium. We are the largest nonprofit membership body of
certified cyber, information, software, and infrastructure
security professionals, with over 123,000 members worldwide, of
which many are currently employed at or contracted by our
Federal Government.
We are known for our certified information systems security
professional, or CISSP. When employees earn their CISSP or any
of our other certifications, it shows they have the knowledge
and skills in order to perform in this field. Ideally, through
our continuing professional educational requirements, they will
be qualified throughout their lifetimes. Through our
certifications, our training and education offerings, and our
research, internet safety, and scholarship programs, we
encourage cybersecurity students and professionals to help
achieve our vision: to inspire a safe and secure cyber world.
However, accomplishing this vision is made more difficult
when there is a lack of qualified cybersecurity professionals.
You've heard the numbers and our study referenced here today,
the Global Information Security Workforce Study. The 2017
version of this biannual study took place from June 2016
through September 2016 via a web-based survey and over 19,000
cybersecurity professionals from over 170 nations responded.
And you can find more information on this at iamcybersafe.org.
We've heard the numbers, 1.8 million by the year 2022, as
far as a talent gap is concerned. So what can we do
collectively to solve this crisis?
Recently, the (ISC)2 executive management team gathered
recommendations that we believe will be critical to the success
of the cybersecurity workforce. Specifically, during a
gathering in December 2016, members of (ISC)2's U.S. Government
Advisory Council hosted former Federal Chief Information
Security Officer Greg Touhill and a group of Federal agency
CISOs and executives to discuss what was necessary to ensure
the continuation of progress for the new administration.
As a result of that discussion, we offered several
recommendations. I will briefly summarize three of them now.
The entire list can be found in my written testimony.
One, harden the workforce. Everyone must learn
cybersecurity. We have to break the commodity focus of simply
buying technology and stopping there, without focusing on
training all users. People need patching too. From the intern
to the CEO, the mindset needs to be cybersecurity is everyone's
job. To achieve this, we need to encourage cybersecurity cross-
training to promote cyber literacy across all departments
within Federal agencies.
Two, incentivize hiring and retention. In today's world a
sense of mission doesn't always override good pay. Incentives
work. For example, following the cybersecurity hiring
authorities passed by Congress in 2014, DHS NPPD provided pay
incentives at 20 to 25 percent above an employee's annual pay
to motivate and retain cybersecurity hires. The practice of
incentive pay needs to be replicated throughout the Federal
Government in order to attract experts from the private sector.
This perk also plays a key role in retaining cybersecurity
talent. According to the Pew Research Center, millennials
recently surpassed Gen X as the largest generation in the U.S.
workforce. And our study found that paying for professional
memberships and training are key drivers in job satisfaction
with this demographic.
Three, civil service reform. The civil service system is
broken and does not meet the government's needs. In our best
effort to attract and retain top cyber talent, we are
handicapped by the government's antiquated GS classification
and pay system that makes it difficult to promote high
achievers and reposition nonachievers.
We've talked about the Cyber National Guard concept, which
would allow the Federal Government to repay student loans of
both STEM and STEAM graduates who agree to work for a number of
years in a Federal agency before returning to the private
sector. This will serve as a natural extension to the existing
Scholarship for Service program and will help to broaden the
broader workforce development initiative.
Through these recommendations and the programs that we
offer (ISC)2 hopes to establish an open avenue of communication
with you, your staff, and others in Congress as we all work
toward strengthening cybersecurity throughout the Federal
Government, both now and in the future. We see this time of
transition as an opportunity for our members to be a
stabilizing force during an intrinsically uncertain process.
(ISC)2 would like to offer its ongoing support to you and the
other organizations represented here today by providing
resources, research, and community.
Thank you, and I look forward to your questions.
[Prepared statement of Mr. Waddell follows:]
Mr. Hurd. Thank you, sir.
Mr. Marinos, you're now recognized for 5 minutes.
STATEMENT OF NICK MARINOS
Mr. Marinos. Thank you, sir.
Chairman Hurd, Ranking Member Kelly, and members of the
subcommittee, thank you for inviting GAO to testify on
challenges facing the Federal IT and cybersecurity workforce.
For context, it's important to note that the Federal
Government and the Nation's critical infrastructures continue
to face an ever-increasing and evolving array of cyber threats.
As the committee's aware, the GAO has designated this as a
high-risk area for the government for 20 years now.
It's clear that having a qualified, well trained
cybersecurity workforce is critical to mitigating these
threats, and we also know that there is a persistent shortage
in cyber talent affecting both the public and private sectors.
Today, I'd like to highlight three key challenges to
building the government's cyber workforce. The first is
workforce planning, the second is recruiting and retaining
talent, and the third is navigating the government's hiring
process.
As for workforce planning, the Federal Government hasn't
always taken a strategic approach. We and others have reported
over the last several years about difficulties agencies have
had in assessing the gaps between what skills their workforce
has today and where they need to be to address current and
future threats.
Second, the Federal Government has had a hard time
recruiting and retaining talent. In recent surveys we conducted
of Federal chief information officers and chief information
security officers this was consistently identified as a top
challenge. In discussions with these officials we heard
concerns over limitations that agencies had in offering
competitive salaries and also difficulties in losing top
government staff to higher-paying jobs outside government.
Third, we all recognize that the Federal hiring process can
be lengthy and complex and doesn't always match candidates with
open positions. We recently reported that agencies may not be
leveraging the right hiring authorities when working to
expedite the hiring process.
Collectively, the three challenges I just described are
also reasons why GAO has kept strategic human capital
management as another governmentwide high-risk area since 2001.
Now I'd like to mention a few of the ongoing efforts within
the Federal Government aimed at tackling these issues.
As for the executive branch, in July of last year the
Office of Management and Budget and the Office of Personnel
Management jointly issued the Federal cybersecurity workforce
strategy. This set goals and milestones for agencies to
identify cybersecurity workforce needs, expand the workforce
through education and training, recruit and hire highly skilled
talent, and retain and develop the existing workforce. If
implemented in full, the strategy could help executive branch
agencies determine what critical skills they need and how to
fill those gaps more quickly.
