A Human Capital Crisis in Cybersecurity

Technical Proficiency Matters

"The cyber threat to the United States affects all aspects of society, business, and government, but there is neither a broad cadre of cyber experts nor an established cyber career field to build upon, particularly within the Federal government."

Evidence continues to build showing our information infrastructure is vulnerable to threats not just from nation states but also from individuals and small groups who seek to do us harm or who wish to exploit our weaknesses for personal gain.

Where We Are

The nation and the world are now critically dependent on the cyber infrastructure that is vulnerable to threats and often under attack in the most real sense of the word.

"Military and nuclear energy systems are under continuous attack, experiencing large losses. For at least the past six years the US Department of Defense, nuclear laboratory sites and other sensitive US civilian government sites have been deeply penetrated, multiple times, by other nation-states. 'China has downloaded 10 to 20 terabytes of data from the NIPRNet (the sensitive, but unclassified US military network). There is a nation-state threat by the Chinese.'"

Terrorists and organized crime groups are actively exploiting weak U.S. security and extorting money used for criminal purposes and to buy terrorist bombs. In October 2008, for example, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, reported extortionists had threatened to disclose personal and medical information on millions of Americans if the company failed to meet payment demands.

A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest.

"There are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000."

The problem is both of quantity and quality especially when it comes to highly skilled “red teaming” professionals. We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.

The cybersecurity workforce to which we speak in this report consists of those who self-identify as cybersecurity specialists as well as those who build and operate our systems and networks. That workforce includes not only workers on government payrolls, but also those contractors who operate as part of the extended government workforce. It also includes those who build and maintain the critical infrastructure on which the public and private sectors have come to rely.

Where We Need to Go

Having the right number of people with the requisite technical skills matters and there are four elements of any strategy to deal with this challenge.

  • Promote and fund the development of more rigorous curricula in our schools. 
  • Support the development and adoption of technically rigorous professional certifications that include a tough educational and monitored practical component.
  • Use a combination of the hiring process, the acquisition process and training resources to raise the level of technical competence of those who build, operate, and defend governmental systems. 
  • Ensure there is a career path as with other disciplines like civil engineering or medicine, rewarding and retaining those with the high-level technical skills. 

It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security for the following reasons:

  • Individuals and employers are spending scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and
  • Credentials, as currently available, are focused on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention.

In many ways, cybersecurity is similar to like 19th century medicine--a growing field dealing with real threats with lots of self-taught practitioners only some of whom know what they are doing. The evolution of the practice of medicine mandated different skills and specialties coupled with qualifications and assessments. In medicine, we now have accreditation standards and professional certifications by specialty. We can afford nothing less in the world of cybersecurity. We need to develop a culture of professionalism and goal orientation for the cybersecurity workforce; doing so will help prevent, detect, and/or respond to intentional or unintentional compromises involving both federal and other critical infrastructure systems.

Conclusion

We are unified by a shared objective to help protect our critical infrastructure by detecting, responding to and ultimately preventing cyber attacks and accidents. Our analysis indicates there are many initiatives and efforts underway. As included in the President’s Cyberspace Policy Review, the CNCI initiatives are mutually reinforcing and are designed to help secure the United States in cyber space. The goal “to strengthen the future cybersecurity environment by expanding cyber education…” can be achieved by implementing the recommendations included in this paper. We are beginning now.

Karen Evans and Franklin Reeder