Cybersecurity and Cyberwar
Authors: Peter W. Singer, Allan Friedman
Insurance by itself simply transfers risk from the covered firm to the underwriter and then reshapes the incentives behind the standard approach to security. Former national counterintelligence executive Joel Brenner explains, “Insurers play an important role in raising standards because they tie premiums to good practices. Good automobile drivers, for example, pay less for car insurance.” The insurers have a natural incentive to minimize the likelihood and cost of a security incident and will push the firm to invest in defenses. The underwriters can compete by identifying the most efficient protections to impose on their portfolio, lowering the costs of compliance while they also lower premiums. Over time, insurance companies will accrue lots of data on defenses and breaches, developing and propagating best practices. This is the theory, at least. So far, though, we have a long way to go for the insurance market to align incentives for better security.
Finally, this links to an important point: the individual user cannot be left off the hook. We've repeatedly seen how human fallibility represents the largest single vulnerability in cyberspace. The problem is that it can be hard for an individual to understand the connection between a single wrong click today and the consequences of a subsequent attack that only came to light much later.
Larry Clinton, the head of a cross-sector industry group in favor of market solutions for cybersecurity, observed, “Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of their personal data will be fully covered by corporate entities (such as the banks).” In reality, the cost of poor decisions is borne by all of us. As the 2009 Cyberspace Policy Review put it, “People cannot value security without first understanding how much is at risk. Therefore, the Federal government should initiate a national public awareness and education campaign.” In 2010, the “STOP. THINK. CONNECT.” campaign was launched by the Department of Homeland Security, but too few in the wider public noticed.
In sum, given the strong evidence for a market failure, a buildup of accountability mechanisms is needed to drive good security decisions, from the individual Internet user all the way up to the CEO of a utility company. If we don't want only a prescriptive regime of rules and standards, imposed from above, to define the architecture of information systems, then we must also incentivize an approach to risk management from below that emphasizes the importance of security. Sometimes the sunshine of transparency can be enough to drive more responsible security behavior. In other contexts, the threat of actual punishment may be needed.
This takes the story full circle. After their embarrassing disclosure of nonenforcement, the healthcare regulators mentioned at the beginning of this section began to put some teeth behind the data security standards. In 2012, for instance, a Harvard Medical School teaching hospital was fined $1.5 million after regulators found “a long-term, organizational disregard for the requirements of the security rule.” That is the actual meaning of “rigorous enforcement”; hospitals took notice of it and began to change their practices.
Richard “Dickie” George served at the National Security Agency for over three decades in roles that ranged from cryptology mathematics (code making and breaking) to Director for Information Assurance, where he was responsible for the security of its most secretive communications. One of his biggest concerns in cybersecurity, however, is not merely the advancing threats in cyberspace but how we are going to find the people to respond to them. For this reason, he has often served as a “talent scout” for the NSA, seeking out top young recruits everywhere from universities to the BlackHat hacker convention. The problem, he explains, is that when it comes to top talent, “It's a small pool and there are a lot of people hiring from it.… We're all looking at the same resumes.”
The scope of the problem that George talks about is best illustrated by numbers. While the highly classified NSA doesn't release its staffing details, the Department of Homeland Security does. In 2008, it had just forty people working on cybersecurity issues full-time. By the end of 2012, the force had grown to more than four hundred. Another 1,500 cyber contractors were also working for the agency. But even as the force has grown nearly fifty times over, it still was viewed as not enough; the agency plans to add another six hundred more in just the next year.
Take what is happening at DHS and multiply it across all the other government agencies, private corporations, nongovernmental organizations, and so on who have understandably become concerned about cybersecurity, and you quickly see an emerging policy problem. This cybersecurity issue is not a question of what or how, but who. As one industry consultant explained, “The cyberwarfare market has grown so fast that it outstripped available labor pools.”
So how big is the gap? No one is exactly sure, but in a report entitled A Human Capital Crisis in Cybersecurity, the Center for Strategic and International Studies argued that the US government had only 3 to 10 percent of the cybersecurity professionals it actually needs. Interestingly, Jim Gosler, a fellow at Sandia National Lab and former director of the CIA Clandestine Information Technology Office, made a similar estimate, arguing that the government still had a need for tens of thousands more cyber experts. If the federal government, even with its massive amounts of cyber spending, has such a gap, the same can be expected of various other global, national, state, and local government agencies, as well as corporations, organizations, and other institutions that also now see needs in this field.
By one estimate, as many as one million or more new cybersecurity workers will be needed by 2017 and beyond.
The cyber people problem, however, is not just one of raw numbers. As Ralph Langner, our cybersecurity expert who unearthed Stuxnet, explains, “Right now the cyber arms race is about talent.” Indeed, one survey of chief information security officers and IT hiring managers at government agencies found that only 40 percent were satisfied with the quality of applicants for cybersecurity jobs.
It's not just that cybersecurity needs are growing but that demand for the skill set is growing beyond the people who work directly on cybersecurity day to day. “Even the managers now need hands-on skills in order to manage the newly emerging technical people,” explains Alan Paller, research director for the SANS Institute, a leading Internet security training firm.
The classic answer to a labor crunch is to throw money at the problem, and the same has happened in cybersecurity. For those with the skills, it has been a very good time to be in the field. Salaries for IT security specialists have skyrocketed in recent years; a 2011 study found roughly half make $100,000 or more. This good news for the labor force, however, is bad news for the organizations paying them, which repeatedly find themselves bidding against each other for skills in short supply.