In addition, Congress has demonstrated its commitment to
addressing cyber workforce challenges by holding agencies
accountable through recent legislation. These laws require
Federal agencies to, for example, identify cybersecurity
positions of critical need and mitigate shortages. Legislation
also tasks GAO with monitoring agencies' progress in meeting
these workforce planning requirements. And in fact, we've
recently initiated that review in response to this requirement
and expect to report back to Congress later this year.
There are also governmentwide efforts underway working to
increase the supply of qualified cyber professionals. As
several of the panelists have noted, the CyberCorps scholarship
program provides tuition assistance to students who are
studying cybersecurity at the now over 70 participating
universities in exchange for commitment to Federal service.
In conclusion, recruiting, developing, and retaining a
qualified and competent cybersecurity workforce remains a
critical challenge to the Federal Government. If effectively
implemented, recent efforts by the executive branch and by
Congress could help in addressing these issues. We look forward
to reporting back in the near future on whether progress has
been made.
This completes my prepared remarks, and I look forward to
your questions.
[Prepared statement of Mr. Marinos follows:]
Mr. Hurd. Thank you, sir.
Ms. Plunkett, you are now recognized for 5 minutes.
STATEMENT OF DEBORA PLUNKETT
Ms. Plunkett. Chairman Hurd, Ranking Member Kelly, and
distinguished members of the subcommittee, it is my pleasure to
appear before you today as a member of the Strategic Advisory
Board of the International Consortium of Minority Cybersecurity
Professionals, a grassroots, not-for-profit organization
established in 2014 which has contributed to efforts to address
the great cybersecurity diversity divide. Ultimately, with
scarce talent and high demand, it is even more critical to
focus efforts on increasing capacity.
The cybersecurity workforce shortfall should be of much
consternation given that cyber crime and information theft, to
include cyber espionage, are among the most serious economic
national security challenges that our country faces. In fact,
as we speak, there are discussions in this Congress regarding
the potential role that Russia may have played in our recent
Presidential elections. There is an urgent need for more
capacity to address this, as well as other current day cyber
threats.
It has been reported that the underparticipation by large
segments of our population represents a loss of opportunity for
individuals, a loss of talent in the workforce, and a loss of
creativity in shaping the future of cybersecurity. Not only is
it a basic equity issue, but it threatens our global economic
viability.
According to Frost & Sullivan's 2017 Global Information
Security Workforce Study, there is a projected shortfall of 1.5
million people during the next 5 years. Today, however, women
represent only 11 percent of the total cybersecurity workforce
and the percentage representation of African Americans and
Hispanics in cybersecurity has been reported at approximately
12 percent combined. This data takes on added meaning when we
consider the projected growth of the U.S. minority population
over the next few decades.
The cybersecurity workforce shortfall and the growing
diversity gap in the United States also reflect the broader
challenge that the U.S. faces in STEM programs in our schools.
Until we can get more students matriculating with STEM-related
degrees these shortfalls will persist. We must be laser focused
on quality and retention in middle and high school STEM
programs as these formative years determine the future talent
pipeline for the cybersecurity workforce. Strategies and
programs are needed to provide significantly more
opportunities, to include an infusion of resources to support
everything from curriculum and faculty development to tuition
support.
We also need to develop programs that not only provide
financial incentives, but that also provide the flexibility to
move into and out of government and industry more seamlessly
without the threat of a loss of forward career progression.
ICMCP has developed five key objectives to address the
cybersecurity diversity divide that include increasing the
number of scholarship, internship, and employment opportunities
for minority STEM students and facilitating increased
attraction, retention, and professional development and
advancement.
Since 2016, ICMCP has awarded almost $200,000 for
scholarships, certifications, and development, and placed
dozens of aspirants into internships, cybersecurity positions,
and/or with mentors.
Finally, we are very excited to have launched a Security
Operations Center at an academic institution aimed at ensuring
students graduate with hands-on skills to augment their
classroom learning.
There are also several government-led initiatives, and I
will just highlight one because others have already been
mentioned. The CyberCorps Scholarship for Service program is a
phenomenal program. There is legislation pending to increase
funding and I would urge you to support it.
In conclusion, the efforts to date to address the
cybersecurity workforce shortfalls are commendable, but clearly
insufficient. More must be done and with the sense of urgency
commensurate with our understanding of the capabilities and
intentions of nation-states, as well as other bad actors.
Sadly, however, with over 200,000 unfilled jobs in cyber
and with the dismal representation of women and minorities in
the cybersecurity field, there is much more than can and must
be done. Several studies have proven that diverse teams win,
and specifically diversity has been shown to positively impact
bottom line revenues.
The greatest tragedy could be our failure to recognize the
potential for all Americans to contribute to this workforce
deficit. The time is now to act decisively and courageously, to
resource efforts, establish new initiatives, and closely track
progress towards narrowing this gap.
Thank you for the opportunity to participate, and I look
forward to your questions.
[Prepared statement of Ms. Plunkett follows:]
Mr. Hurd. Thank you, Ms. Plunkett.
And before I recognize Robin Kelly for her opening
questions, I ask unanimous consent that a statement from UC
Berkeley on the cybersecurity workforce talent be entered into
the record. Without objection, so ordered.
Mr. Hurd. I would now like to recognize Ranking Member
Kelly for 5 minutes.
Ms. Kelly. Thank you. And thanks to the witnesses.
Events of the past few years have made clear how vitally
necessary it is to protect our public and private institutions
from cyber threats. Attacks against critical infrastructure,
such as electric grids and nuclear facilities around the world,
prove that highly skilled and determined enemies are attacking
real targets all the time, and we need talented people to
defend against these attacks. It is alarming that as our
critical need to seriously build and develop a world-leading
cyber workforce grows, we face a shortage of the very people
that we need to accomplish this work.
