Certifications are not a panacea for cybersecurity woes

A national certification program for cybersecurity professionals won't solve our security problems, writes Daniel Castro.

As Congress debates legislation to improve cybersecurity, one problematic idea that appears to have gained some traction is developing a national certification program for cybersecurity professionals.

If certifications were effective, we would have solved the cybersecurity challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won’t write passwords on the backs of keyboards. Nor has the increase in the number of certified cybersecurity workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.

At the federal level, a certification mandate would be little more than a box-checking activity for agencies, akin to many of the Federal Information Security Management Act requirements that tax the federal budget and workforce, but produce few results. Even worse, Congress might go further and impose costly certification requirements on a broad range of private network operators and companies in many major industries. By requiring certification for so many jobs, Congress would in effect create a “license to practice” for cybersecurity professionals.

Licenses are typically only required in professions in which the public is harmed by the absence of licensure. (Perhaps that is an argument to require licenses for members of Congress.) Therefore, the implicit assumption in arguing for a certification program for all federal cybersecurity professionals, those involved in operating critical infrastructure and potentially many more individuals in the private sector, is that the public is being harmed because unqualified workers are filling those jobs -- not because of a lack of talent or insufficient training but because hiring managers cannot distinguish between competent and incompetent cybersecurity workers. That is the only problem that certification (in the form of a de facto license) could fix. However, no proponent of that approach has provided evidence to show that the problem exists, nor is the problem commonly cited in other studies as a factor contributing to cybersecurity risks.

The security community needs to speak up. The cybersecurity challenge is too important to allow Congress to provide a paper-thin response that produces nothing more than the veneer of government action without reducing any real risks.