Partnership for Public Service and Booz Allen Hamilton – Cyber In-securIty II Closing the Federal Talent Gap, April 2015.

“Technology has changed our lives. Individuals can email, text and talk to each other, take pictures, get directions, watch television, control their home appliances, read the news, play games and manage their schedules using a device that fits in their pockets. The government uses computers and the Internet for every aspect of its work, from handling crucial information about our national and economic security to managing the air traffic control system, interacting with citizens and processing benefits. The financial system, the electric grid, our nation’s com- merce and communications systems are dependent on computer networks. While these innovations have transformed society, the technology has exposed us to new vulnerabilities, and these dangers continue to grow and evolve. According to James Clapper, the director of national intelligence: “Cy-ber threats to U.S. national and economic security are in- creasing in frequency, scale, sophistication, and severity of impact.”1 In 2014 alone, there were tens of thousands of cyber break-ins adversely affecting the private and public sectors, including 67,168 intrusions into federal systems alone, a 1,121 percent increase from 2006.2 In one instance, intruders from China broke into the U.S. weather system and satellite network, potentially comprising disaster planning, aviation, shipping and other critical uses; while in another case, the top security clearance application files of thousands of federal employees were breached. At JP Morgan Chase, the nation’s largest bank, hackers from overseas gained access to the names, addresses, phone numbers and emails of 76 million customers and seven million small businesses, while the Obama admin- istration blamed North Korea for the crippling computer attack against Sony Pictures Entertainment. Mike McConnell, formerly director of national intel- ligence and the National Security Agency (NSA), noted: “There are two kinds of organizations: those that have been penetrated and are aware, and those that have been penetrated and are unaware.” Protecting communication and information net- works is the responsibility of public- and private-sector organizations, but as President Obama recently stated, “The cyber world is the wild, wild west and to some de- gree [the federal government] is asked to be the sheriff.” All sectors rely on sophisticated technology and soft- ware to defend their data and networks, but more impor- tantly they depend on highly skilled workers capable of dealing with complex and emerging cyber threats. Without these individuals, even state-of-the-art security controls will be of limited value. There is a nationwide shortage of highly qualified cybersecurity experts, and the federal government in particular has fallen behind in the race for this talent – individuals who are essential to protecting our nation’s critical public and private information technology infrastructure. The Partnership for Public Service and Booz Allen Hamilton first examined this problem in a 2009 report entitled “Cyber In-Security: Strengthening the Federal Cybersecurity Workforce,” finding that agencies were having a difficult time recruiting, hiring, retaining and properly training skilled workers in the cybersecurity field. We found that the government did not even know the size and competencies of the workforce let alone what would be needed in the future, and it had no plan to address this problem. During the past five years, the federal government has taken some positive steps, but the same basic prob- lems outlined in our 2009 report have grown more acute as the threat has multiplied. In short, the government still lacks the cyber workforce it needs and still does not have a comprehensive, enterprise-wide strategy to recruit and retain that workforce. Today, just as in 2009, federal agencies are left to fend for themselves in the hypercompetitive market for top cyber talent. Some agencies—like the NSA and FBI—fare better than others, partly because of their mission and partly because they have more personnel flexibilities than their sister agencies. That agency-centric, “have versus have-not” approach has resulted in a federal cyber workforce that in 2015 is uneven at best, especially when compared with top-tier private sector organizations. This stovepipe approach to cyber talent has another, even more serious problem. Our interconnected world requires a seamless team of cyber defenders to protect our networks. Those defenders must be able to operate quickly and collaboratively in ways that cut across both private and public organizations. The cyber talent crisis has persisted long enough. Our nation is at risk as the number and sophistication of cyber-attacks continue to grow, but the government has failed to act with urgency.”