Infosec Skills Gap Threatens Key IT Systems
"(T)hey are harsh words ... that was deliberately intended to call attention to the issue," former Office of Management and Budget executive Franklin Reeder, who co-authored the paper, A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters, says in an interview with GovInfoSecurity.com.
Reeder doesn't blame many of the organizations that provide professional certifications because the market drives current certifications that focus on understanding and implementing regulatory processes required by the Federal Information Security Management Act rather than the skills needed to secure computers.
"We are hoping over time that entities will emerge that will issue much more rigorous certifications and that the certifications that already exist will continue to evolve into much more rigorous indications that the folks who hold them are highly skilled," Reeder says.
In the interview, the first of two parts, Reeder discusses the thinking that went into the white paper, including the:
- The risks posed to government and key national IT systems because of a shortage of 20,000 to 30,000 highly skilled cybersecurity experts;
- Challenge of licensing government cybersecurity professionals; and
- Lessons the 21st century IT security vocation can learn from the 19th century medical profession.
ERIC CHABROW: Characterize the severity of the cybersecurity skills challenge that federal government faces.
FRANKLIN REEDER: I would expand it and say that American society faces. It's very hard to put a number on it, and being a numbers guy that troubles me a bit, but people in the know estimate that deficiency is probably on the order of 20,000 or 30,000. Let me qualify that a little bit; what we are talking about here are folks with the high-end skills necessary to both build the technology that is more resilient and to defend it.
CHABROW: When you talk about 20,000 or 30,000, are you talking about this is a shortage of people in government, in American society?
REDDER: In government and in industries that operate critical infrastructure; to talk about government per se is a little bit misleading since most of the people who operate the critical infrastructure on which not only government relies but also other sectors rely, are in the private sector. The government, with a few exceptions, doesn't hire most of the staff who run the technology that it uses to deliver services or process information.
CHABROW: And that is part of a tradition that government contractors have a lot of work or is it because there has just been a recent demand for cybersecurity specialists that the government just doesn't have the wherewithal to find those people?
REDDER: There are lots of reasons, some of them philosophic, some of them having to do with the fact that government traditionally has had difficulty hiring these kinds of folks. There are also very good reasons why, particularly in areas that are changing so quickly, the government can be a little bit more agile if it is acquiring these skills through the private sector.
The tide has ebbed and flowed a little bit from administration to administration, Republican administrations like to outsource a little bit more, this administration has made a commitment to in source, but that is really at the margins. In the high tech world everything from the moon shot to the building of atomic weapons has largely been a contracted operation.
CHABROW: Again, going back to the 20,000 to 30,000 number, is there any way to put that into perspective? Do you know how many cybersecurity professionals in these areas exist now?
REDDER: It's hard to get a handle around numbers when we know for example that there are, I believe at last count, 60,000 or 70,000 people who hold the ISC2 CISSP credential. My guess is that there are probably on the order of 100,000 to 150,000 folks who would be identified as cybersecurity folks in this larger workforce we are talking about.
The deficiency here is, and the number I'm talking about, is not necessarily in the aggregate but rather of the need for people with very highly developed skills, computer forensics, penetration testing, the skills that are critical to a robust and very sophisticated cybersecurity program.
CHABROW: Having that shortage of not many people, is that putting our critical systems in major risk?
REDDER: There is little doubt about that. Evidence again here is largely anecdotal, but there are lots of examples, a couple of which are cited in the report that show that the absence of folks with these skills clearly puts a lot of the information technology infrastructure at risk, now whether that is in the power sector or the Department of Commerce, or in the defense world.
CHABROW: Are there a sufficient number of people in our society who would have the skills to be able to develop the kind of skills needed to do these jobs?
REDDER: If you have faith in the American education systems as I do, and the quality of the workforce that it has always given us, it is in this world; I think our comparative advantage the answer is yes. Are they ready to assume these roles? Absolutely no.
CHABROW: Part of your recommendations are to try to get these people to assume these roles?
REDDER: It's a little bit of a stock and flow problem in the following sense. If you think about the kinds of recommendations we are making, they are of two types and these are not unrelated.
One goes to the larger question of encouraging through scientific and technical education initiatives, through the kinds of things that lots of folks are talking about, building a supply of people who are motivated to go into these fields, encouraging the education system as a number of agencies like National Security Agency and National Science Foundation already are to build more rigorous academic programs.
