Although recent hiring forecasts (some thousands of new cyber-security professionals over the next three years) by both the NSA and DHS5 show a strong demand for cyber-security skills, such a hiring spree seems ambitious, to say the least. The current rate of production of skilled cyber-security workers satisfies the appetite of neither the public nor private sector, and if we do not make a concerted effort to drastically increase this work force, then the U.S. will export high-paying information security jobs. In a global economy, such a situation isn't necessarily a bad outcome, but it poses several challenges to the U.S.'s stated cyber-security plans. We believe the creation of a significant cyber-security work force is not only feasible, but also will help ensure the economic strength of the U.S.
A large cyber-security work force would provide a strong pillar for the domestic high-tech industry. Beyond offering immediate economic stimulus, the nature of these jobs demands that they remain in the U.S. for the long term, and they would directly support efforts to introduce information technology into the health care and energy systems in a secure and reliable fashion. Without a commitment to educating such a work force, it is impossible to hire such a work force into existence.
The Washington Post article "Cyber-help Wanted"3 highlighted the need for a dramatically different approach to cyber-security education, outreach, and hiring by the federal government. From our point of view, far too few workers are adequately trained mostly because traditional educational mechanisms lack the resources to effectively train large numbers of experienced, knowledgeable cyber-security specialists. The government's incredibly diverse cyber-security needs complicate matters: operational, analytical, and strategic technology roles span both the military and civilian parts of government. Even finding a figurehead to direct and coordinate government cyber-security efforts is a monumental and ill-defined task.1
We see the central problem as one of both scaling and competency; academic departments often wrongly eschew the teaching of the informal "Hacker Curriculum" as being too tied to a specific technology to teach abstract computer science concepts, and current amounts of cyber-security research and education funding leave sizeable gaps in our ability to meaningfully educate large numbers of students. Indeed, those educators most capable of passing along information security and assurance skills are often restrained in their ability to dedicate a large amount of time to the classroom because they must spend their time chasing more prestigious research dollars.
Although professional certification courses exist, the NSF has the Scholarship-for-Service (SFS) program, and the NSA has designated many college and university cyber-security programs as Centers of Academic Excellence (CAE), in reality, only a small number of quality educational programs are funded, equipped, and willing to quickly educate large numbers of information security workers.6
Furthermore, existing funding for cyber-security education or retraining pales in comparison to the amount of funding available for pure research. Just as importantly, many of the commercial training programs and certifications focus on teaching skills useful for fighting the last cyberwar, not the current, nor future ones. University education serves a pivotal role in providing the core skills necessary for a professional work force to be adaptive to a threat that is hyper-adaptive. Plans for training government cyber-security workers should focus on educating a new work force rather than mass certification of existing workers.
Hope for the future exists: we have seen the enthusiasm that previously bored students have when they get a chance to manipulate real network packets, modify real operating systems and hardware, assess real-world security policies and access control mechanisms, and analyze real vulnerabilities and exploits. We have a number of colleagues in academia who do a tremendous job communicating their talent to small batches of undergraduates or master's-level students. These efforts need to be scaled up.
Plans for training government cyber-security workers should focus on educating a new work force rather than mass certification of existing workers.
To most folks trying to find another job, pay for health care, or deal with a mortgage that is under water, the urgency of educating a cyber-security work force may seem like a low-priority issue. Despite these challenges, the Obama administration has laudably held cyber-security as an important national priority, and we believe that educating large numbers of cyber-security professionals must be a front-line priority, particularly since information security underpins the future success of the strategic priorities of simultaneously reinventing both the health care and energy systems. In fact, the demand for cyber-security professionals far outstrips the current supplyindicating one sector of the economy that is primed for growth if adequate number of professionals can be trained. With the declaration of "National Computer Science Education Week" in December 2009 and December 2010, Congress has recognized that computer science is a vital national interest.4
Since most current government and private sector endeavors rely on the presumption of a stable, dependable, and secure computing infrastructure, we recommend the following initiatives:
We realize that some might argue with these specific recommendations and have others to suggest. We hope the efforts we have listed here stimulate enough discussion to create meaningful, effective, and significant changes in both the quality and scale of cyber-security education in the U.S. We believe there is a fundamental discrepancy between the expectations of users and employers (including the government) and the reality of a scarce work force and underdeveloped educational mechanism.
Cyber-security presents a difficult and important challenge because the flight is fundamentally unbalanced: an attacker need only find a single weakness, whereas a defender must scramble to protect everything. If the U.S. cannot produce highly competent defenders of its military, civilian, financial, energy, health care, and transportation information systems, then it will cease to be a meaningful international presence.
1. Bellovin, S. The role of a cybersecurity czar; http://www.cs.columbia.edu/~smb/blog/2009-11/2009-11-03.html.
4. House Resolution 558. National Computer Science Education Week; http://www.opencongress.org/bill/111-hr558/show; House Resolution 5929. Computer Science Education Act of 2010; http://www.opencongress.org/bill/111-hr5929/show.
5. Krebs, B. Security fix: DHS seeking 1,000 cyber security experts. Washington Post, (Oct. 1, 2009); http://voices.washingtonpost.com/securityfix/2009/10/dhs_seeking_1000_cyber_securit.html?hpid=sec-tech.
6. The State of Information Assurance Education 2009: Prof. Eugene Spafford, Purdue University, (Oct. 20, 2009); http://www.govinfosecurity.com/articles.php?art_id=1789&opg=1.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2011 ACM, Inc.
No entries found