RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage 97
New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)
RAND totally misses it (Score:4, Interesting)
1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.
Re: (Score:2)
Good cyber people won't put up with the insane government clearance bullshit.
There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.
Re: (Score:3)
Good cyber people won't put up with the insane government clearance bullshit.
There's plenty of Government agencies that need talented IT people (*cough* HHS *cough*) where you don't need to deal with 'insane government clearance bullshit'.
When I worked at at DoD lab, the clearances weren't the problem, the soul-crushingly inept, capricious IT systems were. I'm easily twice as productive now that I've come back to the private sector.
Re: (Score:2)
I hereby declare you as having no idea what you're talking about.
RAND totally misses it (Score:1)
I concur 100%.
Not only do I not want any part of the government clearance bullshit, I don't want any part of the general government bullshit. I don't want to go without a paycheck when the government randomly shuts down. I don't want to be stuck with a crappy GS pay grade. I want to work in the private sector where multiple employers compete with each other other to hire me and I can pick where I want to live.
Besides, government jobs are a haven for the mediocre. I've always had the impression that governme
Re: RAND totally misses it (Score:5, Insightful)
So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.
Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.
Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.
Re: (Score:1)
Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.
I wish I could hug you right now AC.
Re: (Score:2, Insightful)
I never said my impression was backed up with nothing. I've worked with federal government employees on projects. Before I knew better, I even interviewed for a few federal jobs and saw first hand a little of what goes on there. I know people who work for the government who have related their experiences to me. I even know more than a few people who are completely incompetent and have managed to rake in six figures for decades working for the federal government, and they are obviously aware and proud of the
Re: (Score:1)
So in other words you believe your perception, backed up by nothing, to be actual fact and you intend to conduct your professional life accordingly. I can tell you if I had to choose between you and almost anybody else who would get the interview.
Here's a hint to work on your thinking a bit: you know anything about government employees because it is possible to learn things about them. You know nothing about the fraud, waste, and abuse rampant in the private sector because their records are not open, their employees' records are not accessible, and their everyday decisions don't have to be made knowing some armchair quarterback will criticize your every move. So you move carefully.
Add to that the constant media drumbeat designed to reinforce your perceptions because government properly run is the ONLY effective countermeasure to corporate excess and you have, well, you.
Most of that drumbeat comes from the evil empire of the Murdock's. They have done everything they can to corrode and corrupt and destroy government power and democracy in countries throughout the world, especially in the US and UK. Every bit of venomous hate towards the US government, the psychotic conspiracy theory mind-set, the actual birth of the neo-cons themselves, the election of at least half the presidents since Carter - they are behind it all.
They've done exactly the same damage here in the UK, bot
Re: (Score:2)
Relocation is helpful, but only to an extent. If the job is located in Bumfuck, Louisiana, how many tech people actually want to live in a place like that, even if the cost of living is cheaper and relo is compensated?
Re: (Score:2)
Re:RAND totally misses it (Score:5, Interesting)
I don't think that you're fully considering point 3).
Have you ever actually worked with any autodidacts?
Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with.
They may have a surface-level knowledge of a particular topic, but they just don't have the depth or breadth that somebody with more formal training tends to have. But that's not even the worst part.
The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience.
If you've had to deal with Ruby or JavaScript programmers you'll probably know what I mean. They're often young, totally self-taught, and are often high school dropouts. They can create simplistic web apps, but that's pretty much where it ends. The moment it moves beyond that, they're either creating really big messes or they're moving on to their next "opportunity". If you confront them about the messes that they're creating due to a lack of knowledge and understanding, they'll just label you an "academic snob" and dismiss you without a second thought.
While somebody with college training isn't guaranteed to be better, in practice they usually are, or at least they understand their level of knowledge better. They're much better people to work with, and the work they produce tends to be a lot better. I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.
Re: (Score:2, Interesting)
Have you ever actually worked with any autodidacts?
Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with....
The worst part is that they often have absolutely no idea how much they don't know,
Yes.
This is the real problem with autodidacts; their knowledge is patchy and has huge holes, whole areas of study that they are ignorant of. Far too often, you have to spend a few hours educating them just to get them to the point where they understand what they don't know.
Re: (Score:2)
Re: (Score:1)
... The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience. ...
I have actually found the worst offenders of this are not the self taught, but the ones with master degrees and PhDs. They usually do not understand the entire system, and let their ideology cover good sense. And I have yet to see that work out.
