FBI Seeks New Crop of Good-Guy HackersCyber Special Agents Face Dangers Other InfoSec Pros Don't
The FBI is seeking to expand its roster of special agents with cybersecurity expertise. But the federal law enforcement agency confronts a number of challenges that recruiters in the private sector don't face. Those include offering relatively low salaries as well as potentially dangerous assignments.
See Also: The Global State of Online Digital Trust
Though compensation for some entry-level positions is competitive with many businesses, the FBI can't match the compensation the private sector offers for more experienced cybersecurity specialists.
In addition, the responsibilities of special agents go far beyond core technology duties to include various law enforcement tasks, such as participating in arrests, search warrants, raids and other dangerous assignments that "pose the risk of personal bodily harm," according to a current job posting for special agent/cyber.
Atypical IT Security Job
"Nobody should think that it's all about making forensic images of computers and sitting behind a desk; that's not an FBI agent's job," say Tim Ryan, a former FBI special agent and supervisor who oversaw the bureau's largest cybersquad.
"We want them to have all these computer skills, but you got to want them to understand coming in: you're an FBI agent," says Ryan, who's now managing director and cyber-practice leader at risk management adviser Kroll. "You'll carry a gun, be trained to defend yourself, defend others. And, when other people are running away from planes going into buildings, your job is to run toward that. You're not going to learn that in a SANS class or a computer science class."
The push to increase the FBI's roster of special agents with cybersecurity expertise comes at a time when a growing number of investigations involve cyber in some capacity. The FBI considers protecting America against cyber-based attacks as its No. 3 priority - after terrorist attacks and foreign espionage - and is actively engaged in the investigation of the nation's most notorious IT security breaches, including Sony Pictures Entertainment, Target and Home Depot.
"Cyber permeates every aspect of what we do, whether it's counterterrorism, criminal investigations or traditional cyber-attacks, as we've seen in the recent past," says Robert Anderson Jr., executive director for the FBI's Criminal, Cyber, Response and Services Branch. "That's why these type of people are so important to get into the pipeline and come into our organization."
In an FBI video, Robert Anderson Jr. discusses the special agent/cyber recruiting program.
The current job posting for special agents/cyber - the FBI expects to recruit fewer than 100 in this round of hirings - emphasizes situations and skills not normally found in private-sector IT security jobs. First, the hiring process is lengthy, taking up to a year. Once hired, rookie agents spend 19 weeks in training in Quantico, Va., away from their families. When training is done, the new agents will be assigned to one of 56 field offices located throughout the United States, including Puerto Rico. And, throughout their careers, special agents must be available for temporary duty assignments anywhere in the world. The minimum work week is 50 hours, and agents must be on call 24x7, including holidays and weekends.
"FBI employees work hard," says former FBI Deputy Assistant Director for Cyber Steve Chabinsky, general counsel and chief risk officer at CrowdStrike, a provider of endpoint security wares. "Still, applications to join the FBI always far outnumber the actual job vacancies. The FBI is a cool place to work because FBI employees have the satisfaction of working on the most important investigations, with access to the most sensitive information, and the ability to stop massive attacks."
The FBI's Anderson says the bureau's mission is unlike anything a cybersecurity expert would face in the private sector, focusing on national security cyber-investigations or major, complex criminal probes with a cyber nexus. "The biggest thing you can offer to anyone that comes to work at the FBI is the mission and the scale of investigations that you work inside the FBI," Anderson says. "It doesn't matter where you go, it doesn't matter who you work for, you can't get that anywhere else but the FBI."
Kroll's Ryan says the FBI can offer its cyber special agents something that the private sector can't: experience combining in-person and electronic investigations. "It's not just conducting computer forensics, but how to do [live] investigations as well, which can be different. You're just not going to get that kind of investigative experience outside the FBI."
Tim Ryan explains how his FBI training helps him solve cases at Kroll.
To become an agent, recruits must be physical fit and pass a medical exam and endure a rigorous background investigation, credit checks and a polygraph in order to obtain a top-secret security clearance.
No one will get rich being an FBI special agent with a cybersecurity specialty. The job posting for special agent/cyber lists a pay range of $59,340 to $76,568. According to a survey conducted earlier this year by the SANS Institute, which offers IT security training, the average annual income of a forensic investigator is $67,273 for someone with zero to three years of experience and $83,624 for those with four to six years of experience (see Why InfoSec Pay Shows Lackluster Gains). The same survey reveals a security engineer earns an average of $70,238 a year with zero to three years and $97,128 with four to six years of experience.
"While it will be harder to sway senior cyber engineers and technicians from their jobs, the bureau's call will appeal to those who are trying to get real, boots on the ground skills and those looking to deepen the type of working they are doing," says Christopher Pierson, chief security officer at the secure invoicing and payments network Viewpost and former president of the Phoenix chapter of InfraGard, an FBI-private sector partnership that shares threat information.
Kroll's Ryan says he expects many of the applicants will be individuals with cyber expertise who have long wanted to join the FBI or other law enforcement agencies. Indeed, he says an underlying message of the current job posting is that individuals who want to become FBI agents should not major in criminal justice but rather select a field that the bureau seeks, such as cybersecurity.