[Infowarrior] - U.S. struggles to recruit computer security experts

Richard Forno rforno at infowarrior.org
Wed Dec 23 04:34:36 UTC 2009


As attacks increase, U.S. struggles to recruit computer security experts
By Ellen Nakashima and Brian Krebs
Washington Post Staff Writer
Wednesday, December 23, 2009; A01

http://www.washingtonpost.com/wp-dyn/content/article/2009/12/22/AR2009122203789_pf.html

The federal government is struggling to fill a growing demand for  
skilled computer-security workers, from technicians to policymakers,  
at a time when network attacks are rising in frequency and  
sophistication.

Demand is so intense that it has sparked a bidding war among agencies  
and contractors for a small pool of special talent: skilled  
technicians with security clearances. Their scarcity is driving up  
salaries, depriving agencies of skills, and in some cases affecting  
project quality, industry officials said.

The crunch hits as the Pentagon is attempting to staff a new Cyber  
Command to fuse offensive and defensive computer-security missions and  
the Department of Homeland Security plans to expand its own "cyber"  
force by up to 1,000 people in the next three years. Even President  
Obama struggled to fill one critical position: Seven months after  
Obama pledged to name a national cyber-adviser, the White House  
announced Tuesday that Howard Schmidt, a former Bush administration  
official and Microsoft chief security officer, will lead the nation's  
efforts to better protect its critical computer networks.

The lack of trained defenders for these networks is leading to serious  
gaps in protection and significant losses of intelligence, national  
security experts said. The Government Accountability Office told a  
Senate panel in November that the number of scans, probes and attacks  
reported to the Department of Homeland Security's U.S. Computer  
Emergency Readiness Team has more than tripled, from 5,500 in 2006 to  
16,840 in 2008.

"We know how we can be penetrated," said Sen. Benjamin L. Cardin
(D-Md.), chairman of the Judiciary subcommittee on terrorism and homeland  
security. "We don't know how to prevent it effectively."

Indeed, the protection of critical computer systems and sensitive  
data, said former National Security Agency director William Studeman,  
may be the "biggest single problem" facing the national security  
establishment.

Agencies under attack
One evening in May 2006, a U.S. embassy employee in East Asia clicked  
on an innocent-looking e-mail attachment that opened the door to the  
most significant cyberattack the State Department has yet faced,  
allowing attackers operating through computers in China to send  
malicious computer code into the department's networks in the region.

State's cyber-emergency response team immediately went into action,  
working round-the-clock for two weeks to isolate the harmful code and  
craft a temporary patch that officials said prevented a massive data  
theft.

The department's response to the attack highlights how skills matter,  
experts said. In 2000, State had hired technicians -- the vast  
majority contractors -- who custom-built an intrusion detection system  
and trained people to identify malicious software and reverse-engineer  
it to determine an attack's goals and methods. As a result, department  
technicians in 2006 were able to contain the attack quickly, said Alan  
Paller of the SANS Institute, who has analyzed the case for the Center  
for Strategic and International Studies.

Unlike State, most government agencies and private companies lack the  
skills and resources to muster a robust containment effort.

Two months after the East Asia intrusion, the Commerce Department  
detected a similar attack -- but only after a deputy undersecretary  
was unable to log on to his computer. Contractor technicians were  
never able to identify the initial date of penetration into the  
computers of the Bureau of Industry and Security, which controls  
sensitive exports of technology that has both commercial and military  
uses.

It took eight days once the attack was discovered for technicians to  
install a filter to prevent leaks, and then they installed the wrong  
kind of filter, said Paller, sharing previously undisclosed findings  
about the incident, first reported in The Washington Post in October  
2006.

Because of "operational security concerns," the Commerce Department  
declined to comment for this article. But a senior Commerce official  
told a House Homeland Security panel in 2007 that the agency had no  
evidence that data were compromised. Still, the department replaced  
hundreds of workstations and blocked employees from regular Internet  
use for more than a month.

Commerce is trying to improve, but it can take years to put the  
people, processes and technology in place to wage an effective  
defense, said Mischel Kwon, former director of the Department of  
Homeland Security's readiness team. For years, she said, most civilian  
agencies were forced by federal law to spend their cyber-funds on  
security audits as opposed to crafting a strong security program.

And most federal information technology managers do not know what  
advanced skills are needed to combat cyberattacks, said Karen Evans,  
information technology administrator in the Bush administration.

"Skills," Paller said, "are much more important than hardware."

The federal pay gap
A pillar of the federal government's effort to develop talent is the  
National Science Foundation's Scholarship for Service program, which  
pays for up to two years of college in exchange for an equal number of  
years of federal service. However, the program has placed fewer than  
1,000 students since its inception in 2001.

The career of a 30-year-old computer scientist named Brian Denny shows  
how the government is often outbid by the private sector in recruiting  
cyber-warriors.

Denny earned a computer science master's degree in 2004 from Purdue  
University on an NSF scholarship. In return, he spent two years at the  
National Security Agency, identifying novel security flaws in computer  
systems and software. Then Booz Allen Hamilton, a major intelligence  
contractor, hired him at a 45 percent pay raise.

Today, Denny works for a small employee-owned firm that has federal  
government and private-sector contracts, and his pay is higher still.  
"You can still do a lot of cool national-security-related work as a  
contractor," said Denny, chief security architect for Ponte  
Technologies in Ellicott City, Md., near the NSA. "The pay difference  
is so dramatic now," he said, "you can't ignore it."

Recently, a military officer with 20 years' cybersecurity experience  
and a coveted security clearance sauntered out of a job interview with  
Northrop Grumman, a major defense contractor that is making an  
aggressive play for potentially billions of dollars in government  
cyber-business.

"It's mind-roasting," said the officer, who is about to retire. "I've  
had people call my house, recruiters for defense contractors . . .  
probably 20 calls."

The labor shortage is torquing up salaries, a cost that often gets  
passed on to the government. Some young people with three years'  
experience and a clearance are commanding salaries above $100,000.  
"Companies are paying people to jump from one company to another,"  
said Ed Giorgio, a former NSA official and Ponte Technologies
co-founder. The job-hopping can undermine the firm's performance on a  
contract, he said.

Philip Reitinger, deputy undersecretary of Homeland Security's  
National Protection and Programs Directorate, conceded that the  
government generally cannot match industry pay scales. "But in  
government, one can have a bigger ability to effect change at an  
earlier place in your career than anywhere else," he said. "And --  
your country needs you."

Homeland Security officials acknowledged that hiring 1,000 people will  
be difficult, so they are also looking at training people already in  
the federal government.

Cybersecurity lawyers, researchers and policymakers are also in short  
supply. The Pentagon, for instance, lacks a career path to develop  
"expert decision-making in the cyber field," said Robert D. Gourley, a  
former Defense Intelligence Agency chief technology officer. "The  
great cyber-generals are few and far between." 

