Shortage of trained experts leaves doors open for cyber attacks

WASHINGTON — Cyberattacks against U.S. companies and government bodies are driving demand for security experts beyond the numbers that the nation’s training schools and partnership programs can provide.

Last week’s leak of Democratic National Committee communications was just the latest in a string of incidents raising public consciousness around this emerging issue. The DNC hack, allegedly carried out by Russian agents months ago, may represent a new wrinkle in geopolitical cyberwarfare, with nation-states attempting to influence U.S. domestic politics through well-timed releases of previously undisclosed information. Just a few days after WikiLeaks released the DNC communications, even the White House acknowledged the growing threat and frequency of cyberattacks.

In recent years, both private companies and public groups – Target, Sony, even the federal government – have experienced some type of cyberattack. While the goals for each individual incident may differ, one thing remains certain.

The demand for information security specialists will only increase.

The Bureau of Labor Statistics projects that industry employment will expand by 18 percent by 2024, far outpacing average job sector growth.

While technology does increase efficiency and automation, updating systems, creating software and troubleshooting issues still require a substantial human workforce. Entry into this industry often necessitates extensive cyber-knowledge, on-the-job experience and years of education, too.

Some academics, such as Barbara Endicott-Popovsky, a University of Washington professor and executive director at the Center for Information Assurance and Cybersecurity, are trying to bridge the gap.

The center, headquartered in Tacoma, is one of around 200 schools in the country designated as a National Center for Academic Excellence in Cyber Defense (CAE). The program, a joint effort by the National Security Agency and the Department of Homeland Security (DHS), is an attempt by the federal government to create an employment pipeline, Endicott-Popovsky said.

“They want to hire cybersecurity experts and they are not getting them,” Endicott-Popovsky said. “So in self-defense, they put this program together.”

However, the designation does not guarantee funding and output has been inadequate.

“We don’t have enough schools,” Endicott-Popovsky said. “We are not producing enough graduates.”

Endicott-Popovsky sees a role for the federal government, particularly providing increased government funding for the CAE program. She is less supportive of federal legislation, which, according to her, is often authored by folks with limited cyber knowledge.

University programs aside, there are also certification options, such as the Certified Information Systems Security Professional (CISSP) program, a 250-question test designed by an independent nonprofit to help standardize industry-wide credentialing. But programs like CISSP are far from perfect, some experts say.

“Do we really want to rely on a multiple choice examination to qualify these people? Because that’s what it is,” Michael Hamilton, a cyber expert and founder of the Seattle-based firm Critical Informatics, said. “We are going to stock the ranks of cyber security professionals with people who are extraordinarily good guessers.”

For Hamilton, apprenticeship programs and job-training partnerships have potential for success. But those programs take time to develop.

As government-sponsored programs and industry initiatives continue, legislators are also struggling to avoid partisan divides in cyber defense efforts.

In Washington state, for instance, Representative Zach Hudgins, a state legislator who worked at Amazon before entering politics, introduced several cyber-related bills with little success. Cyber, Hudgins said, is an esoteric issue with limited use on the campaign trail.

“We are very reactive and we’re very cost-conscious and worrisome. When you are talking about levees and dams and floods, people get that,” Hudgins said. “When you are talking about cybersecurity attacks, it’s a little tougher for people to understand well what do you have to do.”

As technological advancement continues to infect more and more industries, the interconnectedness of society will continue to cross jurisdictions and involve many public and private bodies. There is not a clear group, then, with sole responsibility for cyberdefense, further slowing any adequate preparation. Until recently, Endicott-Popovsky said, many private businesses shied away from investing in cyber defense, citing the burdensome cost of retrofitting systems and employee training.

“For a long time, you had the private sector saying ‘Wait a minute, cyber security? nation attacks? The federal government is responsible for that,’” Endicott-Popovsky said. “They are going ‘See no evil, hear no evil, it’s your problem.’”

Given the obstacles, Endicott-Popovsky believes a catastrophic attack may be the only catalyst for adequate cyber response and preparation.

“Our democracy lags,” Endicott-Popovsky said. “…until we get whacked upside the head.”