RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage

New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)

RAND totally misses it

1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

Re:RAND totally misses it

[Shakrai]

Good cyber people won't put up with the insane government clearance bullshit.

There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.

Re:RAND totally misses it

I don't think that you're fully considering point 3).

Have you ever actually worked with any autodidacts?

Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with.

They may have a surface-level knowledge of a particular topic, but they just don't have the depth or breadth that somebody with more formal training tends to have. But that's not even the worst part.

The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience.

If you've had to deal with Ruby or JavaScript programmers you'll probably know what I mean. They're often young, totally self-taught, and are often high school dropouts. They can create simplistic web apps, but that's pretty much where it ends. The moment it moves beyond that, they're either creating really big messes or they're moving on to their next "opportunity". If you confront them about the messes that they're creating due to a lack of knowledge and understanding, they'll just label you an "academic snob" and dismiss you without a second thought.

While somebody with college training isn't guaranteed to be better, in practice they usually are, or at least they understand their level of knowledge better. They're much better people to work with, and the work they produce tends to be a lot better. I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

Re:RAND totally misses it

Have you ever actually worked with any autodidacts?

Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with....

The worst part is that they often have absolutely no idea how much they don't know,

Yes.

This is the real problem with autodidacts; their knowledge is patchy and has huge holes, whole areas of study that they are ignorant of. Far too often, you have to spend a few hours educating them just to get them to the point where they understand what they don't know.

Re: RAND totally misses it

So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.

Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.

Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

Re:RAND totally misses it

Damn those people like Jeri Ellsworth.

http://en.wikipedia.org/wiki/Jeri_Ellsworth

     

Re:RAND totally misses it

[dreamchaser]

Very good points, especially the part about autodidacts. That one hits home since I am self educated. I've held jobs that 'require' an MBA/MIS degree, CS degrees, etc. In private industry (I work for a small IT security firm currently) I can easily make six figures in jobs that 'require' a degree. The government can shove it as far as I'm concerned.

Re: RAND totally misses it

[ZG-Rules]

Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

I wish I could hug you right now AC.

Re: RAND totally misses it

I never said my impression was backed up with nothing. I've worked with federal government employees on projects. Before I knew better, I even interviewed for a few federal jobs and saw first hand a little of what goes on there. I know people who work for the government who have related their experiences to me. I even know more than a few people who are completely incompetent and have managed to rake in six figures for decades working for the federal government, and they are obviously aware and proud of their exploits I might add. I assure you that my beliefs are not simply imagined.

You are incorrect about the private sector being opaque. Most of the largest companies in this country are publicly traded enterprises. That means the companies must disclose their finances publicly in the form of SEC filings. And regardless of whether a company is publicly held and required to report or privately held, almost any company that wastes money like the federal government will eventually cease to exist. If you think the federal government is transparent, try obtaining employee records from the Department of Defense, for example.

The federal government doesn't have to worry about doing much of anything efficiently. It is a bottomless pit of waste that operates like it has access to an infinite amount of money. For-profit corporations can't do that; when they run out of money, they go bankrupt (that is unless the federal government deems them worthy of a bailout).

And don't worry about having to choose between me and someone else for an interview. I would never want to work for someone as out of touch with reality as you apparently are.

Re:RAND totally misses it

Some fucked up generalization you have. You may say the same thing about CS graduates. They think they know something, but in reality, they know very little too.

While somebody with college training isn't guaranteed to be better, in practice they usually are

What does that even mean? Someone with unrelated college training? Someone in some related field?

If you are saying someone with "some CS" is better than someone without a degree, sorry. CS is only ever interesting in the 4th year anyway, and only a few classes. Most of rest involves "how to write Hello World".

Re:RAND totally misses it

I have some friends who work in national security / defense sector IT and they actually make very good money. The pay is good b/c the skills are in demand and the clearance process is challenging. Location is another challenge, but they will pay to relocate you for some positions.

Re:RAND totally misses it

[mjwalshe]

SIS (Mi6) at Bletchy park did ok with a bunch of autodidacts in ww2 in fact they taught the NSA most of what they know

Re:RAND totally misses it

[mjwalshe]

wont get an interesting job at a List X firm then - I know of major tech companies where for some projects lead devs have to have DV (TS) Clearance

Re:RAND totally misses it

[mjwalshe]

Quite I had a Graduate say "oh 3db isn't that much" :-)

Re: RAND totally misses it

If you think government spending isn't at least equally as corrupt... Well I see a big difference between working for some black budget agency and something like the EPA or local city council. Even then, some city councils have pulls some stunts as well.

