Surprise Report: Not Enough Security Staff

Posted July 22nd, 2009 by

Some days I feel like people are reading this blog and getting ideas that they turn around and steal.  Then I take my pills and my semi-narcissistic feelings go away.  =)

So anyway, B|A|H threw me for a loop this afternoon.  They released a report on the cybersecurity workforce.  You can check out the article on The Register or you can go get the report from here.  Surprise, we don’t have anywhere near enough security people to go around.  I’ve been saying this for years, I think B|A|H is stealing my ideas by using Van Eck phreaking on my brain while I sleep.

 Some revelations from the executive summary:

  • The pipeline of potential new talent is inadequate.  In other words, demand is growing and the amount of people that we’re training is not growing to meet the demand.
  • Fragmented governance and uncoordinated leadership hinder the ability to meet federal cybersecurity workforce needs.  Nobody’s so far been able to articulate how we build an adequate supply of security folks to keep up with demand, and most of our efforts have been at the execution level.
  • Complicated processes and rules hamper recruiting and retention efforts.  It takes maybe 6 months to hire a government employee; this is entirely unsatisfactory.  On my current project I was cleared for 3 years, took a 9-month break, and it took me 6 months to get cleared again.
  • There is a disconnect between front-line hiring managers and government’s HR specialists.  Since the HR folks don’t know what the real job description is, hiring information security people is akin to buzzword bingo.

These are all the same problems the private sector deals with, only in true Government stylie, we have it on a larger scale.


He’s Part of the Workforce photo by pfig.

Now for the things that no self-respecting contractor will admit (hmm, what does this say about me?  I’m not sure yet)….

If you do not have an adequate supply of workers in the industry, outsourcing cybersecurity tasks to contractors will not work.  It works something like this:

  • High Demand = High Bill Rate.
  • High Bill Rate = More Contractor Interest
  • More Contractor Interest + High Bill Rate +  Low Supply = High Rate of Charlatans

Contractors do not have the labor pool to tap into to satisfy their contracts.  If you want to put on your cynic hat (all the Guerilla-CISO staff have theirs permanently attached with wood screws), you could say that the B|A|H report was trying to get the Government to pump more money into workforce development so that they could then hire those people and bill them back to the Government.  It’s a twisted world, folks.

Current contractor labor pools have some of the skills necessary for cybersecurity but not all.  More info in future blog posts, but I think a simple way to summarize it is to say that our current workforce is “tooled” around IT security compliance and that we are lacking in large-scale attack and defense skills.

Not only do we need more people in the security industry, but we need more security people in Government.  There is a set of tasks called “inherent government functions” that cannot be delegated to contractors.  Even if you solely increase the contractor headcount, you still have to increase the government employee headcount in order to manage the contractors.


Posted in Outsourcing, Public Policy | 9 Comments »

Where For Art Thou, 60-Day Review

Posted May 7th, 2009 by

April Fools Day pranks aside, I’m wondering what happened to the 60-day Cybersecurity Review.  Supposedly, it was turned into the President on the 17th.  I guess all I can do is sigh and say “So much for transparency in Government”.

I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, “You can’t handle the truth!”

And this is the problem.  Let’s face it, our information sharing from Government to private sector really sucks right now.  I understand why this is–when you have threats and intentions that come from classified sources, if you share that information, you risk losing your sources.  (ref: Ultra and Coventry, although it’s semi-controversial)

Secret Passage photo by electricinca.

Looking back at one of the weaknesses of our information-sharing strategy so far:

  • Most of the critical infrastructure is owned and operated by the private sector.  Government (and the nation at-large) depends on these guys and the resilience of the IT that these
  • The private sector (or at least critical infrastructure owners and operators) needs the information to protect their infrastructure.
  • Our process for clearing someone to receive sensitive information is to do a criminal records investigation, credit report, and talk to a handful of their friends to find out who they really are.  It takes 6-18 months.  This is not quick.
  • We have some information-sharing going on.  HSIN and Infragard are pretty good so far–we give you a background check and some SBU-type information.  Problem is that they don’t have enough uptake out in the security industry.  If you make/sell security products and services for Government and critical infrastructure, you owe it to yourself to be part of these.
  • I’ve heard people from Silicon Valley talk about how the Government doesn’t listen to them and that they have good ideas.  Yes they do have some ideas, but they’re detached from the true needs because they don’t have the information that they need to build the right products and services, so all they can do is align themselves with compliance frameworks and wonder why the Government doesn’t buy their kit.  It’s epic fail on a macromarket scale.

In my opinion, Government can’t figure out if they are a partner or a regulator.  Choose wisely, it’s hard to be both.

