Hacking the human component of cyber readiness

The ability to share information on emerging cybersecurity threats is vital for the Defense Department. But personnel needs and a somewhat imperfect relationship with the private sector continue to prove challenging.

"I think we are convinced, whether or not you are in government … that sharing has to take place," said Lt. Gen. Paul Nakasone, the commanding general for U.S. Army Cyber Command, during a panel on cyber readiness at the Intelligence and National Security Summit in Washington, D.C. Wednesday. "That is clearly what we have to do. Now, how do we make it most efficient?"

That question has been the center of the DOD's struggle to leverage the private sector's "expansive" and "in-depth," according to Nakasone.

"How do we have the ability to read in more key leaders of industry onto the security clearances necessary so they can take a look at some of the things we were able to garner?" he asked. "At the same time, how do we quickly form a partnership without a bevy of lawyers to work with the private sector?"

From the industry's perspective, it all comes down to trust.

"The basic tenet of any [information-sharing] model," said Ron Bushar, the cybersecurity firm FireEye's vice president for professional services, "has to be 'I'm trusting you with sensitive information and I trust you're going to do the right thing with that data and I trust that I'm going to get some value back out of what I share with you.'"

"Those two components have to play against each other," he added. "I have to trust you enough to share my information with you and I have to feel like I'm getting value back out of that relationship."

Moreover, simply sharing information on cyber threats isn't enough. It must be timely as well as relevant. Cybersecurity reports that come months or years after a compromise are "nice" and "educational" but ultimately not "useful in the moment," Bushar said. "I need real-time information to make decisions about what I should do or not do in my infrastructure to prepare for what we think may be coming next."

To build that automated world, DOD must leverage the talent of the private sector and foster more of an open door policy within the department as well.

The automated indicator sharing program, which allows private sector and government to share cyber threats, was a solid step in that direction, according to Mark Kneidinger, the Department of Homeland Security's director of the federal network resilience. But there is still room to better capitalize on the private-government relationships.

The AIS, which had to clear several legal hurdles and took years to complete, was "a key way of opening up the opportunity for threat indicators to be shared," Kneidinger said, and the number of private companies using the system is increasing.

But while these strategies are working, the speakers said, DOD must look past simple sharing and prioritize encouraging members in industry to take on high-level government positions and lead cyber strategy.

"As we're seeing key CIO positions being filled, we're also seeing an influx of industry coming into the government at the CIO level," Kneidinger said. There's value in that "industry experience, being able to share at the executive level within the agency as well as being part and partnered with the community that has worked together with cyber for the government area."

Despite that trend, attracting and retaining such talent is a challenge because public service doesn't pay.

"We have the authority to bring cyber folks in relatively rapidly," Kneidinger said. "The issue is still competition. Competition with industry, competition with banks, health care areas and things of that nature."

McAfee Vice President and Chief Technical Strategist Scott Montgomery, meanwhile, told FCW before a Sept. 7 House hearing on the cybersecurity workforce that the number "wrench turners" who do the hands-on keyboard work is "actually almost right-sized" in government.

He said where government lags is in the population of researchers and especially in analysts.

"This is sort of akin to beat cop versus SWAT team," Montgomery said. "Unfortunately it takes people going through the operator route typically for some time to become or to grow into analysts."

Montgomery advocates government programs like the National Science Foundation CyberCorps program and passing the Cyber Scholarship Opportunities Act, currently before Congress.

"This is a great reason why diversity helps as well," he added. "You actually want different kinds of thinkers thinking about the same problem in different ways, to get to the fastest solution. That community, there's not enough of those anywhere."

DHS has looked at ways to increase compensation in cyber, but the pay gap compared to industry salaries persists. To get past it, agencies like the U.S. Digital Service have to play up the excitement of the roles, and allow individuals to flow in and out rather than trying to lock them in for a long career.

But even if those approaches are adopted across the government, training and clearances become an issue. The backlog for background checks stands at 700,000, and cyber professionals poached from the private sector can be restricted to "limited" roles until they are cleared.

Ultimately, as Ret. U.S. Navy Admiral T.J. White, who helms U.S. Cyber Command's Cyber National Mission Force put it, there's always more that could be done.

"We operate within the resources given to us," White said. "You can always make the case that if you had more you'd do more."

FCW editorial fellow Ben Berliner contributed to this story.