Re:RAND totally misses it

[mjwalshe]

*cough* *cough* Stack ranking and similar disastrous HR policies plus fetishization of CS degrees

Re:RAND totally misses it

[Shoten]

1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

Point #1 is a generalization, and incorrect. When you get into a lot of the higher-level work in cyber, you have to deal with background checks anyways, even outside of a government clearance. While the highest of the high clearances (like a TS/SCI for the NSA) will be like walking across hot coals, the overwhelming majority of clearances are not that hard a process to endure. And the report functionally states, "lower the amount of clearance bullshit and more people will be hireable." So yeah, Point #1 is just plain wrong.

Point #2 is kind of right. Jessup isn't a great place, but you don't have to live there...just work there. You can easily work at Jessup but live in, say, Takoma Park or Columbia or any of the other really nice neighborhoods that are within 30 minutes. Where you work != where you live.

Point #3 is dead-on right. Cyber people who are excellent are all autodidacts, in my experience...and the rapid and violent nature of change in the industry demands such.

Re:RAND totally misses it

Sounds like she's one of the "one or two good autodidacts" that the other AC was talking about. There's an exception to every rule, after all.

Re: RAND totally misses it

He's obviously either a government employee or a troll. Who else would defend the federal government's track record on attracting quality talent and spending money wisely?

Re:RAND totally misses it

[DoofusOfDeath]

Good cyber people won't put up with the insane government clearance bullshit.

There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.

When I worked at at DoD lab, the clearances weren't the problem, the soul-crushingly inept, capricious IT systems were. I'm easily twice as productive now that I've come back to the private sector.

Re:RAND totally misses it

...
The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience. ...

I have actually found the worst offenders of this are not the self taught, but the ones with master degrees and PhDs. They usually do not understand the entire system, and let their ideology cover good sense. And I have yet to see that work out.

Re: RAND totally misses it

I posses a security clearance. It is not hard to get. You just need not to be a criminal or a dirtbag. I just wanted to point out that I am an average guy with no drug convictions and no criminal record. You need to have manageable debt, most of mine is from college. Do not freak out about how hard it is to get a clearance, when you don't know anything about the process.

Re:RAND totally misses it

If they suck, arguably they failed at the self-teaching, and therefor are not autodidacts.

Re: RAND totally misses it

The federal government doesn't have to worry about doing much of anything efficiently. It is a bottomless pit of waste that operates like it has access to an infinite amount of money. For-profit corporations can't do that; when they run out of money, they go bankrupt (that is unless the federal government deems them worthy of a bailout).

These companies are probably being reimbursed by the bottomless pit of federal money, or they are contracters, and I wouldn't be surprised to find out there's stipulations in the contract that if the company exceeds the price, and it is successful/useful they get refunded, plus bonus money.

I think you failed to understand the previous comment, in the private sector companies can get away with making money disappear and there is no way other then some stepping forward from within the company (whistle blower) to know whats going on, any and all employees, and especially those in the upper ranks can keep all information about their company and employees secret. By the way, private companies are very good and smart on how to get away with anything, so unless the whistle blower has physical proof and inside knowledge to backup their claims the company will get away with it.

However the Feds do exactly the same... I have no idea what the commenter went on about with Federal employees, just about any form of government has, and tries to keep secret anything they can, the area I live in the News Papers have to file FOIA's to get local governments to release documents that shouldn't have been kept from the public, even more pathetic the papers are redacted. The lower ranking federal employees are easy to find out about but the upper ranks are very difficult to search. And if commenter doesn't think the SEC and other regulatory bodies can't be bought off to look the other way, until the press/media starts widely reporting about suspected corruption he/she better think again..

Re: RAND totally misses it

NARC!

Re:RAND totally misses it

[Cinnamon+Beige]

... The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience. ...

I have actually found the worst offenders of this are not the self taught, but the ones with master degrees and PhDs. They usually do not understand the entire system, and let their ideology cover good sense. And I have yet to see that work out.

From the sound of it, you either want the handful of self-taught who will actually are actively seeking to improve their skills, or somebody who stopped at a bachelors. You're unlikely to get the first group staying long in a CS program, though--have you any idea how mind-numbing it is to sit there with very little to do most of the time, waiting in hope of this week finally finding something new?

