Facing a shortage of cyber talent, the White House is proposing to share security professionals among federal agencies under a far-reaching reform plan from the Office of Management and Budget.
A mobile, cyber-savvy workforce would be "useful during a major cybersecurity incident, allowing agencies to surge capacity for incident response activities," OMB said yesterday in a sweeping set of recommendations to reshape the U.S. government.
The White House office called for reviewing whether the cyber reservists could help the private sector respond to hacks "affecting critical infrastructure."
OMB said it would coordinate any reservist program with existing cyber services offered by the departments of Homeland Security and Defense. For instance, state governors can already draw on support from the National Guard in the event a cyberattack overwhelms defenses at vital companies like electric utilities or chemical plants.
The reservist program would cap off a wider effort to reform federal hiring practices for in-demand cyber specialists, according to OMB.
But the fate of the Trump administration’s overall vision for the federal government — which also includes controversial plans to merge the departments of Labor and Education and blend research and development offices at the Department of Energy — will in large part hinge on congressional action. Several lawmakers and nonprofit groups slammed many of President Trump’s proposals yesterday, including a renewed push to sell off federal energy assets like those managed by the Tennessee Valley Authority
(E&E News PM, June 21).
Margaret Weichert
, OMB’s deputy director for management, acknowledged that her office’s plan is more of an "art of the possible exercise" but said some parts could move forward without lawmakers’ approval.
"This reform plan will not be implemented overnight, but rather can be used to frame the public discourse over the coming years," she said on a conference call with reporters.
Workforce hurdles
The OMB’s cyber workforce recommendations may be less politically contentious, though they will still face headwinds for implementation. The Department of Commerce and DHS estimated last month that there are nearly 300,000 active job openings for cybersecurity-related positions throughout the U.S. And while the agencies noted in their report to the president that sharing pools of skilled workers could be an "obvious part of the cybersecurity workforce solution," they also pointed out that scant data exist to support scaling up the idea.
"The workforce issue continues to be a major challenge for government, as well as industry," said Emma Garrison-Alexander, vice dean of cybersecurity and information assurance at the University of Maryland University College and former chief information officer of the Transportation Security Administration.
Garrison-Alexander pointed out in a recent interview that private companies keep some competitive edges over federal agencies when it comes to winning over information technology talent, such as the ability to undercut the "daunting" federal hiring process by extending quick job offers to candidates.
"The government loses people during that process, because they say, ‘Hey, I have a job in one hand, and the promise of a job in the other,’" she said.
The new White House report calls for DHS to lead a governmentwide review of the most "critical" cybersecurity vacancies, and work to quickly hire or retrain employees to fill them by next fall.
Mutual assistance
The North American energy industry has assembled a cyber-sharing effort within its own ranks, running a "cyber mutual assistance program" through the Electricity Subsector Coordinating Council
. More than 140 investor-owned utilities, natural gas companies and electric cooperatives now participate, according to the ESCC.
The program is modeled off voluntary aid agreements for responding to severe weather, which see competing power companies share line workers, trucks and other equipment to speed up recovery.
The White House plans to enable agencies to tap into extra cyber expertise during a major incident by the end of 2019. OMB’s embrace of cyber mutual assistance stands in contrast to other parts of the federal government.
DHS and DOE, for instance, have cast doubt on the effectiveness of the energy industry’s mutual aid program in a recent report to Trump (Energywire, May 31). The report found that such assistance efforts may be "stressed" by the "widespread and unexpected" nature of a major attack and technical differences among individual companies’ networks.
"As cyber incidents may impact disparate systems across the country, the impacted owner-operators may not be familiar with each other’s systems and procedures," DHS and DOE said.