Battling Cyber Threats

December 3, 2010

Agnes Chan (Courtesy of Agnes Chan)

Today, virtually every area of life depends on a cyber infrastructure that is vulnerable to attack. According to a recent report by the Center for Strategic & International Studies, sensitive U.S. military and civilian networks have been “deeply penetrated, multiple times, by other nation-states,” and hackers employed by terrorist and criminal organizations are a constant and serious menace. In an August 2010 survey by Symantec, of 1580 private businesses in industries such as energy, banking, health care, and other areas of critical infrastructure, more than half reported politically motivated cyber attacks, averaging 10 attacks in the past 5 years.

Computer security experts say the United States faces a radical shortage of highly skilled cybersecurity professionals who can prevent and combat such attacks. One federal official has estimated that there are only 1000 cybersecurity experts in the United States who have the deep technical knowledge required to safeguard national security; tens of thousands are needed, he believes.

“This is a scourge that is going to kill us,” says Alan Paller, director of research at the SANS Institute in Bethesda, Maryland, and a leading expert on computer security workforce issues. “It would be like going into World War II and having no pilots. It’s actually a very bad problem. The bad guys are spending tens of billions of dollars developing these attack tools. They get through our defenses, carried along on e-mail and on other traffic, and we have to have people who can find them.”

The need for cybersecurity professionals has grown rapidly, along with the growth in data networks in banking, telecommunications, health care, transportation, law enforcement, energy, emergency response systems, and national defense, among other areas. Meanwhile, the number of American students entering science and engineering has declined. In most fields of science, that decline has been offset by an influx of foreign scientists. But the decline is especially troublesome in cybersecurity because so many high-level cybersecurity jobs require American citizenship and an ability to obtain security clearance.

What’s needed most, Paller says, is people with sophisticated technical skills and experience in areas such as system design, software security, digital forensics, computer engineering, and cryptography. “We have way too many people who call themselves cybersecurity people, people who might have written a report about cybersecurity, or done a risk assessment, or passed a test,” he says. “We need the people who can actually reset the firewall settings so that they block attacks; the people who can configure software safely; the people who can find errors in software; people who can do the forensics to find evidence of malicious activity. It’s like the difference between a hospital administrator and a doctor: they’re all in health care, but they’re not all doctors.”

Agnes Chan, co-director of Northeastern University’s Institute for Information Assurance, says there is an equally strong need for people who combine technical expertise with training in risk management and policy. She notes that many cybersecurity positions, especially those that involve risk analysis and policy work, require both a computer scientist’s technical proficiency and a social scientist’s understanding of human behavior and how it can affect security. “It is not easy to find students that are strong in both,” Chan says.

Others echo that emphasis on cybersecurity’s human component. “You can think about cybersecurity as being like the lock on the door,” says Eugene Spafford, director of Purdue University’s Center for Education and Research in Information Assurance and Security in West Lafayette, Indiana. “If I use a cheap lock, somebody’s going to be able to get into the office real quickly. But if I forget to lock the door regularly or I leave the key sitting on the desk, that’s just as bad. So training people is critically important. It’s just as important as technology. The field is larger than simply understanding the bits and the wires.”

Such shortages translate into abundant opportunity for computer scientists, engineers, mathematicians, and other scientists who pursue a career in cybersecurity. The National Security Agency (NSA) plans to hire 1000 cybersecurity professionals in the next year. The Department of Homeland Security (DHS) has more than tripled its cybersecurity workforce in the past 2 years. TheDepartment of Defense (DOD), which employs more cybersecurity professionals than any other federal body, is hiring aggressively, as are many other federal and state agencies.

There is at least as much demand for high-level cybersecurity professionals in the private sector, which controls almost 85% of the United States’s critical infrastructure. “There’s a bubble that’s going to hit, and the need for cybersecurity people is going to really escalate in the future,” says Richard “Dickie” George, technical director of NSA’s Information Assurance Directorate. “More and more, industry is going to realize that the long-term viability of the country depends on this protection.”

“If you’re good, you’re going to have dozens of job offers,” says Sujeet Shenoi, director of the University of Tulsa’s Cyber Corps Program, which is widely regarded as one of the strongest and most intense in the United States. “I can’t produce the students fast enough. I graduate about 35 students a year, and even if I were to quadruple it, I wouldn’t be able to fill the demand.” Lance Hoffman, director of George Washington University’s (GW’s) Partnership in Securing Cyberspace through Education and Service (PISCES) program, says students there have fared equally well, enjoying 100% job placement since 2002.

