As the world races forward with quantum computing research and education, the U.S. again trails far behind, toward the end of the pack. Physics, theoretical computer science, and quantum mechanics tend to be the required coursework for a degree in Quantum Computing, and as you would expect, schools like MIT, CIT, Stanford, Harvard, and Cal Berkeley all offer comprehensive programs in quantum.
The challenge is that very few high school students are interested in the mind-warping foundational principles of quantum and those who find it fascinating will likely have a hard time gaining entrance to those institutions. As the next wave in cybersecurity will depend on quantum, burying our heads in the sand is not an option. The dilemma again points to central governance that must direct the kind of programs necessary to compete in the world of tomorrow, and unfortunately, that cannot be found in the U.S. government or our education system today.
As of 2020, neither Congress nor the administration has appointed a permanent cybersecurity position of authority. A sad statement and a regressive backdrop for our systemic failure to deal with the realities of this increasing global threat.
The Skills Gap
Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for skilled technical staff. Ten years ago, a Center for Strategic and International Studies (CSIS) report entitled “A Human Capital Crisis in Cybersecurity” found that the U.S. not only has a shortage of the highly technically skilled people required to operate and support systems already deployed but also an even more desperate shortage of people who can design secure systems, write safe computer code and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.
At the time, we only had about 1,000 security specialists with the skills and abilities to take on these roles, compared to a need for 10,000 to 30,000 professionals.
In 2016, CSIS found that IT professionals still considered technical skills like intrusion detection, secure software development, and attack mitigation to be the most difficult to find among cybersecurity professionals.
Additionally, a 2018 survey revealed that a lack of required technology skills was one of the greatest challenges facing organizations when hiring cybersecurity candidates. These challenges were particularly acute for mission-critical job roles, with over a third of organizations reporting a lack of technology skills for vulnerability assessment analyst positions and half of employers reporting deficiencies for cyber defense infrastructure support candidates.
A Brief History of Attempts to Close the Gap
What follows is the brief yet remarkable history of the federal government’s attempt at closing the skills gap:
In May 1998, a presidential directive was signed by Bill Clinton requiring that the Executive Branch assess the cyber vulnerabilities of the nation’s critical infrastructures: information and communications, energy, banking and finance, transportation, water supply, emergency services, and public health, as well as those authorities responsible for the continuity of federal, state and local governments.
The directive also called for the federal government to produce a detailed plan to protect and defend America against cyber disruptions. The National Plan for Information Systems Protection was the first major element of a more comprehensive effort to protect our nation’s critical infrastructure.
In 2000, the CyberCorps® Scholarship for Service Program (SFS) was created under the Federal Cyber Service Training and Education Initiative, a component of the National Plan for Information Systems Protection, co-sponsored by the National Science Foundation and the Department of Homeland Security. Its goals were to enhance the security of critical information infrastructure, increase the national capacity for educating IT specialists in Information Assurance (IA) disciplines, produce new entrants into the government IA workforce, increase national research & development (R&D) capabilities in IA, and strengthen partnerships between institutions of higher learning and relevant employment sectors.
In 2001, the first grants were awarded to 4 schools, and the first graduating class, made up of 9 students, entered the federal IA workforce in 2002.
In 2014, more than 16 years after the Clinton directive, the Cybersecurity Enhancement Act of 2014 was signed into law (Public Law No: 113-274). Its stated intent is to provide for an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
It also reflects the critical need for Information Technology (IT) professionals, industrial control system security professionals, and security managers in federal, state, local, and tribal governments. The SFS program is managed by the National Science Foundation (NSF), in collaboration with the U.S. Office of Personnel Management (OPM), the Department of Homeland Security (DHS), and in accordance with the Cybersecurity Enhancement Act of 2014 (Public Law No: 113-274). Section 302 of the act addresses the SFS program specifically.
In 2018, the National Defense Authorization Act of Fiscal Year 2018 mandated SFS program updates and enhancements, among them the requirement that students identified by their institutions for SFS Scholarships must meet selection criteria based on prior academic performance, likelihood of success in obtaining the degree, and suitability for government employment.
Since the inception of the program in 2001, approximately 3,600 SFS graduates have found placement in more than 140 government entities, or roughly 1% of the InfoSec job openings that are projected to be available by the end of this year.
What organizations are truly desperate for are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks. None of these skills are being taught in any of the coursework that we find in the Davenport University Cybersecurity program.
Competing Programs Abroad
Russia and China have been running rigorous cybersecurity educational programs for years and have trained upwards of 100,000 cyber warriors. As a result, both countries possess the highest levels of technical sophistication, far more advanced than those in the U.S.
China has moved into the lead position in quantum computing, having even installed its own quantum-based communication system in Beijing and Shanghai.
They have both demonstrated competency in full-spectrum operations, including the ability to coordinate the capabilities in cyber operations with the other elements of state power, including conventional military force and foreign intelligence services that have a global reach. Their exhibition of cyberattack prowess demonstrates the potential to cause complete paralysis and/or destruction of an adversary’s critical systems and infrastructure, resulting in significant destruction of property and/or loss of life.
Under those circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods, including forever.
For an example of how good the Russians are at this stuff, consider the average amount of time it takes for a Russian cyber attacker to conduct a “breakout,” which is the act of leaving the entry beachhead and moving laterally within the network to prepare for an attack. The gold standard for detection, investigation, and remediation in the cybersecurity industry is what is known as the 1-10-60 rule and only the best and most prepared businesses can manage it.