And I guess to all of you first, whoever wants to answer,
why don't you think, especially from the young folks, that we
have more interest, when you think about all the games and
this, that, and the other, why do you think from younger people
that this is not one of their, I guess, aspirations, to get
into this market? And we're talking about cyber, but as I speak
to my manufacturers even about advanced manufacturing, they
need technology. They are suffering also. So it's tech in
general.
Ms. Hyman. I'm happy to reply in brief.
So CompTIA has a philanthropic arm, it is called Creating
IT Futures, and they recently did some research with the group
IDEO, out of Chicago actually, looking at this exact issue,
because we are very focused on trying to get younger people
into the tech pipeline.
A lot of it has do with exposure to mentors, believe it or
not, that have good jobs that are interesting to them and that
they can share that sense of excitement with young people. I
know that sounds sort of simplistic, but in fact research bears
it out.
Recently, we launched something called the NextUp program
through our philanthropic arm. The idea is to try and match
young people grades 6 through 10 with mentors throughout the
tech community so that they're disabused of the idea that a
tech career is some guy in a hoodie in a basement, but it is
actually a very multifaceted, colorful career opportunity. And
we are doing this by partnering with other groups. So we just
gave, I believe, $150,000 to Tech-Girls, for a program in
Chicago, in fact, to try and bring together those mentorship
opportunities.
So that's one piece of the puzzle, but in fact, in our
view, a very important one.
Ms. Kelly. Thank you.
Mr. Cooper. Let me add a perspective, kind of from inside
government, although everybody knows I'm retired and not
officially inside government. But I want to combine a lot of
what Ms. Plunkett said along with what Ms. Hyman just said.
I think a significant part of the problem that directly
addresses how come more younger folks don't come into this
field, particularly in government, because we in government
don't do a good job of making it attractive.
Let me use an example from when I was in the private sector
with Eli Lilly. We had a very, very formal program that placed
recruiting teams on a regular basis with the Historically Black
Universities and Colleges. It was extremely successful. There
were three or four team members who remained in place, a lot of
them were alumni of these organizations, joint with other Lilly
managers and senior people, that visited campuses on an ongoing
basis to identify early rising talent, the best students coming
out.
Lilly then did a number of things, but they had an 80
percent hire rate of those students identified through that
program and about a 60 percent career retention rate of those
people. It included scholarships and things like that.
So I think a whole lot of it--there is nothing like that
that I'm aware of in government. I didn't do it, shame on me,
when I was in government. But we've got to make folks more
aware of the opportunities, particularly in cyber, in the
Federal enterprise.
Ms. Kelly. Yes.
Mr. Waddell. I just wanted to piggyback on Elizabeth's
comments from CompTIA. I absolutely agree with what she said.
At (ISC)2 we are actually trying to get them a little bit
earlier. We have actually partnered with Garfield, believe it
or not, to address the 1 through 6 grade level. And it is
really just going into schools and having a dialogue with these
kids, because a lot of times they have this impression of the
hacker in the hoodie and the cyber job that is really all about
just being behind the keyboard.
But cybersecurity has so many different roles to play, and
we found that through this program just by simply inducing
videos and comic books about just basic internet safety it
starts the dialogue.
I've been in schools in Prince William and Fairfax County
and I've talked to these kids. And they come up and they say,
``Wow, what do you do for a living? I want to do that. How do I
get involved?''
So just by using that character Garfield, believe it or
not, it really starts that conversation.
Ms. Kelly. I'm so glad to hear the comments that all of you
had, because I think it is so important to start young and to
go into the schools. Because in my district, which is urban,
suburban, and rural, so the thing that I have to deal with that
everyone talks about Chicago. But there is a--I'm glad you do--
but there is the south suburbs, I have a rural part of my
district, and they tend to lose out because they are kind of
competing with the big city, and they don't have the
transportation and those kind of things.
But I do think, like you said, people don't even think
about doing these things and we have to put it on their minds.
And then some of my school districts, they don't even--I just
helped get one area of my district the internet so they could
go on the world wide web. So, I mean, they don't even have
that, your phone or your GPS doesn't work. Now it does, but it
didn't work.
So we really do need to have that personal relationship and
whatever your companies can do would be fantastic.
I'm over time.
Mr. Hurd. Mr. Raskin from Maryland is recognized.
Mr. Raskin. Thank you very much, Mr. Chairman.
And thanks to all the witnesses for your excellent
testimony.
I'm someone who is quite perturbed and disturbed about the
Russian cyber hacking and sabotage of the 2016 election. And
the best that I can tell is that Vladimir Putin figured that he
was no military match for the United States, but he could
launch something like a Manhattan Project for cyber attacks and
then figure out a way to unleash mayhem in the U.S., Brexit,
France, Italy, all over the world. And so it seems to me you
guys are on the front lines of the real defense of America
against the big threats today.
But I wonder if you think that the allocation of our
resources corresponds to the reality of the threats against us.
President Trump has suggested slashing $56 billion from the
domestic budget from NIH and from Peace Corps and from HUD and
Community Development Block Grants, which I think is
independently a misallocation of our priorities.
But put that $56 billion directly into the Pentagon and I'm
wondering if you think if the money is spent the way we have
traditionally spent it that addresses the threats that are
really facing the country or if we have to think of the defense
budget as something that puts cybersecurity right at the heart
of it now.
So I don't know if anybody wanted to volunteer to take that
one.
Mr. Cooper.
Mr. Cooper. I'll take a shot at it. I can kind of talk--I
can color outside the lines a little bit as opposed to joining
you in previous hearings.
First of all, I think that the approach we're taking to
hiring cyber talent is well intended but it gets in the way of
actually filling an awful lot of these vacancies across the
Federal enterprise and retaining that talent. Specifically,
here is what I'm talking about. And please don't hear this as
criticism, it is not intended this way, it is feedback.