From the sound of it, you either want the handful of self-taught who will actually are actively seeking to improve their skills, or somebody who stopped at a bachelors. You're unlikely to get the first group staying long in a CS program, though--have you any idea how mind-numbing it is to sit there with very little to do most of the time, waiting in hope of this week finally finding something new?
Re: (Score:2)
This is one of the problems with some PhDs. It's probably not much of a problem with Bachelor's degree holders; with a BS, you learn enough to learn how to learn more later on, and you learn how little you really know, but you don't get so specialized that you think you're an expert.
Re: (Score:1)
"Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with."
If you've worked with several hundred of anyone who are "among the worst people to deal with" sounds like there might be a whole different kind of problem...you.
Re: (Score:3)
I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.
Of course. Here's a list of some of the other autodidacts whose contributions we can dismiss: Leonardo da Vinci, Frederick Douglass, Thomas Edison, Michael Faraday, Benjamin Franklin, Buckminster Fuller, Jimi Hendrix, Abraham Lincoln, Booker T. Washington, Frank Lloyd Wright and Wilbur Wright.
Re: (Score:2)
What level of autodidactism are we talking about here anyway? High school dropouts, or people with slightly different degrees to what they're currently working in?
Remember, a university education is not a training course. It's supposed to give you the fundamentals so you have a broad education and a starting point to learn more on your own later. It doesn't replace specialized knowledge gained through experience, and never will. Ruby and JavaScript are not languages normally taught at the university lev
Re: (Score:2)
Also, CS teaches absolutely nothing about good real-world design. The most perverse architectures I've seen have come from the highly educated - and I say that being highly educated myself. To borrow an old military cliche, many with hi
Re: (Score:2)
Very good points, especially the part about autodidacts. That one hits home since I am self educated. I've held jobs that 'require' an MBA/MIS degree, CS degrees, etc. In private industry (I work for a small IT security firm currently) I can easily make six figures in jobs that 'require' a degree. The government can shove it as far as I'm concerned.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.
Point #1 is a generalization, and incorrect. When you get into a lot of the higher-level work in cyber, you have to deal with background checks anyways, even outside of a government clearance. While the highest of the high clearances (like a TS/SCI for the NSA) will be like walking across hot coals, the overwhelming majority of clearances are not that hard a process to endure. And the report functionally states, "lower the amount of clearance bullshit and more people will be hireable." So yeah, Point #
Re: (Score:2)
Point #2 is kind of right. Jessup isn't a great place, but you don't have to live there...just work there. You can easily work at Jessup but live in, say, Takoma Park or Columbia or any of the other really nice neighborhoods that are within 30 minutes. Where you work != where you live.
Not really. You can only realistically commute so far; most people don't want to spend more than 1 hour in each direction, and that's kinda pushing it. So yeah, you don't have to live right in Jessup, but you're still stuck i
Re: (Score:2)
1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.
I'd be happy to be a government cyber warrior as long as I can do it in my mom's basement and get paid in hot pockets and star trek dvds.
And how many do they need? (Score:3)
So how many of these people are actually needed in the federal government? It's not like having an extra cyber security guy in the FBI helps make Joe's Dry Cleaning a safer business. Security isn't transitive.
Re: (Score:3)
Re: (Score:2)
Government is an enterprise like any other.
It's users are arguably less technically savvy.
Can you imagine the cost with establishing a secure 1 million user network, where Linux isn't an OS but more probably some disease that was eradicated back in the 1800s. Training would cost so god damn much, take a year or two.
Sure, probably don't need IIS servers. But users need to be on Windows.
Re: (Score:2)
Transitive security [Re:And how many do they need? (Score:3)
Security isn't transitive.
But lack of security is transitive.
Your system is only as secure as the weakest point in the connection.
Re: (Score:2)
Ah Users you mean
Re: (Score:2)
A lot of cybersecurity contractors (Score:5, Informative)
Yes, I know I have greatly simplified certain details, but that covers the basics of the problem.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Don't disgree, but re:
The result is that the cybersecurity people in federal positions are there either because of a sense of duty, or because they didn't cut it in the private sector. This is the classic image of a postal worker.
Government is perceived safer, in the sense that companies go out of business or merge and so forth all the time.
