Is Infosec Worker Need Underestimated?
Former Associate Director of National Intelligence Suggests It Is
"We were really pretty far behind and we were kind of surprised that the Soviet Union was so far ahead in science and technology," Patrick Gorman, former associate director of the Office of the Director of National Intelligence, said in an interview with GovInfoSecurity.com (transcript below).
The return on that investment, just over a decade later, resulted in the United States landing men on the moon. And, the investments produced additional benefits such as the creation of the IT industry and other technological advancements unrelated to space.
Similarly, Gorman and others say the United States government and business should take the lessons from the space race and make similar investments in educating and training to build quickly the cadre of professionals needed to safeguard our digital assets. But, Gorman said, fear won't get the government and business to make the necessary investments.
"The way you sell these things is out of opportunity," said Gorman, a partner at the strategy and technology consultancy Booz Allen Hamilton. "If we put more emphasis into science, technology, engineering and mathematics, both from K-12 and the university level, we're going to get benefits that are not related to cybersecurity. This is a larger opportunity. Not only solve the cybersecurity issue, but I think we build up a foundation that is really going to provide the economic growth force into the 2020s. I wouldn't approach with fear; I would approach them from an opportunity perspective."
In the interview, with GovInfoSecurity.com's Eric Chabrow, Gorman also addresses the risk the nation faces by not having a sufficient number of cybersecurity specialists and the way the private sector can help to build a cybersecurity workforce.
Gorman joined the Office of the Director National Intelligence in March 2007 as assistant deputy director for strategy, plans and policy. In August 2008, he became associate director and acting CIO, leaving in August 2009 for Booz Allen Hamilton.
ERIC CHABROW: One estimate being bantered about is that America faces a shortage between 20,000 and 30,000 IT security specialists in government and in the industries that support our nation's critical IT infrastructure. Are those numbers right and how would you characterize the current state of the cybersecurity workforce in the United States.
PATRICK GORMAN: The numbers you are referring to I think came from a study by the Center for Strategic and International Studies that was released this summer. If anything, those numbers are understated. The demand is much higher than probably than the 20,000 to 30,000 because this is not just support in the government sector but it is also in support of financial services, energy and the whole commercial sector that is out there.
If you look at the trends we've seen lately, really since the .com crash, the number of computer scientist graduating from colleges with bachelor degrees have been really cut in half. They used to be about 16,000 a year.; they are about 8,000 a year now. Not only have are we not producing enough, but we've been going the wrong direction for about the last eight to 10 years.
CHABROW: Does the dearth of IT security specialists in government and key industries mean our IT infrastructure is a great risk?
GORMAN: When people start talking about cybersecurity, a lot of people like to focus on things like staying at the cyber command, things that the Department of Homeland Security has been doing, for example, or same building and facilities and all these things that are really interesting and they assume part of it resources. But the foundation of all of this is human capital. If we don't have the human capital in place, all the other stuff is not going to work. We're not poised right now to create the number of people with the right skill sets that we need to really support the needs we're going to have, not only within government, but as I said earlier, within in the commercial sector as well. It is the most critical piece of cybersecurity, so it's not just independence to it.
CHABROW: Why is the human element the most important?
GORMAN: As much technology is put into this, it's going to be the humans that are doing the architectures, they are doing the monitoring, and they're doing the instant response. At the end of the day, we can't build the technology; it's not going to save us in cybersecurity. It's going to be about the people who are on the front lines and working these issues, doing the forensics, designing and securing systems, laundering intrusion detection systems, all these types of things, and it is going to take people with high skill sets, and it's going to take us probably five or 10 years to really develop the cadre we're going to need if we are going to have a secure cyber space.
CHABROW: Looking at the current situation, how much are we at risk because we don't have sufficient number of IT security specialists working for government and industry?
GORMAN: We're at risk because we just don't have enough people to do the job. I think it is just an operational gap. The other thing that happens is that everybody is in competition for the same talent. At the end of the day, even though we may have 8,000 to 10,000 people that can serve as cybersecurity specialists in the country, probably 25 percent of them are world class, the few that really need to work on the hard problems, we need much more than that.