Appropriations bills require CIOs to spend those taxpayer
dollars that have been approved within, in my example most
recently, the Department of Commerce. What if I could pool some
of that money with fellow CIOs most in need in the Cabinet
departments and with the Department of Defense to do a couple
things?
First of all, why not use pooled hiring? Why do I have to
end up competing with other CIOs? DHS is more sexy, DOD
attracts a heck of a lot more people than the Department of
Commerce, speaking very candidly. It is not a negative, it is
just reality. But if we could team up and if we could kind of
have a recruiting team, you guys figure out where it might be
placed, possibly GSA, possibly OPM, possibly DHS, or possibly
DHS, DOD combined, but let them do all the hiring for these
folks.
Go after the skill sets we need, and that's where these
folks can give you a lot of detail about the different scope
and breadth and depth of hiring what talent is required. But I
couldn't find forensic analysts. I just couldn't compete. There
was no way in hell.
Mr. Raskin. But let me come back to something----
Mr. Cooper. And then take those people and deploy them to
the highest risk.
Mr. Raskin. Gotcha. As the departments request their help
on particular things or creating interagency initiatives for
cybersecurity.
So let me come back to something that you actually started
with, which was the hiring freeze. To what extent does this
blanket categorical hiring freeze in fact undermine the ability
to hire and to get in the people we need in the cybersecurity
field, maybe on an emergency basis?
Mr. Cooper. Well, my answer is simple. Right now, it's
having a pretty significant adverse impact.
Mr. Raskin. Others want to weigh in?
Mr. Waddell.
Mr. Waddell. I would say that the impact is not only on the
agencies themselves because of the open positions, but the
impact on the cyber workforce that's already there. So now
you're asking the cyber workforce that's doing their 9 to 5 job
to now pick up other duties and skills just to help cover it.
So I think we also need to think about the current folks that
are there. This shortage is really draining the resources of
those people.
I like to use the sports analogy. I think we have too many
coaches and not enough players, and in order to play defense,
we need more players. So we need that pathway to help get these
folks in without the threat of sequestration and hiring freezes
and the like.
Mr. Raskin. And as you sweat the people who are there
harder, it drives them out and then you can't fill their
positions.
Mr. Waddell. Right, exactly.
Mr. Raskin. So you're in a destructive downward cycle
there.
Mr. Chairman, thank you very much.
And I appreciate your testimony.
Mr. Hurd. Mr. Krishnamoorthi, you're recognized for 5
minutes.
Mr. Krishnamoorthi. Thank you, Mr. Chairman.
First of all, thank you all for coming today. I really
appreciate Congressman Raskin's line of questions. I'd like to
build a little bit on what I've heard so far.
You know, Chairman Hurd has put forth some really good
ideas about increasing collaboration between the public and
private sectors. Ms. Depew, you have called for an expansion of
the CyberCorps program and I wanted to ask you a couple of
questions about that. One is that my understanding is that--is
the CyberCorps program limited to folks with a 4-year degree?
Ms. Depew. I believe at this time it is focused on juniors
and seniors in a 4-year cybersecurity-focused degree.
Mr. Krishnamoorthi. Okay. What do you think about
potentially opening it up to folks in community colleges who
might specialize in a cybersecurity degree? I'm just concerned
that perhaps we're limiting our supply of people for these open
positions by basically excluding people who might specialize in
a 2-year degree, but possess the requisite skills to do the
job. I mean, what are your comments on that?
Ms. Depew. Oh, absolutely. We highly recommend that it be
expanded to include community colleges. There are a breadth of
skills necessary to effectively run a Security Operations
Center and some of those skills can absolutely be obtained via
certifications, 2-year degrees. It's not just about 4-year or
advanced degrees to develop those skills and that talent.
Mr. Krishnamoorthi. I see a lot of heads nodding in
agreement, including Mr. Waddell from--what an interesting
name, I think ISC, in parens, squared.
Mr. Waddell. (ISC)2, yes.
Mr. Krishnamoorthi. Okay. That seems like a very
mathematical name there. So please, what are your thoughts?
Mr. Waddell. I couldn't agree more. I think that--and I
think limiting it to just the STEM folks, I think, leaves a lot
of the liberal arts and the communication pieces of the
cybersecurity job. Look no further than the OPM breach, where I
think there was just a communication gap between the folks that
were on the keyboards, and the folks kind of at the top. But
the folks at the top didn't understand what was the risk of not
patching these systems. What was the risk of these
vulnerabilities? And that message just did not get filtered up
for whatever reason. So, absolutely, couldn't agree more.
We could--not all positions require a college degree. It's
a great thing to have, but you can certainly tap into high
school, a 2-year college and have training and certifications
to help augment and validate those skills.
Mr. Krishnamoorthi. Go ahead, Ms. Hyman.
Ms. Hyman. Yes. I just want to reiterate everything that's
been said. We share (ISC)2's position as being a certifying
body. And we've been working for a long time with the
government to try and suggest that this is a very good
government way of spending money is to make sure that if you're
going to have training, you need to have some way to validate
what that training was about. And so even if you don't have a
2- or 4-year college degree, there are certifications that an
individual can take to get them into the beginning of the
cybersecurity career. And on top of it, I would point out
there's something called the Government Employees Training Act,
GETA, which obviously says that it's okay for money to be spent
for training, but it doesn't explicitly say that it should be
used for testing. And so when we go to talk to various
agencies, we learn that, well, they are not specifically
authorized to use that funding for the purpose of testing.
Therefore, we're not validating the skills that we've spent
government money on to make sure an individual understands what
their cybersecurity responsibilities are.
So I would commend all of you to address GETA and try to
make that a more explicit piece within that particular piece of
law.
Mr. Krishnamoorthi. That's a great point.
I think, Chairman Hurd, perhaps we should take a look at
that.
