Date: 2021-06-29
For as long as I’ve been involved in and tracking cybersecurity issues there have been two fundamental truths about the problems created by digital scofflaws. First, the primary reason that the bad guys keep scoring points is that security relies on us people above all else. Sure, there are anti-virus programs, multi-factor authentication schemes, and password protocols that all help mitigate the risks inherent to conducting life online. There are laws and regulations meant to introduce protections. Other factors are in play as well. But, when it all boils down to the primary mode of defense, it’s on you and me. Ask any security expert what contributes most to incidents of breach and their response will be “users,” or some other label given to us. We ignore the password best practices. We click into those malicious links in an email. We share too much information without realizing the risks. Take us out of the equation and many problems go away.
The other fundamental truth about what’s giving rise to the continual hacks, breaches, and ID theft issues also points to us humans. Simply put, there are too few of us skilled or schooled in cyber-defense. Study after study for years and years has shown that the talent gap is far from being cinched up. I’m likely exaggerating my history, but it seems like five or 10 years ago the reports reflected that some hundreds of thousands of IT security people were needed to address the problems. Today … the same. CyberSeek, an organization that partners with the federal government to track this talent gap, currently reports that 464,000 jobs need to be filled in defense against cybercrimes, frauds, and other abuses. There are just under one million currently employed in that field. The supply is rated at “Very Low,” which is unsurprising considering that one-third of the necessary defenders’ desks are vacant. In Kentucky alone there are around 2,500 related jobs. In California, around D.C., or in Texas there are 50,000 or more openings unfilled.
As to the first truism—faulty users—I do my level best as an educator to help rectify it, albeit indirectly through building up servant-leaders who will add to the workforce of cyber-defenders. Most of those students already understand the best practices, and won’t click the tempting yet dangerous link in some phishy email. My hope is that they go into the workforce and through osmosis and training help bolster defenses by honing users’ practices.
As to the second issue—the talent gap—I’m also somewhat involved in its cure, inch by inch, commencement by commencement, filling the empty desks. That trickle won’t saturate the market’s drought though. For that, we rely on bigger platforms than a 30-seat classroom. Enter Congress.
Last week Sens. Maggie Hassan, D-N.H., and John Cornyn, R-Texas, introduced a new bill known as the Federal Cybersecurity Workforce Expansion Act to be considered by Congress. The Act is intended to facilitate a greater influx of cybersecurity defense experts, hopefully shoring up the half-million position deficit. While those who may benefit from the two main programs within the Act could go forth and serve corporate America, its real aim is to fill the gaps within the federal government, the largest cybersecurity employer and therefore the one most in need, as per usual.
The Act describes two programs sharing similar goals of building up talent. One focuses on veterans and current servicepersons soon transitioning into civilian life, and the other is a broader apprenticeship program.
The apprentice program would be the responsibility of the government’s Cybersecurity and Infrastructure Security Agency, the hub of all things cyber in governmental operations. If passed, the Act requires that CISA create an apprenticeship within the next two years. Apprentices would be trained to defend at a level incumbent to CISA itself, a high bar to pass, though apprentices wouldn’t be relegated to government work. As I’m prone to write, the defense of the information superhighway, the network of billions of interconnected devices, requires that all stakeholders bear security responsibility. Just one unlocked door may lead to the entire internet’s vulnerabilities. Thus, the Act provides that if apprentices opt for the private sector then those positions must be certified by CISA to be integral to national cybersecurity. That’s not going to be hard to comply with, again, because the internet connects us all to each other, ultimately.
The other program focuses on armed services devotees, whether still active or veterans in status. The Act gives Defense one year to implement this program, which would be a pilot to train said servicepersons in cyber-defense tactics. There needs to be both hands-on labs and lessons as well as a virtual platform for trainees throughout the world. At the end of the training in this arena the graduates, as they may be, would receive a certificate, or degree, license, or some other so-called portable credential that would reflect them as a subject matter expert in cyber-defense.
While Hassan and Cornyn point acutely at SolarWinds as being symbolic of the urgencies, with state-sponsored hacking efforts disrupting critical infrastructure, we all can easily recognize that long before that Russian exploit the need for talent has been outpaced by the acts of bad guys.
I’m mainly an educator though have a hat rack more expansive than that. Because of my teaching vocation, it seems glaringly obvious that more education in cyber-defense is needed. We cannot fill classroom seats quickly enough. We cannot build the academic infrastructure quickly enough even if the market demand—i.e., 500,000 prospective students applying for admission—came banging on our doors. It takes contemporary textbooks and labs and exercises and teachers, all alongside the physical plant and bandwidth needed to support a population of learners intent on filling the talent gap. With the Federal Cybersecurity Workforce Expansion Act’s potential, this time I welcome more government.
