Obama's cybersecurity recommendations a small step forward, but need teeth and political willpower

Last week's report recommended training 100,000 new cybersecurity professionals and increasing federal R&D funding for cybersecurity by $4 billion over the next decade

Last week's report by the nonpartisan Commission on Enhancing National Cybersecurity recommended training 100,000 new cybersecurity professionals and increasing federal R&D funding for cybersecurity by $4 billion over the next decade -- but that's not enough to address the current shortfall, experts say.

One positive aspect is that the report focuses on the human side of cybersecurity, said Nathan Wenzler, principal security architect at San Francisco-based AsTech Consulting.

"Historically, as the Commission's report also points out, there has been a tendency to lean toward technological solutions to every information security problem," he said.

It's refreshing to see more of an emphasis on policy, metrics and training, he said.

Training 100,000 new cybersecurity professionals might not be enough, however.

"It's a good start, but it's about half of it," said Paul Petefish, co-founder and CEO at Chicago-based Evolve Security Academy, Inc.

According to the Bureau of Labor Statistics, more than 200,000 cybersecurity jobs were unfilled last year -- and the shortfall could climb to 1.5 million by 2019, according to a report by Cybersecurity Ventures.

"We are far, far from automation and AI -- regardless of what the media and some cybersecurity tech companies' marketing will have you believe," said Petefish. "We will still need folks to implement, care and manage the cybersecurity solutions in 2020 -- and in 2030."

"The report from the President's Commission on Enhancing National Cybersecurity certainly got some of the issues right," said Chris Roberts, chief security architect at Santa Clara, Calif.-based Acalvio Technologies. "We’ve been fighting for 20 years and what we’ve done and what we are doing is not working."

However, throwing money at the problem won't necessarily fix things.

"Money doesn't solve everything," he said. "Sometimes a cattle prod or punitive punishment against those who still think that security is someone else’s problem might be the right answer."

"This report provides a solid foundation for the current challenges and threats we are facing," said Joseph Carson, head of global strategic alliances at Washington DC-based Thycotic Software Ltd. "The recommendations lead us in a good direction."

But implementing these recommendations will require people with actual expertise in cybersecurity, he said.

"It's easy to hire entry-level professionals," said Kasey Cross, director of product management at Los Altos, Calif.-based security firm LightCyber. "But there aren't really enough advanced, sophisticated security engineers."

The $4 billion funding recommendation may also be too little, she said.

"On the face of it, it seems like a lot," she said. "But they're also planning on spending $4 billion on a couple of new Air Force planes."

And the money will be spent over the course of ten years, on various projects.

"When you look at the value of the assets that the cybersecurity will be protecting, it's not that big," she said. "It should be higher. That $4 billion will not go as far as we think it would."

Plus, the timing of the report is problematic.

"The fact that we have started this strategy while we're transitioning from one president to another president might affect priorities," she said. "But, then again, since the commission was established, we've seen even more breaches in federal agencies, so I think there will be more focus overall by the government."

"With a new presidency, it is always interesting to wait and see which programs become a priority for the government and presidency," said Paul Calatayud, CTO at Overland Park, Kansas-based FireMon.

But cybersecurity affects trust in technology, innovation and commerce, he said, and has a big potential impact on the economy.

"In order to preserve and maintain this trust, our government will need to continue to play an active role," he said. "Cyber defense is not an isolated issue and cannot be seen as a partisan agenda."

"It's not a very political issue," said Jamison Utter, VP and lead cybersecurity trainer at Portland, Ore.-based Senrio, an IoT cybersecurity firm. "I believe that the issue is pretty strong and apparent, and doesn't have much to do with party or politics. This is a societal problem, not a Democrat or Republican or whatever issue."

Copyright © 2016 IDG Communications, Inc.