I just believe very strongly in vocational, technical
education, community college education being kind of
potentially the pathway forward in filling a lot of these open
technical positions in our country. And so, I think we're--this
year we're going to be reauthorizing the Carl D. Perkins Career
and Technical Education Act in the Education and the Workforce
Committee. I think this is something, perhaps, we should look
at there as well.
Ms. Depew, what is the current investment into the
CyberCorps program?
Ms. Depew. I believe it was $45 million 2 years ago, $50
million last year, and it's proposed at $70 million this year.
Mr. Krishnamoorthi. I mean, what's your thought? Is that
sufficient to address the shortages that we're seeing in the
workforce?
Ms. Depew. So $40 million funds about 1,500 scholarships.
If there's a 10,000-person deficit, that puts a small dent, but
not a significant enough one. So I do think we do need to
investigate at a heavier level. And that could be a combination
of both a traditional program or expanding to community
colleges.
Mr. Krishnamoorthi. Great.
Final question, what level of funding do you think is
required?
Ms. Depew. I think on the order of $180 million would be
necessary to put a sufficient dent in the problem.
Mr. Krishnamoorthi. Okay. Thank you very much.
Thank you, Chairman.
Mr. Hurd. I want to recognize myself for my line of
questioning.
First question goes to you, Mr. Marinos and Mr. Cooper. Why
is it hard for a CIO to tell me how many positions they don't
have--that they haven't been able to hire for?
Mr. Marinos. So, I think, like I mentioned in my statement,
I see three issues, but I'll probably focus less on the
recruiting and retention, which others have mentioned. So the
first one is on strategic planning. It has been a high-risk
area since 2001 for a reason. Part of the difficulty with
cybersecurity in particular is that, obviously, with the threat
constantly changing, so are the needs themselves as well. So----
Mr. Hurd. I get that. But why can't they tell me what they
need today? Right? Let's start with today----
Mr. Marinos. Sure.
Mr. Hurd. --and the difficulty. I would think that I should
be able to go to any agency head and call them on the phone,
and they should be able to produce how many positions that they
have billets for that are unfilled. Is that a--is that a--is
that a yeoman's work to pull that number out of there?
Mr. Marinos. So, I think they are working off of an old
system. I throw it out there. We've got three job series that
are set up to classify IT and cybersecurity. In that old
system, it doesn't really provide you much granularity. So
let's say you want to know how many people do I need in my SOC?
How many people do I need on incident response? Well, if you're
looking to hire up, or you're looking to express to the
committee, to Congress, exactly what you need, you don't have a
lot to work off of.
More recently, NIST has put out an updated framework, which
is supposed to give agencies that ability. I would point out,
though, that it's a long-term goal, even with the law that was
mentioned earlier, Federal Cybersecurity Workforce Assessment
Act, tasked agencies with getting there by 2019. So I think
it's a real concern that I would share with you, Chairman, that
I think, ultimately, asking the question up front as to what
are agencies doing now to shore themselves up is of major
concern.
Mr. Hurd. Good copy.
Mr. Cooper.
Mr. Cooper. I'm going to give you a little bit more direct
answer.
I think it varies a little bit by agency, and quite
frankly, it varies by CIO. I believe you know, I could give you
the answer to your question. I still can, even though I'm not
there. And I think you will find----
Mr. Hurd. What was the number when you were there?
Mr. Cooper. The total--in my particular office, when I
walked in the door, I learn a little bit of research, there
were 16 cyber-specific vacancies. Okay? Three years later,
there are 10; but there were another 10 that were not funded.
So 20 is the need. 10 is officially what the number is that I
shared with you this morning.
Mr. Hurd. Got you.
Mr. Cooper. Additionally, across the entire Department, so
all 12 bureaus, that number increased, particularly--remember,
we're coming up on the 2020 decennial Census, so it's a big
driver. But that number increased to about 97 across the entire
Department.
Mr. Hurd. And, Ms. Depew, you said a number has been used
multiple times. 10,000 is what we think the estimation is in
the Federal Government of IT professionals. Is that correct?
Ms. Depew. Yes, that's the number we referenced, yes.
Mr. Hurd. Mr. Marinos, would you agree with that estimate?
Mr. Marinos. No. Though I would point out that there have
been varying estimates out there. I would say that last year,
there was a goal, I think, around about 7,000, and as of
January, when OMB provided its report to Congress on FISMA
compliance, it did report that it met that goal.
Mr. Hurd. So if we're looking to fill a gap, start saying,
Hey, we need to get near 10K, 10,000 people, that's good enough
for--because if we try to produce something that only produces
10, you know, graduates that can go into jobs, that's not going
to make a dent. So we need--the magnitude that we're talking
about is--is around 10,000.
Next question: So--and, Mr. Cooper, I'm going to start with
you. Ms. Hyman, I love your perspective. And, Mr. Waddell, and
if anybody else has perspectives, just please raise your hand,
and I'll ask you that--this idea of rotational IT workforce,
and you alluded to it in your opening remarks, what kinds of
jobs could they be working on, and how would you--how--what are
the hurdles that we're going to have in making sure CIO has the
authority to task this rotational workforce? Right?
Because when I think of rotational, it's you have three
people for 10 days working on a project, or you can have one
person for 10 days, and you are able to plan in advance, and
maybe you get three people to do that. So a project that takes
30 man-days can be filled by three people.
What are some of those kinds of projects? And as a former
CIO, would you have wanted to use--would you want to have that
kind of capability?
Mr. Cooper. All right. Let me first clarify. I may have
accidentally confused members of the subcommittee or even maybe
colleagues on the panel. I apologize if I did that. Let me
clarify.
When I use the term ``rotational,'' here's what I'm
actually talking about. I'm talking about a longer period of
time, 6 months to up to 2 years. That's what I mean when I say
``rotational.''
Contrast that, or compare it with the cyber National Guard
or the concept of shorter periods of time, both are valuable.
Which--which would you prefer me to address?