As a regulator, we just establish the standard and, in theory anyway, the private sector folks don’t need to know the reasoning behind the standard.   It’s fairly easy to manage but not very flexible–you don’t get much innovation and new technology if people don’t understand the business case.  This is also a more traditional role for Government to take.

As a partner, we can share information and consequences with the private sector.  It’s more flexible in response but takes much more effort and money to bring them information.  It also takes participation from both sides–Government and private sector.

Now to tie it all off by going back to the 60-Day Cybersecurity Review….  The private sector needs information contained in the review.  Not all of it, mind you, just the parts that they need to do their job.  They need it to help the Government.  They need it to build products that fit the Government’s needs.  They need it to secure their own infrastructure.


Posted in Public Policy, Risk Management | 3 Comments »

LOLCATS Get Fingerprinted

Posted December 4th, 2008 by

A favorite subject for me this week: personnel security, clearances, and being fingerprinted. For those of you who have not yet had the joy of being fingerprinted (a task that we reserve for criminals and people who work with/in the Government), you need to adopt a similar pose to what our lolcat is doing.

Oh yeah, the part that they don’t tell you is that they have cool flatbed scanners that don’t require you to get all inked up; they just have to be approved for use.



Posted in IKANHAZFIZMA | No Comments »

Tangling with the Clearance Monsters

Posted December 2nd, 2008 by

Another pair of client agencies, another pair of clearance forms to fill out….

Want to talk about fraud, waste, and abuse?  I’m in my mid-30s (not ~85 like Alex and Mortman think I should be) and I’ve gone through the clearance process about 3 times a year since 2002 (and once in 1992 and once in 1996), mostly because each agency insists on having its own clearance requirements.

So let’s look at the economics of managing clearances at the agency level; I figure I’m pretty average when it comes to this:

  • ~2 days of filling out SF-86 and other clearance forms 16 hours x $150 = $800
  • ~1 day for fingerprinting and corrections 8 hours x $150 = $400
  • Salaries for cleared personnel = +$15K over “market value” (yes, dear readers, that has become the market value)
  • 3 clearance runs/year for contractors: $1200 billable hours x 3 times/year = $3600/year
  • All this times a bazillion contractors supporting the Government
  • ~2 months before somebody can actually be given any information that they can actually use to do the job.

The “Who Moved my Personnel Security Cheese?” Problem

This is the real crux of the problem: every agency thinks that it is special–that Commerce has a different need for trustworthy people than Health and Human Services does.  We have a phrase for how we’re managing clearances right now: Not Invented Here.

News flash: trustworthy people are trustworthy people and dirtballs are dirtballs.  Honestly, what can the civilian agencies require that a Department of Defense Top Secret clearance doesn’t already cover?  What we need is an Esperanto for clearances.  My opinion is that DoD should trump all, but I’m obviously biased.  =)

Oh, but here’s the keystone to this argument:  all of the clearance processing (forms, background checks, investigations, and fingerprints) is done by the exact same people: Office of Personnel Management (OPM).

Clearance 12 Feet 4 Inches photo by Beige Alert.

Don’t get me wrong, life is not all gloom and doom.  OPM has this wonderful website now with the clearance forms called Electronic Questionnaires for Investigations Processing (e-QIP).  The best part: it remembers your details so you don’t have to fill them out every time.  Clearance paperwork has now become as simple as updating your contact information and job details on a social networking site.  And it does validation of your filing information so that you don’t have a different way of doing things from agency to agency.

Benefits of Centrally-Managed Universal Clearances

Why am I arguing for managing clearances centrally?  Well, I’m both a taxpayer and a contractor.  This is my line of thought:

  • Cheaper because of reduced redundancy (object lesson on the Federal Enterprise Architecture)
  • Reduces “switch costs” for throwing out one contractor in favor of another. (heh, bring me in instead)
  • Quicker onboarding for both govies and contractors
  • More career options for cleared personnel
  • Unified standard of accep
  • Helps us get to one unified Government ID card (ack, HSPD-12)
  • It’s just plain smarter Government!

Deus Ex Barry O?

Oh yeah, it’s Presidential transition time.  This means that everybody with an opinion comes out of the woodwork with their expert analysis on what the Government should do.  While we’re throwing ideas around, I would like to throw my hat in the ring with just a couple:

  1. Appoint an executive-branch CIO and CISO. (already covered that)
  2. Fix the clearance process so that there’s one authoritative set of clearances that apply everywhere.

The problem as I see it is that, left to their own devices, the agencies have to “roll their own” because, as downstream consumers of OPM, they don’t have a unifying standard.  As much as I hate getting mandates from OMB, this might be one that I’m willing to support.  And yes, I probably crossed some sort of political threshold somewhere along the line….


Posted in Rants, What Doesn't Work | 6 Comments »
