Cybersecurity’s Human Side: How Can We Solve Our People Problem?

REDPIXEL.PL/Shutterstock.com

First, stop undermining our own efforts to fill crucial jobs. Second, cast a wide net for useful lessons.

The challenge in building cybersecurity resilience is that it is not only about software and legal code, but also about people. This is where there is concern about the new administration’s planned cybersecurity executive order; the last drafts to circulate online lacked any strategic effort to solve looming workforce challenges.

Across government and industry, the growing need for cybersecurity professionals is outstripping the supply. At last report, 40 percent of the cybersecurity positions at the FBI remained unfilled, leaving many field offices without expertise. The consultancy Frost and Sullivan estimates that worldwide by 2020, there will be 1.5 million more security jobs than skilled people to fill them.

Diversity is also a problem. Some 11 percent of cybersecurity professionals are women, lower than the already dismal rates in the broader IT world. Even worse, they are on average paid lower wages than men at every single level of the field. How can we fill key gaps if we are only recruiting from less than half the population?

So what can Congress do—and with an executive branch that has been, shall we say, unsteady so far on cybersecurity issues?

The first step is to not reinvent the wheel. The Obama administration created a “Cybersecurity Human Resources Strategy” (the link has since disappeared from the White House website) that should serve as the basis of any move forward. Congress should oversee implementation of the strategy, or its descendant, making sure milestones are hit and targeting gaps with scholarship programs and other incentives.

Congress should also task the Education Department to report on where it can best aid states and cities—where education policy sits in the U.S.—to start to develop genuinely effective cybersecurity education and workforce strategies to fill needed national, state and local gaps, as well as steer students toward this valuable and well-paying field. 

Filling the human resources pipeline is a long-term challenge. Of immediate concern is the executive branch’s federal hiring freeze, which has stopped the government from filling vital cybersecurity positions. This has been described as causing “disarray” in many areas.

For example, in the U.S. CyberCorps, the scholarship program the serves as a ROTC-like feeder for cybersecurity positions, students do not know whether they can still be hired and meet their scholarship obligations. Even more urgently, IT/cybersecurity positions are going unfilled across the government, from Treasury to the Office of Personnel Management.

One official said there will soon be “hell to pay” in its near and long-term effects. Congress should make clear to the executive branch that cybersecurity-related positions should be excluded from the hiring freeze, given the critical nature of the field. Put in terms of dollar and cents, whatever savings might be gleaned from freezing cybersecurity positions will inevitably, and soon, be overwhelmed by the costs of dealing with security breached.

Any human resources strategy, however, will fail if it only puts new people in old organizational boxes, using the same pipelines.

Attracting more talented civilian expertise into the government though new channels will be a key to supporting a “deterrence by denial” strategy across our broader networks. Consider, for instance, that after the embarrassment of the HealthCare.gov rollout, the government created a Digital Service to bring young Silicon Valley innovators into government to do things like fix the federal health care website design and help the Veterans Affairs Department build user-friendly apps.

Even after the OPM debacle, however, there is no parallel effort to shore up cybersecurity. One approach is to simply expand the U.S. Digital Service to include cybersecurity recruiting as part of a larger extension of the program to 2026. Additionally, as Adam Segal of the Council on Foreign Relations has recommended, the government should establish a cyber version of the Center for Disease Control and Prevention’s Epidemic Intelligence Service. Both moves would seek to provide government with a flexible pool of in-house talent and expertise that can help train people and prevent and mitigate breaches.

Another area where Congress can help—and do so by in a way that transcends traditional partisan lines—is to jumpstart more best practices that bring together the public and private sector. A good illustration is the Pentagon’s adaption of a “bug bounty” program. This is a program used by many top companies that offers small rewards to encourage a crowd-sourced solution to cybersecurity.

In essence, it enlists the ingenuity of citizens in the open marketplace to find the holes in our security before the bad guys do. The Pentagon’s pilot program offered rewards from $100 to $15,000 for finding multiple security gaps. Its first bug reports arrived just 13 minutes after the program began. After just one month, 1,410 outside hackers had submitted 1,189 reports to help to spot and fix vulnerabilities in the Pentagon’s websites.

The cost was $150,000, an order of magnitude cheaper than if the task had been contracted out. But the gains of the program were also about identifying and building out ties to cybersecurity talent beyond government. For example, one of the hackers who helped defend our military’s IT systems via this program was a teenager who helped protect the Pentagon during his high school AP exams. Congress could play a powerful role in aiding and encouraging the spread of such “bug bounty” programs throughout DOD, as well as to other federal government agencies. It should also create incentives for similar programs across state and local government partners and private industry.

Similarly, innovations are needed in our military organizational models. Several National Guard units have been retasked to focus on cybersecurity. They have performed admirably, even besting some active-duty Cyber Command units in wargames. But the new units are not enough, nor can they ever be enough. They only serve as a means to organize talent already serving in the military.

There is a far deeper and wider pool of talent outside the military that is simply not going to be accessed by this effort, either because the individuals are unwilling to meet the various obligations that come with military service (IT techs in the National Guard, for example, are still legally obligated to serve in any mission they are ordered to, whether it be a cyber 911, Haiti earthquake response, or Iraq war) or because they are unable to meet the various physical or legal requirements for joining the military.

Here again, there are lessons to be learned from the past not usually part of our present-day cyber deterrence discussions. During the Cold War, nations like Switzerland or China chose an “active defense” model based on deterring attack not by massive retaliation, but by mobilizing their citizenry for broader national defense. The United States was in a far different position in the Cold War and so this model was not an apt one for us in the nuclear age.

Today, in the new issue of cybersecurity, there is much to learn from others, past and present, as they wrestle with similar problems. Estonia’s Cyber Defense League, for example, is a particularly good model. Rather than a traditional military reserve, it is a mechanism for Estonian citizens to volunteer their expertise for cybersecurity. It is made up of a security-vetted volunteers, who aid the government in everything from “red teaming”—finding vulnerabilities in systems and activities before the bad guys can exploit them—to serving as rapid response teams to cyberattacks.

Notably, the members are not just technical experts, as the needed expertise that lies outside of government is about far more than just computer coding. For example, to defend the national banking system from cyberattack, a mix of hackers and bankers is better than just bankers or hackers.

These efforts have helped turn Estonia from one of the first victims of a state-level cyberattack, when Russian hackers partially shut down the country in 2007, to now being perhaps the best-equipped nation in the world to weather cyber threats. Estonia may not have the same capabilities as the National Security Agency and Cyber Command, but it does have deterrence by denial and an involved populace—giving it arguably better cybersecurity than the United States.

While the Minutemen from the Revolutionary Era is the historic U.S. parallel to Estonia’s approach, today, the most apt parallel today would be the U.S. Civil Air Patrol-Air Force Auxiliary, where citizens can build up their own aviation skills, but also volunteer to aid government in anything from aviation-related emergencies to training exercises. CAP also serves as a useful recruitment and feeder program for future U.S. military pilots. Congress should establish a U.S. cybersecurity parallel program to the Estonia’s Cyber Defense League and U.S. Civil Air Patrol-Air Force Auxiliary, designed to draw upon our nation’s wider technology talent and sense of volunteerism.

We need to stop looking for quick and easy answers in cybersecurity policy discussions. Instead, we have to recognize this seemingly technical realm is also a people problem. As the saying goes, the most important space is between keyboard and chair.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.