Mr. Hurd. The shorter period.
Mr. Cooper. All right. Okay. The shorter period. The types
of positions that would be very, very valuable for skilled
people--and there are a whole lot of these folks who are in the
contractor workforce that support most of the CIO offices
across the Federal agencies, take something as simple as
deploying testing and deploying vendor security patches.
That's--that's something that skilled people and people who are
trained through some of these programs at a 2-year level, by
the way--I fully agree. This could be done by community college
graduates. It would be a tremendous opportunity to build a
workforce to do that. That's something that people can step in
and add real value for however much time they are able to do
that.
So, literally, that could be 3 days, 2 weeks. If I've got
somebody skilled, I will take them. And I will take as many as
those people as I can get, as long as I have some way to know
that they're skilled, and that's where I fully support all of
the colleagues sitting to your right around rigorous
certification. That's terribly, terribly important. Because,
otherwise, I don't know these people, and I don't know whether
their skills are right. You give me as many of those people
short term, I will take them all.
Ms. Hyman. Yes. Great question. And I agree in terms of the
short-term purposes. I think maybe in--I'm going to defer to
some of the true experts on the panel, but also looking at some
of the cybersecurity--excuse me--logs on a continual basis, so
long as you have an opportunity--if you are there for 2 or 3
days, and you're looking at some of the patterns there, there's
some sort of system to capture that. I don't know if that's
possible short term. But I was thinking about that. Because
that is introductory industry analyst type position.
The other thing, frankly, is using some of these people to
train your remaining noncybersecurity workforce. The amount of
human error that contributes to cybersecurity breaches, it's
usually about 50 percent or higher. And so you could, on a very
short-term purpose, use some of these individuals to deliver,
you know, quick training for the regular workforce along those
lines.
Mr. Hurd. So, as Mr. Waddell says, harden the workforce.
Ms. Depew, do you have any comments?
Ms. Depew. Two thoughts that come on top of head--on top of
mind are specific coding projects. We always have a multitude
of ideas that we would like to flesh out. So if somebody had
advanced coding skills, there are contained projects we could
do on a short-term basis that I think would be really valuable.
Another thing I would love to do is put folks with government
experience in front of some of our products and tell us what we
need to improve and why they don't work as effectively as we
need to in your infrastructure. So that would be very
advantageous to us as well.
Mr. Waddell. Two things jump out at me for the short-time
assignments. One is like a site assessment. When I was a
contractor with the DOD, I was on a 2-week rotation with the
Army where we went to MetCom and the military entrance
processes command and tested all the sites. That was a 2-week
rotation. We went in. We red-teamed. We threw everything we
could against that site, interviewed the people, did a bunch of
pen tests, and then cranked out a report and left. I think
that's probably a really good one for that short-term
assignment.
The second one was also a breach response forensics, say,
for example, you know, some agency organization got hacked, and
they needed to do forensics on a hard drive, maybe come in and
just do a real quick recovery of that and then rotate to the
next breach.
Mr. Hurd. Ms. Plunkett.
Ms. Plunkett. So I'd agree with everything that has been
said. Areas like research and development, developing
mitigations, product testing, and some level of forensics, I
think would be ripe. The other areas that would be more
difficult would be real-time response, because you want to have
some a priori understanding of the network. It's not
impossible, particularly if you have someone that's rotating in
on a regular basis to the same place. But if it really is a
ready reserve where they would go anywhere, it would be
difficult to send someone in just to address a threat when they
don't know the infrastructure and they are not up on the
current vulnerabilities.
Mr. Hurd. So, Mr. Marinos, what are the difficulties going
to be if let's--you know, we have these different kinds of work
requirements that a short-term rotational workforce could
address. Help me think in advance of, you know, the problems
that we're going to see in trying to introduce that into the
Federal Government? Is that a fair question, these incidents?
Mr. Marinos. Absolutely. I think the quickest answer is
coordination. So--I hate to tell you. You know, and you all are
champions of empowering the CIOs who are doing work for you and
enforcing FITARA, we're looking at that area very carefully.
When you think about that, you are thinking a lot about CIO and
CFO working hand in hand to procurement, working with the CIO.
Here, you've got a whole different story. You've got the chief
human capital office working with the CIO and the chief
information security officer at individual agencies having to
work together. So, you know, I just kind of throw that out as a
potential pain point in terms of the coordination.
If you're thinking about where this fits within the Federal
Government too, thinking about what DHS' mandate is, the
National Cybersecurity Communications Integration Center is
increasing in its--you know, its level of assistance to other
agencies. That might be a location to consider in terms of
whether they are going to need assistance to be able to help
other agencies out.
But I would go back to what Mr. Cooper has expressed at
previous hearings as well, which is that if the CIO is not
actively engaged, then the help may not be going to the right
places.
Mr. Hurd. Let's do a quick lightning round. Okay? We'll
just go down the panel. Where should this cyber National Guard
sit? And ``I don't know'' is a valid question.
Mr. Cooper.
Mr. Cooper. Okay. So the truth is----
Mr. Hurd. Lightning round.
Mr. Cooper. The truth is I don't know, but I would argue
DHS plus OPM plus DOD.
Ms. Hyman. I don't know, but I would add that there should
be information back from the Federal cybersecurity workforce
assessment process so that you could figure out where gaps are
and what agencies really need to be invested.
Ms. Depew. I don't have an answer for the National Guard,
but for the expansion of the scholarship program, we do think
that the NSF is an appropriate place, because it's
nonregulatory and it has great respect with the private sector.
Mr. Hurd. Got you.
Mr. Waddell. I would say a mix of DHS and DOD.
Mr. Marinos. I'll add in--I think it's really important for
the Office of Management and Budget. We had the Federal CIO in
the previous administration. I think it's important for there
to be a proactive involvement from that office.
Mr. Hurd. Okay. Ms. Plunkett.