If you think about the global IT industry, it is a $4 trillion industry. The amount of numbers that we are talking about is a rounding error when you look at the amount of money that is being spent each year in IT. I think there is a significant gap.
CHABROW: And what does that mean to our IT systems today?
GORMAN: Obviously, it puts us at risk. The biggest challenge that most companies are facing that are into space; whether they're supporting government or whether they are securing their own system, is still not finding that talent. And it is finding talent with the skill sets that you need, I mean there are people have worked this stuff, and I think as the CSIS report pointed out, it's not sure that the current certification program is serving us well in knowing that what we're getting and the skill sets that we're getting are applicable to the environment that we face today. The law of the certification was developed 10 or 15 years ago, and I would argue that the cybersecurity challenges have evolved quite a bit since then.
CHABROW: As you pointed out, there are fewer graduates with the kind of skills that we need. There has always been a question about the science and math skills of American students that are going to feed into colleges. The government and private industries, including the CSIS, are trying things such as a cyber challenge, where there is great enthusiasm. But there were only 16 people there. Even, if a year from now, you have a few hundred, that's really nothing compared to what is needed. What do we do?
GORMAN: In 1958, when the Soviet Union launched Sputnik into space, United States responded very quickly with the National Defense Education Act. It is really recognizing that we were really pretty far behind and we were kind of surprised that the Soviet Union was so far ahead in science and technology.
The government moved out smartly and we moved out quickly, and they put substantial resources into building up our science, technology, engineering and mathematics foundation in this country, and I think it had several benefits.
One, all these direct benefits, the space program, national security; and the indirect benefits to the nation's IT industry that was coming out of Silicon Valley and out of Boston at the time. We were going to have unintended consequences of this and, if done right, there're good unintended consequences, and that's building up our STEM foundation (science, technology, engineering and mathematics) of this country. It is going to take something of that order of magnitude, because as you said earlier, you're talking 16 or 20 or 50 people involved in some of these things, you know we need thousands of people involved in these things not dozens. The order of magnitude needs to adjust, now I would say with CNCI 8 (Comprehensive National Cyber Initiative's eight initiative), which is the money the government put into education training around cybersecurity, is a great start, but I think that is a down payment on where we really need to go.
CHABROW: I see a couple of things that are different today then existed then. One is with Sputnik, there was a great fear because it was during the height of the Cold War that the Soviet Union would take advantage of space to attack us and it was that kind of fear. There was also sort of a national pride. I think people recognize cybersecurity as an important issue, especially people who understand it, but I don't know whether the public is there yet to provide the backing that Congress might need or the administration might need to promote these kinds of programs.
GORMAN: The way to approach these programs is not to sell it out of fear. The way you sell these things is out of opportunity. If we put more emphasis into science, technology, engineering and mathematics, both from K-12 and the university level, we're going to get benefits that are not related to cybersecurity. This is a larger opportunity. Not only solve the cybersecurity issue, but I think we build up a foundation that is really going to provide the economic growth force into the 2020s. I wouldn't approach with fear; I would approach them from an opportunity perspective.
CHABROW: What's your plan? What should we be doing?
GORMAN: There are several bills in Congress. Everybody kind of recognizes this. There is nothing new here. People are underestimating the size that we really need to build out. What we're going to have to do is figure out what is the right number of graduates we really need. We have all these antidotes, we need maybe 20,000 to 30,000 cybersecurity professionals. I don't know if it is that, maybe it's 50,000, but we got to figure out what it is and we have to put the money from the federal government into basically a scholarship program and building on existing programs through the National Science Foundation and through the Information Assurance Scholarship program that is run by Department of Defense. We have the channels; we have the mechanisms in place, so it is just the matter of sizing this and then increasing the amount of funding for this. The universities are in place with these academic standards of excellence that have been set over the last 10 to 12 years. A lot of this stuff is in place. It's just the matter of putting resources into it.
