Conflict of Interest: Certifiers Who Train?
Though cybersecurity is growing in importance within the federal government, there is no such occupational classification as an information security professional; most infosec specialists are classified as IT pros. But the panel's white paper listed nine cybersecurity skills sets: systems administration, network administration, security assessment, threat analysis, forensics investigation, programming, technical writing, security architecture and engineering and information security and incident management.
"Our notion here is that we needed to be concrete, not abstract, and so this taxonomy is not intended as the definitive answer but rather the beginning of something that could be built out," Franklin Reeder, a former official at the Office of Management and Budget who co-authored the white paper with U.S. Cyber Challenge Director Karen Evans, said in an interview with GovInfoSecurity.com (transcript below).
"Professional certifications need to be role based," Reeder said. "I need to know what it is I am hiring you to do to determine what credentials I need you to have in order to do that. ... First, this is an attempt to identify some of the key roles, and usually they are pretty intensively technical roles, that are part of the cybersecurity regime and then move from that to the skills that are necessary to perform/discharge those roles and ultimately to build a foundation on which certifications would be developed."
In the interview, Reeder also addressed:
- How IT security professional certification should be governed;
- Why organizations that train cybersecurity pros should not be allowed to certify them; and
- How the U.S. Cyber Challenge, a good-guy hacking contest, should help increase the pool of cybersecurity professionals.
Reeder, in part one of the interview, said a shortage of 20,000 to 30,000 highly skilled IT security specialists has put government and key private-sector IT security systems at risk. He also addressed the need to make the certification process more rigorous and the lessons the 21st century IT security profession can learn from 19th century physicians.
ERIC CHABROW: The Commission on Cybersecurity for the 44th Presidency recommends the creation of a continuing U.S. Cyber Challenge, and those are good-guy hacking contests I guess, aimed at encouraging the development of a cybersecurity professional class and the establishment of an independent board of information security examiners to develop and administer a process for certifying cybersecurity professionals. Why are those moves important?
FRANK REEDER: We are at both ends of the food chain, if you will. One of the criteria that has driven the commission's work since the issuance of the report in December 2008 was to try to be as specific as we could be about actions that could be taken, and indeed you will find in our report an outline of an action plan so that we get beyond hortatory exhortations to do good and avoid evil. The recommendations that were decided are two illustrations of where we think something concrete can be done.
The Cyber Challenge is an example at the front end of the food chain, at the beginning of the development of a labor pool to create opportunities for those who might have an interest in getting into the cyber world, or who already are but may not see a clear path. And, unfortunately some of them therefore engaged in shall we say more destructive activities, to reward them to create an opportunity to which they can be identified a little bit like the science challenges that emerged from the scare. You and I are old enough to remember post-1957, post-Sputnik, about the need for more opportunities for young people to become aware of the professional opportunities, in this case in the cyber world.
At the other end of the spectrum, a way of stimulating the development of more rigorous certifications, these things that in the marketplace will help consumers. Consumers here being both people who buy services and people who hire other people, to distinguish between those who have the requisite skills and those who may not. One way of doing that is creating something that would be shamelessly modeled on the National Board of Medical Examiners, which interestingly enough is about 90-something years old now in the medical field. Going back to my tortured example, there is a way of determining who in the medical field is board certified in a particular specialty and who is not. That board doesn't necessarily need to be the sole source of certifications, but it needs to be the body or it could be the body that both develops rigorous certifications and that promotes greater rigor in the certifications that are being developed by other bodies.
CHABROW: The commission in its appendix provides a taxonomy of cybersecurity occupations, and let me just quickly go through them; systems administration, network administration, security assessment, threat analysis, forensics investigation, programming, technical writing, security architecture and engineering and information security and incident management. Why is it important to have such a taxonomy?
REEDER: Our notion here is that we needed to be concrete, not abstract, and so this taxonomy is not intended as the definitive answer but rather the beginning of something that could be built out, and indeed there are entities, particularly under the auspices of the Federal CIO Council working collaboratively with the Office of Personnel Management to do this.
