Audit finds huge cyber skills gaps at US Department of Homeland Security

By on 07/10/2019 | Updated on 24/09/2020
Kevin McAleenan, acting secretary of the US Department of Homeland Security, inspects security at Miami airport. The auditor has warned that the department’s cyber security needs much closer attention. (Image courtesy: DHS/Tara Molle, flickr).

Officials at the US Department of Homeland Security (DHS) lack the data to assess the strengths and weaknesses of their cyber personnel and are more than two years late in delivering a promised workforce strategy, an internal watchdog has found.

An audit by the Homeland Security inspector general found that the department has fallen behind because it does not have consistent, detailed, readily-available information on its cybersecurity workforce.

To fulfil the requirements of the Cybersecurity Workforce Assessment Act, the DHS – which leads most of the civilian government’s cybersecurity operations, and employed roughly 14,000 cyber personnel as at December 2017 – must submit two comprehensive reports a year: an updated workforce planning strategy, and an assessment of its employees’ capabilities and skills gaps. However, the inspector general’s report found that the department has missed every reporting deadline since the Act came into force four years ago.

It has only submitted one workforce planning strategy report, in 2016, and according to auditors this did not include critical information “pertaining to the readiness, capacity, recruitment, and training of its cybersecurity workforce”.

As for its next strategy report, Homeland Security officials told auditors in February 2019 that they were still working on the 2017 strategy.

Ever-expanding cybersecurity threats

Without a complete workforce assessment and strategy, DHS “is not well positioned to carry out its critical cybersecurity functions in the face of ever-expanding cybersecurity threats,” the auditors said, adding that the DHS “cannot provide assurance that it has the appropriate skills, competencies, and expertise positioned across its components to address the multifaceted nature of DHS’ cybersecurity work”.

The audit also found that the DHS “may not have an understanding of its future hiring or training needs to maintain a qualified and capable workforce to secure the nation’s cyberspace”.

The inspector general attributed the department’s reporting shortcomings to both internal and external factors, and made clear that they weren’t entirely the fault of the agency.

It said burdensome legal requirements – Congress passed three different but overlapping laws mandating workforce reporting in a short timeframe – and far-flung data sources are hindering the agency’s efforts to plan for the workforce’s future.

The auditors recommend the DHS chief human capital officer assign necessary staff resources to complete the required assessments and strategies in a timely manner; establish a coordinated approach to compiling the cybersecurity workforce data needed to fulfil reporting requirements; and foster and oversee department-wide commitment to fulfilling the requirements.

Poor cyber hiring

The audit comes after the DHS was reprimanded for poor cyber hiring in early September by the chair of the House Homeland Security Committee’s cybersecurity subcommittee and its lead Democrat, as reported by the Federal Times.

The committee chair, Texas Republican John Ratcliffe, said that the DHS needs to overcome the usually slow federal hiring process to build up its cyber workforce, while Democrat Cedric Richmond accused DHS of lagging behind the FBI, National Security Agency and other cyber-focused agencies in attracting cyber talent.  

Richmond said Homeland Security needs to be more forward-looking to appeal to cyber specialists’ desires for professional development and a flexible work culture, and that recruitment and retention programmes should be promoted.

McAfee chief technical strategist Scott Montgomery – who cited one estimate placing the number of unfilled federal cybersecurity positions at 10,000, and described the skills gaps as “disquieting” – recommends that the government consider offering cyber specialists retirement packages and the ability to move up federal pay grades quicker than usual, in a bid to compensate for the higher salaries offered by the private sector.

The inspector general’s report comes as the DHS prepares to roll out a new system for building and managing its cybersecurity workforce, according to NextGov. The Cyber Talent Management System, set to debut in early 2020, will give Homeland Security officials more flexibility in the jobs, salaries and benefits they can offer to cybersecurity personnel. The DHS says the system will also make it easier to determine which employees are serving in a cyber role, assisting the agency in consolidating its workforce data.

About Mia Hunt

Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.
