The Department of Homeland Security can’t ensure it’s prepared for increasing national cybersecurity threats because it has yet to complete a thorough workforce assessment, according to an inspector general report.
DHS failed to submit complete, annual workforce assessments on time the last four years, as required by the Federal Cybersecurity Workforce Assessment Act of 2015.
The agency also failed to submit a complete annual cyber workforce strategy during the same period.
“You can’t ensure that any of our federal systems are truly secure or at risk if you do not have the ability to confidently say the workforce is ready — properly staffed and properly trained,” said Simone Petrella, CEO at CyberVista, which runs training initiatives for federal agencies.
Petrella said DHS’s failure to comply with the law is “fairly unsurprising” considering the department was cobbled together from 22 “historically disparate” agencies in 2002 — making coordination difficult. The Secret Service’s cyber mission and mandates differ from the U.S. Computer Emergency Readiness Team’s, for instance.
The IG found the 2015 law created “overlapping and new requirements” that hindered DHS’s ability to meet the data call, much like the Department of Defense between 2007 and 2014, when it was tasked with creating cyber training requirements.
DOD got as far as revising a directive on compliance measures three years ago but never published a corresponding manual fleshing out the details because, by then, DHS had taken point on cyber workforce issues, Petrella said.
“For DHS, it makes sense from a homeland security perspective to have oversight over critical cybersecurity functions,” she added.
DHS responded to the 2015 law by creating a Cybersecurity Statutory Authority Program team within its Office of the Chief Human Capital Officer. Upon its creation in 2016, the team consisted of only four federal staff and eight contractors.
In response to the IG report’s recommendation that DHS assign more staff resources to complete cyber workforce assessments and strategies on time, OCHCO increased those numbers to 16 federal staff and more than 100 contractors in 2019. The agency plans further increases to 35 federal employees and additional contract support by 2021.
The IG also found that DHS struggled with the mandates because cyber workforce data wasn’t readily available.
“The biggest step they need to take is to apply a common measure of assessment across the entirety of the workforce,” Petrella said.
That involves coding roles as cyber versus cyber-enabled.
A purely cyber role is directly involved in security a majority of the time, whether that’s network defense, monitoring or incident investigation and response. Cyber-enabled roles fall in the information technology realm, but security is a secondary responsibility — as with application developers.
Because DHS didn’t have job codes created, it would have been forced to audit the cyber funding it received to determine if the money did, in fact, go toward cyber roles, Petrella said.
“You’re doing that all in the retrospective, almost forensically,” she said. “In order to track data you need to understand the roles in your organization.”
DHS’s lack of a cyber workforce strategy presents another problem, according to the report: the agency can’t plan for future needs.
“These issues are exacerbated by the department’s rising vacancy rate in civilian cybersecurity positions, which increased from 9% in March 2017 to 12% in November 2018,” reads the report. “Hiring and recruiting efforts will become more critical as the department faces a retirement surge in coming years.”
Despite the inherent challenges, DHS isn’t absolved of all responsibility, Petrella said.
The agency had the chance to implement mitigations to capture cyber workforce data and didn’t.
“This is not a new issue that only arose in the last year,” she said.