Risk
7/21/2010
12:59 PM
Connect Directly
RSS
E-Mail
50%
50%

Cybersecurity Expert Shortage Puts U.S. At Risk

Presidential commission proposes overhauling certifications to increase cybersecurity professional quality and quantity.




Image Gallery: Who's Who In U.S. Intelligence
(click for larger image and for full photo gallery)
The United States faces a chronic shortage in the quality and quantity of its cybersecurity experts, leaving the nation unprepared to defend itself against increasingly sophisticated online attacks.

"A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build, and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest."

So says "A Human Capital Crisis in Cybersecurity," a new study into computer security manpower challenges and potential solutions released by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. The CSIS is a bipartisan public and foreign policy think tank in Washington.

According to the commission's report, "we not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate, and reconstitute from damage due to system failures and malicious acts."

Those warnings were echoed by Jim Gosler, a fellow at Sandia National Laboratory, National Security Agency visiting scientist, and the founding director of the CIA's clandestine information technology office. Speaking to National Public Radio, he said that "we don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time."

Gosler has previously estimated that the United States requires 10,000 to 30,000 people who are highly skilled at cybersecurity but that currently, only about 1,000 are available.

To help the country beef up its cybersecurity prowess, the CSIS notes that pursuing the Comprehensive National Cybersecurity Initiative to attack the problem across multiple domains -- including education and R&D -- should help.

The commission also recommends creating better cybersecurity certifications. Interestingly, it found that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," because certifications focus "on demonstrating expertise in documenting compliance with policy and statutes, rather than expertise in actually reducing risk through identification, prevention, and intervention."

Alan Paller, director of research for SANS, seconded those certification findings and noted that the issue isn't to do with mistakes in designing certification, but simply that the requirements have changed. "Certifications mostly measured soft skills, and that was all that you needed 25 years ago in security," he said. "But as the nation states started using it for military purposes, and organized crime groups started using it for financial crime, it suddenly became serious, and very technical."

Unfortunately, certifications haven't kept up. "If you take any of the common security certifications for auditors or security professionals, you could quite comfortably pass it. But then if I asked you to reverse-engineer the malware used in this Siemens attack, you'd look at me like I was crazy." Today, however, the U.S. desperately needs those technical security experts.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.