The Department of Homeland Security (DHS), struggling to find enough cybersecurity talent to meet its needs, says it is going to groom the next generation of cybersecurity pros starting in kindergarten.
But several security experts say that while better education and training are fine, there is plenty of talent out there now -- it just comes in the form of people whom government hiring managers tend to reject because they are, in the words of Hacker Academy founder Aaron Cohen, "socially awkward."
Security consultant Winn Schwartau made much the same point this week at the Hacker Halted conference in Miami. Network World quoted Schwartau as saying, "[Human resources departments] frown on conditions such as attention deficit disorder and autism, or obsessive-compulsive personalities, which are typical of computer geeks willing to focus on an issue through the night."
Geeks don't get past "hiring rules and legal niceties that often categorize them as undesirables. 'We do not fit the mold. We are at the outer limits of normal,'" Schwartau said.
John Felker, a retired Coast Guard captain and vice president of cyber programs at SCI Consulting Services, agrees with Schwartau. "Government hiring is broken," he said. "The government puts all these requirements, like degrees and a CISSP, for jobs that the folks out there don't have, but they're better than the people who do have the qualifications."
And so far, understanding geek culture does not appear to be on the DHS agenda. DHS Secretary Janet Napolitano called for a more standard education and recruitment effort in a blog post last week.
She said her agency is "working to develop the next generation of leaders in cybersecurity while fostering an environment for talented staff to grow in this field. We are building strong cybersecurity career paths within the Department, and in partnership with other government agencies."
And the National Initiative for Cybersecurity Education (NICE), in its strategic plan issued last month, listed as one of its major goals, "Increase exposure to cybersecurity in preK-12 education by emphasizing connections to science, technology, engineering, and mathematics (STEM) education and the role of mathematics and computational thinking in cybersecurity."
Bill Pennington, chief strategy officer at WhiteHat Security, said that is not the way to go. "More and more, the people who are really interested in STEM fields are quickly discovering that they don't need school. I can sit at home and build great software and start a great company with little or no college education," he said.
"All the information is out on the Internet, and on top of that, what they are teaching at some universities is at least two to three years behind the curve. Why would I go to college and spend $100,000 to $200,000 to learn three-year-old technology?"
Exactly what do the DHS and other agencies like the Department of Defense need? Defining that is part of the problem, according to U.S. Army Maj. Gen. John Davis, senior military adviser for cyber to the undersecretary of defense.
Davis, speaking last week at the Center for Strategic and International Studies (CSIS) in Washington, noted that the gap between supply and demand of cybersecurity expertise begins with defining the need itself.
Amber Corrin reported at FCW that Davis told his audience, "We don't have all the capacity and the right sets of skills that we need to do all that's required. In the department we are still struggling to fully define and empower the cyber workforce. It's a big challenge, just to define the techniques."
But Davis said they include "analytics, forensics, training, testing and evaluation, engineering, operational planning, leadership roles, legal, law enforcement -- there's a very wide range that all go into the mix we're calling the cyber workforce."
Pennington agrees. "DHS does not have a specific need -- they need a lot of everything. Defenders for sure -- loads of them -- but they also need a good mix of attackers (even just to test their own systems) as well as good software security people," he said.
There are at least some calls in government for encouraging the personality types that would gravitate toward cybersecurity. Corrin reported that Karen Evans, national director of the U.S. Cyber Challenge, said the State Department is promoting "nerd camps" that promote STEM learning.
But an anonymous commenter on the story was dubious that "nerd" is an effective recruiting tool. "Churning out STEM degrees is not hard and the education system can certainly handle it with current funding," he wrote. "[But] as a culture, maybe referring to efforts like 'nerd camps' is counterproductive. Maybe it makes a difference to some middle-school student who is beginning to wake up to what they want to do with their life.
"Why choose a field where everywhere STEM professions are seen as weird, nerdy, geeky, etc.?" the commenter asked.
Cohen said that even if skilled but "awkward" applicants get through the door to a government agency or contractor, those in management don't understand them or how to communicate with them. "[Managers are] not geeks themselves, they're business people," he said. "That's the approach government takes. They want somebody running the place who will make a budget fit rather than secure the infrastructure."
"I don't think government wants the most talented people," he said. "It wants the most culturally acceptable."
Paul Rosenzweig, founder of Red Branch Law & Consulting and a former DHS assistant secretary for policy, said a related reason for the shortage of cybersecurity talent is the work environment offered by government. "My real suspicion is that it is much more interesting and cool to build new stuff in Silicon Valley than it is to toil doing cybersecurity for DHS," he said.
Schwartau agrees, telling CSO Online, "You have to be able to cater to that culture. Some of them are really simple things. Let them go to a lot of hacker conventions. They perform really well at those conventions."
"[And at the office] give them a hospitable area to work. You provide a hack suite, so they've got stuff to hack. The only way to learn how to defend is to attack," Schwartau said.