And at the other end creating much more rigorous credentialing processes, whether it is the Department of Defense finding folks for highly classified stuff or industry users operating critical infrastructure. There is a way of identifying people who are competent.
I use the metaphor, we live in a world where at the moment it is really hard to distinguish the highly skilled professional from somebody who stayed up all night taking an exam and gotten a credential of some sort. We are little bit like late 19th, early 20th Century medicine, lot's of folks out there practicing, good folks, folks who care about what they do, who don't necessarily always have the skills to do it.
Our hope is that we can develop a credentialing system that will allow us to distinguish them. The metaphor that I like to use is when I have brain surgery, I would like the person who performs that surgery to be a board-certified neurosurgeon, preferably not a dermatologist. And to give it a little bit more texture. I would also like the technician who calibrates the machine that produced the image on which the surgeon will rely to have the requisite credentials doing that.
It is both a matter of identifying the subspecialties within the field, and the range of skills the food chain necessary to deliver a service in that area. We are making some progress at the low end but I don't think we are there at the high end, and that's where we think work is needed as well.
CHABROW: The paper that you wrote states: "It is the consensus of the commission that the current professional certification regime is not merely inadequate, it creates a dangerously false sense of security." Those are mighty harsh words.
REDDER: Absolutely. If they are harsh words, then congratulations you found that; that was deliberately intended to call attention to the issue.
Let me give you a little bit of background again. Earlier this year you may recall there were some legislative initiatives that advocated issuing licenses for cybersecurity professionals. The consensus of the commission was not necessarily that licensing ought not to be the end game, but that if you established a regime of licensing today, you would end up licensing folks who don't have the rigorous, practically demonstrated skills that are necessary with the result that, going back to my somewhat tortured metaphor, somebody like me would go out and find somebody who had a license but who didn't necessarily have the skills and had demonstrated the skills necessary to perform some of these high end tasks.
That is what we meant by that statement and we are hoping over time that entities will emerge that will issue much more rigorous certifications and that the certifications that already exist will continue, as I think they are, to evolve into much more rigorous indications that the folks who hold them are highly skilled.
CHABROW: The impression I got reading your report was that some of these certifications were designed for the paperwork for Federal Information Security Management Act and not for this movement toward continuous monitoring.
REDDER: In effect, I think we say it. The certifications follow the practice; they aren't driving the practice. Much of what is happening and has happened in the federal government in the last 10 years has been around policy and compliance, issuing C&A, certification and accreditations, rather than real-time security management. We think that some of the legislative proposals on the Hill will change that.
We hope that the professional certifications will reflect the change of the practice. I don't accuse the organizations that issue certifications of having driven a compliance mentality; they operate in a labor market in which that was the mandate.
CHABROW: Is it the recommendation of the commission to require individuals to have certain certifications, or is that still something that should be left up to individual agencies or the government as a whole?
REDDER: Well, in point of fact, the Department of Defense already does that. All we are suggesting is that those certifications need to be more role-based, more rigorous, and any certification needs to include not just the ability to answer a multiple choice written examination, but include a proctored practical demonstration of the skills in the body of knowledge related to that role.
Defense has already decided as a matter of policy to do that. Over time, I would expect that other employers or folks who buy cybersecurity services would similarly say I'm only going to buy them from, if you will, certified professionals and the market will drive what occur simply because the value added of dealing with certified professionals will be obvious.
CHABROW: Was that an easy consensus to reach among commission members, or was that an area of debate?
REDDER: Well the area of debate was more around, and I think continues to be, whether licensing is feasible. In the report, you may recall, we spent a little time addressing some of the concerns that organizations like IEEE (professional association dedicated to advancing technological innovation) and ACM (Association of Computer Machinery) have raised about certifying software engineers.
We appreciate that there are challenges in a field that broad of developing professional certifications that are rigorous and role-based. The concern here was in the commission, not that we shouldn't strive toward developing certifications, but that the certifications weren't mature enough for the commission as a whole to say we are ready to move to licensing.
On the other hand, there was relatively little dispute that in defined areas like securing coding for example, that it ought to be possible to develop a rigorous professional certification and that we ought to proceed incrementally and in areas where there is, and here I am really parroting the language of ISO17024, the standard on professional certifications generally, there needs to be a defined body of language based on role, there needs to be psychometrically sound examinations and we would add to that, not only psychometrically sound but then include practical demonstration of the skills required to perform that role.
The commission was pretty clear on the need for rigorous certifications. There was some concern that those were not mature enough for us to say that we are anywhere close to being able to recommend licensing.