Introduction:
1. Cybersecurity Workforce: Departments Need to Fully Implement Key Practices

2. DOD Expands Hacker Program to All Publicly Accessible Defense Information Systems

Cybersecurity Workforce: Departments Need to Fully Implement Key Practices
The Office of Personnel Management's (OPM) Workforce Planning Guide outlines a five-step process for workforce planning efforts: (1) setting the strategic direction, (2) conducting workforce analyses, (3) developing workforce action plans, (4) implementing and monitoring workforce planning, and (5) evaluating and revising these efforts. Within the five steps are 15 applicable practices that are central to effectively managing the cybersecurity workforce. Of the 15 applicable practices, the Department of Homeland Security fully implemented 14 of them. However, the other four selected departments were not as consistent in their implementation of the practices (see figure).
Most of the selected departments reported that they had not fully implemented all 15 practices due, in part, to managing their cybersecurity workforces at the component level rather than the departmental level, as intended by OPM. Until the departments implement these practices, they will likely be challenged in having a cybersecurity workforce with the necessary skills to protect federal IT systems and enable the government's day-to-day functions.
Officials at the five selected departments cited three primary types of cybersecurity workforce management challenges: inadequate funding, difficulties with recruitment, and difficulties with retention. The departments described actions taken to mitigate these challenges. However, none of the departments had evaluated their actions taken to determine the extent to which they had been effective in addressing the challenges. Without evaluating the effectiveness of their mitigation actions, department officials will not know the extent to which their actions are addressing identified challenges and strengthening the cybersecurity workforce.

DOD Expands Hacker Program to All Publicly Accessible Defense Information Systems
The program grew out of the success of the "Hack the Pentagon" initiative that began in 2016. That initiative enabled the Defense Digital Service to offer a "bug bounty" program and engage with hackers. There really was no way for hackers to interact with DOD even if they spotted a vulnerability before this program. "Because of this, many vulnerabilities went unreported," Brett Goldstein, the director of the Defense Digital Service, said. "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."
The original policy was limited to DOD public-facing websites and applications. The expansion announced today allows for research and reporting of vulnerabilities related to all DOD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more, Goldstein said. "This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," he said.
The DOD Cyber Crime Center oversees the program. The expansion was the next logical step, Kristopher Johnson, director, Vulnerability Disclosure Program, said. "The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," he said.
