Another year, another set of folks who think they’ve cracked the nut on how to address the government’s cybersecurity staffing woes.

It’s not that leveraging the whole of society to address these issues isn’t a good idea, but the road to hell is paved with realities that cannot be abstracted away. This is not an academic problem, yet for 20+ years all we seem to put forth is theory.

Rick Forno published his ideas on how to staff, train, and equip a cyber force back in 1998. Ever since then people have bastardized it in part because they recognized that retooling -INTers into a “cyber” force was going to take decades (it did). Easier to try to augment the then information assurance types with the requisite skills on a part-time basis.

The main problem is that while we knew there were people out there who could do the work, they already had jobs. While the veracity of ratios varies, it is generally accepted that we have more jobs than people to fill them. These people don’t have spare time to go work on your intrusion; they’ve got their own to worry about.

It also didn’t help that the government wanted people on the cheap. ‘Join the fight’ but your company is going to keep paying you. I’m not aware of any commercial concern that is keen to pay full freight for someone they get no benefit from. Also: whatever skills or knowledge they picked up can’t be shared, because, you know, ‘secrets’…

Which leads to another problem: security clearances. The Internet might be unclassified, but doing work for DOD or DHS isn’t going to be. Work the incident in your home lab? Ha! The US security system doesn’t like granting clearances to people who don’t use them on a regular basis. The flip side of that coin? There isn’t exactly a line around the block of people who are willing to alter their lifestyle every day on the off chance they might get called upon to deal with a crisis someday.

I could go on but you get the point: there are very practical reasons why these ideas don’t work, but dusting off and polishing up old, failed legislation beats putting in the work required to move the ball forward.

What might work?

Fix the personnel/HR system. The people you are looking for are not lifers. Your one-size-fits-all book of how to have a career doesn’t apply. Create and plan on the liberal use of waivers. For. Everything. If you think there is a legitimate security concern, be prepared to invest in extra monitoring. If you can’t get over this hump, stop here. There’s no point in going on.

Allocate adequate funding for the expertise you need. The talent you are looking for makes as much if not more than someone with 30 years as a fed. Get your mind right about what the General Schedule is, which is to say, not an indicator of “rank.” Don’t let the opinions of the lifers who spend half their days napping in the agency library weigh on you one iota.

Staff for the right fight. The government can’t meet its own security standards. A lot of the work required to get compliant isn’t specialized or even about ‘security.’ It’s basic, grunt sys admin work. Not sexy, but essential. Breaches and hacks become ‘unprecedented’ because the holes are so big it often takes very little to have a massive impact. You don’t need a CISSP or a GIAC to address that.

Stop pretending. People whinge on about the size of the civilian contractor market but conveniently ignore the fact that Congress is the outfit that puts caps on agency (employee) headcount. Unless you’re a security agency there is nothing ‘inherently governmental’ about security. Contract it out and do it properly: short term, clear deliverables that meet the standards, O&M that the lifers can handle.

I’ve been doing this a long time, and in all that time, there has never been a time when we haven’t been shorthanded. I’ve heard this same pitch close to a dozen times and it never goes anywhere because of some very obvious and fundamental flaws once you get past the rah-rah rhetoric. Absent some original thinking on the issue, I think we’ve reached the ‘acceptance’ stage of the Kübler-Ross model of cybersecurity staffing in the federal government.