The Department of Homeland Security (DHS) said this week it will hire up to 1,000 cybersecurity experts over the next three years to help protect U.S. computer networks. This was part of National Cybersecurity Awareness Month and the announcement was made by DHS Secretary Janet Napolitano, who also said they probably won’t need to hire all 1,000 experts, which is good because I am pretty sure THERE AREN’T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE FRIGGIN’ WORLD!!!!
So I polled six old friends who ARE cybersecurity experts and they kinda-sorta agreed with me. More on this below.
But first I have to marvel that I even know six cybersecurity experts and — even more amazing — I’m pretty sure they don’t know each other. They seem to be like badgers, solitary creatures who only come out to mate.
They are cynics, too. One questioned the term “cybersecurity” as being inappropriate.
“(It) depends on your definition of expert,” said expert number one, who works deep in the military-industrial complex. “If you mean someone who can spell ‘cyber’ then sure (there are 1,000). If you mean those who know that ‘cyber’ is short for ‘cybernetics’ and has little to do with computers then probably not. I still occasionally use the title ‘Cybernetic Psychophysicist.’”
Sure enough, there’s a very detailed definition of cybernetics here and it doesn’t intrinsically have very much to do with computers or networks, though don’t tell that to the DHS without first taking off your shoes and placing the definition in a one quart plastic bag.
“Duh!” said expert number two who has spent his career at telcos and cable companies. “Of course. You got it right. I doubt there are 1000 in the world. There are a lot of wannabees, or folks who think they are…”
“Define ‘expert,’ said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject. Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru. (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action. The end result may not be what they had anticipated because of other factors beyond the realm of their expertise caused an unanticipated consequence.
“Example: I am forced to use low sulfur gas because the experts say it produces 20 percent less harmful emissions. Too bad they did not notice it has a lower power quotient then a normal gas blend. As a result I use 30 percent more gas that is 30 percent more expensive (and puts four percent more sulfur into the air).
“So I believe there to be less then 30 real experts in security, but there may be well over 500 subject matter experts and perhaps another 1000 sous-security people.”
Now I brought in the big gun — expert number four, an independent security consultant to foreign governments:
“My bet is that they are going to just pull the bodies from the Department of Defense and Department of Energy,” he said. ”DoD has established a number of credentials required to be classified as a security specialist like CompTIA Security+, CISSP, etc. None of this stuff has any practical application because it is hardware/software neutral.
“Even if a government agency, (over 550 or them) allows you to sniff their network, are they going to let you evaluate the applications for bugs? I don’t think so. Without scrubbing the software with products like Ounce Labs (owned by IBM), what is the point of evaluating the network?
“Another item of great importance is a security clearance to do the work. This is where you will get only one brand of thinking; DoD or DoE clearance. This will prohibit the security “black hat” types from ever being involved in the project without coming from the DoD or Energy.
“So you will end up with 1,000 Security Managers in the government with Sec+, and CISSP certifications, talking to cisco, Juniper, CheckPoint, Tipping Point, Microsoft, Oracle, Ounce Labs, etc. security professionals at $300 an hour doing the actual work. That’s 1,000 jobs for window dressing, releasing reports that end up on Drudge Report listing the number of breaches in Federal Government Agencies.
“When you look at the private sector protection of data standards for items like credit cards you have real teeth in your regulations. You don’t have to take credit cards, but if you do then you need to be PCI compliant. Don’t want to be PCI? No problem we won’t allow you to use our credit cards. Where will that type of enforcement be with the wall of 2,000 eyes protecting the USA?”
No there won’t be (this is Bob again) because governments are required to provide services to their citizens. Even the DHS can’t shut down the government to cure a security breach, though I am beginning to believe they haven’t yet figured that part out.
“I’m not sure there are even a handful (of experts) with any sort of broad experience,” said expert number five, who is usually associated with security hardware. “There probably are pockets of them, with specialized narrow experience, e.g. in banking, virus or DOS attacks, military networks, etc.. And even if there were 1,000, what would they be doing on behalf of Uncle Sam?”
That’s a great question given that we as a nation can’t seem to hire and keep a national cybersecurity czar. So what are we doing hiring 1,000 experts given there is no boss?
While it is great to have a Cybersecurity Awareness Month, whatever that is, and it might be great to add a thousand “experts” to protect our nation, if you look deeper into this story it is for the most part BS or HS and, I fear, CS to boot.
Look, the number of CCIE’s with security as a certification is 2,300 for the entire world. Subtract the 50 percent who work for cisco, then 50 percent again for those not working in the field any longer, and you get 500 cisco CCIE Security Experts worldwide. The only way to get another thousand in three years is by training them. But in the last four months with 800 available seats to sit for the cisco CCIE Security exam only one person has passed!
The DHS is extremely unlikely to be able to find and train 1,000 cybersecurity experts in three years. Maybe they’ll come up with 100 (more likely 5-10), but the DHS environment will make it unlikely — very unlikely — that all of those 100 will stick around.
Secretary Napolitano says she might not need all 1,000, which to me says she is really looking for 3-5 people. And frankly that ought to be enough if they are truly experts and are both properly led and supported (which they probably won’t be).
So this is the wrong approach entirely. It won’t work, the DHS probably knows it won’t work (if they don’t know that, well God help us all) but they see it as better than nothing. That doesn’t worry me so much, though. What really worries me is the point brought up by cybersecurity expert number six, who himself came in from the cold:
“Sure there are 1,000 (cybersecurity experts),” he said, ” but they are already employed… as hackers.”