The Pentagon plans to triple its cybersecurity staff by 2016, U.S. Secretary of Defense Chuck Hagel announced recently.
A few days later, FBI Supervisory Special Agent Charles Gilgen said at a conference on cybercrime that his agency’s cyber division plans to hire 1,000 agents and 1,000 analysts in the coming year.
Just those two agencies are looking for 6,000 people with cybersecurity skills in the next two years. That’s a very tall order. A look at one way the government has tried to build and recruit such talent—offering university scholarships—shows why.
The biggest such program, called CyberCorps, or Scholarship for Service, started in 2000. The scholarship covers tuition, books, and professional development and includes a cash stipend of $20,000 to $30,000 a year, depending on whether the student is pursuing a bachelor’s, a master’s, or a doctorate. After school, recipients serve in government for the same length of time as they received funding, two to three years, usually. Unlike many government programs, it has seen its budget triple to $45 million a year in the past three fiscal years, says Victor Piotrowski, lead program director for CyberCorps at the National Science Foundation. As of January, CyberCorps had produced 1,554 graduates, with 463 more currently in school.
“You would think, with all those benefits and a hot area, cybersecurity, that people would just be pouring into the program,” says Piotrowski. “We have a very, very tiny pipeline.”
One hurdle is that participants must be U.S. citizens. Right off the bat, that eliminates more than 70 percent of those receiving master’s degrees in computer engineering at U.S. schools, he says.
Another factor: The government can’t offer as much pay as the private sector. An online posting for a cyber-analyst job at the Federal Bureau of Investigation in early 2013—there aren’t any more current listings on the federal government’s job site—advertised a salary of $33,979 to $54,028.
A listing this month for an information security specialist in the U.S. Marine Corps’s cybersecurity division gave a range of $89,924 to $116,901 a year.
That’s just not competitive, particularly for people with in-demand technical skills in malicious software analysis and reverse engineering, according to Golden Richard, a professor with the University of New Orleans Information Assurance Program.
“If you couldn’t break $100,000 as a starting salary, I think you’d have trouble attracting those guys,” he says. Richard said one of his students got a government scholarship to fund his master’s degree but was quickly lured away from his government job by a private company offering him about $150,000 a year.
The government also hurts its chances by allowing contractors who do cybersecurity work for federal agencies to offer higher salaries than the government does for similar jobs, says Seymour Goodman, co-director of the Georgia Tech Information Security Center at the Georgia Institute of Technology.
Even for those interested in serving their country, rather than selling their services to the highest bidder, there’s a mismatch between government bureaucracy and the culture of cybersecurity researchers, Richard says.
“They tend to want to work alone and be independent and work on what they want—and they have that option,” he says. “I don’t see those people being really happy locked in a room unable to talk about what they’re doing.”
Finally, there’s the Edward Snowden problem: Snowden’s leak of top-secret documents on the National Security Agency’s spying activities has created a reputational issue that Piotrowski of CyberCorps worries about. The NSA is the program’s biggest client, taking 142 of its graduates from fiscal year 2007 to 2012.
“Now part of this tiny community we created will turn back, because they’ll say, I don’t want to spy on U.S. citizens,” Piotrowski says.
It’s too early to see any reflection in the program’s numbers, but Piotrowski said he has heard of at least one student who dropped out and cited Snowden’s revelations.
It’s not just government agencies that are desperate for cybersecurity specialists. Almost four in 10 IT security positions went unfilled in 2013, according to a survey of more than 500 organizations by the Ponemon Institute, which studies privacy, data protection, and information-security policy. The figure was almost six in 10 for senior security jobs.
“Market forces aren’t happening fast enough in security,” says Art Gilliland, general manager of enterprise security products at Hewlett-Packard (HPQ), which funded the Ponemon research. “The typical security person is paid the same as a typical IT person, and yet the demand is way higher. The salaries are not increasing fast enough to attract more people.”