Cyberwarrior Shortage Threatens U.S. Security
Getty Images
The U.S. Computer Emergency Readiness Team/National Cybersecurity and Communications Integration Center is designed to help protect the technical infrastructure of the United States.
Published: July 19, 2010
There may be no country on the planet more vulnerable to a massive cyberattack than the United States, where financial, transportation, telecommunications and even military operations are now deeply dependent on data networking.
What's worse: U.S. security officials say the country's cyberdefenses are not up to the challenge. In part, it's due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of U.S. computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering.
"We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time," says James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department.
If U.S. cyberdefenses are to be improved, more people like Gosler will be needed on the front lines. Gosler, 58, works at the Energy Department's Sandia National Laboratory in Albuquerque, N.M., where he focuses on ways to counter efforts to penetrate U.S. data networks. It's an ever-increasing challenge.
"You can have vulnerabilities in the fundamentals of the technology, you can have vulnerabilities introduced based on how that technology is implemented, and you can have vulnerabilities introduced through the artificial applications that are built on that fundamental technology," Gosler says. "It takes a very skilled person to operate at that level, and we don't have enough of them."
Gosler estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.
Some are currently being trained at the nonprofit SANS (SysAdmin, Audit, Network, Security) Institute outside Washington, D.C., but the demand for qualified cybersecurity specialists far exceeds the supply.
"You go looking for those people, but everybody else is looking for the same thousand people," says SANS Research Director Alan Paller. "So they're just being pushed around from NSA to CIA to DHS to Boeing. It's a mess."
The Center for Strategic and International Studies highlights the problem in a forthcoming report, "A Human Capital Crisis in Cybersecurity."
According to the report, a key element of a "robust" cybersecurity strategy is "having the right people at every level to identify, build and staff the defenses and responses."
The CSIS report highlights a "desperate shortage" of people with the skills to "design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts."
The cyber manpower crisis in the United States stands in sharp contrast to the situation in China, where the training of computer experts is a top national priority. In the most recent round of the International Collegiate Programming Contest, co-sponsored by IBM and the Association for Computing Machinery, Chinese universities took four of the top 10 places. No U.S. university made the list.
The Chinese government, in fact, appears to be systematically building a cyberwarrior force.
"Every military district of the Peoples' Liberation Army runs a competition every spring," says Alan Paller of SANS, "and they search for kids who might have gotten caught hacking."
One of the Chinese youths who won that competition had earlier been caught hacking into a Japanese computer, according to Paller, only to be rewarded with extra training.
"Later that year, we found him hacking into the Pentagon," Paller says. "So they find them, they train them, and they get them into operation very, very fast."
Some members of Congress, eager to follow China's example, are now promoting a U.S. Cyber Challenge, a national talent search at the high school level. The aim is to find up to 10,000 potential cyberwarriors, ready to play both offense and defense.
"The idea is for schools around the country to field teams, and the teams would compete against one another," says Sen. Thomas Carper, a Delaware Democrat who is one of the backers of the effort. He sees the challenge as an opportunity "not only for them to hone their skills on being able to hack into other systems, particularly those of folks we may not be fond of, but also to use what they learn to strengthen our defenses."
In order to protect a computer system, one needs to know how someone might attack it. Last year's preliminary Cyber Challenge game was won by a 17-year-old from Connecticut -- Michael Coppola -- who was smart enough to hack into the game computer and add points to his own score.
"There's actually a flaw within that Web application," Coppola says. "Using that, I was able to execute commands on the computer running the scoring software, and I was able to add points and basically do whatever I wanted."
It was certainly an unconventional approach, but the competition judges were so impressed by Coppola's ability to hack into the computer game that they actually rewarded him for changing his score.
"It's cheating," Michael says, "but it's like the entire game is cheating."
Indeed. People who know how to cheat will soon be on the front lines of cyber defense, because the best way to defend a computer system from attack is to figure out how an adversary would be able to hack into it.
