Elements of Cyber War is part of a four-part series by Steve King. He leads the Advisory Services practice at CyberTheory and is our resident CISO. (Read Part 1 and Part 2 here)
In our previous installment, we discussed the informational disadvantage of cyberwarfare, examining the many facets of what information truly means in today’s cyber context. We also explored the various types of informational capabilities our nefarious opponents have over us. In this installment, we move into the World of Education because knowledge is cyber power.
1.8M Vacant Positions by 2022
Just as we found back in 2015, the U.S. has still focused almost none of its energy on developing a formalized cybersecurity skill base. We do deploy more red-team exercises and have created some aggressive coops internationally. At some universities like Georgia Tech and Baylor, the cybersecurity curriculum includes appropriate coursework for cyber warriors, and we have now created a Collegiate Cyber Defense Competition (CCDC), but overall, cybersecurity has not become a national priority. This lack of national focus has resulted in 314,000 unfilled cybersecurity positions as of January 2019 and what will soon translate to over 1.8 million vacant information security and cybersecurity positions by 2022.
Highly Trained Enemies
Our enemies, on the other hand, have trained and developed tens of thousands of highly educated and skilled hackers who are, right now, creating new attack vectors, techniques, and technologies that they continue to employ to go after their commercial, industrial, and political targets mostly here in the U.S.
NO Nukes But Lots of Smarts
North Korea is ironically our most formidable adversary. While many in Washington have continued to burn calories around a virtually non-existent NoKo nuclear threat, North Korea has been steadily developing its cybersecurity education programs. As a result of a committed and highly disciplined educational initiative, the North Korean cyber operations are more diverse, aggressive, and capable than any of our other enemies. They are not just focused on espionage. Their warriors are perfectly skilled at sophisticated zero-day exploits and at stealing vast amounts of IP from our most-secured computer networks even when they are air-gapped and isolated from the internet, e.g., military servers and power plant control systems.
Not Taught Here
The North Korean attackers have been trained in measuring electromagnetic radiation leakage from air-gapped computers and extracting critical data after only a few seconds of monitoring.
This is not a course we teach at any cybersecurity graduate program in the U.S.
NoKo’s IIT
In the early 1990s, when computer networks were beginning to reach a level of maturity, a group of North Korean computer scientists proposed a massive educational program to teach advanced cyber-espionage and cyber-hacking with the goal of graduating 10,000 student hackers by the year 2015. To qualify for entry into these programs, applying students had to demonstrate not only outstanding technical ability but also the ability to read, write, and speak flawless English. It was the North Korean equivalent of India’s IIT in terms of how difficult it was to gain entry.
A Slow Hand
While they were doing that, we were offering cybersecurity degrees at only 17 universities in 2015.
Today, we offer cybersecurity degrees at over 65 universities, but the curricula are all centered on or around standardized frameworks for cybersecurity defense or focused on basic criminal forensics.
Undergraduate course offerings often focus on subjects like fundamentals of computer troubleshooting, network security, ethical hacking, Windows server: install and storage, Linux system administration, etc. Those course descriptions indicate that the intention is to graduate a sysadmin or network admin with a BS degree in Computer Networks and Cybersecurity.
This is the baseball equivalent of bringing in a minor league class A ballplayer to pitch to Barry Bonds.
Less Leadership, More Weapons
Graduate course offerings like those offered by one leading university include … “foundations of cybersecurity, secure systems architecture, cybersecurity risk management, cybersecurity operational policy, and the management of cybersecurity.” Scanning the syllabus for these courses reveals that all of the content can be found in industry certifications like CISSP, CISM, CEH, and CRISC, which can be obtained quickly and easily at a fraction of the cost of that university’s Master’s Degree in Cyber Security Operations and Leadership. Now maybe there are some magic beans in how the professor guides students through the material, but if the goal as stated is to “equip students to stay abreast of ongoing changes in threat and mitigation as lifelong learners in the field” the coursework falls far short. What we need instead is coursework centered on actual red-team tactics across a full range of cyber weaponization.
Big Damage Quickly
We need well-trained cyber snipers and military-grade penetration rangers who can throttle through the most advanced and sophisticated defenses and commit the greatest possible damage in the least amount of time. Our flimsy educational offerings in cybersecurity seem intended to graduate future administrators and bureaucrats when our greatest deficiency is in the working warrior classes. Pushing North Korea’s cyber educational units to dramatically level up in capability, Kim Jong-un proclaimed, “Cyberwarfare is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.” Perhaps the actual goal of our university programs can be found in one of their program descriptions where they suggest their purpose is “to collaborate with important stakeholders in the cybersecurity community to explore ways to keep the curriculum immediately relevant and to assist in the placement of our graduates.”
