
Cyberwarrior 1000: The U.S. is not Sparta

There is an interesting article over at NPR that a shortage of Cyberwarriors threatens U.S. security.  The article states that James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department, “… estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.”

Who are these 1,000 people and what exactly are these most demanding cyberdefense tasks?

The current state of computer security is pretty straightforward:

1. Secure and patch everything and wait for some piece of hardware or software to generate an alarm.

2. An alarm triage team reviews the alarms and additional network forensic data, and makes a preliminary determination if a compromise may have occurred.

3. Someone close to the device collects forensic evidence and sends the information to a forensic expert.

4. The forensic expert analyzes all available information and makes a determination if a compromise has indeed occurred.

5. If a compromise has occurred, another analyst determines the scope and impact of the compromise and generates a report; as far as the incident response side of the house is concerned, the incident is then closed.

6. The report goes back to whomever can best address the issue that resulted in the compromise and that team implements whatever measures are necessary to prevent the incident from occurring again.
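To make steps 1 and 2 concrete, here is an added example of the alarm-triage step; it is not code from the original post. It takes alarms raised by some sensor and the network flow records an analyst would pull next, correlates them, and produces the preliminary determination that decides whether step 3 (forensic collection) is triggered. All alarms, flows, IP addresses, rule names, the internal address range and the byte threshold are constructed assumptions.

```python
"""Alarm triage with network-forensic enrichment (steps 1 and 2 above).

Added example, not code from the original post. Every alarm, flow, IP
address, rule name and threshold below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Alarm:
    ts: datetime
    host: str       # IP of the internal asset that raised the alarm
    rule: str       # name of the detection rule (hypothetical)
    severity: int   # 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
EXFIL_BYTES = 1_000_000                         # assumed "a lot of data left" threshold
WINDOW = timedelta(minutes=30)                  # flows examined this long after the alarm


def is_external(ip: str) -> bool:
    return ipaddress.ip_address(ip) not in INTERNAL


def triage(alarm: Alarm, flows: list) -> dict:
    """Step 2: correlate one alarm with the host's outbound flows and make a
    preliminary determination. The returned record is the hand-off to step 3."""
    related = [
        f for f in flows
        if f.src == alarm.host
        and alarm.ts <= f.ts <= alarm.ts + WINDOW
        and is_external(f.dst)
    ]
    bytes_out = sum(f.bytes_out for f in related)
    peers = sorted({f.dst for f in related})
    if related and (alarm.severity >= 4 or bytes_out >= EXFIL_BYTES):
        determination = "escalate"        # collect forensic evidence (step 3)
    elif related or alarm.severity >= 4:
        determination = "review"          # analyst looks closer before escalating
    else:
        determination = "false_positive"  # nothing corroborates the alarm
    return {
        "host": alarm.host,
        "rule": alarm.rule,
        "alarm_time": alarm.ts.isoformat(),
        "external_peers": peers,
        "bytes_out": bytes_out,
        "determination": determination,
    }


def run_triage(alarms, flows):
    """Work the queue highest severity first, as a triage team would."""
    return [triage(a, flows) for a in sorted(alarms, key=lambda a: -a.severity)]


# Constructed sample input: three alarms and the flows seen around them.
T0 = datetime(2010, 7, 22, 12, 0)
SAMPLE_ALARMS = [
    Alarm(T0, "10.1.2.3", "IDS: suspicious outbound beacon", 5),
    Alarm(T0, "10.1.2.4", "AV: potentially unwanted program", 2),
    Alarm(T0, "10.1.2.5", "Failed logon threshold", 1),
]
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(minutes=5), "10.1.2.3", "203.0.113.10", 443, 4_200_000),
    Flow(T0 + timedelta(minutes=10), "10.1.2.3", "10.1.0.5", 445, 20_000),      # internal, ignored
    Flow(T0 + timedelta(minutes=50), "10.1.2.3", "203.0.113.10", 443, 900_000),  # outside window
    Flow(T0 + timedelta(minutes=2), "10.1.2.4", "198.51.100.7", 80, 3_000),
]

if __name__ == "__main__":
    for ticket in run_triage(SAMPLE_ALARMS, SAMPLE_FLOWS):
        print(ticket)
```

The point of the correlation is the one the list makes: the alarm alone does not decide anything; the preliminary determination comes from the alarm plus what the network data says the host did afterwards, and only the escalated tickets consume a forensic expert's time in step 4.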

Tens of thousands of people are already doing this each and every day.  Following up on alarm-based compromise leads isn’t the easiest thing to do, but the core concepts of what needs to be done are well-documented. The primary challenges are ensuring that organizations have the right security architecture, are properly instrumented to generate alarms, and have competent personnel on staff who know how to analyze and follow up on alarms.

The “other” type of computer security work that isn’t so easy to do involves finding hackers that don’t generate alarms. This is not something people can be trained to do. These types of forensic analysts have a sixth sense that makes it possible for them to “see” things that others don’t see. They think like offender profilers and approach security and finding hackers from a completely different perspective. They also assume that everyone doing security is incompetent and what most people think is impossible is actually plausible.  They are cybersecurity’s “Spartan” elite.

If Mr. Gosler is implying that the U.S. needs 20,000-30,000 Spartans, I can tell you that those slots are not going to be filled any time soon. Even if someone could scrounge up this many candidates, it doesn’t mean that any of them are capable enough to do the work.  What’s the ratio of capable individuals now?

High school and college students have no idea what it’s like to defend something as large and complex as corporate America, the U.S. government or the DoD. While cyberchallenges definitely help students learn about offensive and defensive techniques, these challenges don’t come close to the type of challenges that present themselves in a real world environment.  Hacking and defending something in a controlled environment is very different from dealing with professional and Top Tier hackers on production networks. If learning to defend a network were as easy as participating in cyberchallenges, the world would have solved the hacking problem years ago.

Most people doing security today are doing the best they can given the technology and resources available to them. If they didn’t grow up Spartan, there is no way to turn them into Spartans overnight by sending them to a bunch of classes and having them participate in cyberchallenges.  It’s definitely possible to make people smarter, which will certainly improve the security posture of the systems and networks they are protecting, but to expect any more than that is completely unrealistic.

If the U.S. is truly dependent on quantity of cyberwarriors to defend itself, then time is its greatest enemy.  Is filling 30,000 cyberwarrior positions with highly qualified individuals really the best approach to addressing cybersecurity? I don’t think so.

Learn more

Are you fascinated by all of this? Want to learn what really needs to be done to address cybersecurity issues? Read my book!

  1. red
    July 22, 2010 at 8:29 pm

    You make some interesting points, and I would agree with most of them. What do you think the answer is to the problem if given the fact that no “cybersecurity Spartan elite” are available, and the 30,000 cyberwarrior positions with highly qualified individuals don’t foot the bill?

    • July 23, 2010 at 6:28 am

      I’m really not sure what the government’s answer is going to be to that question. Consider where the U.S. is at with respect to the war on drugs, counterfeiting, illegal immigration, human trafficking and organized crime. Would 30,000 extra bodies make any of those problems go away? Is law enforcement saying that they can solve any of these problems with 30,000 more bodies? If the government took all the troops that went to Iraq and Afghanistan, and put them on the streets of America, would crimes suddenly disappear?

  2. July 23, 2010 at 3:53 pm

    I have spent the better part of the last decade working in the antimalware field and can attest to the fact that real talent is extremely rare. Those that rise to the level of your “Spartan elite” (in my experience) have been the A-type self-starters with a vision and the force of will to work towards a goal to the exclusion of (almost) everything else. This focus leads to unique skill sets where the “Spartan” can basically pick and choose what projects they work on and are often those who end up starting their own businesses rather than working for someone else (focused personalities can be difficult to control and work with at the best of times).

    Given this, the government is going to have to “make it work” with the resources available. Where this can become effective is using the “Spartans” to train these warriors in the unique skill sets they have acquired in a type of master/apprentice approach. This could also improve recruitment and retention based on the reputation of the “master” in question. Being able to mold those who come after you is a strong incentive that can be more important than outright monetary return for those who rise to elite status…

    • July 24, 2010 at 2:35 am

      The three biggest challenges to mentoring are: (1) Finding the master that can and wants to mentor, (2) Taking the master away from the real work to train the Padawans, and (3) The sheer number of people that need to be mentored. The numbers don’t look good at all.

      Like you said, the government will have to make do with the talent that it can find. In addition to people, there are a myriad of other issues that need to be addressed, including architecture, tools, process, funding and of course everyone’s favorite – politics! The next 12 months are going to be extremely challenging for anyone that gets involved.

      Thanks for commenting.

  3. red
    July 23, 2010 at 6:26 pm

    I think we both understand that if the troops were pulled/re-assigned from Afghanistan to the streets of America, crime wouldn’t decrease. I believe we need to think deeper into this subject with regards to the government’s actions towards cyber security.

    IMHO the only reason why the above examples haven’t been resolved by the government is because they don’t directly affect daily operations. While they affect other important “bubbles” including the economy, individuals, and groups, the government will keep kicking. I would bet that if everyone in the current administration started using cocaine daily and it caused a problem things would change – FAST.

    Cyber Security I believe is essential for the government to get involved in, and fast. Without it the infrastructures and services we depend on are at risk (like now). Unfortunately big corporations and educational institutions aren’t in business to secure services or communication channels but instead in the business to make money. I don’t think anyone else in the USA has the money or drive to attempt tackling the problem that we all have ignored for too long.

    Let’s face it, nobody cares about security except for the unfortunate victims, security professionals, and attackers. Until we change this mindset, it’s the same cake with different frosting. 😉

    • July 24, 2010 at 2:03 am

      Let’s face it, nobody cares about security except for the unfortunate victims, security professionals, and attackers. Until we change this mindset, it’s the same cake with different frosting.

      True words. Like other types of crime, if it’s out of sight, it’s out of mind.

      We’ll have to see how things play out between now and the end of the year. It will be interesting to see what metric the government uses, if any, to measure “progress.” Thanks for commenting.

  4. July 24, 2010 at 7:36 pm

    Well, the governments will need some kind of “force multiplier” to extend the limited infosec resources that they have, since 1000 can’t do the work of 20 or 30 thousand.

    But I think those numbers are skewed higher than they need be due to the broken security model. Changing that and allowing infosec resources to work alongside operations people could reduce the shortfall.

    • July 24, 2010 at 10:56 pm

      I don’t think the numbers are too inflated. If you break 30K down into 3 shifts, that works out to 10K per shift. Break that down by 50 states and you get 200 per state, per shift, but I’m sure that needs to be adjusted based on the quantity of assets that need to be monitored. If you take into consideration how much time and effort it takes to “properly” monitor and follow up on each lead based on each team’s monitoring zones (teams span shifts) in an expeditious manner, 30K would be the absolute minimum.

  5. July 24, 2010 at 11:25 pm

    Sorry, was not clear. I don’t think the numbers are inflated and agree that they are a minimum based on the status quo. What I was suggesting was that an improved security model could reduce the number of people required.

  6. July 27, 2010 at 4:02 pm

    Interesting take on the NPR feature, Mister Reiner. Speaking of cyberchallenges, it seems the UK has just launched one of its own:

