Does Dearth of Infosec Pros Pose Risk?
NSA's Information Assurance Director Doesn't Sugarcoat the Truth
Dickie George is technical director of the National Security Agency's Information Assurance Directorate, and in the second part of an interview with GovInfoSecurity.com (transcript below), he describes a shortage of skilled infosec pros in government. Does such a shortfall in cybersecurity talent place government systems at risk?
"I wouldn't say that we are insecure because of that, but it makes the challenge harder for us," George says. "Security is not a zero-sum game, either. You are not either secure or insecure, it is how secure are you, what is the threat, how hard is it to take advantage of that threat. It is a complicated issue. It is not to say that if I had three more people I would be secure. What kind of security can we create for the nation?"
In the interview, conducted by GovInfoSecurity.com's Eric Chabrow, George also discusses:
- Competition among government agencies and the government and business in recruiting far too few cybersecurity professionals.
- Need to start educating students early about IT security in hopes they'll be attracted to a career in cybersecurity.
- Lack of cybersecurity awareness among American citizens.
In Part 1 of the interview, George addresses the technical challenges facing the NSA in securing its IT systems, including staging attacks on its IT.
George began at the National Security Agency in August 1970 after graduating from Dartmouth College. He started in the Crypto-Math Intern Program, having tours in Research, the SIGINT Directorate and the Information Assurance Directorate's predecessor organization. Except for a tour in the Signals Intelligence Directorate and one at the Center for Communications Research in Princeton, he has worked in the Information Assurance Directorate since 1973, and has served as its technical director since 2003.
ERIC CHABROW: Where does the NSA find and how does it develop knowledgeable IT security professionals to meet its cybersecurity challenges?
DICKIE GEORGE: That's a great question. The good news about today's world is a lot of the people that we are recruiting are people that have grown up with today's technology. It comes as really natural to them. Where it doesn't come quite as natural to a lot of our more senior analysts, and that is a great thing.
We also see that we have the Centers of Academic Excellence where we have partnerships with 106 universities around the country and they are teaching the kind of skills that we need. So we are being fairly effective at finding the right people with the right skills to fill those needs; we don't find enough. We have tremendous needs and we have the same needs that private industry has and that competition for these scarce talents makes it really hard. But the good news is that we are all part of the big team and we don't win unless the private industry wins as well. But the important partnership with us is partnering with the universities to get the kind of education that the kids need to get the hands-on training that allows them to understand.
I have a personal belief that it is really hard to build security unless you know how to attack it. It really helps to get in the lab and see how things break, how they can be misused and how these layers of security can be defeated when you are trying to build a solid defense. You have to understand the threat before you can defend against the threat.
CHABROW: For a student, that sounds like that would be an exciting thing to do.
GEORGE: When I talk to the students, they are really excited. When I compare the kind of education you get in college today as to when I was in school, it is so much more hands-on, so much more real world that they have a tremendous opportunity to really do things that matter. Things that really are effective in today's world; they solve real-life problems as opposed to theoretical problems. It is an opportunity they have to really make a difference, even as students.
CHABROW: I am listening to you and I am thinking of an article I did a few years ago that addressed the decline in interest in computer science students at universities around the country and at that time people were more interested in going into things like forensics. I am wondering now, with more attention being placed on cybersecurity, do you see a growing interest among young people to get into this field?
GEORGE: Yes, definitely. One of the things that drove people into IT a few years ago was the dot-com boom. That is where the jobs were and people to some extent are interested in what they are going to be doing for the rest of their lives. When gaming was hot, and it still is hot but the jobs aren't there like they were a few years ago, that was something that drove people into computer science. In today's world, there is so much emphasis on cyber. It is going to attract students to that area and that is going to make a difference for us. The number of computer science majors is way down, particularly in this country, of U.S. citizens, it is down. We need to build it back up and we need to work hard with the universities to not only get the right people interested but we have to start at a young enough age that they understand that there is a future there for them and that they can do something in science that is meaningful and challenging. It is a great opportunity to work with students when they are freshmen, when they are sophomores in college, when they are in high school, to make them understand that they have a bright future and they can make a difference. Today's students really do want to make a difference.
CHABROW: You referred earlier to the challenge of finding qualified people for the NSA. Obviously, this is the same kind of challenge that industry faces as well as other government agencies. How serious a problem is that?
GEORGE: For us, it is a huge problem. We need to hire the best and brightest and we go out to the universities, we see those students there, but we also see a lot of other government agencies and a lot of private industries that are all after the same skills. There aren't enough people to satisfy all the needs in the country and that is a significant problem for us.
When we are looking at succession planning, who are going to be the real leaders in the future? We need to get those kids when they are young, when we can build their understanding of the system, when we can use them for a long time to really be our leaders in the future. And we are competing for exactly the same skills and it is really hard; it is a challenge.
CHABROW: Are the IT systems of the military, the intelligence community and civilian agencies at risk because we can't find enough people to fill the jobs in IT security?
GEORGE: I would say that we could always be better than we are and we would be more secure if we had enough highly skilled people to satisfy the needs. I wouldn't say that we are insecure because of that, but it makes the challenge harder for us. We have a group of people that take this very, very seriously and are working very, very hard on it. We are always looking for a few more smart people that can come in and have a few more creative ideas to make us more secure. And security is not a zero-sum game, either. You are not either secure or insecure, it is how secure are you, what is the threat, how hard is it to take advantage of that threat. It is a complicated issue. It is not to say that if I had three more people I would be secure. What kind of security can we create for the nation?
CHABROW: Anything else you would like to add?
GEORGE: Well, I always have a story I like to throw in. If you think about security today, we have technology that is capable of doing it, what we need is a user base that understands the threat. I talk about when I was in school and about once a month an alarm would go off and we would all dive under our desks because somebody might be dropping a bomb on the school and they were trying to protect us. You know it wasn't too far from World War II. My parents lived through that and so there was really an understanding of that threat and an understanding of the damage that could occur if someone dropped a bomb on the school. So we would all dive under the desks and when I went home, half the kids in my school had bomb shelters in their basements because they understood the threat.
In today's cyber world, cyber is so much more complicated than a bomb that it is really hard for people to really understand the threat and understand how to defend themselves against that threat. That education is what we have got to achieve as a nation so that we can all work together to make ourselves a much harder target.