Cybersecurity Expert Shortage Puts U.S. At RiskPresidential commission proposes overhauling certifications to increase cybersecurity professional quality and quantity.
The United States faces a chronic shortage in the quality and quantity of its cybersecurity experts, leaving the nation unprepared to defend itself against increasingly sophisticated online attacks.
"A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build, and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest."
So says "A Human Capital Crisis in Cybersecurity," a new study into computer security manpower challenges and potential solutions released by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. The CSIS is a bipartisan public and foreign policy think tank in Washington.
According to the commission's report, "we not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate, and reconstitute from damage due to system failures and malicious acts."
Those warnings were echoed by Jim Gosler, a fellow at Sandia National Laboratory, National Security Agency visiting scientist, and the founding director of the CIA's clandestine information technology office. Speaking to National Public Radio, he said that "we don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time."
Gosler has previously estimated that the United States requires 10,000 to 30,000 people who are highly skilled at cybersecurity but that currently, only about 1,000 are available.
To help the country beef up its cybersecurity prowess, the CSIS notes that pursuing the Comprehensive National Cybersecurity Initiative to attack the problem across multiple domains -- including education and R&D -- should help.
The commission also recommends creating better cybersecurity certifications. Interestingly, it found that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," because certifications focus
"on demonstrating expertise in documenting compliance with policy and statutes, rather than expertise in actually reducing risk through identification, prevention, and intervention."
Alan Paller, director of research for SANS, seconded those certification findings and noted that the issue isn't to do with mistakes in designing certification, but simply that the requirements have changed. "Certifications mostly measured soft skills, and that was all that you needed 25 years ago in security," he said. "But as the nation states started using it for military purposes, and organized crime groups started using it for financial crime, it suddenly became serious, and very technical."
Unfortunately, certifications haven't kept up. "If you take any of the common security certifications for auditors or security professionals, you could quite comfortably pass it. But then if I asked you to reverse-engineer the malware used in this Siemens attack, you'd look at me like I was crazy." Today, however, the U.S. desperately needs those technical security experts.