Cyberwarrior Shortage Threatens US Security
An anonymous reader writes "US security officials say the country's cyberdefenses are not up to the challenge. In part, it's due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of US computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering. 'We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time,' says James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency, and the Energy Department."
The USA has a bad habit of arresting anyone with the skills and curiosity to perform such tasks. Instead of arresting and jailing "hackers" they should employ them, and then maybe we'd have enough people for the "cyberwar" they are talking about.
If telephones are outlawed, then only outlaws will have telephones.
If there is such a shortage of talent, maybe we can offshore this responsibility? Maybe to China? As a bonus it will be less expensive.
Trolling: When you do it right, nobody realizes you've done anything at all.
The US treats anyone with the least bit of curiosity or know-how with suspicion.
Maybe it's because we call anyone with even the smallest amount of computer knowledge a witch^H hacker, and burn them at the stake^H^H^H^H^H^H put them in jail (or detention, for the juveniles) while banning them from using computers?
It's pretty simple, guys. If you ban model rockets, you won't get a generation of rocket scientists. If you ban chemistry kits, you won't get a generation of chemical engineers. If you ban playing around with computer systems, you won't get a generation of hackers.
It is all about perception. I see high school advisors telling kids to stay away from computer science because they will be fighting for jobs against the whole world (programmers from India, sysadmins from the Bay Area, etc.). Instead, they tell them to go into law because "there is no such thing as an unemployed lawyer."
Russia and China, it is different. There, their security guys doing blackhat/white work are viewed with similar respect as Special Forces guys are viewed here, as heroes for their country. Here in the US, a CS/IT person is looked at as someone who is going to be unemployed as soon as the PHB finds some offshore firm.
Change the perception, make it cool to be a CS/IT person. THEN you will have your "cyberwarriors" that are on par with the Russian/Chinese blackhats. Otherwise, the CS students will be taking their CS degree into law or business school.
Maybe if the country wasn't so obsessed with computer crime that it looks for black-hat hackers in ridiculous places, we wouldn't have this problem.
Chemistry sets and other "gateway drugs" to the sciences and engineering are also not as easily available any more. And isn't "creativity" declining too?
Yes. I know what they should do. Bring back Photon and use it as a recruitment tool: http://en.wikipedia.org/wiki/Photon_(TV_series)
Who in their right mind would join up with an organization which wants to call you a Cyber Warrior?
I mean, I get it from the perspective of appropriating money that should be used for better causes and justifying your 6 figure salary and all. But this whole thing is laughable.
A big part of the problem is that those jobs are very unappealing. First the applicants have to get a security clearance, which weeds out all non-citizens and a good deal of other applicants, then they are forced to work in secure facilities that feel like caves or underground bunkers, and on top of that they aren't allowed to discuss what they do in anything but the most general terms. Taking a job doing cyber ops for the government is volunteering to put a giant gap in your resume that you can't discuss.
"We don't have sufficiently bright people moving into this field"
Yet we have sufficiently bright people who can create a system that rapes the stock market.
Which one pays better?
the growth in cynicism and rebellion has not been without cause
...is legal and cultural. The US penalizes innovation and experimentation more than anyone. The US government is responsible for the DMCA and massive efforts to punish people for hacking their own hardware and software, ludicrous prison terms, and so forth. On top of that you have a move away from generic, "hackable" computers to walled garden, Apple style technologies. That kind of culture doesn't really nurture a generation of future hackers. We don't encourage youth people to explore technology, we want them to play by the rules and keep their noses clean. With hacking hardware and software so stubbornly discouraged, it's no wonder that not very many people have the desired skill set.
As an educator, specifically a computer science educator in higher education, I have to say that this is a shortage that the US has created. Let's see, if we outsource all IT jobs, and then allow various industry groups to sue the snot out of people based on their IP address; let's tell all potential students that jobs in this area can be done overseas, and that there is no reason to go into this area; let's pay low, low wages, and accept low-quality work from people who rose through the ranks due to politics rather than ability; let's reward people for paper certificates that they obtained through cram sessions and cheat sheets; let's do everything within our power to make this an unattractive field of study. And now, when bright, curious, intelligent people are needed in this field, let's wonder why they're not there.
Cynicism - the last refuge of those people who want to simply say, "Well, duh!"
In part, it's due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries.
Based on my own experience, I would argue that there is a severe shortage of computer security specialists and engineers with the skills and knowledge and desire to do battle against would-be adversaries. Whether it's a personal financial concern or a personal ethical concern, there are lots of great reasons for skilled and knowledgeable experts to seek employment elsewhere.
