US Not Training Enough Cybersecurity Experts
graychase writes "Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding. 'Look at all the great football and basketball programs. They're all on scholarships. They're not playing for fun — they're playing for money.'"
Shouldn't they be recruiting them from the trenches or simply luring script kiddies into the evil clutches of our federal government with promises of "no bedtimes", "free games, pizza & soda" and "no one here will make fun of you because everyone here will be like you"?
Nice try, but the public prefer jock-sniffing to everything else.
Besides, why train more people and drive down the wages of those who had the initiative to learn on their own? Businesses exist to fuck over their employees, so said employees should not dilute their advantage.
Your only "job security" is hoarding knowledge.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
We'll just recruit our cybersecurity from the obvious source: China.
I, er, hear they may have some relevant experience.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I'm sure the US can just hire some of those well-trained and eager Chinese cybersecurity experts who seem friendly and anxious to come across on H1 visa.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Working in the industry and hiring new Cyber talent on a weekly basis, I'd say that the authors aren't looking in the right place. We find the best, most talented folks are coming out of the military. These ladies and gentlemen are very disciplined, highly trained and have real (very real) experience not only within the ranks of military cyber operations, but most also have a good deal of experience in the intelligence community. They all have a great deal of experience (and preference) with open source tools, but understand the proper application and integration of COTS products as well. Anyway, my two cents.
...is state subsidized computer "crime" education.
Israel has had state-sponsored training for decades and looky looky they have plenty of forensic experts...
In the US we threaten anybody that touches these tools with prison and let the MPAA sue professors that attempt to study anything remotely like security.
Wherever You Go, There You Are
Starting salary at IBM is about $50k.
Additional Compensation:
---Employee Stock Purchase Plan.
---401k
---Options (maybe)
Pre-requisites: At least 4 years of college, optional advanced degrees. Experience with security and engineering solutions.
Starting Salary of Lebron James: ~$4m per year.
Additional Compensation:
---$90m Nike Contract
Pre-requisites: Ability to dribble and score with a basketball better than any other kid in high school.
Which would you choose?
If the universities fail to produce enough security experts, ISC2 is happy to convert your tech support guy into a CISSP for the low rate of $600, and $200 a year thereafter! If you order now, you can also get a CAP certification along with a free toaster.
At my current university, there are two undergraduate networking courses and one undergraduate security course. There's one network course in the graduate curriculum, but that's meant as a recap of the two undergrad ones if you didn't get your undergrad here. I would love to load up on network and security classes, but there's simply none being offered.
"It's a reverse vampire...they....they crave the sun!"
Unless the US government is planning on becoming a university booster, then I would expect that sports programs will continue to get the scholarships. He is right, they are playing for money... college sports is big bucks for the school.
when the government and industry decide to move away from making systems and software increasingly more secure and instead focus on draconian laws with punitive sentences that start at a decade for benign acts regardless of intent or whether you informed the target of their weakness and how to correct it.
Security through sentencing.
How are cybersecurity experts really trained? In universities? Private industry is on the cutting edge of computing, not academia.
So, what about private industry? Would anyone really want their son, daughter, nephew or niece to go into any field that would prepare them to be cybersecurity experts? Outside of jobs that require security clearances, it seems that there is a pretty good chance of getting offshored or at least outsourced. Who wants that kind of job security?
Funny, despite all the comments about universities, when earning an "advanced" degree in computer science (where many of the students could not program their way out of a wet paper bag), the US government gave me no tax breaks whatsoever with the hefty tuition. In my case, I did not overly care, but in general, the incentives for earning academic credentials in computer science seem somewhat limited.
The Gov has had this program going for over 10 years:
"The Federal Cyber Corps Program
The Cyber Corps Program is open to students currently completing their junior year of undergraduate school or first-year of graduate school. In addition to a stipend of approximately $1,000 per month, the Program pays for each student's tuition for two years, room and board, and travel to conferences.