Re:RAND totally misses it

Its the government: they are only looking for warm bodies. All information is compartimentalized on purpose due to security. No one with any desire to learn is going to stay in a government job, unless they get brain damage (since their desire to learn makes them a hazard to themselves and others, a security risk). So, while everything looked "soul-crushingly inept", that was by design. Medocrity helps the pursuit of stability, since everything needs to be redundant with limited value. The main purpose of government is stability, so doing things this way helps to keep things stable.

Re: RAND totally misses it

I think you are the one missing the point.

If you fit their narrowly chosen parameters, sure you get your clearance.

But deviate from the norm one bit, say - be a known homosexual - and suddenly you are on the blacklist.

See "High tech gays"
http://en.wikipedia.org/wiki/High_Tech_Gays_v._Defense_Industrial_Security_Clearance_Office

Re:RAND totally misses it

A lot of university graduates I know think they know everything there is to know about their subject because they have a degree. On balance they're nice enough people I suppose, but they can be quite insufferable regarding their field of study. And worse, some of them even step into other fields they have no expertise in, thinking their degree makes them universally competent or something.

Re:RAND totally misses it

[flappinbooger]

1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

I'd be happy to be a government cyber warrior as long as I can do it in my mom's basement and get paid in hot pockets and star trek dvds.

Re:RAND totally misses it

You learned all this about autodidacts yourself - or? oh wait....

Re:RAND totally misses it

Practically the definition of a PhD in physics.

Re:RAND totally misses it

[DoofusOfDeath]

I hereby declare you as having no idea what you're talking about.

Re:RAND totally misses it

The other aspect of it is that all degrees are not equal, and perception of the importance of certain knowledge isn't always the same. I was in a conversation at work the other day where the attitude seemed to be that once you get into the real world the academic stuff doesn't matter (the question was specifically about linked lists).

I am partly autodidact, though I studied a lot of computer science in high school, took some data structure and algorithms courses in my undergrad, and have spent a considerable amount of time over the years really thinking about software design and architecture. That being said, I know there are a lot of areas where my knowledge falls short - my memory of algorithms is quite weak.

IMO, the more important difference that autodidact vs formally taught is that of whether you care about writing good code. Perhaps it is because I don't have a CS degree (I did EE) I feel constantly insecure about my code and am driven to do better. We have a guy at work who has a masters degree in CS and some of his sloppiness makes me cringe sometimes. I have to assume that is the exception and not the rule though.

Re:RAND totally misses it

you realize that this works the same for a victim of any education path independently of exit level?

Re:RAND totally misses it

"Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with."

If you've worked with several hundred of anyone who are "among the worst people to deal with" sounds like there might be a whole different kind of problem...you.

Re:RAND totally misses it

[dcooper_db9]

I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

Of course. Here's a list of some of the other autodidacts whose contributions we can dismiss: Leonardo da Vinci, Frederick Douglass, Thomas Edison, Michael Faraday, Benjamin Franklin, Buckminster Fuller, Jimi Hendrix, Abraham Lincoln, Booker T. Washington, Frank Lloyd Wright and Wilbur Wright.

Re:RAND totally misses it

Your point about autodidacts is a gross generalization. I've worked with plenty of formally "studied" people who didn't know shit but thought they knew it all because they held a piece of paper saying "I know all."

A true autodidact will have far greater knowledge than someone who is "formally" trained because their own curiosity propels them further and deeper into most subjects. For what it's worth I am an autodidact that forced himself through University. I've seen enough people graduate from Computer Science knowing sweet fuck all, while I and other autodidacts spent countless hours in the labs exploring concepts beyond the formal course. Don't be prejudice. It really doesn't take much, as you say, to seperate those that know how to create a simple app and those that really know their stuff. Trust me, that piece of paper doesn't necessitate knowing their stuff any more than some dropout claiming he's a 1337 coder.

Re:RAND totally misses it

[Grishnakh]

Relocation is helpful, but only to an extent. If the job is located in Bumfuck, Louisiana, how many tech people actually want to live in a place like that, even if the cost of living is cheaper and relo is compensated?

Re:RAND totally misses it

[Grishnakh]

What level of autodidactism are we talking about here anyway? High school dropouts, or people with slightly different degrees to what they're currently working in?