Slashdot? Oh, I just read it for the articles.
The fact that we are using the ridiculous term "cyberwarrior" suggests that, at the very least, the people writing the PR playbooks don't have a fucking clue.
In addition to being corny as hell, "cyberwarrior" implies a dangerously literal application of traditional military doctrines (i.e., you have the civilians, who do whatever, and then you have an army that stands between them and the bad guys and blows things up) to computer security. With networked computers, aside from the specific case of DOD sysadmins, virtually all of "computer security" is about making sure that the (overwhelmingly civilian) software and systems are properly designed and built. That isn't something that you are going to do by having a few "cyberwarriors" to hack through the enemy's code walls, or whatever. That is only doable by, more or less, massively increasing the status (and cost, sorry MBAs...) of programmers, software engineers, sysadmins, etc.
Obviously, there will be some need for near-black-hats to spook around hostile networks in the service of various sinister three letter agencies; but the vast majority of "computer security" is much closer to being analogous to a civil engineering or public health question than it is to being a military one. Trying to solve "cybersecurity" with a relatively small number of "elite cyberwarriors" is rather like trying to keep a population from dying of cholera by building a few world-class research hospitals (with bed space for like 1% of the cases), rather than having civil engineers knock together a water system...
Go look for the idiot that started the Hacker's Crackdown in the 90's. The result of this attitude was to either push some kids to the edge where the Russian mob recruited them in one form or another, or plain make them corpodrones, albeit very good at typing crap into a Cisco console, but perfectly worthless in the underlining of the net.
Bravo, idiots, might I remind you that here in the net, we foresaw and told you about this. And now you come complainin....
NO SIG
Anyone who has ever worked in government IT knows that it is the last place for a competent person. The average bureaucrat considers IT to be one of the easiest ways to launder kickbacks for party supporters. Competence ONLY gets in the way. Worse, they'll even try to get you to make that slop work. Fall on your swords now, "cyberwarriors". (snort!)
necessary to do battle against would-be adversaries. The protection of US computer systems essentially requires an army of cyberwarriors
Who is the enemy? If you think it's a nebulous "them", then you're wrong, it's us.
"security" where I work is primarily focused on giving as many employees parking tickets as possible, monitoring our every move (although car break-ins are of course not monitored), protecting the company from downsized employees, and generally being bullies.
I can assure you that "leet cyberwarriors" are not going to be used against enemy nation of the week, but against Americans. Against people with the mistaken idea they live in a free country. Against anyone standing in the way of the big corporations that pay for our elections. Against anyone who does not understand they exist to serve the govt, not the other way around.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
There are plenty of people who know how; it is just that the knowledge leads to suspicion by law enforcement and practice of said skills is illegal.
It's the same thing as if this guy said, "There aren't enough people who know how to murder and our spy agencies are having a hard time finding assassins!"
RIP America
July 4, 1776 - September 11, 2001
I'm less concerned about the cheesy term scaring away hardcore techies (they can always just mock it in the break room).
I'm concerned about managerial decisions, program planning, and the like. It is hard to think correct thoughts with broken language, and "cyberwarrior" is broken language (except, again, in the specific context of l33t black-ops haxx0rs for the NSA who play offense. They may or may not like the term; but they are at least structurally somewhat analogous to various flavors of elite-and-slightly-irregular forces that have been used in the past.)
My concern, essentially (in addition to the fact that "cyberwarrior" is an invitation to the quiet militarization of just about anything Turing-complete and network connected, all in the name of "security") is that this sloppy use of language will (and already is) lead to sloppy, incorrect thinking on the part of politicians and planners and the like. You'll get roughly one of two outcomes:
Outcome one: The "guard the borders" interpretation. This is the analogy extension of "cyberwarrior" that anybody whose worldview is steeped in the classic American quasi-isolationism (that comes quite naturally from having an ocean on each side, and largely untroublesome borders) will come up with. Basically, civilians get to be the soft chewy center, and go about their business however they like, and the military stands guard at the edges and occasionally goes overseas and kills some Nazis or communists.
This interpretation, while the better of the two, is largely useless. With modern internet interconnection, pretty much any sort of electronic attack will fly right past the border and into the ghastly mess that is civilian systems with ease. Even fairly petty criminals will not have much trouble, and some hostile nation's targeted attackers even less. Also, because of "COTS" fever, low-bidder private sector code will be all over military critical systems as well. Hurray.