After one year of training, students complete a summer internship in a federal agency, learning first-hand about computer security issues and putting into practice what they've learned in class. By the end of the second year students earn an undergraduate or graduate degree in computer science in addition to multiple federal-level computer security certificates as endorsed by the Committee on National Security Systems (CNSS)."
http://www.justice.gov/jmd/ocio/cybercorps.htm
There are lots of people out there interested in cyber security. "Hackers" are in all the movies and are kind of cool. But the ability to become a legitimate security expert is limited, partly because the government, which hires tons of people to perform physical investigations and fire guns, has failed to keep up with the times. Look at the military, for example. If you want to be a well paid cyber security expert, or even an important one, you basically have to go into the private sector. You're sure never getting promoted within the ranks of the armed forces, or even well paid, so why deal with being constantly undervalued? And their focus is completely wrong. First, unlike the private sector, they care about how physically fit you are much more than about how competent you are. Second, they care a lot more about credentials and conformity than the industry does. Computing, especially computer security, is a young field. I've worked with lots of network security experts that had a PhD and wore a suit, but I've worked with just as many that had no degree (or a degree in jazz) and wore lewd t-shirts or dressed like The Cure. Industry considers this latter category to be a huge asset and even makes sure to show them off to clients; we have those quirky genius types on staff. The government just writes them off as not real experts because they didn't give up a $100k job doing real security to go back and get a degree they don't need.
And frankly, while the industry has respect for the NSA, it has pretty much written off the rest of the government as a lost cause when it comes to security. They're too firmly in the pockets of corporate interests, useless contractors, and bureaucratic nonsense. How many competent security experts have refused or quit working for homeland defense saying it was impossible to do the job given the resources and idiotic policies?
Seriously, if the government does not think there are enough experts, start handing out scholarships and setting up internships. The NSA already does so. Better yet, start hiring security people with actual authority and discretion, like experts in some other fields have. Put security experts in charge of hiring, retaining, promoting, and running security, instead of being beholden to superiors who want to run them like they do the motor pool.
DHS has a small scholarship/fellowship program (http://www.orau.gov/dhsed/), but the fellowship program is on hold this year (http://www.orau.gov/dhsed/2010pages/fellowship.html)... Now the DHS cybersecurity guy is complaining and saying "more scholarship money!". Go figure.
Universities are lagging not just in security tech but systems tech in general, and systems administration in particular. Network engineering training programs do a much better job, and software engineering programs do a fair job addressing security. The missing component is systems administration.
Security is only as good as its weakest link. If you are focused on communications, or focused on code, and ignore the larger picture (i.e., systems) vulnerabilities will be inevitable.
Another problem is financial. Bean counters and stock holders are focused on the short term whereas security requires a long-term perspective. Because new features can be implemented quickly, without taking time to implement security (see any Microsoft OS for the most obvious examples), they often are. Only high-level input from systems analysts (i.e., senior systems administrators) can address this. This is also why a lot of applications are coded in scripting languages like PHP and Perl, which don't provide for strong compile-time code checking or have good run-time security profiles.
When universities have Unix/Linux Systems Administration degree programs we will see better computer and communications security, especially if those programs are run by experienced sysadmins (as opposed to PhDs or career academics). When systems administration graduates have a seat at the table alongside project managers, software engineers, requirements analysts, HR and accounting you will see better security.
Until then it will continue to be the same ol' same ol', with lots of activity in Bugtraq and CERT, and lots of time wasted on software upgrades.
At my university athletic scholarships are funded in part by dedicated donors only interested in athletic programs ("No, I won't give anything to the university as a whole, but I will buy red turf for the football field." Really.) And much of the shortfall is made up by student "activity fees" about half of which goes straight to the athletic department and a big chunk of that to scholarships.
There are plenty of people graduating with computer security degrees these days; I'm one of them. There are quite a few programs already offered by various colleges to attract more security students to their program. RIT, for example, offers what essentially amounts to a free ride for anyone who is willing to work for the NSA after they get out. I live in Texas, so I know from personal experience that Texas A&M, UTSA, and a plethora of smaller universities and community colleges are cranking out security graduates non-stop. The CCDC (Collegiate Cyber Defense Competition) is a pretty big deal in this area.