Cybersecurity professionals who work in operational settings — that is, who actually battle cyber attacks — spend their days writing secure software and designing networks. Some do “penetration testing,” hacking into their own organization’s defenses to expose weaknesses an enemy might exploit. Others specialize in digital forensics, deconstructing cyber attacks to understand their origins and purpose. Still others create educational programs or work on policy questions, such as how to balance security and privacy, and how to address security breaches in the context of international law.

Research opportunities, too, are growing. All the federal security agencies and many large companies have research arms devoted to developing cybersecurity technologies and finding more effective ways to educate users so that they don’t compromise computer systems. Appreciation — and funding — for basic research on information security is expanding, says Benjamin Cook, cyber-enterprise capabilities manager at Sandia National Laboratories in Albuquerque, New Mexico. He notes, however, that blue-sky research positions are “few and far between.”

In recent meetings, cybersecurity experts identified a number of research priorities. One is the development of mathematically rigorous ways of establishing that hardware or software, or a computer system, is trustworthy. “In the industrialized world, we’ve kind of bet the bank on this technology,” Cook says. “If we can’t develop a rigorous and fundamental ability to establish trust in these systems, we’re inching out onto thin ice.” Other priorities include understanding phenomena of complex networks such as malware propagation and new models of cybersecurity based on biological concepts such as biodiversity and immunity. Some promising areas of research, Cook notes, may be especially suited to scientists with a multidisciplinary bent.

The main routes into high-level operational and research positions in cybersecurity are the 125 university-based cybersecurity training programs designated by NSA and DHS as Centers of Academic Excellence (CAEs) in information assurance education and research. These programs are eligible to apply for scholarship funding for undergraduates and graduate students through two federal programs: the National Science Foundation’s Federal Cyber Service: Scholarship for Service (SFS) program and DOD’s Information Assurance Scholarship Program (IASP). The SFS and IASP programs fund students for up to 2 years of undergraduate or graduate training in cybersecurity in return for an equivalent period of government service, either to DOD (for IASP awardees) or to other federal agencies (for SFS awardees). “It’s like ROTC for geeks,” says Hoffman.

Like other cybersecurity training programs around the country, the CAE programs draw students from computer science, engineering, math, statistics, forensic sciences, criminal justice, business administration, public policy, law, education, and the social sciences. Although computer science is fundamental to cybersecurity research and practice, there is plenty of opportunity for scientists in other fields to apply their interests to cybersecurity issues — and no need to start over. Graduate students or postdocs in fields such as math, physics, and biology tend to be competitive applicants to CAE programs, although they may have to spend some time developing their computer science knowledge. To understand whether their career goals require taking a couple of courses or spending a few years getting more training, scientists should first figure out what aspect of cybersecurity they’re interested in, says Diana Burley, a professor of human and organizational learning who teaches in GW’s PISCES program.

“It may be a matter of figuring out how what you already know fits in,” Purdue’s Spafford suggests. A math degree, for example, provides an excellent grounding for work in cryptography. A mechanical engineer’s systems-oriented thinking is an asset for designing and analyzing network defenses. A biologist might study the use of biometric technologies for computer security. A cognitive scientist might use aspects of artificial intelligence to develop protocols for recognizing who is at a keyboard.

Different cybersecurity training programs have different emphases, as a listing of SFS-funded programs reveals. Some concentrate on policy and risk management, some on forensic investigation, others on behavioral aspects of cybersecurity, and still others on research and interdisciplinary training. The best programs combine deep training in core subjects such as computer security, network protocols, or cryptography with significant hands-on experience. “Just being able to solve today’s problem isn’t enough,” says NSA’s George. “You need to be able to train yourself to solve the problems that will come 5 or 10 years from now. Then you also need enough hands-on laboratory work doing things like reverse engineering, forensic investigation, and penetration testing that will enable you to solve today’s problems. That’s a very difficult balancing act.”

“This stuff can’t be done completely in an abstract setting,” agrees Ernest McDuffie, who leads theNational Initiative for Cybersecurity Education, a multiagency effort coordinated by the National Institute of Standards and Technology. “You can’t do it with a chalkboard — you need to get your hands dirty.”

For those with useful skills but without the specific degree, Paller suggests a “back door” into the field: Volunteer or get a part-time job with your university’s computer support service; then, after a semester or two, migrate to doing security support. “That’s where you’ll learn the skills that will put you in line for the jobs that most need filling,” Paller says. Doing cutting-edge work in cybersecurity requires knowing three things: programming, networks and protocols, and operating systems. Academic credentials aren’t what’s needed, he says. What’s needed are people with the skills the best scientists possess: “It’s people who are extraordinarily good at taking things apart and seeing how they’re made. It takes being hungry to get to the bottom of things.”

Credit: Article by Siri Carpenter of