Cybersecurity training: The battle over mandates
Will mandatory cybersecurity training or licensing make government systems more secure?
Few people would advocate putting cops on the street or soldiers into battle without first giving them proper training. Yet there is no standard governmentwide preparation program required for those who protect the government’s information systems and computer-controlled infrastructure from bad guys intent on mischief or harm.
Whether an obligatory return to the classroom will make a difference in countering those threats is at the heart of a debate spurred by a proposal to license cybersecurity professionals that work for or contract with the government. The mandate is part of an ambitious cybersecurity measure the Senate initiated, and it would affect tens of thousands of information technology workers.
Proponents see the measure as money well spent to improve information security through a more professional, better-trained cybersecurity workforce. But opponents believe mandatory licensing will tie up the industry in red tape and hinder its ability to keep training up-to-date with rapidly changing technology.
The measure, sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would direct the Commerce Department to develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.
It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure.
Opinions about the proposal’s potential impact vary, but the different camps agree on one point: There are still many unanswered questions. For example, people wonder how “cybersecurity services” would be defined. They also speculate on which skills would need certification or licensing and whether using company-based certifications would be the right approach.
There are also questions about enforcement, legal liability, the value of certification versus licensing, and how federal requirements would impact states' rights and their traditional role in licensing various professions.
The Senate measure would apply to all federal IT systems and any others the president deems critical infrastructure, which could include privately owned assets such as the electric grid.
It wouldn’t be the federal government’s first attempt at demanding proof of training for cybersecurity professionals. The Defense Department has had a mandatory certification — but not licensing — requirement for its information assurance workforce since 2004. The program has certified only one-third of the department’s information assurance workforce so far, and though officials have yet to complete an extensive assessment of the program’s performance, they see signs that it is having a positive impact.
Licenses vs. certifications
The new proposal would affect the entire federal IT industry — from contractors to government employees and the many companies that provide information assurance certification and training.
The use of certification as a tool for hiring, placing and promoting employees is certainly nothing new. However, a mandatory licensing program would be unprecedented, and that proposal has proven particularly contentious.
“A lot of people have problems with where do you draw the line: Who has to get a license, who doesn’t, who would be the licensing authority, what would be the extra cost, what are the liability issues?” said Lynn McNulty, director of government affairs at (ISC)² and a former federal information security program manager. (ISC)² is one of numerous organizations that constitute an expansive training and certification industry.
McNulty said he’s not hearing a lot of complaints about the certification requirement, but many people have a problem with the licensing requirement.
During a roundtable discussion on certifications (ISC)² hosted in early June, several participants said the licensing requirement would represent a departure from the state-based approach to validating the qualifications of professionals such as doctors and lawyers.
Federal licensing of cybersecurity professionals “would fly against that principle, and it just doesn’t make a lot of good sense in my opinion,” said John Lainhart, public-sector service area leader for security, privacy, wireless and IT governance at IBM’s Global Business Services. He participated in the (ISC)2 roundtable discussion as a representative of the Information Systems Audit and Control Association, which provides cybersecurity training and certifications.
Critics say another problem with licensure and its added layers of federal oversight is that the government’s training and testing programs would not evolve as quickly as industry-driven certification programs.
That would be a significant slowdown for an industry that changes as rapidly as IT does, and could dampen rather than boost the growth of a newly trained cybersecurity workforce, said Dan Liutikas, another roundtable participant and senior vice president, chief legal officer and corporate secretary at CompTIA, an IT industry and training association.
Yet another issue with licensing is what form the testing should take. Alan Paller, director of research at the SANS Institute, a cybersecurity training, certification and research organization, supports the idea of evaluating security professionals’ skills in operational situations, as airplane pilots are tested.
He added that if the government establishes a licensing program for IT security professionals, it shouldn’t belong to the commercial world. “It should be owned by a completely independent organization that isn’t trying to sell something already, and they should not be able to do any training at all — none,” Paller said.
The current state of play
Establishing certification or licensing requirements would force the government to define skill sets and career paths for cybersecurity professionals. Such tracks are common for other government jobs but nonexistent for IT security.
“Everything always points back to the fact that we are calling things apples and oranges and grapes,” said Brenda Oldfield, director of cyber education and workforce development in the Homeland Security Department’s National Cybersecurity Division. “We do not have common terminology across the mission areas. Everything that we attempt to do in developing any plans for training and education of the civilian workforce or of the federal workforce depends upon this common lexicon.”
On that issue, the legislation might be getting ahead of itself, said Patricia Titus, former chief information security officer at the Transportation Security Administration and currently CISO at Unisys Federal Systems.