Remember, a university education is not a training course. It's supposed to give you the fundamentals so you have a broad education and a starting point to learn more on your own later. It doesn't replace specialized knowledge gained through experience, and never will. Ruby and JavaScript are not languages normally taught at the university level; those are things you're supposed to learn on your own, after learning more general concepts in a university program. Same goes for web apps; someone who earned a CS degree in 1992 is not going to have any formal training on such a thing, but they'll have learned all the general concepts behind how computers work and behind programming, algorithms, data structures, etc. which they need to learn how to program web apps on their own.

Re:RAND totally misses it

[Grishnakh]

This is one of the problems with some PhDs. It's probably not much of a problem with Bachelor's degree holders; with a BS, you learn enough to learn how to learn more later on, and you learn how little you really know, but you don't get so specialized that you think you're an expert.

Re:RAND totally misses it

[Grishnakh]

Point #2 is kind of right. Jessup isn't a great place, but you don't have to live there...just work there. You can easily work at Jessup but live in, say, Takoma Park or Columbia or any of the other really nice neighborhoods that are within 30 minutes. Where you work != where you live.

Not really. You can only realistically commute so far; most people don't want to spend more than 1 hour in each direction, and that's kinda pushing it. So yeah, you don't have to live right in Jessup, but you're still stuck in Maryland or maybe northern Virginia (if you can stomach driving on the beltway every day--that's a pretty hellish thought). Not everyone is OK with living there; it's a totally different local culture than, say, NYC or Boston or the Bay Area or Seattle or San Diego. Someone who wants to be able to go surfing on the weekends, for instance, will not want to live there. Someone who likes West Coast city culture will not want to live there. Heck, someone who doesn't want to live in a place totally dominated by government workers won't want to live there.

Re: RAND totally misses it

[lucien86]

So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.

Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.

Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

Most of that drumbeat comes from the evil empire of the Murdock's. They have done everything they can to corrode and corrupt and destroy government power and democracy in countries throughout the world, especially in the US and UK. Every bit of venomous hate towards the US government, the psychotic conspiracy theory mind-set, the actual birth of the neo-cons themselves, the election of at least half the presidents since Carter - they are behind it all.
They've done exactly the same damage here in the UK, both countries are little more than burnt remnants of what they once were. Remember that the Murdocks don't care whether you live or die, whether the whole of America is crushed and destroyed, and it really does resemble a third world country - like Detroit but worse.
They are the real aliens. Remember that Murdock = Fox, but it certainly doesn't end at Fox and has tendrils everywhere. Probably in most TV and other media networks. Murdock even looks a little like the elder Emperor Palpatine from Star Wars.

Re:RAND totally misses it

[PJ6]

I agree that too many people get into the field that shouldn't, but you're out of line using your example to generalize to all autodidacts. The most brilliant people in any field are by definition autodidacts, because what education offers falls short of their capabilities.

Also, CS teaches absolutely nothing about good real-world design. The most perverse architectures I've seen have come from the highly educated - and I say that being highly educated myself. To borrow an old military cliche, many with high degrees fall into the "diligent but stupid" camp.

Re:RAND totally misses it

As an autodidact myself (well, to be fair, quite many of my competences come from more senior peers I've worked with over the years), it looks like you're describing general problems with junior developers. When you're junior you obviously see mostly what you know of - which is why it's important at this point to remain humble and try to learn from others.

If you confront them about the messes that they're creating due to a lack of knowledge and understanding, they'll just label you an "academic snob" and dismiss you without a second thought.

I've been into this situation where a junior developed just graduated from university started to call me "mom" (I'm a male subject) after I had to give few "friendly suggestions" regarding his technical solutions which were ignoring few relevant factors. The problem is clearly with ignorance and forgetting lack of own knowledge (sure, statistically this might occur more to autodidacts than graduated "professionals"). I've mentioned this to be typical problem of junior developers. However this obviously happens with seniors as well (which tends to be worse thanks to their higher authority) - "I've been doing this for n+1 years, I know better than you how this should be done" - ignorance can be acquired later as well.

Luckily I've been working with programming languages (C/C++/etc) rather than scripting languages (rb/js/etc) - I'd assume technical incompetence within that population is greater as scripting is considered to be easier to learn (more these kind of autodidacts you mentioned can acquire a scripting-related position). I can only imagine the horrors of incompetence in the scripting world.

And how many do they need?

