Agencies offer guidance on cyber diplomacy, workforce
- By Chase Gunter, Derek B. Johnson
Federal agencies with cybersecurity portfolios transmitted reports this week to President Donald Trump required under a 2017 executive order that called for a full-spectrum analysis of cybersecurity threats.
One longstanding issue familiar to government technology watchers is the shortage of skilled personnel to take cybersecurity jobs – particularly in the face of private-sector competition.
A 52-page report from the Departments of Homeland Security and Commerce stresses the challenge the government is facing on the workforce side. Key is the fact that in government, "cybersecurity pay is below the level needed to attract the necessary talent."
To attract and get people in their positions faster, the report urges OPM and federal agencies to expand use of direct hire authorities and compensation incentives. It also suggests federal and state governments and private sector should consider paying off student debt or subsidizing cost of cybersecurity education. The report also recommends using long-term legislative vehicles to authorize and fund sustained efforts to train and hire the needed cybersecurity workforce.
Moreover, it urges government to speed up its security clearance process by hiring more background investigators, using more interim clearances and increasing automation. The department heads also recommend that the executive branch coordinate federal plans tools to assess cybersecurity career aptitude and technical readiness.
The State Department released two documents on May 31 providing guidance around how best to achieve U.S. objectives for cyberspace in the global arena and on crafting a cyber deterrence framework.
State is calling on policymakers to reestablish norms in the international arena and develop a "menu of options" to impose escalating consequences on bad actors. The department characterizes the U.S. and other democracies as locked in a battle to shape global norms around cyber policy against states who "seek intergovernmental regulation of cyberspace to diminish the role of stakeholders" and exploit Internet wedge issues like censorship and the flow of data.
On the deterrence front, the department recommends the U.S. start from square one by creating a formal policy to outlines consequences for nation states that engage in malicious cyber activity.
Such a policy must be publicly communicated for it to act as an effective deterrent. Representative Ted Yoho (R-Fla.) introduced legislation in April that would outline a formal process for responding to nation-state cyber attacks, and the Trump administration recently delivered its cyber doctrine to Congress, but that report is currently designated as classified.
The State Department report goes on to say that policymakers should develop a range of "swift, costly and transparent consequences" following a cyber attack. However, that is easier said than done, as challenges remain around speedily and accurately attributing cyber attacks to specific nations.
Megan Stifel, former director of international cyber policy on the National Security Council, told FCW in a May 15 interview that while the U.S. is getting better at attribution by pairing technical forensic analysis with more-traditional intelligence sources, it can still take months or even years to arrive at a high-confidence assessment about who was responsible. Even if faster methods are available, it may be risky for the U.S. to telegraph its knowledge that quickly.
"If we can do attribution at mission speed, probably those are not capabilities that we want to disclose publicly," Stifel said.