Professional certifications need to be role based. I need to know what it is I am hiring you to do to determine what credentials I need you to have in order to do that. Again, simple homemade example, having a driver's license is not sufficient if what I am really hiring you to do is drive big rigs or hiring you to maintain big diesel engines on those big rigs. This is an attempt first to identify some of the key roles, and usually they are pretty intensively technical roles, that are part of the cybersecurity regime and then move from that to the skills that are necessary to perform/discharge those roles and ultimately to build a foundation on which certifications would be developed.
You also picked up on something that is important to note: when we talk about cybersecurity professionals, we are not necessarily talking about people who are typically identified as cybersecurity types. System administrators, network administrators, those who write code are typically not identified as cybersecurity types, but what they do or the manner in which they do it is critical both to the deploying technology that is to the extent that we can make it safe, and then given that there is no such thing as absolutely safe technology, having the skills necessary to protect it, to defend it, and ultimately to recover when bad stuff happens, because bad stuff will happen.
CHABROW: One of the things that struck me in the report was a discussion around designating programmers as one of the cybersecurity professions. The report noted - I forget the exact wording - but something to the effect that almost every vulnerability can be traced back to code. In developing these taxonomies, is the designation of programmer a cybersecurity occupation or would all programmers need to have some cybersecurity background?
REEDER: As I see it, and there will be lots of debate around this, I would hope that a programmer who has to have lots of other skills other than secure coding would at some point be able to get a credential that says in writing the code that I write I understand and am able to demonstrate the things that are necessary to assure that that code is as free of flaws as it is possible to make it.
There are 25 things that anybody who writes code ought to know about how to do that securely. We ought to have a test and a practicum that folks who write this stuff that drives our sensitive technology ought to be able to demonstrate so that we can say, "Oh, this person knows how to do that." This is where we have found in our discussions considerable controversy about whether we could, as some have advocated, but ACM (Association for Computing Machinery), for example, and IEEE (a professional association dedicated to advancing technological innovation) are very concerned that we are not ready to write the definitive programmer certification and that is not what we are advocating. What we are advocating is a certification that an individual has the requisite skills if he or she is a programmer to write code that is as error free as we know how to make it.
CHABROW: Is this list of occupations aimed at identifying key occupations that are cybersecurity related that would be used in government or by government contractors in critical infrastructure, and not just for certifications?
REEDER: Absolutely. And in fact, another recommendation of the commission was that government, in its employment practices, because some of these people are on federal payrolls, use certifications as a way of identifying and rewarding folks, and through the procurement process begins to specify that when it is buying services that include cybersecurity support that the contract puts on those have the requisite professional certifications.
CHABROW: Anything else you would like to add?
REEDER: You will find, at least in Karen and me, just a little bit of passion around this. One of the things that we have both felt for a long time, and our concern here certainly predates the issuance of this report, is that if indeed we are to protect critical systems, and if indeed cybersecurity types are to become a profession, then there is a set of things that has to happen.
Certainly any certification regime needs to include a process for continuing education, and if you will, decertifying individuals who either no longer maintain currency or whose professional behavior has been called into question.
The other thing that I think is terribly important and I think we need to evolve to is the certification process needs to be separated from the training. We don't think that certifying bodies, and this is a first person singular opinion that Karen and I both share, I don't think the report says this but we think that the certifying bodies can't be in the training business. It is too much of a conflict of interest.
CHABROW: So what do you hope happens now that this White Paper is out?
REEDER: My model for this is a little bit like the 9/11 commission, which figured that when it issued its report or issued papers, that wasn't the end of the process but that was the beginning of one. There are a couple of things already happening. The U.S. Cyber Challenge is real and over the coming weeks and months we see a lot of organizations aligning around that and so we hope at the front end we see the beginnings of a ground swell to create opportunities for young folks to become more engaged in cyber and cybersecurity.
At the other end of the spectrum, we are already seeing some legislative activity and I hope that if the Congress in its wisdom enacts cyber legislation as at least we have been led to believe that they would like to get done, I realize they have one or two other things on their plates, but if they do enact legislation it is our hope that that legislation will push some of the themes that we talked about in the report so that we can use - and that legislation by the way is primarily addressed to the federal government, but if the federal government can both lead by example and use the lever of its acquisition process to encourage more rigorous certifications, then I think some of these changes can become real in months not years or decades.