What's wrong with cybersecurity training?
- By Amber Corrin
- Jun 26, 2013
This unidentified woman is part of the Navy's cyber force, but agencies are having a hard time finding enough people with real-world cybersecurity skills. Is our approach to training part of the problem? (Source: Navy Cyber Forces.)
Are we training our cybersecurity professionals in all the wrong ways?
Agencies have been ramping up efforts in training, education, recruiting and hiring, and still the government faces a shortage of skilled cyber professionals. According to some, the problem is rooted in a wrongheaded approach – and as a result, the United States is losing its competition.
Increasingly, government officials and private sector executives are training their focus on younger students in science, technology, engineering and math. However, there also needs to be more emphasis on the real-word, technical aspects of cybersecurity and cyber defense, rather than the academic and soft-skill side of things that too often get policy attention, insiders say.
"Other nations are building world-class talent," Alan Paller, founder of the SANS Institute, said at a June 25 Institute for Defense and Government Advancement event in Arlington, Va. "The U.S. is saying, 'We should have centers of academic excellence,' but they put out people who don't know what they're doing. We're nice to people in the field; we've got to stop that if we actually want protection for our systems."
However, some such efforts may already be underway. Douglas Maughan, cybersecurity division director at the Homeland Security Advanced Research Projects Agency, outlined measures the Homeland Security Department is taking to build up the next generation of cyber warriors, starting with high school and college.
One of the prime examples is the National Collegiate Cyber Defense Competition, a system of intensive, annual cyber battles held among dozens of universities across the United States. They eventually lead to a national finals round – a "March Madness for nerds," as Maughan described it.
"We put them in an environment where they have to defend against a real red team. It's about real defense in an operational environment," he said, adding that new DHS tools, such as new access management technologies, are constantly being added to the competition, forcing participants to learn them as they go along. "We're looking for the next generation of cyber defenders; that's what it's about. It's all about the next generation."
At the Defense Department, cyber training within the services are continuously undergoing scrutiny and changing as priorities, technologies and the cyber environment evolve.
According to a June 25 Army Times report, the Army is working on plans to consolidate its Cyber Center of Excellence at Ft. Gordon, Ga., with its Signals Center of Excellence in under a new school that would bring together training and modernization efforts. The transition is set to begin this August and last through 2015.
Will such efforts be enough? According to Paller, only if the right people are doing the teaching – the ones who have the technical skills that are critical to national cyber defense, and not those who merely have the policy and book training and "CSI-whatever" credentials after their names, he said.
"We've got these people pretending to teach cybersecurity, but they're putting out policy people or researchers...that's causing us a problem," Paller said. "If you're a fighter pilot, you don’t want your squadron leader to be someone who learned it out of the book yesterday."