Now 18, Coppola is himself looking to a career in cybersecurity. [Copyright 2013 NPR]
TRANSCRIPT:
MARY LOUISE KELLY, host:
And now we're going to hear about an audience that is extremely interested in al-Qaida and its online magazine - government security agencies. They're increasingly concerned about cyber attacks and are scrambling to improve their defenses against hackers. But here's the challenge: a severe shortage of cyber technicians and engineers. NPR's Tom Gjelten reports.
TOM GJELTEN: The United States and other countries know the next war will have a cyber dimension. Adversaries are constantly finding ways to penetrate each other's computer defenses. So, in the years ahead, the United States will need an army of cyber warriors, people like Jim Gosler, who has worked for the CIA, the National Security Agency, and currently, the Energy Department.
Mr. JIM GOSLER: We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time.
GJELTEN: Gosler is now a fellow at the Sandia National Laboratory, where he works on ways to counter efforts to penetrate U.S. networks. He says the protection of those systems is an ever-increasing challenge.
Mr. GOSLER: You can have vulnerabilities in the fundamentals of the technology. You can have vulnerabilities introduced, based on how that technology is implemented. And you can have vulnerabilities introduced based on the artificial applications that are built on that fundamental technology. It takes a very skilled person to operate at that level, and we don't have enough of them
GJELTEN: Gosler says there are, right now, only about 1,000 people in the entire United States with the skills needed for that frontline cyber defense. He thinks 20 or 30 times that many are needed.
Alan Paller agrees. He's research director for the SANS Cybersecurity Training Institute.
Mr. ALAN PALLER (Research Director, SANS Cybersecurity Training Institute): You go looking for those people, but everybody else is looking for the same thousand people. So they're just being pushed around from NSA to CIA to DHS to Boeing. It's a mess.
GJELTEN: The Center for Strategic and International Studies highlights the problem in a forthcoming report titled "A Human Capital Crisis in Cybersecurity." The CSIS report says the cyber manpower shortage is now desperate. The SANS Institute's Alan Paller says the United States is actually losing ground, right now, to China, where the training of cyber warriors is a top national priority.
Mr. PALLER: Every military district of the People's Liberation Army, the PLA, runs a competition every spring and they search for kids who might have gotten caught hacking.
GJELTEN: Paller says one of the Chinese kids who won that competition, had earlier been caught hacking into a Japanese computer. He was rewarded with extra training.
Mr. PALLER: Later that year, we found him hacking into the Pentagon. So they find them, they train them, and they get them into operation very, very fast.
GJELTEN: Some members of Congress want the U.S. to follow China's example. They're promoting a U.S. Cyber Challenge, a national talent search to find up to 10,000 potential cyber warriors, ready to play both offense and defense.
Senator Thomas Carper of Delaware.
Senator THOMAS CARPER (Democrat, Delaware): The idea is for schools around the country to field teams, and the teams would compete against one another - not only for them to hone their skills on being able to hack into other systems, particularly those of folks we may not be fond of - but also to use what they learn to strengthen our defenses.
GJELTEN: In order to protect a computer system, one needs to know how someone might attack it. Last year's preliminary Cyber Challenge game was won by a 17-year-old from Connecticut, Michael Coppola, who was smart enough to hack into the game computer and add points to his own score.
Mr. MICHAEL COPPOLA (Champion, Cyber Challenge): There's actually a flaw within that web application, and using that, I was able to execute commands on the computer running the scoring software. And I was able to add points and basically do whatever I wanted.
GJELTEN: Was that fair? In his case, the judges were so impressed by Michael's ability to hack into the computer game, that they actually rewarded him for changing his score.
Mr. COPPOLA: It's cheating, but it's like the entire game is cheating, I guess you could say.
GJELTEN: People who know how to cheat will soon be on the front lines of cyber defense, because the best way to defend a computer system from attack is to figure out how an adversary would hack into it.
Michael Coppola, now 18, is himself looking to a career in cybersecurity.
Tom Gjelten, NPR News, Washington. Transcript provided by NPR, Copyright NPR.
%7Cutmccn%3D(direct)%7Cutmcmd%3D(none);&utmn=764490591&utmp=%2Fnews%2Ffront%2F128574055%3Fpage%3D0&utmhn=m.npr.org&utmac=UA-5828686-23&utmhid=886143127)