It translates to detection within 1 minute, investigation within 10 minutes, and remediation within 1 hour (60 minutes). The average Russian breakout is 17 minutes, and they hold the record for the fastest ever recorded, which is 7 minutes. Today’s best-prepared businesses in cybersecurity defense terms will never catch a Russian intrusion in time to prevent damage.
This threat is very real and very present, yet we continue to ignore it both at the state level and within all public and private businesses.
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” ― Bruce Schneier
In response to this incredible imbalance in capabilities, we make a childlike political gesture by outlawing the best cybersecurity research on the planet from use by federal agencies because it is headquartered in Russia (Kaspersky).
Then, to be sure we are fully cooperating with our adversary’s advancement in cybersecurity capabilities, we encourage their participation in U.S. investments, welcome Chinese venture capitalists and their LPs into our startup ecosystem, and allow them to take a large enough position in AI/ML cybersecurity ventures that they become entitled to unfettered access to the venture’s IP.
That access goes right to the Chinese Ministry of National Defense because nothing happens in commercial markets without the Chinese government’s approval and control. There is no such thing as an independent business in China. As the former CTO and CISO of an MSSP doing business in China for 7 years, I can assure you that all Chinese businesses, including venture capital firms in the U.S., are Chinese government agencies.
Cyberattack Threats
The Worldwide Threat Assessment of the U.S. Intelligence Community is a document published each year that itemizes the significant threats to the U.S. and its allies. The 2020 report is still classified and yet to be released due largely to, I suspect, findings related to the coronavirus pandemic that run counter to the current administration’s global views.
But last year’s report claims that China and Russia posed the greatest espionage and cyberattack threats to the U.S. and also warned that other adversaries and strategic competitors like Iran and North Korea will increasingly build and integrate cyber espionage, attack, and influence capabilities into their efforts to influence U.S. policies.
It warned that rivals to the U.S. are successfully developing capabilities to “shape and alter the information and systems” that the U.S. relies on.
As we connect and integrate tens of billions of new digital devices into our lives and business processes, adversaries and strategic competitors will be able to gain even greater insight into and access to our protected information. In particular, the report warned that China and Russia present a “persistent cyber-espionage threat and a growing attack threat” to U.S. core military and critical infrastructure systems, businesses, and social media, as well as attacks designed to aggravate social and racial tensions, undermine trust in authorities and criticize perceived anti-Russia and anti-Chinese politicians.
The pandemic created an accelerant much like pouring rocket fuel onto an open fire.
In summary, we don’t have enough educational programs, the ones we do have are focused on the wrong skills and the degrees are too easily obtained. A degree in cybersecurity isn’t like a degree in political science where the assumption is that the student will learn how to apply the training once engaged with real-world dynamics. Or a degree in statistics, where the application of the training will be relevant immediately because the rules that govern the domain haven’t changed in a hundred years.
Cybersecurity changes every minute and the real-world realities have little to do with our current curricula.
Additionally, we have insufficient national emphasis on cybersecurity education and at the highest levels of government, we fail to recognize or acknowledge the severity of the threat. Instead of making progress over the last 4 years, we have regressed dramatically.
The attacker/defender dynamic in education has become even more asymmetric, and the gap between what is necessary and the state of our current skill base has expanded even further.
Look. I get it.
These four principal adversaries operate within totalitarian government structures and can dictate whatever form of education their leaders deem necessary for national defense. And I certainly am not arguing for America to adopt any of those characteristics. On the other hand, I see nothing wrong with the declaration of a national emergency and the organization of a Manhattan-like project that could transform a volunteer army into a competent cyber-defense military unit that could operate within a new set of rules for the engagement of a clear and present enemy.
Here’s a proposal:
Let’s spend $60,000,000 in new taxpayer dollars on a National Cybersecurity Masters Education program where we invite 500,000 college graduates with undergraduate degrees in engineering, math, and science to participate in a fully funded, 2-year graduate program focused on building cyber-warrior skills.
When I say fully funded, I mean $40,000 in tuition and $20,000 in living expenses each year. The entrance requirements would be similar to any graduate degree program in engineering, law, or science at any leading university. Upon graduation, these students would be free to do what they want. Most would pursue a job in private industry. Some would become civil servants. Others may abandon the profession altogether.
But we will have created a fast program that highly incentivizes participants, removes all reciprocal restrictions on post-graduation service, and has a high probability of success.
The best part is that it will cost each U.S. taxpayer exactly $0.43. Less than the cost of a single postage stamp. Let’s get even crazier and throw in a $20,000 recruiting fee to help the graduates find a great job upon graduation. That will cost another 6 cents each.
That math is powered by 141 million taxpayers in 2019.
A simple program like this, run by our public university system and not under the auspices of any government agencies, could quickly close the skills gap and flood hundreds of thousands of future CISOs onto a thirsty market.
Instead of bureaucrats and administrators, this brand of CISO would be trained in hand-to-hand cyber-enemy combat and equipped with the appropriate tools necessary to take the fight to the enemy, shifting the attacker-defender dynamic to offense and away from detecting, responding, and remediating.
But if we don’t do something really soon, it won’t matter how many new technologies we invent, how much new cyber-threat awareness we create in our corporate boardrooms, or how many new initiatives we create around the traditional approaches to managing cybersecurity.
If we don’t shift our approach to a risk management model and staff it with trained warriors, we will continue to lose this cyber war as we have been for the last 20 years.
And at a national security level, it won’t matter how many submarines, aircraft carriers, jet fighters, or other military hardware and human resources we can muster against our enemies in some conventional theater of war either.
The next international war will be fought in cyberspace and right now, things don’t look too good for the U.S. team.
“Information security’s response to bitter failure, in any area of endeavor, is to try the same thing that didn’t work … only harder.” ― Marcus Ranum