12:59 PM

Cybersecurity Expert Shortage Puts U.S. At Risk

Presidential commission proposes overhauling certifications to increase cybersecurity professional quality and quantity.

Image Gallery: Who's Who In U.S. Intelligence
(click for larger image and for full photo gallery)
The United States faces a chronic shortage in the quality and quantity of its cybersecurity experts, leaving the nation unprepared to defend itself against increasingly sophisticated online attacks.

"A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build, and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest."

So says "A Human Capital Crisis in Cybersecurity," a new study into computer security manpower challenges and potential solutions released by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. The CSIS is a bipartisan public and foreign policy think tank in Washington.

According to the commission's report, "we not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate, and reconstitute from damage due to system failures and malicious acts."

Those warnings were echoed by Jim Gosler, a fellow at Sandia National Laboratory, National Security Agency visiting scientist, and the founding director of the CIA's clandestine information technology office. Speaking to National Public Radio, he said that "we don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time."

Gosler has previously estimated that the United States requires 10,000 to 30,000 people who are highly skilled at cybersecurity but that currently, only about 1,000 are available.

To help the country beef up its cybersecurity prowess, the CSIS notes that pursuing the Comprehensive National Cybersecurity Initiative to attack the problem across multiple domains -- including education and R&D -- should help.

The commission also recommends creating better cybersecurity certifications. Interestingly, it found that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," because certifications focus "on demonstrating expertise in documenting compliance with policy and statutes, rather than expertise in actually reducing risk through identification, prevention, and intervention."

Alan Paller, director of research for SANS, seconded those certification findings and noted that the issue isn't to do with mistakes in designing certification, but simply that the requirements have changed. "Certifications mostly measured soft skills, and that was all that you needed 25 years ago in security," he said. "But as the nation states started using it for military purposes, and organized crime groups started using it for financial crime, it suddenly became serious, and very technical."

Unfortunately, certifications haven't kept up. "If you take any of the common security certifications for auditors or security professionals, you could quite comfortably pass it. But then if I asked you to reverse-engineer the malware used in this Siemens attack, you'd look at me like I was crazy." Today, however, the U.S. desperately needs those technical security experts.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 21335999.

Published: 2015-10-06
Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove stored SMS messages via a crafted application, aka internal bug 22343270.

Published: 2015-10-06
mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bug 22954006.

Published: 2015-10-06
The Runtime subsystem in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23050463.

Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 23213430.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.