Shortage of adequately trained cyber pros puts US at risk

A severe shortage of experienced cyber professionals leaves the nation vulnerable to cyberattacks that might inflict death and damage.

In testimony this year before the Senate Judiciary Committee’s Crime and Terrorism Subcommittee, Gordon Snow, assistant director of the FBI’s Cyber Division, said the number and sophistication of cyberattacks have increased dramatically during the past five years and are expected to continue to grow.

Although that paints a pretty bleak picture, what he said next caught the attention of cybersecurity professionals around the world.


Kevin Coleman's Digital Conflict blog


“The threat has reached the point that given enough time, motivation and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet,” he said.

If you think that is bad, hold on — there is more, and it gets worse. He went on to say, “The FBI has identified the most significant cyber threats to our nation as those with high intent and high capability to inflict damage or death in the U.S.; to illicitly acquire assets; or to illegally obtain sensitive or classified U.S. military, intelligence or economic information.”

He went on to warn that the threat posed by cyber criminals and the potential economic losses were only part of this huge risk. He included in his threat description the FBI’s serious concerns about attacks on our critical infrastructure, the theft of intellectual property and disruption of supply chains.

Snow is not one to make rash statements, and he chooses his words carefully. So when I read this testimony, I felt for the first time that most people are underestimating this threat.

Given the importance of the FBI’s role in cybersecurity, I became even more concerned after reading a report by the Justice Department inspector general. The report came out shortly after Snow’s testimony and gave an unflattering assessment of the FBI’s ability to properly investigate cyber intrusions that rose to the level of national security threats.

Based on the audit results, the report states that only 64 percent of the FBI agents assigned to national security-related cyber investigations had the expertise needed to investigate these types of cases. The Justice IG report goes on to explain that because national security intrusions are highly technical, they require special skill sets, and that the requirement for continuing education, which arises from the rapid change of this threat environment, was missed.

The audit also found that in four of the 10 FBI field offices visited, agents said during interviews that they had been assigned cyber cases that exceeded their technical capabilities. It is worth noting that the report states that in fiscal 2009, FBI cyber agents spent 19 percent of their time on national security intrusion investigations.

The one area presenting the most challenge for the FBI is the old issue of information sharing among members of the National Cyber Investigative Joint Task Force. Anyone with a security clearance who has handled classified intelligence knows of this problem. It has been around for a long time and there is no solution. This is not just an FBI issue. It is an issue across the entire cyber intelligence and protection communities. One participant in the study noted information sharing depends on the individuals involved — no truer statement was ever spoken.

Some will read the audit results and say what a bad job the FBI is doing. The fact is there is a severe shortage of adequately trained and experienced cyber professionals. That should not surprise anyone. A number of studies, articles and blogs have all reported on this during the past few years. It appears that this critical resource shortage will not go away anytime soon. The FBI and the National Cyber Investigative Joint Task Force have an extremely difficult job and shoulder the huge responsibility of investigating threats against our critical infrastructure. They cannot be held responsible for the significant shortage of cyber professionals.