U.S. Department of Homeland Security
2022: DHS hires only one information security specialist in six months through its new talent system
By the end of May 2022, the U.S. Department of Homeland Security (DHS) had spent seven years building a dedicated personnel system for attracting and hiring cybersecurity professionals. Yet in the first six months of the system's operation only one new employee had actually started work at the department, FCW reported.
DHS plays a key role in federal cybersecurity: it responds to major cyber incidents, helps secure critical infrastructure, and so on. Congress first granted DHS the authority to create the Cybersecurity Talent Management System (CTMS) in 2014; the system went live in November 2021.
The first employee hired through the system started on May 23, 2022, and a second is due to start soon. In total the department has made 15 to 20 "selections" of candidates, according to Travis Howdley, director of innovation in DHS's Office of the Chief Human Capital Officer.
The goal is 150 hires by the end of the fiscal year in September 2022. This first cohort will go to the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Chief Information Officer (CIO).
"We expected that by this point we would have made more staff appointments and hired more people," Howdley said in an interview, but DHS is sticking to the 150-person target nonetheless.
Explaining the slow pace of hiring, the department pointed to the need to raise awareness of CTMS among DHS hiring managers and HR staff, and noted that market pressures affect hiring both inside and outside government and that competition for cybersecurity talent is intense.
The biggest challenge with CTMS so far has been to "convince people how healthy it is," CISA Deputy Director Nitin Natarajan told FCW. CISA is working to educate job seekers and hiring managers on how the new system works.
Hiring is expected to "accelerate" over the summer, Howdley said.
So far the department has reviewed about 2,000 applications. Most came from people already working in the federal government as employees or contractors; 10% to 15% are current DHS employees.
Nearly half of the applicants are seeking entry-level positions, Howdley said, whereas fewer than half of the 150 targeted hires are expected to be entry-level.
DHS also wants to fill senior technical and leadership positions, which will require "more active work on our part," Howdley said.
After the first 150 hires at CISA and the CIO's office, the department plans to bring DHS's "other components" onto the system, and it expects those components to start hiring toward the end of the fiscal year, Howdley said.[1]
2021
Launch of a bug bounty program paying up to $5,000 per flaw found in IT systems
On December 14, 2021, the US Department of Homeland Security (DHS) announced the launch of "Hack DHS", a program that pays a monetary reward for finding flaws and vulnerabilities in its IT systems.
Under the initiative, ethical hackers receive between $500 and $5,000 per vulnerability, depending on its severity. The department commits to verifying a reported flaw within 48 hours and fixing it within 15 days; for more complex issues it will instead produce a remediation plan within that period.
"We are focused not only on protecting and improving the cybersecurity of the private sector and the federal government as a whole, but of course we as a department have to lead by example, and so we are very focused on identifying vulnerabilities and fixing these vulnerabilities," DHS Secretary Alejandro Mayorkas said.
DHS joined the trend of rewarding bug hunting later than some other federal agencies: the Department of Defense (DOD) launched the "Hack the Pentagon" pilot back in 2016, and that same year the IRS started the first such program at a civilian federal agency.
In December 2018, President Donald Trump signed legislation directing DHS to set up a bug bounty program within six months. While Mayorkas did not say how much Hack DHS would cost, the Congressional Budget Office estimated that one year of the pilot program under that legislation would cost $250,000.
"We do invest a lot of money and also focus on this program," Mayorkas said of the initiative, which could become permanent. According to the DHS announcement, the program will run through fiscal 2022, which began in October 2021.
By way of comparison, the DOD program has received more than 29,000 vulnerability reports since its launch, about 70% of which were confirmed as valid by the department.[2]
Pay for the department's cybersecurity specialists brought in line with the vice president's salary
In mid-November 2021, the US Department of Homeland Security announced a new system for recruiting, developing and retaining cybersecurity specialists in the federal government. The pay scale is capped at the vice president's salary of about $255 thousand.
The new system, the Cybersecurity Talent Management System (CTMS), is being launched amid a tight labor market for information security professionals, who are in extremely high demand and can command large salaries. DHS is only one federal department, but it plays a special role in responding to major cyber attacks on critical US infrastructure. The department hopes the new system will help it find and retain talented specialists for critical positions, with a goal of 150 priority hires in 2022.
According to the DHS announcement, CTMS will let the department fill critical cybersecurity positions by selecting candidates on demonstrated competencies, offering competitive compensation, and shortening the time it takes to hire. The first positions filled through the system will be high-priority roles at the Cybersecurity and Infrastructure Security Agency and at the DHS Office of the Chief Information Officer; in 2022, DHS Cybersecurity Service vacancies will open at several other DHS components.
"As our country continues to face a changing landscape of threats, we cannot rely solely on traditional recruitment tools to fill critical vacancies. This new CTMS system will allow our department to better compete for cybersecurity professionals and remain flexible enough to meet the requirements of our critical cybersecurity mission," said DHS Secretary Alejandro Mayorkas.
The CTMS pay scale tops out at the vice president's salary, about $255 thousand in 2021, with limited exceptions up to $332 thousand. As of November 2021 the department is recruiting for a range of cybersecurity roles, including incident response, risk analysis, vulnerability identification and assessment, intelligence and investigations, network and systems engineering, digital forensics, and software security.[3]
2020: Buying location data for millions of mobile phones
In February 2020 it emerged that the US Department of Homeland Security and its component agencies have been using a vast commercial database of location data from millions of mobile phones for immigration enforcement.
According to The Wall Street Journal (WSJ), the authorities bought the geolocation data from Venntel, a company that, the paper reports, has worked with the government since at least 2017.
Venntel did not collect the data itself but bought it from marketing firms, which in turn obtained it from games, e-commerce services and weather apps that asked users for permission to record their location at install time.
Venntel confirmed to the paper that DHS is one of its clients but declined to comment further.
According to the WSJ, arrests were made on the basis of Venntel data. The geodata helped agents determine where the border was crossed and track specific individuals; the paper notes that US agencies routinely use commercial databases to track the movements of people near the Mexican border.
In 2018 the US Supreme Court ruled that the government may not obtain a person's cellphone location records without a court order. Buying the same kind of data from commercial brokers such as Venntel lets the Trump administration keep obtaining it, a practice the WSJ describes as a legal loophole.
A spokesman for US Customs and Border Protection told the WSJ that phone location data is "not being recorded en masse."[4]
2019: DHS requires civilian agencies to create vulnerability disclosure policies
The US Department of Homeland Security has published a draft Binding Operational Directive (BOD) that obliges civilian federal agencies to set up programs for working with outside security researchers to find and fix vulnerabilities in their websites and web applications[5][6].
Under the draft directive, civilian agencies must adopt vulnerability disclosure policies (VDPs) within six months of its publication. Such policies are common in the private sector but almost unheard of in government organizations.
"In seeking public comment, we also understand that requiring individual enterprises to adhere to a vulnerability disclosure policy has never been done before, and certainly not at this scale," said CISA Deputy Director for Cybersecurity Jeanette Manfra.
The change will also be coordinated by the US Office of Management and Budget (OMB), which has issued its own guidance for agencies preparing to adopt a VDP.
2018: Launch of a cyber defense center for critical infrastructure
On July 31, 2018, the US Department of Homeland Security announced the creation of the National Risk Management Center, tasked with protecting banks, energy companies and other industries from serious cyber attacks that could harm critical infrastructure.
2017: Bill to create a US cybersecurity agency passes the House
The Cybersecurity and Infrastructure Security Agency is to be formed in the United States: the corresponding bill passed the House of Representatives by a majority vote in December 2017[7].
The agency will be built from existing units of the US Department of Homeland Security. According to the bill, "the main task of the agency will be to protect and improve the security and resilience of US cybersecurity, emergency communications and critical infrastructure."
DHS Secretary Kirstjen Nielsen, commenting on the bill's passage, stressed that creating such an agency is more relevant now than ever before: "I urge the Senate to pass similar legislation. As recent events (the explosion in New York) show, our country's critical infrastructure can often be a prime target for various enemies of the United States, including terrorists, foreign states and other non-state actors, hackers and ordinary criminals," she said.
- ↑ Seven years in the making, DHS's new cyber talent system boasts just one hire
- ↑ DHS establishes its own bug bounty program, offering outsiders $500 to $5K for discovering flaws
- ↑ The US government just launched a big push to fill cybersecurity jobs, with salaries to match
- ↑ Federal Agencies Use Cellphone Location Data for Immigration Enforcement
- ↑ IMPROVING VULNERABILITY DISCLOSURE TOGETHER
- ↑ MNS requires civilian institutions to create vulnerability disclosure policies
- ↑ [1]