Risk
7/21/2010
12:59 PM
50%
50%

Cybersecurity Expert Shortage Puts U.S. At Risk

Presidential commission proposes overhauling certifications to increase cybersecurity professional quality and quantity.




Image Gallery: Who's Who In U.S. Intelligence
(click for larger image and for full photo gallery)
The United States faces a chronic shortage in the quality and quantity of its cybersecurity experts, leaving the nation unprepared to defend itself against increasingly sophisticated online attacks.

"A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build, and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest."

So says "A Human Capital Crisis in Cybersecurity," a new study into computer security manpower challenges and potential solutions released by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. The CSIS is a bipartisan public and foreign policy think tank in Washington.

According to the commission's report, "we not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate, and reconstitute from damage due to system failures and malicious acts."

Those warnings were echoed by Jim Gosler, a fellow at Sandia National Laboratory, National Security Agency visiting scientist, and the founding director of the CIA's clandestine information technology office. Speaking to National Public Radio, he said that "we don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time."

Gosler has previously estimated that the United States requires 10,000 to 30,000 people who are highly skilled at cybersecurity but that currently, only about 1,000 are available.

To help the country beef up its cybersecurity prowess, the CSIS notes that pursuing the Comprehensive National Cybersecurity Initiative to attack the problem across multiple domains -- including education and R&D -- should help.

The commission also recommends creating better cybersecurity certifications. Interestingly, it found that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," because certifications focus "on demonstrating expertise in documenting compliance with policy and statutes, rather than expertise in actually reducing risk through identification, prevention, and intervention."

Alan Paller, director of research for SANS, seconded those certification findings and noted that the issue isn't to do with mistakes in designing certification, but simply that the requirements have changed. "Certifications mostly measured soft skills, and that was all that you needed 25 years ago in security," he said. "But as the nation states started using it for military purposes, and organized crime groups started using it for financial crime, it suddenly became serious, and very technical."

Unfortunately, certifications haven't kept up. "If you take any of the common security certifications for auditors or security professionals, you could quite comfortably pass it. But then if I asked you to reverse-engineer the malware used in this Siemens attack, you'd look at me like I was crazy." Today, however, the U.S. desperately needs those technical security experts.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-5367
Published: 2015-08-27
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows local users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.