Ms. Plunkett. I'd say in a place where there's a real-time
current cybersecurity mission, it can't be just a place to
deploy, because that won't--they won't have the right
understanding of the types of skills that are needed for a
specific situation. It's got to be in a place where there's
active cybersecurity mission going on.
Mr. Hurd. Next question, lightning round. I'm going to
start with you, Ms. Plunkett. I'm going to go down this way.
Expand the cyber--so CyberCorps--CyberCorps is only 4-year
institutions.
Is that correct, Ms. Depew?
Ms. Depew. That is my understanding.
Mr. Hurd. Okay. So is it focused on getting scholarships to
high school kids that go to college forgive debts? And I would
say not college--when I say ``college,'' I mean 2- or 4-year
institutions. So is it to forgive debt or is it people that
have already gone to school, or do we focus on trying to give
scholarships to high school kids who go to school, or something
else?
Ms. Plunkett. I think it's all of the above. And in
addition, we need to invest in those high school students while
they're in high school. We need to look at investigating in
areas like----
Mr. Hurd. What gives us the quickest result?
Ms. Plunkett. To address the immediate need, it's likely
more for scholarship for service, to get folks who are at the
end of their degree program through more quick--through debt
forgiven, get them into the workplace.
Mr. Hurd. Good copy.
Mr. Marinos. So as the one current government guy here, I
can say from GAO's perspective, we've recruited, and we still
have CyberCorps folks there after decades. So I think there's
an importance at the undergraduate and graduate level, but I
think it couldn't hurt if there was an extension of that.
Mr. Waddell. Quickest, I would consider cohort programs
that retrain folks that are already in another vertical and
retrain them quickly through a 16-week program and get them in
entry level. That's the quickest.
Ms. Depew. I agree the quickest is to leverage what exists
now and potentially pump up more existing scholarship programs.
But if you are going to systemically fix the problem, you have
to start deeper in the pipeline and do something with middle
school and high school students.
Ms. Hyman. Same thing, but I would also say, upscaling is
crucial. And to take that existing workforce pipeline and
provide not only, again, certifications, but identify a career
path for these individuals to continue within government
service with opportunities for training, education, and
progression.
Mr. Cooper. Most immediate impact and easiest to implement
right away, 2-year community college-based degrees plus a
year's of service Federal obligation. The other stuff I agree
with, but the most impactful right now, people trained out of
2-year colleges hit the ground right now, but they require an
obligation on years of service.
Mr. Hurd. Ms. Kelly, you're now recognized.
Ms. Kelly. I have to ask this question, since it's Women's
Equal Pay Day. When you talk about recruitment and retention,
what have you seen as far as a difference in pay between men
and women? Because from something I read, I saw there was like
a 15- to $16,000 difference.
Mr. Cooper. I can address that directly. There was a
disparity. I took a look at it. I tried to do something as best
I could, but--but I didn't tackle it directly male, female. I
did it on an equity-based basis around roles, and that was more
palatable to my HR counterparts.
Ms. Hyman. We don't have the data specifically on that
question, but I will say, obviously, women are underrepresented
in the tech fields. And I think we have to pay attention to
getting more women in so that we can also drive up salaries.
Ms. Kelly. Right. Because they are underrepresented, that
might be one of the reasons why they are not going to get equal
pay.
Then the other question is, I know we're talking about how
to get young people involved. But when people are laid off from
a career they've had, some people--you know, we always say, we
should put them back into training and skills and blah, blah,
blah. And some people would say, oh, people that get laid off
in their 40s or 50s, they don't want to go back in and learn
something.
Have you found that, or do you have many people that you
work with, Mr. Waddell, Ms. Hyman, that are older, but younger
than me?
Ms. Hyman. Yes. Talking a little bit about our
philanthropic arm, they also have developed something called
the IT-Ready program, and it looks at folks that have been
displaced, put out of work, as well as younger people in
underrepresented populations.
I don't have specific numbers for you, but what I can say
is that these types of programs, it's not just a simple matter
of retraining somebody.
The--when we take somebody on for the IT-Ready program,
we've assessed them, whether there's an aptitude for
technology. There's a good 8 weeks to 10 weeks of training.
There's support services that go with it. How do you interview
for your job? And then we place them into an internship or
apprenticeship, so that there's an opportunity then to turn
that into a full-time job.
We've had, I believe, over 85 percent success rate with
this program, but the issue is scaling it up. We probably have
about 800 people annually. You know, we have a lot of work to
do.
Mr. Waddell. Yes. I just wanted to give you some facts,
some figures, from our 2017 report specifically about the wage
gap.
The wage gap of women at the director level and above has
narrowed from salaries reported in 2015; however, women are
still paid 3 percent less than men in equivalent roles. At the
manager level, the gap has remained relatively the same, with
women earning 4 percent less than men. The gap at the
nonmanagerial level has widened to 6 percent from 4 percent in
2015.
Ms. Plunkett. You know, what we found is that we actually
have been successful at retraining folks who are either laid
off, or are looking for a career change. And the answer has
been a combination of, certainly, academic training, but then,
exposure to operational cybersecurity capabilities as we might
find in the ESOC or the SOC or the ICMCP has been piloting,
where they've had some hands-on experience in an academic
experience. So that when they go into the workplace, they've
touched the code; they've touched the machines; they have
touched in, an operational kind of way, systems, so they can
hit the ground running.
Mr. Hurd. Mr. Raskin is now recognized.
Mr. Raskin. Mr. Chairman, thank you. Just one final
question.
If Members of Congress, like members of this panel, wanted
to do a job fair or a higher education fair, college fair,
career opportunities fair, who is the best person to contact
about creating a cybersecurity careers presence there? Do you
guys do that?