This assessment is admittedly snarky, and it is in no way intended to denigrate the competent and well-intentioned professionals who conceive of and guide these programs at these really good schools. The problem is the coursework contains nowhere near the information necessary to either create an advanced attack vector or defend against sophisticated cyberattacks. The curriculum is way too generalized, the syllabus is too light, the objectives are too easily achieved and the graduating students are no more prepared to join the battle than if they had simply been working as a network administrator for a few years in any IT department in America.
Moon Shot Needed
We will not win this war with this level of training and education. We need a moon shot now and the impetus for a program of that magnitude must come from Washington. Unfortunately, there are no signs of anything of that nature appearing on anyone’s to-do list. And that is a problem.
It’s a problem because a little country like North Korea has emerged as a significant and serious cyber threat to the U.S., with an army of over 10,000 highly trained warriors honing their skills with hundreds of practice attacks on a variety of targets around the world.
Our response? NICE.
How NICE?
In an attempt to ignite some movement on the cybersecurity education front, we created an organization in 2008 that was designed to make the federal cybersecurity workforce better prepared to handle cybersecurity challenges. The National Initiative for Cybersecurity Education (NICE) is a partnership between government, academia, and the private sector focused on supporting the country’s ability to address current and future cybersecurity education and workforce challenges through standards and best practices. NICE is led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.
Supporting What?
Anytime the mission charter of any organization includes the word “supporting”, you can make bank on betting the impact will equal zero. Our Department of Homeland Security (DHS) has partnered with not-for-profits, middle and high schools, universities, and state school boards across the country to help incorporate cybersecurity concepts into our nation’s classrooms.
DHS is also partnered with the National Integrated Cyber Education Research Center (NICERC) to provide K-12 cybersecurity curricula and hands-on professional development for teachers at no cost. DHS claims the grant has helped get their cybersecurity curricula into the hands of over 15,000 teachers impacting 820,000 students in 42 States.
The curriculum is focused on subjects like Cyber Fundamentals, Algebra I, and Computational Thinking. But the important idea here is that it is offered to public school teachers along with grant money that might encourage engagement yet completely without regard to qualifying student interest. It falls right into the civics or history problems, where the natural question for an 8-year-old is “Why do I need to know this, and how will it affect my life?”
STEM is great if you are interested in STEM. If you’re not, then not so much.
Wait, there’s more.
DHS and The National Security Agency (NSA) jointly sponsor the National Centers of Academic Excellence (CAE) program, designating specific 2- and 4-year colleges and universities as top schools in Cyber Defense (CD).
Say What?
Schools are designated based on their robust degree programs and close alignment to specific cybersecurity-related knowledge units (KUs), validated by top subject matter experts in the field. CAE graduates help protect national security information systems, commercial networks, and critical information infrastructure in the private and public sectors. To encourage students to enter cybersecurity degree programs, DHS co-sponsors the CyberCorps Scholarship for Service (SFS), providing scholarships for bachelors, masters, and doctoral degree programs focusing on cybersecurity in return for service to federal, state, local, or tribal governments upon graduation. The scholarship assists in funding the typical costs incurred by full-time students while attending a participating institution, including tuition, education and related fees. The scholarships are funded through grants awarded by the National Science Foundation (NSF) in partnership with DHS and the Office of Personnel Management (OPM).
No Internet
It turns out you have to be physically on-campus for this program, however, so there are no online degrees available. Huh?
Uncle Sam Wants You, But Not That Much
You also have an obligation to repay the scholarship in service to a state, local, or tribal government organization or congressional agency upon graduation and you must commit to a 3-4 year service term depending on your scholarship funding. A graduate will be hired as a GS9 at a pay rate of $21/hr (2019) and if you don’t like that wage so much, you can refund the entire scholarship amount.
Food Stamps for Dead People
The entire program was funded with $25 million in 2018, which is about the same amount we spend on food stamps for dead people in New York and Massachusetts each year.
Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for highly skilled technical staff.
It Was Bad in 2010
Nine years ago, a Center for Strategic and International Studies (CSIS) report entitled “A Human Capital Crisis in Cybersecurity” found that the U.S. not only has a shortage of the highly technically skilled people required to operate and support systems already deployed but also an even more desperate shortage of technically trained cyber developers.
