Good-Guy Government Hackers Fear The Worst From Trump’s Hiring Freeze
Networks are easy to attack if no one's there to defend them. One former official said there'll be 'hell to pay'
It’s long been difficult for the federal government to hire and keep top cybersecurity employees. But thanks to President Donald Trump’s decision to freeze new hires and raises for most federal agencies, officials worry that government computers and networks are now more vulnerable than ever before.
“Cybersecurity professionals are in extremely high demand, which means that the government is competing with the private sector, who is paying a premium for this talent,” Dan Jacobs, the cybersecurity program coordinator at the Government Services Administration, told Vocativ.
“It’s hard enough already to retain talent. This will make it that much harder,” one information technology staffer at a federal agency, who was not authorized to speak on behalf of her department, told Vocativ.
Government computers are often woefully out of date, and federal networks face a never-ending stream of cyberattacks from a range of sources, including government and independent criminal hackers. Major breaches are relatively rare, but can be devastating when they do occur.
When the government’s equivalent of a human resources department, the Office of Personnel Management, was hacked in 2015, the results were disastrous. The attackers acquired the background checks of employees with critical national security jobs. And some 21.5 million Social Security Numbers were leaked, leading the Defense Department to spend some $500 million on identity theft insurance programs.
Trump’s hiring freeze makes the tough job of tech recruitment significantly tougher, said Ann Dunkin, who was until recently chief information officer of the Environmental Protection Agency. On Jan. 20, like a number of federal CIOs, she resigned at Trump’s request.
“There are some very critical security contracts in process at EPA right now, so that is deeply scary,” Dunkin told Vocativ.
“The federal government is trying very, very hard, and has been making some really great progress” in hiring tech personnel, she said. “And then you basically put the brakes on it, and potentially people start going backwards.”
Across agencies, the issue is twofold. First, a hiring freeze puts serious pressure on the pipeline of employees. Between security clearances and government bureaucracy, hiring a tech or cybersecurity staffer can often take nine months to a year between a successful interview and start date.
“You often find people who say ‘yes I want to serve my country,’” Dunkin said. But they often find another job while they wait to start. “There is a job market, they’re looking, they find something else. They graduated from college and they need to be employed,” she said.
Second, when it comes to government cyber jobs, the money just isn’t there. Cybersecurity is a rapidly growing industry, with one 2016 study estimating one million unfilled jobs worldwide.
According to the U.S. Bureau of Labor Statistics, computer and information systems managers made an average salary of $131,600 in 2015, a number that’s likely still increasing, given the industry’s skyrocketing trajectory. But figures provided to Vocativ by the federal Office of Personnel Management show that federal information technology management employees — excluding certain departments, including the NSA and CIA — were making $99,527 a year as of September 2016.
And that’s still not the full story, according to Jake Williams, founder of the information security firm Rendition Infosec. From 2008 to 2013, Williams hunted for vulnerabilities on behalf of the Department of Defense. The pay was low enough for the industry, he said, that he began making almost as much money by using his personal days to take on side jobs.
“There was a point where the math no longer worked out,” Williams said. “I loved the mission … but as I kept looking around, consistently there was just bad talent beside me and I kept watching good talent walk out the door.”
The best employees, Williams said, would consistently get poached for significantly higher pay, creating a brain drain environment where many of the employees who weren’t tempted by huge salaries weren’t as skilled as those who left.
“The thinning of the herd unfortunately happens at the top of the skill divide. At the bottom of it are the folks who can’t hang, who know they don’t have the skills. They end up staying on,” he said.
Eventually, Williams created his own company, where he’s already hired two employees from DOD. “I have several more I am actively targeting right now, and I suspect if you talk to me in a year I’ll have hired another six or seven,” he said. “As a citizen, I’m concerned. As a business owner, I couldn’t be happier.”
Trump’s decision to enact the freeze is controversial in the cybersecurity world for reasons besides the additional hassle for government professionals. A previous Government Accountability Office report on federal hiring freezes enacted by presidents Jimmy Carter and Ronald Reagan found they were ineffective, disrupted agency operations, and in some cases cost the government money.
“I hope [the new administration] quickly understands how vulnerable everyone is, and how important it is to keep our guard up. I suspect folks who are calling the shots will see that,” said one recent senior cybersecurity official of a major federal agency, who was also asked to resign on the day Trump took office. (The official requested that their name and department not be published, so as not to draw negative attention to former coworkers.)
“If they don’t, it’s gonna be hell to pay,” the official said. “That whole field is a cruel teacher.”