Slashdot Mirror


RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage

New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)

16 of 97 comments

  1. RAND totally misses it by Anonymous Coward · · Score: 4, Interesting

    1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
    2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
    3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

    1. Re:RAND totally misses it by Shakrai · · Score: 2

      Good cyber people won't put up with the insane government clearance bullshit.

      There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:RAND totally misses it by Anonymous Coward · · Score: 5, Interesting

      I don't think that you're fully considering point 3).

      Have you ever actually worked with any autodidacts?

      Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with.

      They may have a surface-level knowledge of a particular topic, but they just don't have the depth or breadth that somebody with more formal training tends to have. But that's not even the worst part.

      The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience.

      If you've had to deal with Ruby or JavaScript programmers you'll probably know what I mean. They're often young, totally self-taught, and are often high school dropouts. They can create simplistic web apps, but that's pretty much where it ends. The moment it moves beyond that, they're either creating really big messes or they're moving on to their next "opportunity". If you confront them about the messes that they're creating due to a lack of knowledge and understanding, they'll just label you an "academic snob" and dismiss you without a second thought.

      While somebody with college training isn't guaranteed to be better, in practice they usually are, or at least they understand their level of knowledge better. They're much better people to work with, and the work they produce tends to be a lot better. I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

    3. Re:RAND totally misses it by Anonymous Coward · · Score: 2, Interesting

      Have you ever actually worked with any autodidacts?

      Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with....

      The worst part is that they often have absolutely no idea how much they don't know,

      Yes.

      This is the real problem with autodidacts; their knowledge is patchy and has huge holes, whole areas of study that they are ignorant of. Far too often, you have to spend a few hours educating them just to get them to the point where they understand what they don't know.

    4. Re: RAND totally misses it by Anonymous Coward · · Score: 5, Insightful

      So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.

      Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.

      Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.

    5. Re: RAND totally misses it by Anonymous Coward · · Score: 2, Insightful

      I never said my impression was backed up with nothing. I've worked with federal government employees on projects. Before I knew better, I even interviewed for a few federal jobs and saw first hand a little of what goes on there. I know people who work for the government who have related their experiences to me. I even know more than a few people who are completely incompetent and have managed to rake in six figures for decades working for the federal government, and they are obviously aware and proud of their exploits I might add. I assure you that my beliefs are not simply imagined.

      You are incorrect about the private sector being opaque. Most of the largest companies in this country are publicly traded enterprises. That means the companies must disclose their finances publicly in the form of SEC filings. And regardless of whether a company is publicly held and required to report or privately held, almost any company that wastes money like the federal government will eventually cease to exist. If you think the federal government is transparent, try obtaining employee records from the Department of Defense, for example.

      The federal government doesn't have to worry about doing much of anything efficiently. It is a bottomless pit of waste that operates like it has access to an infinite amount of money. For-profit corporations can't do that; when they run out of money, they go bankrupt (that is unless the federal government deems them worthy of a bailout).

      And don't worry about having to choose between me and someone else for an interview. I would never want to work for someone as out of touch with reality as you apparently are.

    6. Re:RAND totally misses it by Shoten · · Score: 2

      1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
      2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
      3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

      Point #1 is a generalization, and incorrect. When you get into a lot of the higher-level work in cyber, you have to deal with background checks anyways, even outside of a government clearance. While the highest of the high clearances (like a TS/SCI for the NSA) will be like walking across hot coals, the overwhelming majority of clearances are not that hard a process to endure. And the report functionally states, "lower the amount of clearance bullshit and more people will be hireable." So yeah, Point #1 is just plain wrong.

      Point #2 is kind of right. Jessup isn't a great place, but you don't have to live there...just work there. You can easily work at Jessup but live in, say, Takoma Park or Columbia or any of the other really nice neighborhoods that are within 30 minutes. Where you work != where you live.

      Point #3 is dead-on right. Cyber people who are excellent are all autodidacts, in my experience...and the rapid and violent nature of change in the industry demands such.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    7. Re:RAND totally misses it by DoofusOfDeath · · Score: 2

      Good cyber people won't put up with the insane government clearance bullshit.

      There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.

      When I worked at a DoD lab, the clearances weren't the problem, the soul-crushingly inept, capricious IT systems were. I'm easily twice as productive now that I've come back to the private sector.

    8. Re:RAND totally misses it by dcooper_db9 · · Score: 2

      I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

      Of course. Here's a list of some of the other autodidacts whose contributions we can dismiss: Leonardo da Vinci, Frederick Douglass, Thomas Edison, Michael Faraday, Benjamin Franklin, Buckminster Fuller, Jimi Hendrix, Abraham Lincoln, Booker T. Washington, Frank Lloyd Wright and Wilbur Wright.

      --
      I do not block ads. I do block third party scripts.
  2. And how many do they need? by plover · · Score: 2

    So how many of these people are actually needed in the federal government? It's not like having an extra cyber security guy in the FBI helps make Joe's Dry Cleaning a safer business. Security isn't transitive.

    --
    John
    1. Re:And how many do they need? by currently_awake · · Score: 2

      Numbers depend upon the OS you use. It is well known that Linux (or BSD) takes 1/10th the number of administrators to run. How about switching to a lower maintenance OS, and paying off Microsoft for backdooring Windows in some other way?

  3. A lot of cybersecurity contractors by dunkindave · · Score: 5, Informative

    Let me summarize: if you are a federal employee then you are a civil servant and paid according to the GS (General Service) scale. This is what people mean when they say someone is a GS-12 or GS-15. These scales are published by the US Office of Personnel Management and dictated by the President or by Congress. Unfortunately, these pay levels are below what a decent cybersecurity person expects to be paid, and do not compete with private industry. The result is that the cybersecurity people in federal positions are there either because of a sense of duty, or because they didn't cut it in the private sector. This is the classic image of a postal worker. In order to attract better candidates, they need to be paid better which means exempting them from the GS schedule. This is also why a lot of agencies use contractors for these positions because they can pay a contractor a lot more than an employee and thereby get better people in the job.

    Yes, I know I have greatly simplified certain details, but that covers the basics of the problem.

  4. So train them. by Animats · · Score: 4, Interesting

    Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.

    This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

    One unexpected item from the paper: "One operating system, having been installed in almost a billion devices, has yet to attract malware in any significant way -- although it is falls short of being provably secure." What are they talking about? QNX? VxWorks?

    1. Re:So train them. by JimSadler · · Score: 2

      I hate the employers that whine that they can't get good help. The reality is that most employers are not able to pay for skilled or reliable workers. People with tremendous skills and good work habits are available but they do demand real pay. The cabinet shop that wants to hire workers for $10 per hour has a big problem. The cabinet shop that pays $60 per hour gets an entirely different type of worker. Offer $200 per hour and you can create world class cabinets.

  5. Transitive security [Re:And how many do they need? by Geoffrey.landis · · Score: 2

    Security isn't transitive.

    But lack of security is transitive.

    Your system is only as secure as the weakest point in the connection.

    --
    http://www.geoffreylandis.com
  6. The problem is 18 months to get clearance. by gelfling · · Score: 2

    No one will hire anyone w/o clearance and no one will pay someone not to work for the up to 18 months it can take to get clearance. So the community of people with clearance get rehired over and over and over and over.

    Which is why you have Edward Snowden. It's easier to hire an angry ex square-badge high school dropout with clearance than to get someone better vetted.

    BTW under Obama the amount of material labeled 'classified' or higher has exploded. It's pretty much everything everywhere.