[plover]

So how many of these people are actually needed in the federal government? It's not like having an extra cyber security guy in the FBI helps make Joe's Dry Cleaning a safer business. Security isn't transitive.

Re:And how many do they need?

[currently_awake]

Numbers depend upon the OS you use. It is well known that Linux (or BSD) takes 1/10th the number of administrators to run. How about switching to a lower maintenance OS, and paying off Microsoft for backdooring Windows in some other way?

Re:And how many do they need?

[trdtaylor]

Government is an enterprise like any other.

It's users are arguably less technically savvy.

Can you imagine the cost with establishing a secure 1 million user network, where Linux isn't an OS but more probably some disease that was eradicated back in the 1800s. Training would cost so god damn much, take a year or two.

Sure, probably don't need IIS servers. But users need to be on Windows.

Re:And how many do they need?

[geoskd]

It's users are arguably less technically savvy. Can you imagine the cost with establishing a secure 1 million user network, where Linux isn't an OS but more probably some disease that was eradicated back in the 1800s. Training would cost so god damn much, take a year or two. Sure, probably don't need IIS servers. But users need to be on Windows.

But every couple of years, MS hands out a perfect reason to convert: New versions.

The cost of retraining to use Windows 8 for example is probably going to be on par with retraining to use Ubuntu or Debian. It could probably even be reduced for Ubuntu or Debian by using a more windows 7 like GUI to help keep the environment as familiar as possible. Any organization that cites conversion retraining costs as their primary cost justification for staying with MS now is either lying (to cover a conflict of interest, bribe, etc...), or incompetent at doing cost analysis.

Re:And how many do they need?

Government is different from other enterprises. Governments don't have to worry about doing things cost effectively or on time. As long as a government can manage to maintain power, it gets as many do-overs as it wants.

Therefore, the cost is of establishing a secure one-million user network for the government is very different than any other enterprise. I wouldn't be surprised if the cost per user is an order of magnitude higher for the government versus private enterprise.

Re:And how many do they need?

[mjwalshe]

FBI cyberguys are provably more on the contra espionage / secret side /CNI protection

"cybersecurity"

Is a bunch of horse shit, a term used by people like the RAND corporation (who have been raping the taxpayer overtly for many decades, and have huge ties to our corrupt to the bone military industrial complex), to enslave human beings even more.

The RAND corporation is certainly a direct arm of the CIA.

RAND totally misses it

I concur 100%.

Not only do I not want any part of the government clearance bullshit, I don't want any part of the general government bullshit. I don't want to go without a paycheck when the government randomly shuts down. I don't want to be stuck with a crappy GS pay grade. I want to work in the private sector where multiple employers compete with each other other to hire me and I can pick where I want to live.

Besides, government jobs are a haven for the mediocre. I've always had the impression that government jobs are for lazy and incompetent people, a place where they can get an easy job with perceived job security and good benefits. There's a reason why certain people end up working for the federal government. If I were in charge of hiring and had resumes of two seemingly equally qualified people except that one had a background working for the government, who do you think would get the interview?

I didn't read the report, but did RAND identify anything wrong with autodidacts other than claiming Snowden is one? Thinking like that is what makes the government a magnet for unmotivated workers.

Too little, too late

What is this report about, drug tests and McCarthyist "background checks"?

If so, this report aims to solve the problems of two years ago, not those of today. I don't think anyone competent enough to have a choice of employer wants to work for unaccountable smarm-bags on the project of universal surveillance and the destruction of his own democracy. I sure hope they don't. I'd like to think hackers are somewhat of a profession who would shun today's spook-shops the way doctors shun Josef Mengele.

A lot of cybersecurity contractors

[dunkindave]

Let me summarize: if you are a federal employee then you are a civil servant and paid according to the GS (General Service) scale. This is what people mean when they say someone is a GS-12 or GS-15. These scales are published by the US Office of Personnel Management and dictated by the President or by Congress. Unfortunately, these pay levels are below what a decent cybersecurity person expects to be paid, and do not compete with private industry. The result is that the cybersecurity people in federal positions are there either because of a sense of duty, or because they didn't cut it in the private sector. This is the classic image of a postal worker. In order to attract better candidates, they need to be paid better which means exempting them from the GS schedule. This is also why a lot of agencies use contractors for these positions because they can pay a contractor a lot more than an employee and thereby get better people in the job.

