Wednesday, July 22, 2009

Cyber IN-Security: Ten Times More Computer Security Graduates needed for .gov jobs

One hour ago at the National Press Club, the Partnership for Public Service presented its report "Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce". Participating in the presentation were:

- Ron Sanders, chief human capital officer, Director of National Intelligence
- Vance Hitch, chief information officer, Department of Justice
- Max Stier, president and CEO, Partnership for Public Service

A copy of the 36 page report, co-authored with Booz Allen Hamilton, is available from

The first, and most important, of the four challenges described in the report is ...

1) The pipeline of potential new talent is inadequate.

The report says that only 40% of various hiring decision makers in federal agencies are "satisfied or very satisfied" with the quality of applicants applying for federal cybersecurity jobs and only 30 percent are satisfied or very satisfied with the number of qualified candidates who are applying. The need is for "closer to 1,000 graduates a year" to fill these jobs, as opposed to the current 120 graduates provided through the Scholarships for Service program.

A couple quotes from the report:
Defense Secretary Robert Gates has stated that the Pentagon is "desperately short of people who have capabilities (defensive and offensive cybersecurity war skills) in all the services and we have to address it." ... Three-fourths of CIOs, CISOs, IT hiring managers, and HR professionals surveyed for this report said attracting skilled cybersecurity talent would be a "high" or "top" priority for the next two fiscal years.

Much like our government did during the space race, the White House should lead a nationwide effort to encourage more Americans to develop technology, math and science skills. In conjunction with this effort, Congress should fund expansion of the successful programs that provide graduate and undergraduate scholarships in computer science and cybersecurity fields, such as the Scholarship for Service program, in return for a commitment to government service.

Victor Piotrowski, who heads the Scholarship for Service program, says there are currently 870 students who have graduated from the program over its lifetime, and that there are 225 students currently enrolled in the program nationally. The pipeline currently produces 120 students per year, but Victor says the need is for "between 500 and 1,000 such graduates" every year. His program is currently funded at $12 Million per year, although the Cyber Security Act of 2009, proposed by Senator Jay Rockefeller from West Virginia, would raise that to $300 million over five years.

The report also quotes Alan Paller from SANS Institute, who says "There is a radical shortage of people who can fight in cyber space -- penetration testers, aggressors, and vulnerability analysts. My sense is it is an order of magnitude short, a factor of 10 short."

Other agencies quoted in the report describe that they are being "outbid by other agencies", and that the existing pool gets snapped up by the "FBI, NSA, and DHS", leaving other federal agencies without the talent they need.

The Pentagon has estimated that their military, civilian, and contractor workforce dedicated to cybersecurity positions is 90,000 personnel, while the non-DOD cybersecurity workforce is estimated at between 35,000 to 45,000. The Intelligence community, who we have seen takes "the majority" of new hires, has a classified number of workers in this space as well.

Other critical concerns raised by the report are that . . .

- The Hiring Process is Broken
- Government Lacks Clear Definitions for Cybersecurity Jobs
- No Career Path for Cybersecurity Workers
- Pay Limitations Make It Harder for Government to Compete for Top Talent

From my position as the Director of Research in Computer Forensics at the University of Alabama at Birmingham I'm focusing on trying to do our part to help. Students who come through our program will have a solid foundation in the basics of information assurance that are taught in the core of our program, such as Internetworking, Computer Security, Network Security, etc., but we then specialize in addressing the needs of future cybercrime investigators.

In "Law, Evidence and Procedure", students get a broad look at our Justice system and how cases move through it.

In "Introduction to Computer Forensics" we then explain how a computer security "incident" fits into that framework and how the rules they heard about in LEP apply to the specifics of cybercrime cases and cases involving digital evidence.

In "Cybercrime & Forensics" students explore the side of Computer Forensics which we call "Media Forensics", learning about how files are stored on disks, and getting practical experience using the same tools they will encounter in the field, duplicating hard drives to create a forensic working copy, understanding the structure of FAT and NTFS file systems, learning to recover deleted files, crack passwords, decrypt files, and thoroughly document a piece of digital media using tools such as EnCase.

In "Investigating Online Crime" students explore the other side of Computer Forensics which we call "Network Forensics", meaning how the various computers involved in a case interact with one another. From a legal process perspective, this course introduces the students to various tools to retrieve data from providers, including subpoenas, search warrants, etc, as well as what burden of proof is required for each, and for the indictment. Guest speakers include both local and federal law enforcement, and both local and federal prosecutors who share details of actual cases with the students, stressing WHY certain information was required to move their case forward, and any legal or technical barriers that had to be overcome. Students create original applications for analysing cybercrime and digital evidence, and work with Analyst tools, including I2 Analysts Notebook and Maltego to prepare mock presentations for investigators, prosecutors, judges, and juries to document a wide variety of cases.

Top students in our program are also invited to join our research team, where we have active projects working on real cases related to Spam, Phishing, Malware, and website attacks.

I'm excited to see the focus being brought on the great need for graduates who can take on these Cyber Security positions, and hope that many potential graduates will come join us at UAB to prepare themselves for those jobs. Our Certificate in Computer Forensics is available with the Masters or PhD in Computer & Information Science, or with the Masters in Criminal Justice.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.