Showing posts with label public policy. Show all posts

Wednesday, July 22, 2009

Cyber IN-Security: Ten Times More Computer Security Graduates needed for .gov jobs

One hour ago at the National Press Club, the Partnership for Public Service presented its report "Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce". Participating in the presentation were:

- Ron Sanders, chief human capital officer, Director of National Intelligence
- Vance Hitch, chief information officer, Department of Justice
- Max Stier, president and CEO, Partnership for Public Service

A copy of the 36 page report, co-authored with Booz Allen Hamilton, is available from OurPublicService.org.

The first, and most important, of the four challenges described in the report is ...

1) The pipeline of potential new talent is inadequate.

The report says that only 40% of the various hiring decision makers in federal agencies are "satisfied or very satisfied" with the quality of applicants for federal cybersecurity jobs, and only 30% are satisfied or very satisfied with the number of qualified candidates who are applying. The need is for "closer to 1,000 graduates a year" to fill these jobs, as opposed to the current 120 graduates provided through the Scholarship for Service program.

A couple of quotes from the report:
Defense Secretary Robert Gates has stated that the Pentagon is "desperately short of people who have capabilities (defensive and offensive cybersecurity war skills) in all the services and we have to address it." ... Three-fourths of CIOs, CISOs, IT hiring managers, and HR professionals surveyed for this report said attracting skilled cybersecurity talent would be a "high" or "top" priority for the next two fiscal years.


Much like our government did during the space race, the White House should lead a nationwide effort to encourage more Americans to develop technology, math and science skills. In conjunction with this effort, Congress should fund expansion of the successful programs that provide graduate and undergraduate scholarships in computer science and cybersecurity fields, such as the Scholarship for Service program, in return for a commitment to government service.


Victor Piotrowski, who heads the Scholarship for Service program, says that 870 students have graduated from the program over its lifetime, and that 225 students are currently enrolled in the program nationally. The pipeline currently produces 120 students per year, but Victor says the need is for "between 500 and 1,000 such graduates" every year. His program is currently funded at $12 million per year, although the Cyber Security Act of 2009, proposed by Senator Jay Rockefeller from West Virginia, would raise that to $300 million over five years.

The report also quotes Alan Paller from SANS Institute, who says "There is a radical shortage of people who can fight in cyber space -- penetration testers, aggressors, and vulnerability analysts. My sense is it is an order of magnitude short, a factor of 10 short."

Other agencies quoted in the report say that they are being "outbid by other agencies", and that the existing pool gets snapped up by the "FBI, NSA, and DHS", leaving other federal agencies without the talent they need.

The Pentagon has estimated that its military, civilian, and contractor workforce dedicated to cybersecurity positions is 90,000 personnel, while the non-DOD cybersecurity workforce is estimated at between 35,000 and 45,000. The Intelligence community, which as we have seen takes "the majority" of new hires, has a classified number of workers in this space as well.

Other critical concerns raised by the report are that . . .

- The Hiring Process is Broken
- Government Lacks Clear Definitions for Cybersecurity Jobs
- No Career Path for Cybersecurity Workers
- Pay Limitations Make It Harder for Government to Compete for Top Talent

From my position as the Director of Research in Computer Forensics at the University of Alabama at Birmingham I'm focusing on trying to do our part to help. Students who come through our program will have a solid foundation in the basics of information assurance that are taught in the core of our program, such as Internetworking, Computer Security, Network Security, etc., but we then specialize in addressing the needs of future cybercrime investigators.

In "Law, Evidence and Procedure", students get a broad look at our Justice system and how cases move through it.

In "Introduction to Computer Forensics" we then explain how a computer security "incident" fits into that framework and how the rules they heard about in LEP apply to the specifics of cybercrime cases and cases involving digital evidence.

In "Cybercrime & Forensics" students explore the side of Computer Forensics which we call "Media Forensics", learning about how files are stored on disks, and getting practical experience using the same tools they will encounter in the field, duplicating hard drives to create a forensic working copy, understanding the structure of FAT and NTFS file systems, learning to recover deleted files, crack passwords, decrypt files, and thoroughly document a piece of digital media using tools such as EnCase.

In "Investigating Online Crime" students explore the other side of Computer Forensics which we call "Network Forensics", meaning how the various computers involved in a case interact with one another. From a legal process perspective, this course introduces the students to various tools to retrieve data from providers, including subpoenas, search warrants, etc., as well as what burden of proof is required for each, and for the indictment. Guest speakers include both local and federal law enforcement, and both local and federal prosecutors who share details of actual cases with the students, stressing WHY certain information was required to move their case forward, and any legal or technical barriers that had to be overcome. Students create original applications for analysing cybercrime and digital evidence, and work with analyst tools, including i2 Analyst's Notebook and Maltego, to prepare mock presentations for investigators, prosecutors, judges, and juries to document a wide variety of cases.