Yes, I know I have greatly simplified certain details, but that covers the basics of the problem.

Re:A lot of cybersecurity contractors

[mjwalshe]

the same is true of all technical civil service roles both in the Uk and USA

Re:A lot of cybersecurity contractors

[mjwalshe]

I know in the UK I looked at some big data contractor roles and for a full year you would be earning 40% more the Prime Minister

Re:A lot of cybersecurity contractors

All those public sector unions are clearly not pushing the government hard enough during the annual budget and co-operation talks.

Re:A lot of cybersecurity contractors

If you're employed directly by the Federal government (a GSer as you say) the old model still seems to apply: You accept lower pay in exchange for more job security.

I don't think this necessarily means you "don't cut it". Disclosure: I could take this as an insult to my late father who took the Navy, DoD career path. I grew up during his GSer phase, and while money was tight at times (especially in the early years) it was considered unlikely that he would ever get laid off. That was the post-war era. He retired in the mid-80s and had relatively short private sector experience. I wouldn't consider him a "geek". He was in an administrative position, managing several people. This inevitably led him to experience the onset of office automation. The equipment changed; but job security meant that the people were allowed to remain. I occasionally got to visit some of these offices and see some of the equipment. There was one hard drive they had that took some time to spin down. My Dad shows me this refrigerator-sized box and he's like, "see when I push this it starts to go off, but we can't leave until it's fully shut down". I'm not sure if I actually believed him when he told me what was inside--a giant spinning wheel full of electronic files that took time to slow down....

At some point my mother worked for the government also. She had an "in" perhaps from having been a WAVE. Their office was one of the unfortunate purchasers of the Apple Lisa. Oh, the stories...

Re:A lot of cybersecurity contractors

Don't disgree, but re:

The result is that the cybersecurity people in federal positions are there either because of a sense of duty, or because they didn't cut it in the private sector. This is the classic image of a postal worker.

Government is perceived safer, in the sense that companies go out of business or merge and so forth all the time.

I am not saying this is true, I am saying this is why some people choose government. Do you really think there are many people with a sense of duty? Please. People want safety. What is safer, protesting in the street, or putting on your badge and keeping your mouth shut? The other side of "didn't cut it" is "got sick of constantly being at risk of being cut because someone else around the world was cheaper" -- again, that is not cut and dry, government outsources all the time too, that is a prevailing perception, however.

You think government employees are loyal? No, they are there for the money, same as anyone else, anywhere else. Exceptions are not the rule.

There is no difference between the public and private sector anymore. They merged long ago. There is "legal" and "illegal" and that's about it. There is no right or wrong, good or bad, skilled or unskilled. There is just expansion of power or going under. No different than a private company. Governments ARE a company. And private companies ARE governments of sorts.

They are one and the same, my friend.

Re:A lot of cybersecurity contractors

This is the classic image of a postal worker. In order to attract better candidates, they need to be paid better which means exempting them from the GS schedule. This is also why a lot of agencies use contractors for these positions because they can pay a contractor a lot more than an employee and thereby get better people in the job.

Not really. Contractors are frequently used so benefits do not have to be paid, so there is no retirement plan, and it is easy to get rid of people when they are no longer needed. No different than why the private sector uses contractors. So they can pay more? LMAO.

If you think "get better people" is what anyone wants, you are delusional. Government wants to stay in business, companies want to stay in business (make money). Better people rarely is a concern in either of those. Stability is much more important than anything else. "Better people" LMAO.

Re:A lot of cybersecurity contractors

If you are a top professional your skill IS your job security. I've got a hot set of skills right now and a great background (but not in cyber security). I get offered a few 100k+ jobs every WEEK. When you are in demand "job security" is silly. That's the problem - anybody top notch has the best possible security on account of being top notch and being able to prove it.

If you want cutting edge people that's what you need, and the GS and all that doesn't cut it at all. Only second (or third, fourth, fifth...) rate people would see that as a reasonable tradeoff.

Re:A lot of cybersecurity contractors

[anynomous_coward43]

Several of the civil service fields in the DoD are exempted from the GS scale. I can say from many years experience it does not help. The study was spot on, the combination of managers not wanting to pay highly skilled labor more than they think themselves are worth kills it. Also just because they are exempted does not mean they actually pay more or have the budget to do so. Add to that the total lack of leadership competency, which the study also addresses, and voila there's a bi-modal distribution of people in the department. Young and close to retirement; all your mid career engineers leave.

translation

"Looser Civil Service Rules" = suck up old conservative assholes, you might have to hire some stoners instead of your coke head mba buds.

My opinion on what is wrong with our CyberSecurity

This is just my opinion but the problem with cybersecurity is the Information Security people do not have the proper technical background. Around where I live, most of the Information Security people come from a management or project management backgrounds and get very basic Information Security training like how often to force password changes and learning why patching is so important.
In my opinion if an individual does not know how to configure a firewall, do basic packet sniffing/analyzing and fully understand TCP/IP networking then they really should not be in Information security because the people that are trying to get into your systems usually know all of these things plus more.

So train them.

[Animats]

Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.

This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

One unexpected item from the paper: "One operating system, having been installed in almost a billion devices, has yet to attract malware in any significant way -- although it is falls short of being provably secure." What are they talking about? QNX? VxWorks?

Re:So train them.

[transporter_ii]

Android is on pace to surpass one billion users across all devices in 2014. By 2017, over 75 percent of Android's volumes will come from emerging markets. Source: http://www.gartner.com/newsroo...

Re:So train them.

>This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

The NSA undoubtedly can extract the cost of the training out of the employee's hide if they wash out or leave before recouping their costs.

Re:So train them.

[squisher]

Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.

I think that's really an unfair comparison. Do other agencies have the insane funding that NSA has? The lack of accountability (and by that I mean they don't have to justify their spend as much). Also, as the article noted, the NSA is except from these pay scales.

This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

And this goes to show that you missed the points of the report. Most federal agencies are forbidden from paying decent wages because they have to use the pay scales that the government sets.

If you want to make the point that the government pays shit, then you should phrase that differently...

Re:So train them.

[JimSadler]

I hate the employers that whine that they can't get good help. The reality is that most employers are not able to pay for skilled or reliable workers. People with tremendous skills and good work habits are available but they do demand real pay. The cabinet shop that wants to hire workers for $10. per hour has a big problem. The cabinet shop that pays $60. per hour gets an entirely different type of worker. Offer $200. per hour and you can create world class cabinets.

Re:So train them.

[der_pinchy]

I believe they referring to this: http://en.wikipedia.org/wiki/T...

Re:So train them.

Correct. Mod up.
As a .gov worker, I see plenty of contractors NOT training up .gov staff on the 'easy stuff' . Their contracts say they should train, impart knowledge, the managers say the do , but it is not true. A contractors brains/experience/brilliance is only used 5-10% of the time.
Contractors do like to shirk, or shave time to win their next big assignment/contract. Or curry favor fixing noticeable issues not in their statement of work.

Therefore, there can be massive improvements in outcomes and business and capability, IF non-trainers do what they are paid to do

Re:So train them.

[John_Sauter]

I hate the employers that whine that they can't get good help. The reality is that most employers are not able to pay for skilled or reliable workers. People with tremendous skills and good work habits are available but they do demand real pay. The cabinet shop that wants to hire workers for $10. per hour has a big problem. The cabinet shop that pays $60. per hour gets an entirely different type of worker. Offer $200. per hour and you can create world class cabinets.

I suspect that many employers are able, but not willing, to pay for skilled and reliable workers. I recently spent 9 months at a temp job with a large and wealthy employer, demonstrating my skill and work ethic to the hiring manager. At the end of the job he offered me a permanent position, but at $20 to $25 per hour. I would have been willing to take the job if I could have been compensated for my 900 miles per week commute. However, the policies of the institution did not permit him to do that, or, equivalently, offer me $35 per hour. I reluctantly turned down the job.

Weed?

[Frosty+Piss]

So basically we're talking about weed here, right? Those dominoes are falling.

My main objection to the process I went through to get my TS was the fucking "lie detector" test. Junk science is going to tell them if I'm "solid" or not? Please.

Re:Weed?

Fortunately a drug test is not required for a clearance, not even a TS.
But you do have to say you haven't used any illegal drugs.

Re:Weed?

Just join the Scientologists, first. They get *massive* training on manipulating lie detector tests.

                      http://en.wikipedia.org/wiki/E-meter

Re:Weed?

They know the lie detector isn't reliable. It's an intimidation tool. They hope it will psych you out and prevent you from doing something wrong (espionage, etc.) or that it will cause you to get nervous, sweat bullets, and that they can notice your nervousness as suspicion you're hiding something.

