Agencies need younger, more experienced hackers
- By Derek B. Johnson
- Aug 04, 2020
With a 17-year-old Tampa student charged with last month's Twitter hack, it’s becoming clear that in the digital domain, practical experience quickly outstrips age and even credentials in importance.
Federal agencies could do much to improve their cybersecurity talent pool if they moved away from restrictive General Schedule hiring practices and were more open to bringing on younger candidates, according to Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency.
"You know at this point, particularly in cyber, I'm not sure it matters if you're 45 or 17, which speaks to the ways that we need to evolve our hiring practices," Krebs said during an Aug. 3 online discussion hosted by the Wilson Center.
"I'm getting, 17, 18-year-olds that apply for a job and [they] have six years of practical -- operational effectively -- experience in security research," Krebs said. "So, they've been online white hat hackers since they could … turn on a computer."
The federal government’s General Schedule hiring system doesn't credit the skills and experience of younger hackers. The current standards are "based on a system from 1929, almost a clerical hiring approach … that really prioritizes experience in a professional setting" such as graduate and post graduate degrees, Krebs said. That approach, where higher levels of credentialing and experience dictate higher performance, is "just not how cyber works," he said.
It's a recurring argument for the agency. In a budget hearing last year, Krebs complained that he couldn't appropriately compensate younger job candidates who had all the skills needed to excel but don't meet traditional educational and credentialing milestones. The result is that CISA and the federal government may be losing out on candidates at the same time it and the private sector are in fierce competition for an increasingly shrinking pool of cyber talent.
The solution, he argued, lies in diversifying STEM education, both in K-12 education and expanding technology trade schools so that two-year degrees replace "the equivalent of … having to go to law school."
The Office of Personnel Management, meanwhile, plans to revamp the hiring process to eliminate "unnecessary obstacles" to federal employment by focusing on skill assessments over credentials like college degrees. Draft changes to General Schedule qualification policies will be issued by Aug. 21.