The challenge in building cybersecurity resilience is that it is not only about software and legal code, but also about people. This is where there is concern about the new administration’s planned cybersecurity executive order; the last drafts to circulate online lacked any strategic effort to solve looming workforce challenges.
Across government and industry, the growing need for cybersecurity professionals is outstripping the supply. At last report, 40 percent of the cybersecurity positions at the FBI remained unfilled, leaving many field offices without expertise. The consultancy Frost and Sullivan estimates that, worldwide by 2020, there will be 1.5 million more security jobs than skilled people to fill them.
Diversity is also a problem. Some 11 percent of cybersecurity professionals are women, lower than the already dismal rates in the broader IT world. Even worse, they are on average paid lower wages than men at every single level of the field. How can we fill key gaps if we are only recruiting from less than half the population?
So what can Congress do—and with an executive branch that has been, shall we say, unsteady so far on cybersecurity issues?
The first step is to not reinvent the wheel. The Obama administration created a “Cybersecurity Human Resources Strategy” (the link has since disappeared from the White House website) that should serve as the basis of any move forward. Congress should oversee implementation of the strategy, or its descendant, making sure milestones are hit and targeting gaps with scholarship programs and other incentives. The Congress should also task the Department of Education to report on where it can best aid states and cities—where education policy sits in the U.S.—to start to develop genuinely effective cybersecurity education and workforce strategies to fill needed national, state, and local gaps, as well as steer students towards this valuable and well-paying field.
Filling the human resources pipeline is a long-term challenge. Of immediate concern is the executive branch’s federal hiring freeze, which has stopped the government from filling vital cybersecurity positions. This has been described as causing “disarray” in many areas. For example, in the U.S. CyberCorps, the scholarship program that serves as a ROTC-like feeder for cybersecurity positions, students do not know whether they can still be hired and meet their scholarship obligations. Even more urgently, IT/cybersecurity positions are going unfilled across the government, from Treasury to the Office of Personnel Management. One official said there will soon be “hell to pay” in its near- and long-term effects. Congress should make clear to the executive branch that cybersecurity-related positions should be excluded from the hiring freeze, given the critical nature of the field. Put in terms of dollars and cents, whatever savings might be gleaned from freezing cybersecurity positions will inevitably, and soon, be overwhelmed by the costs of dealing with security breaches.
Any human resources strategy, however, will fail if it only puts new people in old organizational boxes, using the same pipelines.
Attracting more talented civilian expertise into the government through new channels will be a key to supporting a “deterrence by denial” strategy across our broader networks. Consider, for instance, that after the embarrassment of the healthcare.gov rollout, the government created the U.S. Digital Service (USDS) to bring young Silicon Valley innovators into government to do things like fix the federal health care website design and help the VA build user-friendly apps. Even after the OPM breach, however, there is no parallel effort to shore up cybersecurity. One approach is to simply expand the USDS to include cybersecurity recruiting as part of a larger extension of the program to 2026. Additionally, as Adam Segal of the Council on Foreign Relations has recommended, the government should establish a cyber version of the Centers for Disease Control and Prevention (CDC)’s Epidemic Intelligence Service. Both moves would seek to provide government with a flexible pool of in-house talent and expertise that can help train people and prevent and mitigate breaches.
Another area where Congress can help — and do so in a way that transcends traditional partisan lines — is to jumpstart more best practices that bring together the public and private sector. A good illustration is the Pentagon’s adoption of a “bug bounty” program. This is a model used by many top companies that offers modest rewards to encourage a crowd-sourced approach to cybersecurity. In essence, it enlists the ingenuity of citizens in the open marketplace to find the holes in our security before the bad guys do. The Pentagon’s pilot program offered rewards from $100 to $15,000 for finding security gaps, with larger payouts for more severe or multiple findings. Its first bug report arrived just 13 minutes after the program began. After just one month, 1,410 outside hackers had submitted 1,189 reports to help spot and fix vulnerabilities in the Pentagon’s public-facing websites.
The cost was $150,000, an order of magnitude cheaper than if the task had been contracted out. But the gains of the program were also about identifying and building out ties to cybersecurity talent beyond government. For example, one of the hackers who helped defend our military’s IT systems via this program was a teenager who helped protect the Pentagon during his high school AP exams. Congress could play a powerful role in aiding and encouraging the spread of such “bug bounty” programs throughout DoD, as well as to other federal government agencies. It should also create incentives for similar programs across state and local government partners and private industry.
Similarly, innovations are needed in our military organizational models. Several National Guard units have been retasked to focus on cybersecurity. They have performed admirably, even besting some active-duty Cyber Command units in wargames. But the new units are not enough, nor can they ever be enough. They only serve as a means to organize talent already serving in the military. There is a far deeper and wider pool of talent outside the military that is simply not going to be accessed by this effort, either because the individuals are unwilling to meet the various obligations that come with military service (an IT tech in the National Guard, for example, is still legally obligated to serve in any mission they are ordered to, whether it be a cyber 911, Haiti Earthquake response, or Iraq war) or because they are unable to meet the various physical or legal requirements for joining the military.
Here again, there are lessons to be learned from the past that are not usually part of our present-day cyber deterrence discussions. During the Cold War, nations like Switzerland or China chose an “active defense” model that was based on deterring attack not by massive retaliation but by mobilizing their citizenry for broader national defense. The United States was in a far different position in the Cold War and so this model was not an apt one for us in the nuclear age.
Today, in the new issue of cybersecurity, there is much to learn from others, past and present, as they wrestle with similar problems. Estonia’s Cyber Defence League, for example, is a particularly good model. Rather than a traditional military reserve, it is a mechanism for Estonian citizens to volunteer their expertise for cybersecurity. It is made up of security-vetted volunteers who aid the government in everything from “red teaming”—finding vulnerabilities in systems and activities before the bad guys can exploit them—to serving as rapid response teams to cyberattacks. Notably, the members are not just technical experts, as the needed expertise that lies outside of government is about far more than just computer coding. For example, to defend the national banking system from cyberattack, a mix of hackers and bankers is better than just bankers or just hackers.
These efforts have helped turn Estonia from one of the first victims of a state-level cyberattack, when Russian hackers partially shut down the country in 2007, to now being perhaps the best-equipped nation in the world to weather cyber threats. Estonia may not have the same capabilities as the NSA and Cyber Command, but it does have deterrence by denial and an involved populace—giving it arguably better cybersecurity than the United States.
While the Minutemen of the Revolutionary Era are the historic U.S. parallel to Estonia’s approach, the most apt parallel today would be the U.S. Civil Air Patrol-Air Force Auxiliary, where citizens can build up their own aviation skills but also volunteer to aid government in anything from aviation-related emergencies to training exercises. The CAP also serves as a useful recruitment and feeder program for future U.S. military pilots. Congress should establish a U.S. cybersecurity program paralleling Estonia’s Cyber Defence League and the U.S. Civil Air Patrol-Air Force Auxiliary, designed to draw upon our nation’s wider technology talent and sense of volunteerism.
We need to stop looking for quick and easy answers in cybersecurity policy discussions. Instead, we have to recognize that this seemingly technical realm is also a people problem. As the saying goes, the most important space is between keyboard and chair.
This article is adapted from Singer’s recent testimony before the House Armed Services Committee, “Cyber-Deterrence And The Goal of Resilience: 30 New Actions That Congress Can Take To Improve U.S. Cybersecurity.”