Debate swirls on overhauling cybersecurity certifications

Trade group finds existing programs are adequate, but think tank recommends creating an entity to administer credentials in specialty areas.

Most cybersecurity professionals oppose the idea of restructuring training to boost workforce levels, according to a survey a trade association released on Wednesday, two days after a dueling report by a Washington security think tank called current certification programs inadequate.

The Wednesday poll, conducted by (ISC)2, a nonprofit group that certifies and trains information security professionals, found 69 percent of cyber personnel do not believe a government-run board of examiners should be established to change existing certification programs. This finding is at odds with recommendations the Center for Strategic and International Studies unveiled in July and detailed in a Nov. 15 paper that directs the government to create a "governance body" to administer certifications in specialty areas and develop criteria for evaluating existing certification programs.

Both groups are trying to shape pending legislation in Congress aimed at overhauling federal and industry cybersecurity rules in the wake of cyberattacks foreign governments allegedly orchestrated.

"Our organization has worked closely with government and anytime that they believe they need a more technical, specific credential, we sit down and build it," said (ISC)2 Executive Director W. Hord Tipton, a former Interior Department chief information officer. "The [CSIS] report also casts aspersions at least to me and people who have credentials."

CSIS and the 700 professionals (ISC)2 surveyed did agree on one thing: there is a shortage of federal government cyber experts. Former federal officials have estimated there are only 1,000 U.S. security specialists with the skills necessary to operate in cyberspace -- and the country needs about 10,000 to 30,000 such professionals.

But CSIS' Commission on Cybersecurity for the 44th Presidency in Monday's paper on technical proficiency issues condemned the credentials of today's federal cyber practitioners. "It is the consensus of the commission that the current professional certification regime is not merely inadequate, it creates a dangerously false sense of security" because the credentials do not improve employees' skills, wrote Karen Evans, a former administrator for e-government and information technology at the Office of Management and Budget, and Frank Reeder, a former chief of information policy at OMB.

Current credentials focus too much on demonstrating expertise in documenting security compliance rather than expertise in preventing and responding to attacks, they added.

The evaluation body CSIS proposed would be created as a nonprofit with representatives from the private sector, academia and the federal government. Long-term recommendations included an independent board of information security examiners to administer professional certifications for specialty areas such as software development, forensics and network operations. "In medicine, we now have accreditation standards and professional certifications by specialty," Evans and Reeder wrote. "We can afford nothing less in the world of cybersecurity."

(ISC)2 officials said CSIS did not provide data to support the claim that there are flaws in the current certification environment. "It makes criminals out of people who practice security," Tipton said. (ISC)2 found 52 percent of cyber professionals do not think emphasizing specialty certifications will reverse the workforce shortage. In addition, the majority of respondents -- 54 percent -- said investing in technical skills training and certification will not solve the nation's security problems.

Tipton said uprooting the current certification system would undo hard-won progress in educating the cyber workforce and exacerbate what already is a human capital crisis. Professionals polled said one of the main causes of the shortage is the lack of a defined career path. Several trade groups, including (ISC)2, Information Systems Security Association and CompTIA, are asking Congress to take advantage of existing training programs to grow the cyber workforce.

Most of the major cyber bills in Congress are silent on the issue of professional certifications for federal employees, including the bipartisan 2010 Protecting Cyberspace as a National Asset Act (S. 3480), sponsored by Sen. Joe Lieberman, I-Conn., chairman of the Homeland Security and Governmental Affairs Committee. But the 2009 Cybersecurity Act (S. 773), introduced by Sen. John D. Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, would require all government or critical infrastructure cybersecurity professionals to be certified under a national program within three years.

Major legislation is not anticipated to pass anytime soon, but Tipton said he is concerned a certification provision might be tagged onto an unrelated, must-pass bill, in the way federal information security clauses were inserted into the House version of the 2011 National Defense Authorization Act (H.R. 5136).