Risk
7/21/2010
12:59 PM
Connect Directly
RSS
E-Mail
50%
50%

Cybersecurity Expert Shortage Puts U.S. At Risk

Presidential commission proposes overhauling certifications to increase cybersecurity professional quality and quantity.




Image Gallery: Who's Who In U.S. Intelligence
(click for larger image and for full photo gallery)
The United States faces a chronic shortage in the quality and quantity of its cybersecurity experts, leaving the nation unprepared to defend itself against increasingly sophisticated online attacks.

"A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build, and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest."

So says "A Human Capital Crisis in Cybersecurity," a new study into computer security manpower challenges and potential solutions released by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. The CSIS is a bipartisan public and foreign policy think tank in Washington.

According to the commission's report, "we not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate, and reconstitute from damage due to system failures and malicious acts."

Those warnings were echoed by Jim Gosler, a fellow at Sandia National Laboratory, National Security Agency visiting scientist, and the founding director of the CIA's clandestine information technology office. Speaking to National Public Radio, he said that "we don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time."

Gosler has previously estimated that the United States requires 10,000 to 30,000 people who are highly skilled at cybersecurity but that currently, only about 1,000 are available.

To help the country beef up its cybersecurity prowess, the CSIS notes that pursuing the Comprehensive National Cybersecurity Initiative to attack the problem across multiple domains -- including education and R&D -- should help.

The commission also recommends creating better cybersecurity certifications. Interestingly, it found that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," because certifications focus "on demonstrating expertise in documenting compliance with policy and statutes, rather than expertise in actually reducing risk through identification, prevention, and intervention."

Alan Paller, director of research for SANS, seconded those certification findings and noted that the issue isn't to do with mistakes in designing certification, but simply that the requirements have changed. "Certifications mostly measured soft skills, and that was all that you needed 25 years ago in security," he said. "But as the nation states started using it for military purposes, and organized crime groups started using it for financial crime, it suddenly became serious, and very technical."

Unfortunately, certifications haven't kept up. "If you take any of the common security certifications for auditors or security professionals, you could quite comfortably pass it. But then if I asked you to reverse-engineer the malware used in this Siemens attack, you'd look at me like I was crazy." Today, however, the U.S. desperately needs those technical security experts.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.