WASHINGTON — At a time of increasing threats of cyberattacks on critical infrastructure, the Department of Homeland Security is having trouble recruiting much-needed computer experts because it cannot match the pay of the private sector and does not have the same allure as intelligence agencies.
Recent disclosures that Iranian hackers with ties to the government in Tehran had launched a cyberattack against a dam in New York highlighted the need for the department, which is charged with protecting government and private systems from cyberintrusions, to have a staff capable of responding to sophisticated enemies.
“We are competing in a tough marketplace against a private sector that is in a position to offer a lot more money,” Jeh Johnson, the Homeland Security secretary, told senators at a hearing last month. “We need more cybertalent without a doubt in D.H.S., in the federal government, and we are not where we should be right now, that is without a doubt.”
Concern about the potential for cyberattacks on infrastructure was heightened after a Dec. 23 hack of the Ukrainian power grid that caused a blackout for 225,000 customers. The department, which helped Ukrainian officials investigate the case, confirmed that it was a cyberattack.
But officials said the attack in 2013 on the small dam in New York, which lies less than 20 miles north of New York City and is used mostly for flood control, was alarming, because it underscored that foreign hackers were targeting the nation’s infrastructure. Seven men said to be working for two Iran-based computer security companies on behalf of the Islamic Revolutionary Guards Corps, a branch of the Iranian military, were charged in the attack.
Preet Bharara, the United States attorney for the Southern District of New York, who is prosecuting the case, called the attack a “frightening new frontier for cybercrime” during a news conference last month announcing the indictment.
The cyberattack on the dam, with its antiquated computer system, has raised the specter of similar attacks on power grids, pipelines and the air traffic control system, since many of these systems are also run on outdated hardware and software.
According to federal data, nearly 300 attacks were reported on critical infrastructure last year, up from just under 200 in 2012. The data shows attempted attacks on a wide variety of targets, including in the health care and manufacturing fields.
The reports say the nature of the attacks shows a level of sophistication beyond the ability of most casual hackers. Overall, nearly 600,000 cybersecurity incidents involving government and private computer systems were reported to the department in 2014, the most recent year for which data was available.
To counter these intrusions, the Obama administration and Congress approved the Cybersecurity Enhancement Act of 2014, which among other things emphasized recruitment of a cybersecurity work force for the government.
But the Department of Homeland Security, even with 691 people staffing its cybersecurity division, has not been able to recruit a work force to match the threat.
The Office of Personnel Management, with the approval of Congress, has given the department the authority to hire up to 1,000 workers by June 30.
“It’s up to D.H.S. to use that new authority to achieve its mission,” said Senator Ron Johnson, Republican of Wisconsin and chairman of the Senate Homeland Security Committee.
In addition to pressure from the private sector, department officials say they also find themselves competing against government agencies like the National Security Agency and the Department of Defense for top talent.
“The deck is stacked against us a little bit,” said Phyllis Schneck, deputy under secretary for cybersecurity and communications at the Department of Homeland Security. “So what we are pitching to people is to explore a hybrid: Do a private sector career and then come and do some time in government. It can be a positive experience in both areas.”
Candy Alexander, a board member at the Information Systems Security Association, a trade group of cybersecurity professionals, said many cybersecurity professionals avoided working for the government, particularly the Department of Homeland Security, because it was not seen as cutting edge.
“For a lot of people who do this work, it is about who gets the coolest toys first,” she said. “And D.H.S. doesn’t come across as a place where that is going to happen.”
Robert Lee, the chief executive and a founder of Dragos Security, a cybersecurity company that focuses on critical infrastructure, sees a more basic problem.
“People are looking for meaningful work and flexibility, and nothing about government screams flexibility,” Mr. Lee said.
“Countering our adversaries and keeping them from disrupting our critical infrastructure can be just as exciting,” he said. “But the D.H.S. is seen as a large bureaucracy, and nothing about it screams change and innovation.”
Ms. Schneck, who was formerly chief technology officer of McAfee, now known as Intel Security, said that the department is trying to change the perception that it is not innovative, and that it is making an aggressive push to hire talent by, among other things, changing the long hiring process.
“I work with some of the smartest people I have ever worked with, and the work is important and fulfilling,” she said.