The Worldwide Threat Assessment from the U.S. Intelligence Community is a document published each year, which itemizes the significant threats to the U.S. and its allies. This year’s report claims that China and Russia pose the greatest espionage and cyberattack threats to the U.S. but also warns that other adversaries and strategic competitors like Iran and North Korea will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence U.S. policies.
Significantly, it warned that rivals to the U.S. are successfully developing capabilities to “shape and alter the information and systems” that the U.S. relies on.
Emerging and disruptive technologies, as well as the proliferation and permeation of technology into all aspects of our lives, pose unique challenges. The scourge of transnational organized crime, illicit drugs, violent extremism and endemic corruption in many countries will continue to take their toll on American lives, prosperity and safety.
Both state and non-state cyber actors threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy. We will see the continuing potential for surges in migration from Afghanistan, Latin America and other poor countries, which are reeling from conflict and the economic fallout of the COVID-19 pandemic.
Economic and political conditions in Latin America continue to spark waves of migration that destabilize our Southern neighbors and put pressure on our Southern border. Finally, ISIS, al-Qa‘ida, Iran and its militant allies will take advantage of weak governance to continue to plot terrorist attacks against U.S. persons and interests, including to varying degrees in the U.S., and to exacerbate instability in regions such as Africa and the Middle East.
Regional instability and conflicts continue to threaten U.S. persons and interests. Some have direct implications for U.S. security. For example, the Taliban takeover of Afghanistan threatens U.S. interests, including the possibility of terrorist safe havens re-emerging and a humanitarian disaster. The continued fighting in Syria has a direct bearing on U.S. forces, whereas tensions between nuclear-armed India and Pakistan remain a global concern.
The iterative violence between Israel and Iran, Russia and Ukraine and conflicts in other areas—including the Baltics, Africa, Asia and the Middle East—have the potential to escalate or spread, fueling humanitarian crises and threatening U.S. persons, as in the case of Al-Shabaab, which is leveraging continued instability in East Africa and the lack of security capacity of regional states to threaten U.S. interests and American lives.
On a daily basis, as we connect and integrate tens of billions of new digital devices into our lives and business processes, adversaries and strategic competitors are gaining even greater insight into and access to our protected information. In particular, the report warned that China and Russia present a “persistent cyber espionage threat and a growing attack threat” to U.S. core military and critical infrastructure systems, businesses and social media, as well as attacks designed to aggravate social and racial tensions, undermine trust in authorities and criticize perceived anti-Russia and anti-Chinese politicians.
A contributing component to our shrinking competency in cybersecurity defense is education, or more specifically, the lack thereof.
The Education Deficit
The bottom line is we don’t have enough educational programs, the ones we do have are focused on the wrong skills and the degrees are too easily obtained. A degree in cybersecurity isn’t like a degree in political science where the assumption is that the student will learn how to apply the training once engaged with real world dynamics through mentors and the process itself. Or a degree in statistics, where the application of the training will be relevant immediately because the rules that govern the domain haven’t changed in a hundred years.
Cybersecurity changes every minute and the real-world realities have little to do with our current curricula.
Additionally, we have an insufficient national emphasis on cybersecurity education and at the highest levels of government, we fail to recognize or acknowledge the severity of the threat. Instead of making progress over the last decade, we have regressed dramatically.
The attacker/defender dynamic in education has become even more asymmetric and the gap between what is necessary and the state of our current skill base has expanded even further.
Our four principal adversaries operate within totalitarian government structures and can dictate whatever form of education their leaders deem necessary for national defense. I certainly am not arguing for America to adopt any of those characteristics. On the other hand, I see nothing wrong with the declaration of a national emergency and the organization of a Manhattan-like project that could transform a volunteer army into a competent cyber defense military unit that could operate within a new set of rules for the engagement of a clear and present enemy.
Let’s spend $60,000,000 in new taxpayer dollars on a National Cybersecurity Masters Education program and invite 500,000 college graduates with undergraduate degrees in engineering, math and science to participate. The program would be a fully funded, 2-year online graduate degree focused on building cyber warrior skills.
