The Worldwide Threat Assessment of the U.S. Intelligence Community is a document published each year, which itemizes the significant threats to the U.S. and its allies. This year’s report claims that China and Russia pose the greatest espionage and cyberattack threats to the U.S. but also warned that other adversaries and strategic competitors like Iran and North Korea will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence U.S. policies. It warned that rivals to the US are successfully developing capabilities to “shape and alter the information and systems” that the U.S. relies on.
And on a daily basis, as we connect and integrate tens of billions of new digital devices into our lives and business processes, adversaries and strategic competitors will be able to gain even greater insight into and access to our protected information. In particular, the report warned that China and Russia present a “persistent cyber espionage threat and a growing attack threat” to US core military and critical infrastructure systems, businesses and social media, as well as attacks designed to aggravate social and racial tensions, undermine trust in authorities and criticize perceived anti-Russia and anti-Chinese politicians.
Not Enough, Wrong Ones, Too Easy
In summary, we don’t have enough educational programs, the ones we do have are focused on the wrong skills and the degrees are too easily obtained. A degree in Cybersecurity isn’t like a degree in Political Science where the assumption is that the student will learn how to apply the training once engaged with real-world dynamics, through mentors and the process itself. Or a degree in Statistics, where the application of the training will be relevant immediately because the rules that govern the domain haven’t changed in a hundred years.
Cybersecurity changes every minute and the real-world realities have little to do with our current curricula.
Additionally, we have an insufficient national emphasis on cybersecurity education and at the highest levels of government, we fail to recognize or acknowledge the severity of the threat. Instead of making progress over the last decade, we have regressed dramatically.
The attacker/defender dynamic in education has become even more asymmetric and the gap between what is necessary and the state of our current skill base has expanded even further.
Look. I get it.
Our four principal adversaries operate within totalitarian government structures and can dictate whatever form of education their leaders deem necessary for national defense. And I certainly am not arguing for America to adopt any of those characteristics. On the other hand, I see nothing wrong with the declaration of a national emergency and the organization of a Manhattan-like project that could transform a volunteer army into a competent cyber defense military unit that could operate within a new set of rules for the engagement of a clear and present enemy.
Our Proposal:
Let’s spend $60,000,000 in new tax-payer dollars on a National Cybersecurity Masters Education program where we invite 500,000 college graduates with undergraduate degrees in engineering, math and science to participate in a fully funded, 2-year graduate program focused on building cyber warrior skills. When I say fully funded, I mean $40,000 in tuition and $20,000 in living expenses each year. The entrance requirements would be similar to any graduate degree program in Engineering, Law or Science at any leading University. Upon graduation, these students would be free to do what they want. Most would pursue a job in private industry. Some would become civil servants. Others may abandon the profession altogether.
But we will have created a fast program that highly incentivizes participants, removes all reciprocal restrictions on post-graduation service and has a high probability of success.
The best part is that it will cost each U.S. taxpayer exactly $11.18. That is less than we spend on a standard Netflix subscription for one month. Let’s get even crazier and throw in a $20,000 recruiting fee to help the graduates find a great job upon graduation. That will cost another $1.40 each.
That math is powered by 143 million taxpayers in 2020.
$12.58 Each for 500,000 Cybersecurity Graduates
A simple program like this, with origins in Zero Trust thinking, run by our public and even private University systems, and not under the auspices of any government agencies, could quickly close the skills gap and flood hundreds of thousands of future CISOs and skilled cyber warriors onto a thirsty market. Instead of bureaucrats and administrators, this brand of CISO would be trained in hand-to-hand cyber enemy combat and equipped with the appropriate tools necessary to take the fight to the enemy, shifting the attacker-defender dynamic to offense and away from detection, responding and remediating.
We should supplement that with a purpose-driven cybersecurity education and training program that is offered on a just-in-time basis online and delivered through a modern platform designed with the user experience as the top priority.
A program that has been vetted by CISOs and not a bunch of cybersecurity practitioners who drive curriculum creation through a necessarily narrow view of the landscape owing to their limited prior experience.
A program that delivers all levels of training, for cybersecurity practitioners, engineers, analysts, CISOs, non-CISO executive suite and board members, along with everyone else in an organization in a curated context that will ensure everyone is getting exactly what they need, when they need it and in a consumable, consistent and repeatable set f programs overseen by an assigned success manager who assures that value is continuously extracted and applied.
An online learning program designed to be an extension of an organization’s expanding purview over cybersecurity education, delivery, absorption and execution.
In Harmony with NIST and NICE
A program unlike any other on today’s commercial markets, and one in harmony with NIST guidelines and the NICE framework that, in addition to preparing students for certification exams in over 150 specialties, can also bring outer dimensional thinking to the creation and building of new Cybersecurity architectures and programs like Zero Trust, designed to move away from traditional, heritage programs and toward those best suited for modern cyberwarfare.
Because we all now live in a digital world and cannot continue to ignore our individual responsibilities to manage our digital environments with dutiful care, it has been recommended that, in addition to the above-described solutions, a model for a National Cybersecurity Service (NCS) program be mandated as a two-year public service requirement for every college graduate in the country – a war-time peace corps – less than half the service requirement for graduates of Annapolis – and/or 18 year olds who want to pursue a career path in cybersecurity without attending college.
The Israeli’s didn’t manage to survive all these years by pretending their enemies were their trading partners. In much the same way as the IDF (Israeli Defense Forces) accommodates varying interests, our own NCS would offer different specialty educational opportunities, but the program concentration would be on warrior-level and offensive cyber training.
The New Manhattan Project
Framed as a Manhattan project, such a program can be both authorized and funded by Presidential order (ala FDR) and Congressional mandate (though many would question whether any recent Congress would have either the political appetite or courage to do so). Regardless of cost, it would likely be dwarfed by legislation that we push through our law-making process on a daily basis and would be the only initiative aimed directly at a true existential threat, and one acting as a clear and present danger, and not just a measurable, abstract probability ten years into the future.
But if we don’t do something really soon, it won’t matter how many new technologies we invent, how much new cyber threat awareness we create in our corporate boardrooms or how many new initiatives we create around the traditional approaches to managing cybersecurity. If we don’t shift our approach to a risk management model, re-build our cyber defense infrastructure on the basis of a Zero Trust architecture and staff it with an abundance of trained warriors, we will continue to retreat from this cyber war front in the business of business, out-resourced, out-smarted and out-intimidated by opposing forces unencumbered by layers of social justice and political correctness, just as we have been doing for the last 20 years.
And at a national security level, it won’t matter how many submarines, aircraft carriers, jet fighters or other military hardware and human resources we can muster against our enemies in some conventional theater of war either.
The next International war will be fought in cyberspace and right now, things don’t look too good for the U.S. team.
“Cybersecurity’s response to bitter failure, in any area of endeavor, is to try the same thing that didn’t work … only harder.”
~ Marcus Ranum, an early developer of the first commercial bastion host firewall and the first Internet email server for the whitehouse.gov domain and is also the author of the eponymous Ranum’s Law, “You can’t solve social problems with software.”