The real problem is that very few 20-somethings in this field want to work for the government, let alone the DHS of all places. Anyone who is coming out with a security degree is obviously going to be active on the internet every day, and I shouldn't have to explain the general feeling towards government cyber-security practices among the internet crowd on Slashdot, of all places. Even here in south Texas, where you'd expect the most support for agencies such as the DHS, I've never met a security major that is at all interested in working for the government, despite what essentially amounts to begging and pleading to take a job there. I know that I probably couldn't look myself in the mirror every day if I worked for the DHS or NSA as a security expert. Protecting our nation's computer infrastructure is one thing, but there is no one in the field who believes that's actually all that our government does with its security staff.
One problem with IT in general, and especially its little niche subfields, is the lack of formal training. Skilled trades get apprenticeships to teach newbies the ropes on the job. Professions like medicine, pharmacy, engineering, etc. have standard accredited training and licensure requirements.
We have none of that. The field is still so wild-westy that vendors largely control training and education. Universities provide grads a CS or a "vocational" IT degree, but it's all theory. Lots of us didn't even go to school. I'm a science guy by education, and wound up here. Other people I know were educated in something not even close to IT. Still others took the "Get Certified and Make $100K In 10 Days!!!!" training courses.
When a software developer or IT guy gets out in the real world, the education side of things is usually left up to vendors, who are desperately trying to push their latest product. It takes a new guy a long time to realize that (a) VendorX doesn't have a complete lock on FieldY, and (b) VendorX is trotting out the exact same thing as 10 years ago, this time with an improved support structure. (Example: VDI is "OMG -drool- brand new hot technology" but VMs have been around in the mainframe world for eons, and thin clients have been...OK...for years. The difference now is that bandwidth is cheap and fast, which it wasn't 10 years ago.)
So what do the Feds want as "cybersecurity experts?" Are they thinking of capturing virus writers and forcing them to work for us? Are they thinking the guy installing Symantec Antivirus from vendor instructions is an expert? And what could universities possibly do about it? Courses like "CYS 425 - Introduction to SQL Injection Attacks?" In my mind, anyone who really belongs in the "IT profession" should be grounded so well in the fundamentals that they can be crafty enough to find security flaws in their own software. If they're systems guys (like me), they should be smart enough to test vendor assertions.
Instead of just giving scholarships for CS degrees, I think the profession should rally around making sure everyone is qualified for an IT job at the level they're working at. And I think that some of this needs to be general enough to transcend vendors. Someone should know "operating systems" instead of "Windows" or "Linux". It shouldn't be an absolute culture shock to take a person working in a Windows environment and put them in front of RHEL with a small amount of introduction. How many of you guys work in a Windows-centric place that has one Linux box everyone is afraid to touch? THAT'S what we have to fix!
Of course people aren't going into this field. Look who's in charge.
This Richard Marshall, "Director of Global Cyber Security Management, Departent (sic) of Homeland Security", is a lawyer. From LinkedIn, his undergraduate degree, from The Citadel, is in history, English & political science. He then went to Creighton and Georgetown University law schools.
The last person in that job who knew what he was doing was Amit Yoran, who had a computer science degree. He kept saying that Microsoft operating systems were the big problem, and was sidelined for that. He was replaced by Cisco's lobbyist.
What we have now is a lawyer making policy recommendations that effectively mean doing nothing. That's "Homeland Security".
Extremely well said.
If we don't have enough cybersecurity experts, why are we passing a law requiring licensing, which will only bar more people from the field?
