For better or worse, films tend to be a prism through which we can view the values and topics that interest our society. So I think it’s a positive trend that two of the biggest blockbuster releases of 2014 gave cybersecurity the Hollywood treatment.
The more modern setting was found in the movie Blackhat, starring People Magazine’s reigning “Sexiest Man Alive,” Chris Hemsworth, as a convicted hacker working with American and Chinese agencies to capture a cyber-criminal who was attempting to cripple the international banking network. Sure, we can raise an eyebrow at the casting of Thor as a cyber-genius with firearms training, but there’s a bigger picture at play here.
[For InfoSec professionals, the truth is much more interesting than the fiction portrayed in Blackhat, The Movie: Good, Bad & Ridiculous]
The Academy of Motion Picture Arts and Sciences has looked even more favorably on the Internet’s “sexiest man alive,” Benedict Cumberbatch, for his portrayal of Alan Turing, the father of modern computing. In The Imitation Game, which garnered eight Oscar nominations, including Best Picture, and a win for Best Adapted Screenplay, Cumberbatch plays the WWII hero and cryptanalyst who successfully led the British effort to decode the German military’s Enigma encryption machine. The cryptography and mathematics expertise that led to Turing’s code breaking is the stuff of legend, and sharing this story with the masses was long overdue.
So why is it significant that these two movies were made in the same year? While Hollywood studios tend to oversimplify security stories, they do know a thing or two about generating publicity. In the midst of a cybersecurity hiring crisis, compounded by a skills shortage, could these big-budget motion pictures renew interest in Science, Technology, Engineering and Mathematics (STEM) education and create the next Turing or the next generation of white-hat hackers?
It’s no big secret that one of the biggest problems facing the cybersecurity industry is that it is nearly impossible to keep pace with the growing volume and complexity of cyber-attacks launched by covert foreign government agencies, organized crime syndicates, and hacktivists. Exacerbating this problem is the fact that fewer students are interested in computer science.
Look at the numbers: According to ISACA’s 2015 Global Cybersecurity Status Report, a global survey of more than 3,400 ISACA members in 129 countries, 86 percent of respondents see a global cybersecurity skills gap, and 92 percent of those planning to hire more cybersecurity professionals this year say they expect to have difficulty finding a skilled candidate.
The Bureau of Labor Statistics also projects a massive shortage in the IT workforce by 2020: There will be 1.4 million openings, but only 400,000 computer science graduates with the necessary skills to fill the positions.
Figures on the extent of the cybersecurity professional shortage differ, but reports estimate that the U.S. has only one-thousand top-class cyber pros across the private sector, the military, and the civilian government. By comparison, China has nearly 10 times that many trained cyber warriors according to a 2013 USA Today op-ed by Alan Paller, founder of the SANS Institute cyber training school, and George Boggs, president emeritus of the American Association of Community Colleges.
So, in addition to hoping that Hollywood will help increase the sex appeal of cybersecurity careers, what else can be done to stoke the educational fires? Here are two steps I think are most important:
Step 1: Create an academic pipeline for cybersecurity experts, starting in grade school, not high school. More STEM investment, earlier, means there will be a better chance of creating the next Turing.
Step 2: Consistently define career opportunities for students, and help them understand the various kinds of roles that may be available to them: penetration testers, vulnerability researchers, malware researchers, forensic specialists, cryptography engineers, etc. Progress is being made on this front, including:
- ISSA (Information Systems Security Association) has developed the Cybersecurity Career Lifecycle (CSCL).
- The US Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 Historically Black Colleges and Universities and two national labs.
- The National Initiative for Cybersecurity Education (NICE) does a great job of creating a framework and running workshops.
While simply throwing more manpower at cybersecurity may still not be enough, there was a lesson in what Turing created. He knew that in order to break the automated Enigma codes that changed daily, he would need to design a machine that could match that automation, because it would simply take too long for his human team to break them. Who knows where the next great mind will come from, and more importantly, what kind of technology one person may develop that could swing the cyber war in the good guys’ favor?