A Human Capital Crisis in Cybersecurity
In 2010, Franklin Reeder and Karen Evans, both former Chief Information Officers for the entire federal government, wrote a deep analysis about the shortage of technically proficient cybersecurity professionals in the United States. Their report, entitled A Human Capital Crisis in Cybersecurity, was prepared under the auspices of the Center for Strategic and International Studies in Washington, DC. The report was requested by the two members of the U.S. House of Representatives who co-chaired the Commission on Cybersecurity for the 44th Presidency.
The following excerpts are from the Executive Summary of the report.
Crisis in Cybersecurity
“The cyber threat to the United States affects all aspects of society, business, and government, but there is neither a broad cadre of cyber experts nor an established cyber career field to build upon, particularly within the Federal government.”[1]
Evidence continues to build showing our information infrastructure is vulnerable to threats not just from nation states but also from individuals and small groups who seek to do us harm or who wish to exploit our weaknesses for personal gain.
Where We Are
The nation and the world are now critically dependent on the cyber infrastructure that is vulnerable to threats and often under attack in the most real sense of the word. Military and nuclear energy systems are under continuous attack, experiencing large losses. For at least the past six years the U.S. Department of Defense, nuclear laboratory sites and other sensitive U.S. civilian government sites have been deeply penetrated, multiple times, by other nation-states. As stated by Gen. William Lord, Chief of Warfighting Integration and Chief Information Officer in the Office of the Secretary of the U.S. Air Force, "China has downloaded 10 to 20 terabytes of data from the NIPRNet (the sensitive, but unclassified U.S. military network). There is a nation-state threat by the Chinese."[2]
Terrorists and organized crime groups are actively exploiting weak U.S. security and extorting money used for criminal purposes and to buy terrorist bombs. In October 2008, for example, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, reported extortionists had threatened to disclose personal and medical information on millions of Americans if the company failed to meet payment demands.
A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest. According to interviews conducted with Jim Gosler, NSA Visiting Scientist and founding director of the CIA’s Clandestine Information Technology Office, "there are about 1,000 security people in the United States who have the specialized security skills to operate effectively in cyberspace; however, the United States needs 10,000 to 30,000."[3]
The problem is both of quantity and quality, especially when it comes to highly skilled “red teaming” professionals. We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.
The cybersecurity workforce to which we speak in this report consists of those who self-identify as cybersecurity specialists as well as those who build and operate our systems and networks. That workforce includes not only workers on government payrolls, but also those contractors who operate as part of the extended government workforce. It also includes those who build and maintain the critical infrastructure on which the public and private sectors have come to rely.
Where We Need to Go
Having the right number of people with the requisite technical skills matters and there are four elements of any strategy to deal with this challenge.
- Promote and fund the development of more rigorous curricula in our schools.
- Support the development and adoption of technically rigorous professional certifications that include a tough educational and monitored practical component.
- Use a combination of the hiring process, the acquisition process and training resources to raise the level of technical competence of those who build, operate, and defend governmental systems.
- Ensure there is a career path as with other disciplines like civil engineering or medicine, rewarding and retaining those with the high-level technical skills.
It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security for the following reasons:
- Individuals and employers are spending scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and
- Credentials, as currently available, are focused on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention.
In many ways, cybersecurity is similar to 19th century medicine – a growing field dealing with real threats with lots of self-taught practitioners, only some of whom know what they are doing. The evolution of the practice of medicine mandated different skills and specialties coupled with qualifications and assessments. In medicine, we now have accreditation standards and professional certifications by specialty. We can afford nothing less in the world of cybersecurity. We need to develop a culture of professionalism – and set the right goals – for the cybersecurity workforce. Doing so will help prevent, detect, and/or respond to intentional or unintentional compromises involving both federal and other critical infrastructure systems.
We are unified by a shared objective to help protect our critical infrastructure by detecting, responding to and ultimately preventing cyber attacks and accidents. Technology alone can’t solve the problem. We need good people. The Commission found that, while a number of initiatives and efforts are underway, much remains to be done. The recommendations in this paper are designed to accelerate reaching two goals: (1) expanding the number and quality of highly skilled cybersecurity professionals, and (2) giving those who hire those workers or who buy their services even better indicators of the skill levels of those whom they are engaging. While much is being done, our adversaries are growing in number and capability. We must redouble our efforts.
1. Center for Strategic and International Studies, “Securing Cyberspace for the 44th Presidency,” December 2008, p. 72, http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf.
2. Dawn S. Onley and Patience Wait, “Red storm rising,” Government Computer News, August 17, 2006, http://gcn.com/articles/2006/08/17/red-storm-rising.aspx.
3. Jim Gosler, “Cybersecurity Shortage Threatens U.S. Security,” NPR Morning Edition, July 19, 2010, https://www.npr.org/transcripts/128574055?storyId=128574055?storyId=128574055.