Outcome two: Super sinister, and not necessarily much more useful than Outcome one. This is the bad analogy extension of "cyberwarrior" that will be arrived at by either retro "total war" theorists, or their contemporary counterparts who have been hitting the "9/11 changed everything, new kind of war, asymmetric undefined battlefield, war on abstract concepts!!" pipe pretty hard. Here, the thinking will roughly be as follows: 1. There is a state of "cyberwar". 2. "Cyberwarriors" must be used to win the cyberwar. 3. All internet connected systems are strategic resources, and/or strategic targets, and are therefore under the just jurisdiction of the "cyberwarriors" until such time as the cyberwar should end (i.e., never).
Basically, this outcome will mean massive militarization (and some super-juicy contractor food) of previously civilian areas; because, there is a cyberwar on, so if you are on the internet, you are territory...
So, is it "We don't have sufficiently bright people," or is it "our people aren't performing with sufficient brilliance"? The difference is nuanced, but significant in both causes and effects. Sufficiently bright people will tend to seek an environment where they are afforded opportunities to excel. Highly bureaucratic organizations where politically ambitious leadership (albeit very, very, bright) chase silver-Power Point bullets inside of banners quoting their sponsors like packs of 8 year olds chasing a soccer ball tend to repel, or paralyze, the best and brightest; that's even if, especially if, first attracted by the skillful sales pitch. I suspect that there are plenty of exceptionally bright people throughout the National Security Apparatus; however, it's like throwing National Guardsmen on the border in response to a couple of adverse editorials. Lacking a clear mission and effective rules of engagement supporting rationally assigned tasks, an exceptionally capable force becomes an otherwise useless consumer of time, money and supplies, not because they aren't bright and capable, but because nothing they're allowed to do is effective, and nothing effective is allowable. Same situation here. Until we figure out the mission, agree on the operating boundaries, and create conditions (including legal and governance framework) wherein bright people can work the problem set and not have to chase soccer balls, no amount of hand wringing, DSB studies, slogans, speeches, or bolded Power-Point bullets, with or without lightning bolts, will accomplish anything very effective. I am curious, what the heck means "Veteran Cyber Security Specialist," since that relatively nonsensical term simply wasn't coined that long ago.
I have been in IT for 30 years. I started in the USAF, and went on to work for defense contractors. Have held several clearances, including top secret. Have degrees in math and comp sci. I am presently long term unemployed.
It seems to me that these "desperate shortage" articles come out routinely. No matter how many major IT layoffs, or how many CS grads can not find a job, or how depressed wages are for IT pros.
Why are these articles never specific? Exactly what skills do they need that they find so hard to fill? Exactly what credentials are they looking for: BSCS, PhD, CISSP, CCIE, or what?
Why do these articles seem to reek of corporate/government propaganda?
Good IT guys don't want to go through the nonsense associated with these positions. They can get jobs with private industry that don't have the headaches. I live in the Washington area and there are plenty of IT jobs here. You just have to have a TS/SCI or plan to get one. I'm much happier not having the FBI asking my neighbors questions and crap like that.
They typically run these propaganda campaigns about every six months.
http://www.fiercegovernmentit.com/story/u-s-faces-shortage-cybersecurity-workers/2009-12-23
Screaming and crying about desperate shortages is just a routine part of business. It keeps the poor saps studying for a career they will probably never get. It keeps the markets nice and glutted.
IMO: what really gives this away as propaganda, is the lack of specificity. They will never tell you exactly what credentials are supposedly in such short supply.
Everyone is focusing on government crackdown on hackers...but no one is focusing on standard reasons -- like how does government pay compare to what the person might earn in the private sector?
Ok, now ask -- how much has the government done to cultivate love for country in the past quarter century?
How about patriotism? No...paying people to snitch on their neighbors is not considered something that builds loyalty to country.
Ok...now put the pay item into perspective....
What are the pay and job prospects for software types, in general in the US -- compared to say, 15 years ago?
Add all that up...ignore the curiosity=jail trip...
standard job market indicators would tend to say this type of job isn't going to be a big attractor these days...
Now add the curiosity=jail nonsense and get tough on US-citizens/war on US citizens rhetoric that is so popular with the conservatives that have been in power for most of the past 30 years (the Reagan generation, 1980 and beyond).
The dominant paradigm is to keep voters and consumers stupid. Education is *bad* -- since percentage wise, the more educated people are, the more likely they are to have liberal or progressive views. Not a bright prospect for American future -- at least not for the majority -- for those who run the big Corps, the landscape looks brighter and brighter...
I doubt I'll live long enough to see the worst of it, or a turnaround...