Former Official: Throwing More Bodies Into Cybersecurity Won’t Help

When asked, many government leaders say one of the major impediments to a strong cybersecurity posture in the U.S. is the lack of trained cyber professionals. But at least one former federal cybersecurity leader says this thinking is backward and is doing more damage than the workforce gap itself.

Federal agencies are in the midst of tallying up their cybersecurity workforce needs for reports due to the Office of Personnel Management by April. Concerns within government mirror those of the private sector, with reports claiming a shortage of some 3 million needed cyber professionals worldwide, 500,000 in North America alone.

That focus puts the onus on users, rather than attacking the source of the problem more globally, according to Steven Chabinsky, a partner at White and Case who formerly served as deputy assistant director of the FBI Cyber Division and as a senior cyber adviser to the director of national intelligence.

“That’s like having an arsonist in the neighborhood and saying, ‘We don’t need to get the arsonist, let’s get more firefighters,’” Chabinsky said during a discussion of a tabletop exercise and report from the Foundation for Defending Democracies.

“Or looking at another analogy: What happened in Flint, Michigan, where you have water that is not potable—no one can drink it,” he said. “Is the response, ‘Let’s have every business and home have a filtration system and the capability to use it?’ Of course not. You go to the reservoir at the pipe level; you don’t make everybody responsible for it.”

Instead of throwing more people at the problem, Chabinsky suggested the government and private sector should have already come together to fix the larger threat, especially when it comes to protecting critical infrastructure like energy and communications.

“The largest problem with all of cybersecurity is that we recognize that the private sector is on the front lines but we have not empowered, in any way, shape or form, economically, the private sector to do what needs to be done with the government to resolve this at a higher level,” he said. “Every person, every business should not be on the front lines of a national security problem. It’s crazy. We’ve allowed that to occur instead of figuring out, what is the higher level—through an internet ecosystem where the government and the telecommunications services and internet providers and the main services—how could they all work together so that this threat doesn’t reach every end user?”

“We’ve instead said that we need more workforce—a crazy response to a problem,” he added.

Chabinsky said the current way of approaching the cybersecurity problem—trying to protect individual systems and endpoints—necessitates a larger cyber workforce. However, a more holistic approach, he argued, would free resources to properly compensate the workforce that is needed.

“As long as we approach it backwards, we need too many people in order to resolve it instead of making sure that we’re doing it efficiently and that we’re paying those who need to be on the front lines of cybersecurity to have that national security approach,” he said.