In the American culture, it's the norm to take someone who was born at the right time of the year (for hockey that's January, February or March, for baseball that's August or September), realise that these kids "are so much bigger than other kids in their grade"...because they are, they were born at the right time of year, give them more playing time and encourage them to play, give them better coaching and better equipment, and the next year it's the same (still bigger than a kid 10 or 11 months younger than they are) and give them more opportunities, then give them scholarships to go to college, and then pay them crazy amounts of money on the job. In computers, people pay their way the whole way; they may get labelled 'geek' in school (and not in any kind of good way), they encourage those in sports to attack them at school and bully them 'to help with the sports players' self-image'. Then the 'geeks' finish school, they take on manual labor jobs to pay for higher education. They are berated because they are not as fast nor as strong as the 'athletic' employees. They persevere, go to college, put out 50 resumes to get 1 call back working in something still menial: 'clean the computer', vacuum the dust out of them, etc. But hey, it's a start. They can then start paying off the student loans for college (loans plus interest). After graduating from computer janitor to actually doing something to affect the operation of the computer, they can expect to be berated by staff for the staff members' mistakes, and be paid accordingly. Who wouldn't want to jump in and be an overworked, underpaid, unappreciated security guy, who can be blamed for 'ruining the company'? And after 'saving the company' be told 'if you had done your job in the first place we wouldn't have to pay you overtime, so we won't'. I can see guys lining up for this. Ready and waiting to be quizzed "Do you save security 2.10A with extra extension?" Those without the extra extension need not apply!
And the latest software upgrades (the ones that came out last week), you should have 5 years experience with them!
Most of these stories are puff pieces done for or due to the FUD big consulting companies like CSC, Lockheed, Northrop put out to the bureaucrats in order to keep billing rates high. I have over 10 years of networking experience and an MS in Info Sec from a DHS sponsored school. I have applied multiple times to various positions and have never received a response back.
EGOTIST, n. A person of low taste, more interested in himself than in me.
You think we can get AIPAC to help us out with that? They do a lot of work with Israel already...
You have to define Cyber Security. Do you mean Code Hacking, Network Sniffing, Biometric Algorithm Creation, new Theoretical Application Creation, Compliance Program Expert, Firewall Manager, etc. Each different job requires a different skill set. If you want someone that can do all of these, then you have to pay the proper salary for that person, wait 10 years after they graduate so they have the skills to do each of those jobs, etc. Currently the Cyber jobs I look for want all of those things, plus 10 years experience, when the fields have only existed for a few years. Define Cyber Security - and then define what you are willing to compensate and define the requirements then you will be able to make broad statements about enough people in the field to fill a job requirement.
DHS has lots of Cybersecurity job postings.
Here's the catch:
If you have spent the last 20 years of your post-college professional IT life working in different combinations over time of systems administrator, network engineer, IT project manager, programmer on security, security-ish, and non-security projects and day-to-day IT work, then you, the 40+ year old, are deemed to be too fucking old to take a new job at DHS/USGOV as an IT Security Specialist.
So, that cuts the pool of those available to USGOV by 40-60%.
For months now, I have seen a campaign in the press to present the USA as defenseless, weak, and exploitable as far as our networking infrastructure goes. We are in a crisis of not enough experts to secure our networks. The demand is for huge sums to be given to education (including certifying apparently the entire Pentagon staff with that worthless CEH junk) in the hopes that some day, we can catch up. For now, we're wide open. So, badniks, here we are, caught off-guard by the security crisis. Please attack us! Show us who you are and where you come from and what areas of our network interest you. Hurry, this crisis won't last forever. (A real military analogy of what's going on is counter-sniper fire. A soldier pokes his helmet up over the parapet of his trench, while another soldier notes where the sniper is firing from.)
Why not use the hackers in jail to work for the gov so they can help us and not just take up lockup space?
About 20% of the best people I know employed as Security Researchers did not even graduate high school, including myself. I see this trending downward as more and more schools now have something of a security curriculum, but it's still very much an industry of self-motivated voodoo programming. Universities have always been decent at training operational security people (configuring/monitoring security appliances and policy issues), but I've yet to hear of a school with a good program on vulnerability discovery, exploitation, and reverse engineering code. For me, at least, it's much more of a mindset thing than a skillset thing, which is a lot harder to teach.
My company simply outsourced IT security to Nigeri~a &'`~7;% GET V1AGRa Fr33!
Table-ized A.I.
There are plenty of cybersecurity experts in the US. We just don't do drug testing and put up with invasive, privacy busting background checks. Not to mention the fact that the US govt doesn't pay worth a crap.
http://strydehax.blogspot.com/2010/03/where-have-all-hackers-gone.html