The Office of Personnel Management still hasn’t designated a job series for IT security professionals, she said. Right now, such workers are categorized as IT specialists, managers or program analysts.
“I think OPM needs to develop an IT security job series, and part of that series then would be the requirements of what the individuals have to do,” Titus said. Those might include certification, appropriate training and relevant job responsibilities, she added.
Oldfield has been working for years to establish a common set of skills for information security professionals in the government. Most recently, that effort has been folded into the education component of the Comprehensive National Cybersecurity Initiative, the multiyear, multibillion-dollar program launched by the Bush administration. Oldfield co-leads the education initiative for DHS in cooperation with DOD.
“We have to be able to validate that cyber professionals have the skills needed, but we have to identify what those skills are uniformly,” she said.
Officials have identified numerous federal documents that specify different IT security competencies that workers should possess. The challenge is to bring them all together. That’s the job of an interagency work group being established to identify critical roles and unify agencies’ training efforts. Such consolidation will also likely produce cost savings by eliminating duplicative efforts.
“Many times there are high-end training classes and laboratory experiences conducted that have empty seats, and they could offer those seats to other agencies if we were comparing apples to apples,” Oldfield said.
As experts weigh the potential value of a governmentwide cybersecurity certification or licensing requirement, they are turning to DOD for lessons about how its program has fared.
DOD’s certification requirements cover a spectrum of management and technical information assurance roles for some 90,000 military, civilian and contract employees. Officials created the program in 2004 in response to departmental Directive 8570, released a manual of instructions in 2005 and updated that manual in 2008. Under the program, they identified commercially available, accredited certifications that information assurance employees and contractors need to have to work on DOD systems.
“The idea of a common lexicon that’s provided by these certifications is something that was lacking before,” said George Bieber, director of DOD’s Information Assurance Workforce Improvement Program.
At the launch of the program, Pentagon officials created a working group with representatives from the military services to define the functions or skills the certifications would cover. Then they examined which existing certifications aligned most closely with the desired skills.
DOD’s legal representative originally said they needed to use certifications rather than licensure because the latter is not a federal or DOD function, Bieber said. Officials also decided to take advantage of existing commercial certifications rather than develop custom programs so that employees would have skills they could use in the private sector or at other agencies.
DOD’s program hasn’t moved as quickly as officials had hoped. Their goal was to have about 40 percent of targeted workers certified by now, but only about 30 percent have been. Bieber blamed the shortfall on an aggressive schedule, funding constraints, changing culture and the extra work needed to make changes in supporting systems, such as personnel databases. However, DOD officials still hope to have all 90,000 certifications done by 2011.
Studies conducted by a couple of DOD offices have shown that security seems to improve as more employees are certified. DOD officials are in the process of collecting data to assess the program more broadly.
Bieber said he has heard that certifications help increase a cybersecurity staff’s problem-solving abilities by providing them with a common lexicon when addressing incidents.
“It’s really enabled the security issues to be handled at a lower level, whereas before it was going up,” he said.
The DOD model expanded?
It’s uncertain whether the requirements outlined in the Rockefeller-Snowe bill would expand the DOD model of using commercial certifications or prompt the development of new standards. And experts disagree on which approach is best.
Paller said the way DOD developed its program by surveying commercial certifications was a huge error. He believes a certification program should measure specific skills that people use in specific jobs — something he said DOD’s approach doesn’t do. Rather, it found a lowest common denominator, he said.
“My sense is if we care about this enough to make it a national law, we ought to make it much more technical and much more sophisticated,” Paller said.
However, others see expanding DOD’s approach as the way to go.
Lainhart said DOD’s program, which is based on U.S. and internationally recognized certifications, is preferable.
“Let’s not reinvent the wheel,” Lainhart said. “We’ll achieve a global standard that way by using the certifications that are out there, and I think that’s again consistent with [President Barack Obama’s] cybersecurity policy review.”
Indeed, what will follow from the administration’s recently completed 60-day review of cybersecurity policy could be a big factor in determining the new proposal’s fate.
The reviewers’ report recommends that the federal government initiate a national public awareness and education campaign. It adds that shared training and rotational assignments across agencies — and potentially with the private sector — would be efficient and beneficial. However, the administration hasn’t said whether it favors mandatory certifications and licenses for cybersecurity professionals.
Even with all the unanswered questions, some experts are happy just to be having the conversation. Bieber said he thinks all the focus on cybersecurity will turn more attention on training and certification efforts.
“One of the things I love about the Rockefeller-Snowe bill is it's provocative, and it’s creating these discussions,” said Mason Brown, director of the SANS Institute and a participant in the (ISC)2 roundtable discussion. “If we expect something in draft format and out of committee or out of the gates to be perfect, we’re a little bit nutty.”