Mr. Waddell. Yes. We do. I think all of us on here do some
sort of job fair. I'll just give you an interesting, very quick
story. I offered a table at our career fair to DHS, US-CERT a
couple of years ago, and the deputy director at the time, Brad
Nix, said, I'd love to come, but by the time we get there, all
the positions--all the folks would be gone, and we wouldn't
have an opportunity to capture them, because it just takes them
so long to get them into the system. Average is at about 6
months. So I don't know if the problem is the career fair
themselves. It's just--we need to streamline the onboarding and
hiring process to get those folks in quickly--quicker.
Mr. Raskin. Yes, Ms. Plunkett.
Ms. Plunkett. Can I just add, the process by which we
actually match aspirants or candidates with good jobs is an
area that could use some help. And, certainly, ICMCP would be
absolutely willing to participate in a job fair. We have lots
of young people coming to us looking for those opportunities.
Mr. Raskin. That's great. Well, I'll definitely take your
information. And I don't know whether you are deterred by the
hiring freeze in terms of doing this, but I suppose it makes
sense in any event to go forward and do it.
Mr. Hurd. Well, I'd like to notify my colleague, in places
like DOD, the IT professionals are considered must-haves, and
so the hiring freeze is not impacting them.
Mr. Raskin. Okay.
Mr. Hurd. And many of the other Federal agencies could have
that same interpretation.
Mr. Raskin. Thank you, Mr. Chairman.
Mr. Hurd. Ms. Hyman, can your cybersecurity career path
positions descriptions, could they be used as the foundation
for Mr. Cooper's idea of working with the Federal CIO Council
and OPM on having pre-approved positions?
Ms. Hyman. Yes. So what we've done with our certifications
is that we've mapped them to the National Initiative for
Cybersecurity Education, which looks at knowledge, skills, and
abilities across different uses for cybersecurity. And the 8140
program, the successor to the DOD 8570 program, which is their
information assurance requirements, they're actually going to
be mapping many of their requirements to the 81--to the NICE
initiatives. So what you're starting to see is, across
different government agencies, sort of a similar lexicon about
what cybersecurity knowledge, skills, and abilities are. And
we're not the only certifying body that has mapped our
certifications to NICE.
Mr. Hurd. Good copy.
Mr. Cooper, 18F and USDS, can their business model be used
to address some of these--how would I best say it?
Mr. Cooper. Some the shortcomings?
Mr. Hurd. --some of the shortcomings, yes.
Mr. Cooper. Yes, I actually believe it could.
I think they've done a lot of learning from their first
approach, or first foray, through U.S. Digital Services, I
think it has been a positive learning. I would support that,
and I think that you could probably pull that group together
with a Federal CIO when named, and the Federal CIO Council
appropriate interaction with the HR community. But, yes, I do
think that could work.
Mr. Hurd. Ms. Depew, the Cyber--I don't know why I can't
remember that--CyberCorps program, my understanding is that the
funds go to the universities, and the universities are the ones
that are the selecting individuals to potentially receive that.
Is that a correct understanding of the program?
Ms. Depew. I would--yes.
Mr. Hurd. So my question is--and is that restricting us by
having just those participant--the schools that are
participating in that, and the only other option would be, you
have some entity in the Federal Government that administers
these programs, which I'm always circumspect about whether we
can pull off something like that in order to have kids apply
and go to the school of their choice--their choosing. Am I--am
I thinking about this problem the right way?
Ms. Depew. I think that's fair. I would have to--I'm
curious how they choose which schools if the schools opt in or
if they were targeted. I was looking through the list myself,
looking for which schools were near some of our campuses,
because it would be nice to be able to offer some local
teachers. And I didn't see a multitude in the States and cities
where our campuses were, which is another reason a community
college-based program would open that aperture and have more
availability to a broader----
Mr. Hurd. Got you.
Mr. Cooper.
Mr. Cooper. One quick thought, which honestly just occurred
to me listening to our conversation, it might be interesting to
talk to the military academies about adding kind of a cyber
curriculum. They have the basics, but with a goal of actually
training cyber officers who don't necessarily go through direct
military. They are in the military, but they come back to, you
know, not just DOD, civilian agencies as well, might be an
interesting thing to explore.
Mr. Hurd. 10 seconds, final question. Everybody gets 10
seconds, final statement: What should we be walking away here
or something that we haven't--we haven't discussed or you
haven't been able to bring up?
Ms. Plunkett, I'm going to start with you.
Ms. Plunkett. I'd say let's not--I recommend you not focus
on what's working. Scholarship for service is working. Needs
more resources. Focus on capacity at lower levels, middle
school, high school. Focus on 2-year colleges. Focus on SOC
experiences where folks can get operational experiences and
then jump right into the workforce.
Mr. Hurd. 10 seconds.
Mr. Marinos. I think your continued focus of oversight is
really important here. We can't afford to wait, and I'm
concerned about the longer term focus of where our initiatives
are going.
Mr. Hurd. Thank you.
Mr. Waddell. Scale up fine pockets of excellence of things
that are working such as the cyber pay incentive program at
DHS NPPD that has been shown to attract and retain talent.
Ms. Depew. The threat landscape is always changing. It's
not like certain degrees where they fix routine process, so you
need to consider that when you're recruiting your diverse
workforce and training them for how to think not what the
differing knowledge is.
Ms. Hyman. It might also be useful to take a look at the
current National Guard personnel that are actually certified in
cybersecurity capabilities just to get a sense of what that
rotational workforce might look like.
Mr. Cooper. Set up a new program along the line of what we
talked about for veterans and unemployed workers, jointly
funded, public-private partnership, graduates of 2-year, 4-year
program, whatever, rigorous certification. Companies that hire
these people receive additional acquisition points in
competitive procurements, based upon the number of people they
are hiring out of this program and competitive solicitations.
Mr. Hurd. I'd like to thank our witnesses for taking the
time to appear before us today.
I ask unanimous consent that members have 5 legislative
days to submit questions for the record.
Without objection, so ordered.
And if there's no further business, without objection, this
subcommittee stands adjourned.
[Whereupon, at 3:55 p.m., the subcommittee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]