Top students in our program are also invited to join our research team, where we have active projects working on real cases related to Spam, Phishing, Malware, and website attacks.

I'm excited to see the focus being brought on the great need for graduates who can take on these Cyber Security positions, and hope that many potential graduates will come join us at UAB to prepare themselves for those jobs. Our Certificate in Computer Forensics is available with the Masters or PhD in Computer & Information Science, or with the Masters in Criminal Justice.

Tuesday, April 21, 2009

President Obama's CTO: Aneesh Chopra

Like so many others who were playing the guessing game regarding President Obama's new CTO, I was wrong. I take comfort in failing along with BusinessWeek, ZDNet, Forbes, TheStreet, The Wall Street Journal and others to guess who would fill the office.

We might have taken a hint from one of President Obama's recent speeches to Congress, where he said:

"Our recovery plan will invest in electronic health records and new technology that will reduce errors, bring down costs, ensure privacy, and save lives."
-- (Transcript 24FEB09

Aneesh Chopra's bio on his Virginia website points out that he chairs the "Solutions Committee of the IT Investment Board, the Effectiveness and Efficiency Committee on the Council on Virginia's Future, and co-chairs the Healthcare IT Council". He was awarded the Healthcare Information and Management Systems Society's 2007 State Leadership Advocacy Award, and was named one of Government Technology magazine's top 25 Doers, Dreamers, and Drivers.

In 2006, ExecutiveBiz.com interviewed Mr. Chopra on his new position as Secretary of Technology for the Commonwealth of Virginia. His answer to the question "What is your background?" lines up well with President Obama's vision for secure electronic healthcare records:

ExecutiveBiz: What is your background?

Aneesh Chopra: Professionally, I am a managing director at a think tank with a focus for the health care industry, but a big portion of my professional background has been studying ways that technology can fundamentally transform the healthcare industry in particular. Also, I internally helped launch the Advisory Board's first software-based membership business. So not only have I been researching technology and how I can benefit the healthcare industry, I have been business development wise active in the use of technology to grow our own business.


It was clear from his work in the job though that Health Care was not his only focus. Here were some answers regarding educational technology, another area on which the Secretary turned his attention while in office in Virginia, from one of the 46 Podcasts his office put out during his time there: (03/25/09 - Secretary Chopra discusses technology in the classroom --


We have an innovation imperative in the Commonwealth, and frankly for the country, and it requires us to think anew about how we produce students who are globally competitive. There are three basic questions we have to ask:
What are we actually teaching our kids?
How are we teaching our kids?
What are the tools with which we can allow the sharing of ideas and the process of learning how to teach our kids?
In each of these areas there is a place for technology to play a role, in some cases a direct role, and in other cases more of an indirect role.


In his 2007 Accomplishments podcast (January 9, 2008) he stressed three Public/Private Partnerships, including:

a Google partnership to produce Google SiteMaps of 55 government websites, mapping more than 200,000 state webpages to increase their ability

Microsoft Virtual Earth helped create Campus Safety maps to help identify resources and plans for various emergencies on campus as a reaction to school shootings.

Cox and Comcast Cable began offering "GED On Demand" for free to more than 1 million broadband subscribers in Virginia.

1 of 3 new jobs created in Virginia came from high-tech jobs, and 30% of all wage-earners in Virginia received their pay from a technology related job.

5 innovators in HealthCare IT, 3 of which provided an 8-fold return on the investment. The Virginia HealthCare Exchange Network was created as part of the initiative.

Many other initiatives were described, making this podcast well worth listening to in order to learn more about how our nation's new CTO thinks about Technology. Many of these initiatives were grant-generated, by placing challenges into the community and asking for innovators who have solutions to step forward to address government productivity, broadband, and government IT.

To summarize what I see about Aneesh Chopra - he's proven that he knows how to solicit ideas from innovators, shape them into actual solutions, and roll them out as successful products. He did it in the business world, he did it in his HealthCare IT think tank, and he did it for the State of Virginia. I look forward to seeing what he can do for our nation.

I'm especially interested to see what types of reforms a technology thinker can bring to our Criminal Justice systems! At UAB Computer Forensics our partnership between Computer Science and Justice Science is based on the concept that when Computer Scientists are presented with Criminal Justice problems, good technology things can happen. Hopefully this will be one of our new CTO's priority areas as well.