The Justice Department has one of the most important and high profile cybersecurity missions in government, but like many other agencies, it struggles to attract and retain cyber specialists.
The department’s “Comprehensive Cyber Review” released this week runs through DOJ’s recent work to investigate and prosecute cybercrime, including initiatives aimed at ransomware, the illicit use of cryptocurrency, contractor fraud, and other digital forms of malfeasance.
“The department continues to play a unique and critical role in addressing almost every cyber threat,” the report states.
But even DOJ’s reputation for high-quality cyber work can’t overcome compensation challenges and other issues that make it difficult for the agency to recruit and retain system engineers, cyber prosecutors and other experts, according to the review.
The number of cyber-specialized attorneys at DOJ has remained roughly the same over the past 15 years. The department’s Computer Crime and Intellectual Property Section has employed approximately the same number of attorneys — 37 — since 2010, despite the rising tide of cyber incidents over the past decade.
In general, DOJ’s attorneys are typically paid less than their private sector counterparts, but the report notes the problem is “particularly acute” for cyber-specialized lawyers, where even relatively junior attorneys can secure a significant salary increase by jumping to the private sector.
“The department’s other cyber-related personnel, including special agents, analysts, computer scientists, and IT and information security personnel, face similar compensation disparities between the department and other employers,” the review states. “If not addressed, this problem will result in the department effectively becoming a temporary waystation for cyber talent, rather than a viable long-term career option.”
And DOJ says the private sector isn’t the only competition.
“The risk of personnel attrition is heightened by the fact that other departments within the U.S. government have recently begun to offer more competitive salaries to cyber experts,” the review states. “In many cases, hiring offices within the department do not appear to be aware of similar authorities.”
It specifically highlights the Defense Department’s Cyber Excepted Service, instituted in 2016, that allows DoD to hire cyber experts outside of the traditional civil service system, often at much higher salaries. And it notes the Department of Homeland Security’s new Cyber Talent Management System, introduced in November, also allows DHS to offer salaries as high as the vice president’s in some cases.
“Those pay scales highlight that the department’s ability to compensate its cyber-specialized workforce lags behind not only the private sector, but also the public sector,” the review states.
‘Equal footing’ for agencies
The widening gap between agency authorities for cyber hiring has caught the attention of White House leaders.
During a hearing held by the House Committee on Oversight and Reform subcommittee on government operations on Thursday, Office of Personnel Management Director Kiran Ahuja said OPM wants to work with lawmakers to streamline innovative hiring programs.
“We also want to work with Congress to develop a government wide cyber workforce plan that puts agencies on equal footing when competing for cyber talent,” she said.
Later on in the hearing, Ahuja said there is now “competition within and among our agencies” for cyber experts. She specifically called out DHS’s Cyber Talent Management System.
“That has now become kind of the king of programs within the federal government and other agencies are having to compete with that,” she said.
Jason Miller, the deputy director for management at the White House Office of Management and Budget, said implementing the federal zero trust strategy will require more “in-house” cyber talent. Earlier this week, the White House hosted a cyber workforce summit where officials pointed to more than 700,000 open cybersecurity jobs across the United States.
“This is a place that is a challenge for the federal government. It’s a challenge for a lot of employers,” Miller said. “There’s a shortage across the country.”
DOJ contemplates cyber hiring strategy
Even without additional programs, the DOJ review found the department could be doing more to take advantage of existing authorities for hiring tech talent. The main issue appears to be that many offices aren’t aware of existing hiring flexibilities, or are hesitant to use them due to budget concerns, according to the review.
“These reservations, however, similarly apply to other U.S. agencies who have nonetheless implemented new, enhanced recruitment incentives in recent years,” it adds.
For instance, DOJ could use existing direct hire authority for General Schedule-9 through GS-15 positions in IT management, as well as special pay rates for both entry- and developmental-level computer engineers, computer science and IT specialists.
DOJ can also offer recruitment and relocation bonuses for certain “hard-to-fill” positions, and it could seek approval for “superior qualifications” and “special needs pay-setting” authorities for new GS-level hires. Other tools include relocation pay, college loan repayment programs, and increased leave accrual for non-federal and military experience.
“Although these incentives are available across agencies, department managers and employees are often unaware of their existence, unsure of their requirements, and lack guidance regarding their application in recruitment and retention efforts,” DOJ’s review states.
It ultimately calls on DOJ to develop a hiring and retention strategy to attract a “best-in-class cyber workforce.” It calls for an internal campaign to educate hiring managers and others on existing incentives and authorities.
“Over a longer term, the department should establish a cross-component working group to explore collaboration with Congress to create new types of federal civil service positions for the department’s cyber-related workforce,” the review states.