Managing expectations for enhancing national cybersecurity

Obama's special commission recommendations to new administration lofty, unrealistic

Folks have had some time to digest the long-awaited release of the final report from President Obama's special Commission on Enhancing National Cybersecurity.

Intended to advise the next administration on where the country ought to go in order to build more robust cybersecurity measures to protect against digital threats in the years to come, the report is extensive. 

In his cybersecurity, privacy, and data protection alert, Akin Gump, Strauss Hauer & Feld, LLP, wrote, "The Report identifies 10 foundational principles, nine broad findings, six major imperatives, 16 recommendations and a total of 53 action items associated with those recommendations."

One of the most pronounced recommendations, Action Item 4.1.1, says, "The next President should initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020."

Some are troubled by this, arguing that the timeframe is unrealistic. "I would even say training 100,000 cybersecurity specialists is not a realistic number," said Anup Ghosh, CEO at Invincea. 

An industry in flux makes it difficult to predict what should or could happen in the future, but Ghosh said, "If you are really talking about specialists who can identify attacks, respond to attacks and defend the network, you’re not really going to be able to train 100,000, nor should you be trying to."

Given that the skills gap is a topic of great concern, it doesn't really make sense that aiming to train 100,000 people who can fill some of the 1.5 million jobs in cybersecurity is an unrealistic goal, let alone and unnecessary one. 

"Yes, there's a lot of unfilled jobs, but there are different levels of faith in the numbers. Maybe if you had all those trained people today, there would be jobs for them, but the reality is you don't have them," Ghosh said.

So did the commission of what The Report called, "Distinguished leaders and experts from academia and industry, including several CEOs, some of whom had previously held critical government roles," miss something? How are these positions going to be filled if not by trained specialists?

Perhaps they won't be filled at all. "Software will take over those jobs," said Ghosh. "The problem space is not really scalable to humans. How we solve the problem is with software, big data algorithms like machine learning."

Using the analogy of a police force, Ghosh said that many people approach security with the same mentality that they use to fight crime. If we want to see a reduction in crimes, one inclination is to increase the number of officers working the beat.

"That analogy doesn't actually work in cyberspace," Ghosh said.

What will solve the problem, though, is innovation. "What the adversaries didn't do was recruit another 10,000 or 100,000 people to commit cybercrime," Ghosh said. Instead, they wrote tool kits that cranked out novel attacks in order to hit as many targets as they can. 

"That's why they can release 400,000 malware. They don't have 100,000 monkeys coding," said Ghosh. So, is better tools and better algorithms the better solution to taking a bite out of cybercrime?

If national cybersecurity can be enhanced through better software, that doesn't negate the need for more trained specialists. There's quite a difference between 100,000 people and 1.5 million jobs. The solution isn't as black and white as people vs. software.

"Even if you have great talent, if leaders aren't conversant in cybersecurity, they aren't going to make the right decisions," Ghosh said. 

Regardless of the number of people the government intends to train, what will not change are the clear and present threats to national security. "Trump has to understand that this is continuous warfare going on and allocate continuous resources, investing in innovation," Ghosh said.

Innovation and leadership, say I. 

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!