These are people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate, and reconstitute from damage due to system failures and malicious acts. At the time, we only had about 1,000 security specialists with skills and abilities to take on these roles, compared to a need for 10,000 to 30,000 professionals. In 2016, CSIS found that IT professionals still considered technical skills like intrusion detection, secure software development, and attack mitigation to be the most difficult-to-find skills among cybersecurity professionals. A 2018 survey revealed that a lack of required technology skills was one of the greatest challenges facing organizations when hiring cybersecurity candidates. These challenges were particularly acute for mission-critical job roles, with over a third of organizations reporting a lack of technology skills for vulnerability assessment analyst positions and half of employers reporting deficiencies for cyber-defense infrastructure support candidates. What organizations are truly desperate for are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks.
Quantum Anyone?
None of these skills are going to be taught in coursework that we find in programs like that university’s Master’s Degree in Cyber Security Operations and Leadership.
Russia and China have been running rigorous cybersecurity educational programs for years and have trained upwards of 100,000 cyberwarriors. As a result, both countries possess the highest levels of technical sophistication, far more advanced than the U.S., China has moved into the lead position in quantum computing having even installed their own quantum-based communication system in Beijing and Shanghai.
Serious Stakes
They have both demonstrated competency in full-spectrum operations, coordinating the breadth of capabilities available in cyber operations in concert with other elements of state power, including conventional military force and foreign intelligence services with global reach.
Their display of both kinetic and cyberattacks demonstrates the potential to cause complete paralysis and/or destruction of an adversary’s critical systems and infrastructure, resulting in significant destruction of property and/or loss of life.
Maybe Forever
Under those circumstances, regular business operations and/or government functions cease, and data confidentiality, integrity, and availability are completely compromised for extended periods, including forever. The threat is very real and very present, yet we continue to ignore it both at the state level and within private businesses.
Kaspersky
So, in response to this incredible imbalance in capabilities, we make an infantile political gesture of outlawing the best cybersecurity research on the planet from use by federal agencies simply because it is headquartered in Russia. Then to be sure we are fully cooperating with our adversary’s advancement in cybersecurity capabilities, we encourage their participation in U.S. investments by welcoming Chinese venture capitalists and LPs who take a large enough position in AI/ML cybersecurity startups to have unfettered access to their IP.
Commercial Reports to Government
That access goes right to the Chinese Ministry of National Defense because nothing happens in commercial markets without the Chinese government’s approval and control.
Warnings
The Worldwide Threat Assessment of the U.S. Intelligence Community is a document published each year, which itemizes the significant threats to the U.S. and its allies.
This year’s report claims that China and Russia pose the greatest espionage and cyberattack threats to the U.S. but also warns that other adversaries and strategic competitors like Iran and North Korea will increasingly build and integrate cyber espionage, attack, and influence capabilities into their efforts to influence U.S. policies. It warned that rivals to the U.S. are successfully developing capabilities to shape and alter the information and systems that the U.S. relies on.
Granular Insights
And as we connect and integrate billions of new digital devices into our lives and business processes, adversaries and strategic competitors will be able to gain even greater insight into and access to our protected information.
In particular, the report warned that China and Russia present a persistent cyber-espionage threat and a growing attack threat to U.S. core military and critical infrastructure systems, and businesses and social media. In addition, we see attacks designed to aggravate social and racial tensions, undermine trust in authorities, and criticize perceived anti-Russia and anti-Chinese politicians.
One Degree, Two Degrees
In summary, we don’t have enough educational programs, the ones we do have are focused on the wrong skills and the degrees are too easily obtained. A degree in Cybersecurity isn’t like a degree in Political Science where the assumption is that the student will learn how to apply the training once engaged with real-world dynamics. Or a degree in Statistics, where the application of the training will apply immediately because the rules that govern the domain haven’t changed in a hundred years. Cybersecurity changes every minute and the real-world realities have little to do with our current curricula.
No Progress, Much Regression
Additionally, we have an insufficient national emphasis on cybersecurity education, and at the highest levels of government, we fail to recognize or acknowledge the severity of the threat.
Instead of making progress over the last 4 years, we have regressed dramatically.
The attacker/defender dynamic in education has become even more asymmetric and the gap between what is necessary, and the state of our current skill base has expanded even further.
Look. I get it. These four principal adversaries operate within totalitarian government structures and can dictate whatever form of education their leaders deem necessary for national defense. And I certainly am not arguing for America to adopt any of those characteristics.
On the other hand, I see nothing wrong with the declaration of a national emergency and the organization of a Manhattan-like project that could transform a volunteer army into a competent cyber-defense military unit that could operate within a new set of rules for the engagement of a clear and present enemy. Because if we don’t do something really soon, it won’t matter how many submarines, aircraft carriers, jet fighters or other military hardware and human resources we can muster against our enemies in some conventional theater of war. The next war will be fought in cyberspace and right now, the Vegas odds don’t look too good for the U.S.