A particular problem for the government is that it often pays for the creation of talent that it then loses to the private sector. A typical US government salary for a starting specialist in cybersecurity was around $60,000 in 2013. But with five years of experience and training on the government side, that same person could leave to join a private contractor for double the salary, perhaps even triple or more if the person is a real pro with security clearances. The movement of the more experienced talent to the private sector also means that many of the “cool jobs” inside government agencies (like the “incident response” teams, which are like SWAT teams for cyber emergencies) go to outside contractors, further driving internal talent to exit.
There's also a cultural issue. Even with interesting problems, many talented young people will be turned off by the inflexibility and environment of the federal government or traditional corporate bureaucracy. Beyond a preference for cargo shorts and a T-shirt over khakis and a tie, the culture of a high-tech firm will always be more dynamic. Culture extends into politics. Much of cybersecurity work is classified, and there is a lack of trust between the intelligence and defense establishment and the hacker community (NSA leaker Edward Snowden has much higher approval numbers in your average computer science lab than in most government agencies).
There's no one silver bullet solution to these problems, so the approach has to come from multiple directions.
One step is to build better means for the private sector and the public sector to collaborate at the human level, as well as cover the seams between the two. After suffering from cyberattacks in the mid-2000s, in 2010, Estonia pioneered a new model of defense known as “Küberkaitseliit,” the Cyber Defense League. In essence, it was a cyber militia, allowing private citizens to volunteer to aid public efforts. The group includes everything from IT specialists to lawyers, and they have been used in roles that range from providing backup in cyber emergencies to helping as a “red team” in important national efforts, such as electronic voting.
Notably, though, the group is not like a national guard, in that there are no physical standards, nor are the participants putting themselves under military law, liable to be deployed to Iraq or whatnot, or asking for military pay and benefits. Instead, joining the league is voluntary, and then applicants are vetted for expertise and trustworthiness, which builds cachet. Members of the league both enjoy the work and think it beneficial beyond the cool factor, building knowledge and connections useful to their day jobs.
Nor is the group like a patriotic hacker community, in that it is formalized and transparent to the world, as there is no desire to keep it secret. In fact, it's just the opposite; the nation is trying to show that its defense extends beyond its official resources. In many ways this is the opposite of the model of cyberwar that we saw in the Part II focus on the US and Chinese strategies. Rather than arms racing toward MAD, it's more akin to how nations like Switzerland or Sweden planned to weather the Cold War with a strategy of “total defense” that applied the wider range of a nation's people and resources to its defenses.
The next step is to better enable governments to compete with the private sector. Recent proposals at DHS, for instance, have sought to give the traditionally bureaucratic government more flexibility in its hiring, such as allowing the leadership to change pay scales rapidly or provide additional benefits or incentives for cyber talent, including paying for additional education for free. To help the revolving door swing back, there is also the concept of an Information Technology Exchange Program. This would allow industry and government to swap cyber professionals for short stints, akin to a student exchange or fellowship program.
The bigger payoff, though, may not come just from more effective competition over the existing pool of professionals. Instead, we should widen the pool and build a bigger pipeline to tap it. For the United States, many of the difficulties in sourcing effective cyber talent come from systemic problems in science and mathematics education. American high school students rank 23rd in science and 31st in math among wealthy nations, and 27th in college graduates with degrees in science and math. Indeed, the trends are getting worse even at the university level. In 2004, the number of American computer science majors was 60,000. In 2013, it had shrunk to 38,000. Notably, the number of computer science majors was only half the number of journalism majors, despite the field being far more vibrant for job prospects.
A worthy approach is to link broader efforts to reverse these trends to specific needs and opportunities in cybersecurity. One concept is to play NICE, short for the National Initiative for Cybersecurity Education. Designed to take a national-level approach to increasing the cyber talent pool, its ideas include a fellowship program that targets “Emerging Leaders in Cybersecurity,” to help steer them into cybersecurity degree programs, and the DHS's Secretary's Honors Program for Cybersecurity Professionals, which recruits college students into ten-week internships at one of its cybersecurity programs and then offers them a full-time job after graduation. A similar program in Israel provides such opportunities as early as the tenth-grade level, seeking to find and excite kids before they even get to college.
Many major companies are discovering that they also have to set up similar programs to keep pace with their growing needs. Northrop Grumman, for instance, set up an internal Cyber Academy that will train well over one thousand employees a year. Its competitor Lockheed has a similar-sized Cyber University. These numbers sound enormous until one recalls the fact that it's not just the cyber warriors or IT professionals who increasingly need these skills. At Lockheed, only about 25 percent of the people who get the cybersecurity training actually work directly in cybersecurity jobs.
Building out this pipeline also requires us to rethink who and where we recruit. Lynn Dugle, president of Raytheon's Intelligence and Information Systems, describes this as one of the major problems of securing cyberspace today. “We are looking for talent in all the wrong places. And the organizations and companies that most need this type of talent will be the least likely to attract it.”
Not only is talent scarce, but it often doesn't fit the same mold. Despite cybersecurity's relative youth as a field, many organizations approach it in the same old ways, which Dugle describes as too often “overreliant on historical learning methods and processes and have a real prejudice toward people who work 9 to 5, are willing to contain their personal time off to three weeks, and to charge their time in 6-minute intervals.” Her own firm, Raytheon, is one of the leading defense and aerospace firms in the world. Like many other businesses, it understandably is biased toward college grads who show up at job fairs in a suit and tie, intending to join the firm at a junior level and then make a career of it by gradually moving up the ranks. They've discovered, though, that this isn't always the best way to get the top cybersecurity talent.