Federal officials are looking at ways to prevent an "electronic Pearl Harbor," or a sneak cyberattack on the U.S. But in a situation somewhat parallel to the plight of the undermanned and unprepared U.S. military in the 1930s, the federal government is facing a tremendous shortage of people needed to fight any future cyberwar.
During the next seven years, the government will have to replace more than 32,000 information technology workers -- almost half the 71,000 IT workers employed by federal agencies, according to a recent study by the federal Chief Information Officers Council. Much of the turnover is the result of a rise in the number of employees eligible for retirement.
The greatest need is for IT employees with information security skills, according to that report, which also urged the creation of a massive intrusion detection system to protect federal and critical private systems such as energy, telecommunications and transportation against cyberattacks.
Low salaries and incentives make it difficult for federal agencies to compete with the private sector. Government IT workers often start at less than US$25,000 a year (compared with $36,000 in the private sector), and the federal security plan recommends improving pay. There's "fierce competition" for IT workers with security skills, said Timothy Grance, manager of systems and network security at the National Institute of Standards and Technology. But a pay-for-performance salary program and the promise of working on research projects have been hiring incentives, he said.
The national cyberprotection plan recommends funding information security programs at universities and offering scholarships to students in exchange for a commitment to work at federal agencies. Such programs may ultimately benefit private companies.
Only a few universities now offer programs in information security. "Security hasn't made it into the mainstream of academe," said Lance J. Hoffman, a professor of computer science at George Washington University in Washington.
So most IT students study to become programmers or Windows NT experts, while security specialists tend to get their training on the job, said Paul Jansen, manager of information security at USA Group Inc., a 2,800-employee loan guarantor and administration company in Indianapolis. When he hires, "I'm hiring other companies' security people," he said.
If more universities offer security training, "I'm going to get people who have a better understanding of what our profession is all about," Jansen said.
Throughout the industry, firms are having a tough time hiring IT workers with security skills. "I consider the need dire," said Richard Power, editorial director at Computer Security Institute in San Francisco.