The U.S. needs much more than the recent increase of the federal cybersecurity budget to $14 billion to keep up with the bad guys.
Darren Guccione is CEO of Keeper Security.
Recently, the Internal Revenue Service revealed that the data breach disclosed in May involving the agency’s “Get Transcript” program affected roughly three times as many taxpayers as originally reported -- 334,000 accounts in all. The new figure came out of a deeper analysis covering a wider time period, and taxpayers whose records were potentially exposed will receive letters from the IRS over the coming days.
This announcement comes on the heels of the massive OPM breach and shines a spotlight on the government’s failure to protect the data entrusted to it. While the number of records taken in the IRS breach pales in comparison to OPM, the type of information exposed is potentially just as damaging: Social Security numbers, taxpayer ID numbers, work history and income sources all appear on the tax transcripts the service provides. Worth noting for anyone who builds such systems: the attackers did not break into IRS networks. They passed Get Transcript’s identity checks, including its knowledge-based authentication questions, using personal data already stolen from victims elsewhere, a reminder that an authentication step built on information other people can obtain is not a real barrier.
In both the OPM and IRS breaches, the government’s lag time in fully discovering the impact was extremely drawn-out. The full extent of the IRS breach is only now becoming clear, three months after it was first disclosed, while the OPM intrusion went undetected for about four months. While thinking about these breaches, it’s important to look at the greater issue at hand: We are in the midst of a cyberwar and the bad guys are winning.
Recently, businesses and governments all over the world have responded to this disturbing fact with “quick fixes” that have not addressed the larger problem. We live in a world with hackers who are capable of breaking into all but the most sophisticated systems. Much like the United States on the morning of Dec. 8, 1941, the day after Pearl Harbor, businesses and governments have had to acknowledge they’ve been caught by surprise and are unprepared to defend themselves in cyberwarfare.
For evidence that the U.S. government is understaffed against hackers, look to the fact that the unemployment rate for cybersecurity professionals in Washington is 0 percent. This might seem like a great thing for people in this line of work, but it’s a warning that the good guys simply don’t have enough troops to win this war.
Outside the nation’s capital, the state of cybersecurity manpower is no better. The Cisco 2014 Annual Security Report put the shortfall of cybersecurity personnel at 1 million openings. By 2019, the number of openings is expected to rise to 1.5 million.
Just how bad is the job shortage and what does it mean for the nation’s cybersecurity?
Let’s start with the 0 percent unemployment statistic. As any economist will tell you, a 0 percent unemployment rate is not a good sign. It means the job market for cybersecurity professionals is out of balance, which leads to inflated salaries for the employees themselves and lower productivity for the economy overall.
It also means cyber professionals are hopping from one job to another, leaving gaps in the defense of the systems they leave behind and increasing the likelihood of attacks. Finally, businesses are forced to train or hire underqualified employees to fill their cybersecurity needs.
It’s no wonder 86 percent of organizations believe there’s a shortage of skilled cybersecurity professionals and just 38 percent believe their organization is prepared for a cyberattack, according to a January survey from ISACA, an international professional association focused on IT governance.
The fear extends to government agencies as well, as we’ve seen with several high-profile cyberattacks. For this reason, President Obama has been quietly recruiting top tech talent from companies such as Google and Facebook to bolster the pool of qualified cyber talent in Washington.
The top-paying cybersecurity job is security software engineer, with an average annual salary of $233,333, according to CSO magazine. In areas with lower unemployment rates (such as Washington, D.C.), salaries are pushed higher still, because everyone is competing for the same pool of applicants.
I reached out to a friend of mine, Terry Kurzynski, senior partner at HALOCK Security Labs, who confirmed this.
“The fact that hacking can generate huge profits for a relatively unskilled, unethical hacker has created a market whereby the companies have to pay a premium for the skills and professionalism of the good-guy ethical hackers,” he stated. Companies are not only paying a premium for top cybersecurity professionals and ethical hackers, but also pouring money into training for less-experienced hires.
At one level, we should expect that the market will self-correct. The government has a number of educational initiatives designed to introduce and train students for a cybersecurity career. A study from RAND Corporation concluded that, “as the supply of cyber professionals currently in the educational pipeline increases, and the market reaches a stable, long-run equilibrium,” much of the shortage will disappear.
Again, we must accept we are at war, and we can’t afford to wait for natural market forces to eventually increase the supply. Every week brings yet another high-profile cybersecurity breach. In most cases, these are directed at commercial entities, with the object of stealing personally identifiable information to sell on the black market. But not all.
Many are directed at government agencies with the express goal of stealing secrets that could compromise national security. For instance, the data breach at OPM is now widely believed to have been carried out by hackers in China. Cyberwarfare is very much a clear and present danger.
Even though the recent increase of the cybersecurity budget to $14 billion is a small step in the right direction, much more is required if we’re ever going to keep up with the bad guys.
Here are three critical things that need to happen to address the cyber workforce shortage:
‘Fast-track’ the hiring process for cybersecurity professionals in the public sector.
The RAND study notes that several government rules and regulations make it difficult to hire cybersecurity professionals quickly, even as certain agencies, such as the National Security Agency, are permitted to bypass these laborious processes. NSA’s expedited hiring model, if not its exact hiring authority, should be extended across all levels of government.
Emphasize cybersecurity at all education levels.
Students as young as first or second grade should be taught the importance of cybersecurity. As they progress in their education, the lessons and skills they learn should advance as well. Colleges and universities should also mandate a cybersecurity course for all incoming freshmen, not just to teach lifelong cyber skills, but also to highlight the new threats and trends in what is an exciting, fast-paced and quite lucrative field.
Initiate a comprehensive, robust public-awareness campaign across all media channels.
State and federal governments should coordinate with private entities to launch public-awareness campaigns that highlight the tremendous job opportunities available in the cybersecurity field. For example, October is National Cyber Security Awareness Month, which is an ideal time to blanket the airwaves with a concerted, aggressive public-awareness effort.
In the winter of 1942, the United States couldn’t wait for market forces to increase its production of war materiel and its supply of soldiers. The government had to coordinate with private enterprise to put the nation on a war footing. We are at a similar moment, and if we are to beat the enemy, we need to recognize that nothing less than our national security is at stake.