Cyberwarrior 1000: The U.S. is not Sparta
There is an interesting article over at NPR arguing that a shortage of cyberwarriors threatens U.S. security. The article states that James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department, “… estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.”
Who are these 1,000 people and what exactly are these most demanding cyberdefense tasks?
The current state of computer security is pretty straightforward:
1. Secure and patch everything, then wait for some piece of hardware or software to generate an alarm.
2. An alarm triage team reviews the alarms and additional network forensic data, and makes a preliminary determination of whether a compromise may have occurred.
3. Someone close to the device collects forensic evidence and sends the information to a forensic expert.
4. The forensic expert analyzes all available information and makes a determination of whether a compromise has indeed occurred.
5. If a compromise has occurred, another analyst determines the scope and impact of the compromise and generates a report. As far as the incident response side of the house is concerned, the incident is then closed.
6. The report goes back to whoever can best address the issue that resulted in the compromise, and that team implements whatever measures are necessary to prevent the incident from occurring again.
Tens of thousands of people are already doing this each and every day. Following up on alarm-based compromise leads isn’t the easiest thing to do, but the core concepts of what needs to be done are well documented. The primary challenges are ensuring that organizations have the right security architecture, are properly instrumented to generate alarms, and have competent personnel on staff who know how to analyze and follow up on alarms.
The “other” type of computer security work that isn’t so easy to do involves finding hackers who don’t generate alarms. This is not something people can be trained to do. These types of forensic analysts have a sixth sense that makes it possible for them to “see” things that others don’t see. They think like offender profilers and approach security and finding hackers from a completely different perspective. They also assume that everyone doing security is incompetent and that what most people think is impossible is actually plausible. They are cybersecurity’s “Spartan” elite.
If Mr. Gosler is implying that the U.S. needs 20,000-30,000 Spartans, I can tell you that those slots are not going to be filled any time soon. Even if someone could scrounge up this many candidates, it doesn’t mean that any of them are capable enough to do the work. What’s the ratio of capable individuals now?
High school and college students have no idea what it’s like to defend something as large and complex as corporate America, the U.S. government or the DoD. While cyberchallenges definitely help students learn about offensive and defensive techniques, these challenges don’t come close to the type of challenges that present themselves in a real world environment. Hacking and defending something in a controlled environment is very different from dealing with professional and Top Tier hackers on production networks. If learning to defend a network were as easy as participating in cyberchallenges, the world would have solved the hacking problem years ago.
Most people doing security today are doing the best they can given the technology and resources available to them. If they didn’t grow up Spartan, there is no way to turn them into Spartans overnight by sending them to a bunch of classes and having them participate in cyberchallenges. It’s definitely possible to make people smarter, which will certainly improve the security posture of the systems and networks they are protecting, but to expect any more than that is completely unrealistic.
If the U.S. is truly dependent on the quantity of cyberwarriors to defend itself, then time is its greatest enemy. Is filling 30,000 cyberwarrior positions with highly qualified individuals really the best approach to addressing cybersecurity? I don’t think so.
Are you fascinated by all of this? Want to learn what really needs to be done to address cybersecurity issues? Read my book!