I am not saying this is true, I am saying this is why some people choose government. Do you really think there are many people with a sense of duty? Please. People want safety. What is safer, protesting in the street, or putting on your badge and keeping your mouth shut? The other side of "didn't cut it" is "got sick of constantly being at risk of being cut because someone e
Re: (Score:1)
GS can be decent pay (Score:2)
http://www.opm.gov/policy-data... [opm.gov]
A GS-15 in Atlanta's starting pay is $120034 and they top out at $156043. Now, that's the top level, but you can make decent money as a gevernment employee.
Your basic FBI/DEA/ICE/Secret Service agent is a GS13. Their range is $86,355-112,261. I'm sure some people on here make more than that, but I bet a the majority don't. If you go here (http://www.whatsmypercent.com/), it states someone making $100k is in the 96%. That is the entire US workforce, but should paint a releve
My opinion on what is wrong with our CyberSecurity (Score:1)
This is just my opinion but the problem with cybersecurity is the Information Security people do not have the proper technical background. Around where I live, most of the Information Security people come from a management or project management backgrounds and get very basic Information Security training like how often to force password changes and learning why patching is so important.
In my opinion if an individual does not know how to configure a firewall, do basic packet sniffing/analyzing and fully und
So train them. (Score:5, Interesting)
Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.
This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.
One unexpected item from the paper: "One operating system, having been installed in almost a billion devices, has yet to attract malware in any significant way -- although it is falls short of being provably secure." What are they talking about? QNX? VxWorks?
Re: (Score:2)
Android is on pace to surpass one billion users across all devices in 2014. By 2017, over 75 percent of Android's volumes will come from emerging markets. Source: http://www.gartner.com/newsroo... [gartner.com]
Re: (Score:2)
Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.
I think that's really an unfair comparison. Do other agencies have the insane funding that NSA has? The lack of accountability (and by that I mean they don't have to justify their spend as much). Also, as the article noted, the NSA is except from these pay scales.
This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.
And this goes to show that you missed the points of the report. Most federal agencies are forbidden from paying decent wages because they have to use the pay scales that the government sets.
If you want to make the point that the government pays shi
Re: (Score:3)
Re: (Score:2)
I hate the employers that whine that they can't get good help. The reality is that most employers are not able to pay for skilled or reliable workers. People with tremendous skills and good work habits are available but they do demand real pay. The cabinet shop that wants to hire workers for $10. per hour has a big problem. The cabinet shop that pays $60. per hour gets an entirely different type of worker. Offer $200. per hour and you can create world class cabinets.
I suspect that many employers are able, but not willing, to pay for skilled and reliable workers. I recently spent 9 months at a temp job with a large and wealthy employer, demonstrating my skill and work ethic to the hiring manager. At the end of the job he offered me a permanent position, but at $20 to $25 per hour. I would have been willing to take the job if I could have been compensated for my 900 miles per week commute. However, the policies of the institution did not permit him to do that, or, eq
Re: (Score:1)
Re: (Score:1)
Correct. Mod up. .gov worker, I see plenty of contractors NOT training up .gov staff on the 'easy stuff' . Their contracts say they should train, impart knowledge, the managers say the do , but it is not true. A contractors brains/experience/brilliance is only used 5-10% of the time.
As a
Contractors do like to shirk, or shave time to win their next big assignment/contract. Or curry favor fixing noticeable issues not in their statement of work.
Therefore, there can be massive improvements in outcomes and busin
Weed? (Score:1)
So basically we're talking about weed here, right? Those dominoes are falling.
My main objection to the process I went through to get my TS was the fucking "lie detector" test. Junk science is going to tell them if I'm "solid" or not? Please.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
They know the lie detector isn't reliable. It's an intimidation tool. They hope it will psych you out and prevent you from doing something wrong (espionage, etc.) or that it will cause you to get nervous, sweat bullets, and that they can notice your nervousness as suspicion you're hiding something.
Re: (Score:2)
Looser? Stricter! (Score:2)
Can they become more looser with the likes of Keith Alexander?
The problem is 18 months to get clearance. (Score:2)
No one will hire anyone w/o clearance and no one will pay someone not to work for the up to 18 months it can take to get clearance. So the community of people with clearance get rehired over and over and over and over
Which is why you have Edward Snowden. It's easier to hire an angry ex square-badge high school dropout with clearance than to get someone better vetted.
BTW under Obama the amount of material labeled 'classified' or higher has exploded. It's pretty much everything everywhere.
Re: (Score:2)
Very good point. It used to take six months. Also, a TS lasted for five years, now, I think, it only lasts for two.
Just more massive government inefficiency.
who would want to? (Score:1)