Re:Weed?

[mjwalshe]

Mi5 tested lie detectors back in 50's the 35% plus false positive rate got that that idea was dropped

Re:Weed?

[mjwalshe]

I think it is required

Re:Weed?

[dunkindave]

You are not required to take a drug test to get a clearance, though most or all of the employers that need people with TS clearances have company policies that require a drug test. I think you are confusing who asked for the test and why.

Re:Weed?

You are not required to take a drug test to get a clearance, though most or all of the employers that need people with TS clearances have company policies that require a drug test. I think you are confusing who asked for the test and why.

Actually, having held a TS clearance, I knew of a person who had admitted to using weed within the last 10 years (which is one of the questions the investigator asked him, and myself when I had my interview), as a result, he was required to take random drug tests as a condition of keeping his clearance, but that was the issuing agency's rule, not the company we were both working for at the time.

We both left for the private sector in less than 3 years, due to the fact that the advancement issues are pretty much nil, and you don't have to put up with the B.S. in the private sector that you do in gov't work, which is mindless procedures and crap (clearances not withstanding).

Though the Target Data Breach happened due to stupidity, you can find that in any organization, private or government.

Transitive security [Re:And how many do they need?

[Geoffrey.landis]

Security isn't transitive.

But lack of security is transitive.

Your system is only as secure as the weakest point in the connection.

Looser? Stricter!

[Mister+Liberty]

Can they become more looser with the likes of Keith Alexander?

Re:Looser? Stricter!

Inwebster looser means one having watery stools or lacking moral restraint - both def fit.

RAND totally misses it

I also concur, but don't expect your view to be popular on Slashdot. What do you think a lot of those lazy government folks do to pass the time? Could they be Slashdot commenters? LOL!

Re:Transitive security [Re:And how many do they ne

[mjwalshe]

"our system is only as secure as the weakest point in the connection."

Ah Users you mean

Transitive security [Re:And how many do they need?

The makers of SSL-enabled web browsers would disagree...

Age discrimination, no mention of consultants

I was disappointed when I read the full report that RAND emphasized wanting 20-somethings to work in cyber-security, ignoring the body of older people who could fill those slots now, at least on a contractor basis. I find nothing wrong with growing a cyber-force from newly-graduated people. I do think, though, that Rand is short-sighted in its recommendations to not include older people already versed in the arts. As for the problem with attracting great people into the Civil Service System, which celebrates the mediocure, I say "good luck" with that. NSA does it by ignoring the GSA schedule. The DOD used to deal with this issue with contracts. So let's see what happens.

Loosing my respect for RAND

"Looser" Civil Service Rules? There is no need for childish name calling here.

The problem is 18 months to get clearance.

[gelfling]

No one will hire anyone w/o clearance and no one will pay someone not to work for the up to 18 months it can take to get clearance. So the community of people with clearance get rehired over and over and over and over

Which is why you have Edward Snowden. It's easier to hire an angry ex square-badge high school dropout with clearance than to get someone better vetted.

BTW under Obama the amount of material labeled 'classified' or higher has exploded. It's pretty much everything everywhere.

Re:The problem is 18 months to get clearance.

[walterbyrd]

Very good point. It used to take six months. Also, a TS lasted for five years, now, I think, it only lasts for two.

Just more massive government inefficiency.

Re:The problem is 18 months to get clearance.

Still 5 years. I have a whole staff of TS and TS/SCI folks working for me.

Re:The problem is 18 months to get clearance.

SSBI investigations (the kind you get for a TS) are still good for five years.

GS can be decent pay

[MooseTick]

http://www.opm.gov/policy-data...

A GS-15 in Atlanta's starting pay is $120034 and they top out at $156043. Now, that's the top level, but you can make decent money as a gevernment employee.

Your basic FBI/DEA/ICE/Secret Service agent is a GS13. Their range is $86,355-112,261. I'm sure some people on here make more than that, but I bet a the majority don't. If you go here (http://www.whatsmypercent.com/), it states someone making $100k is in the 96%. That is the entire US workforce, but should paint a relevent picture.

So first you made sure only imigrants

People who did not grow up here have a clean record as they avoided the police state for most of their life.
Then you complain you have no workers as everyone has a record if you dig deep enough.

Got it.

who would want to?

[AndyKron]

Who the fuck wants to work for the government except unemployable fucked up alcoholics?