Why the United States needs more cybersecurity experts — badly
With a shortage of cybersecurity experts, the United States is extremely vulnerable to a large-scale cyberattack, but the solution lies with students, Alan Paller, founder of the SANS Institute, said at an event in Fairfax, Virginia, on Tuesday.
Addressing educators at the Virginia Cybersecurity Education Conference at George Mason University, Paller explained that if a “cyber pandemic” — a simultaneous attack on critical systems at multiple organizations — were to occur, the effects would be devastating. “Cyber pandemics are the way you start a war,” Paller said.
Luckily, by growing the cybersecurity workforce, he said, that threat level can be brought down. SANS is central to that effort, training more than 41,000 cybersecurity professionals each year, according to its website.
Despite the U.S. currently having a shortage of 300,000 cybersecurity professionals, it’s able to effectively mitigate attacks, but only, Paller said, because they are largely isolated events. But, he said, “As soon as you get a whole bunch of [attacks] and there are lots of different ones and they’re happening everywhere at the same time, we have no defenses. [A cyber pandemic] is an existential threat for every single country that is subject to a potential cyberattack.”
In a cyber-pandemic scenario, people are an important factor, he said. “The question is how many of these people do we need and what are the skills we need and where are we going to get them?” he said.
Cybersecurity professionals can be divided into four main categories: researchers, policy and management strategy experts, testers, and tool builders. Paller said researchers and tool builders are in shortest supply. In a research project examining the military industry, former National Security Agency mathematician Ed Giorgio found fewer than 1,000 cybersecurity tool builders. Paller said these people are critical to protecting the country from a large-scale cyberattack and estimated the country needs 60,000 such workers nationally.
But rather than looking to existing cybersecurity professionals for the answer, high school and college students are being identified to fill these critical roles.
Through a SANS initiative first developed in England called CyberStart, students’ aptitudes for becoming tool builders can be assessed with an online game. In 2017, the U.S. began using CyberSmart to assess the cybersecurity aptitude of students in Virginia and it’s been used in many other states since. Of the nearly 2,000 high school students who completed the game, 62 were identified as having high potential to become successful tool builders and received scholarships.
“This game that the kids play is a measure of how curious they are and how tenacious they are and how fast they learn,” Paller said. “It’s not measuring whether or not they are good at something.”
Once these students are identified, Paller said, then they can get further training to develop their cybersecurity skills.
“But what matters to kids is that there are real jobs at the end,” he said, adding that partnerships between education, government, and industry are now what is needed to continue filling these critical cybersecurity roles. Paller said he expects nearly 40 states to sign on to CyberStart this year, hopefully to create a robust talent pipeline for cybersecurity.