When I say fully funded, I mean $40,000 in tuition and $20,000 in living expenses each year. The entrance requirements would be similar to any graduate degree program in engineering, law or science at any leading university. Except that non-major electives would not be required. Upon graduation, these students would be free to do what they want. Most would pursue a job in private industry. Some would become civil servants. Others may abandon the profession altogether.
But we will have created a fast program that highly incentivizes participants, removes all reciprocal restrictions on post-graduation service and has a high probability of success.
The best part is that it will cost each U.S. taxpayer exactly $11.18. That is less than we spend on a standard Netflix subscription for one month. Let’s get even crazier and throw in a $20,000 recruiting fee to help the graduates find a great job upon graduation. That will cost another $1.40 each.
That math is powered by 143 million taxpayers in 2020. The total cost is $12.58 per taxpayer per year.
A simple program like this, with origins in Zero Trust thinking, run by our public and even private university systems and not under the auspices of any government agencies, could quickly close the skills gap and flood hundreds of thousands of future CISOs and skilled cyber warriors onto a thirsty market. Instead of bureaucrats and administrators, this brand of CISO would be trained in hand-to-hand cyber combat and equipped with the appropriate tools necessary to take the fight to the enemy, shifting the attacker/defender dynamic to offense and away from the detect, respond and remediate mindset.
Supplemental Online Learning
We could supplement that with a purpose-driven, online cybersecurity education and training program that is offered on a just-in-time basis and delivered through a modern platform designed to supplement the university program with tactical training and hands-on labs.
A program that has been vetted by CISOs and not academic cybersecurity practitioners who drive curriculum creation through a necessarily narrow view of the landscape owing to their limited prior experience and the need to stay consistent with other STEM offerings.
A program that delivers all levels of training for cybersecurity practitioners, engineers, analysts, CISOs, non-CISO executive suite and board members, along with everyone else in an organization, in a curated context that will ensure everyone is getting exactly what they need, when they need it and in a consumable, consistent and repeatable set of learning paths overseen by an assigned success manager who assures that value is continuously extracted and applied.
A program unlike any other on today’s commercial markets, and one in harmony with NIST guidelines and the NICE framework that, in addition to preparing students for certification exams in over 150 specialties, can also bring outer dimensional thinking to the creation and building of new cybersecurity architectures and programs like Zero Trust, designed to move away from traditional, heritage programs and toward those best suited for modern cyber warfare.
The World Has Changed
Because we all now live in a digital world and cannot continue to ignore our individual responsibilities to manage our digital environments with dutiful care, it has been recommended that, in addition to the above-described proposals, a model for a National Cybersecurity Service (NCS) program be mandated as a two-year public service requirement for every college graduate in the country – a wartime peace corps – less than half the service requirement for graduates of the U.S. Naval Academy – and/or 18-year-olds who want to pursue a career path in cybersecurity without attending college.
The Israelis didn’t manage to survive all these years by pretending their enemies were their trading partners. In much the same way as the IDF (Israeli Defense Forces) accommodates varying interests, our own NCS would offer different specialty educational opportunities, but the program concentration would be on warrior level and offensive cyber training.
Framed as a Manhattan project, such a program can be both authorized and funded by Presidential order (à la FDR) and Congressional mandate (though many would question whether any recent Congress would have either the political appetite or courage to do so).
Time For Action
Legislation of this nature would need complete bipartisan support so as to not become weaponized and used for fodder in an ideological battlefield. It would be the only initiative aimed directly at a true existential threat, one acting as a clear and present danger, not just a measurable, abstract probability that may or may not occur sometime in the future.
We know that crime and fraud, malware and ransomware, open-source and third-party vulnerabilities, cloud and network complexity, expanding skills gap and weak hygiene have conspired to increase the number of successful breaches and cyberattacks we record annually along with the hideous amount of money we spend trying to combat the incoming threats.
If we don’t act on legislation at this ladder of intention, we will likely forfeit any possible chance we may still have at leveling the relationship dynamic between the defenders and the adversaries.
As Marcus Ranum, an early developer of the first commercial bastion host firewall and the first Internet email server for the whitehouse.gov domain, who is also the author of the eponymous Ranum’s Law (“You can’t solve social problems with software”), reminds us, “Cybersecurity’s response to bitter failure, in any area of endeavor, is to try the same thing that didn’t work … only harder.”