Part two is the private sector has got to step up. One of the things that we did within Booz Allen was create a cyber university to take a lot of our existing staff and train them in cyber and cybersecurity, and to give them skill sets that we couldn't necessarily get from universities or existing vendors. We had to kind of custom make some of this stuff. The private sector has to make investments as well; this is just not a federal government issue. Obviously, state and local as responsibilities as well, so it's going to take a partnership of industry and government to come together because it is in all of our interest to build up, not only a capacity, but the skills that we need so again, we're not retraining people five or 10 years down the road when we should have got it right the first time.
CHABROW: The CSIS report dealt with the occupational classifications the government should adopt for cybersecurity and many of them sound like traditional IT jobs, including programmers. Are we at a point where we really need to redefine what a cybersecurity specialist or a cybersecurity professional is?
GORMAN: I think that is absolutely right, and that is what we did internally. We had a classic division of people who had infrastructure, telecom backgrounds and few, who knew networks, and we had the people that knew applications, and we had people that knew how to do programming. We had people that had information operations background. It was the classic way of thinking about it. We really need a melt of all that stuff, and we needed to put together a curriculum. Everybody got trained at a certain level and then they could specialize beyond that, and then you had beginning, intermediate and advanced capabilities. We have to step back and re-think what is cyber and what is cyber space, and what skills do we need to operate within cyber space to secure it in so that we use it to our advantage as opposed to suffering from the downside of it. And I don't think it is just a matter of re-jigging the existing occupational codes, I think it is about recasting and rethinking what a cyber operator is.
CHABROW: Are the most critical skills still technical skills?
GORMAN: You can't do this job without technical skills. Even if you're an international affairs major and you are looking at policy implications and treaty issues, and all the other things that are going on in cyber space, you still have to understand how the Internet works, backbone networks, fiber-optic cables, the technical protocols, because you can't go in and make discussions if you don't understand that stuff. It is the equivalent if you're negotiating strategic arms reduction talks in 1970s; you had to understand ICBMs, throw-weight, MIRVs, you had a technical base just to have that discussion. I don't think you can get away playing into space without having a strong technical foundation. Doesn't mean that is what you are going to do on your day to day job, but you do really have to know this stuff.
CHABROW: What do you see as the biggest obstacle for this nation to achieve the needed numbers of cybersecurity specialists in the next five years?
GORMAN: It's a matter of how do you turn this thing around that quickly so that the class of 2015 has instead of 8,000 computer science graduates or cyber specialists ... that we're turning out 20,000. We have to start reaching out to people in high school to get them excited about this. There is a public awareness campaign, that not only can you make money and do well in this career field, but it is actually very interesting. You're not going to be stuck in some cubicle coding and not have a social life. It is a dynamic interesting field and we just need to get the message out that this is something that if you're 17 or 18 years old should be very interested in.
CHABROW: Is there a concern that we're producing enough from elementary all through high school students who have the kind of math and science skills needed to go into this field?
GORMAN: We do every year a cyber intern program, so we run 80 to 100 students through that we get from different universities. Because these are sophomores and juniors, at this point they probably don't have the right skill sets that we're looking for, and we've been pleasantly surprised. Our schools are doing a better job that a lot of us give them credit for, at least my experience has been, or maybe we just got lucky picking really good interns. Their skill sets and their analytic capabilities are actually quite high. We have the right foundation. it is just a matter of channeling people into these programs and for industry to understand that they have a role in this too, and they are going to have make some investments as well. This can't just be a federal government supportive initiative. We'll get there, but I we have to move out now and we have to have a plan. They are putting one together and they kicked off some initial meetings around this, around what they call the NICE (National Initiative Cybersecurity Education) program, which basically builds up not only awareness but cybersecurity education with the Department of Education and building the federal work force through Office of Personnel Management and then doing the work plus training the development through DHS and DoD.
I'm optimistic that we're getting the right programs in place with the leadership place to do this. The question is are we going to move in a matter of months or is this going to take us years to get these programs under way, and if that is the case, then instead of the class of 2015 we're talking about the class of 2020.
CHABROW: How optimistic are you?
GORMAN: I would say pretty optimistic. The programs are in place. We're seeing leadership around this. Obviously, increasing the resourcing of this and Congress is taking an interest and in almost all the legislation that I've seen there is some element of education training, so I think everybody recognizes that this is the key part of how we are going to secure the country going forward.