Tuesday, July 31, 2012

U.S. must develop Olympic-level cybersecurity experts

Dan Manson

The Summer Olympics is arguably the world's premier sporting event, and for decades it's been the most politicized. During the Cold War, it served as a proxy battleground for the superpowers, with the "medal count" determining victory. After the Soviet Union prevailed five times between 1956 and 1976, the United States established its first Olympic Training Center to help athletes compete successfully on the world stage.

The reality, of course, is that winning or losing the medal count has little practical significance once the Olympic flame has been dimmed, but that's not the case in another competitive arena, one in which the stakes are enormous. That arena is cyberspace, and if the United States does not respond vigorously to the challenges it faces, the outcome could be devastating.

Almost daily, the media report about security breaches, and it appears no one is immune. Business trade secrets and personal data have been stolen. Secure networks have been breached. Even President Obama's personal Twitter account has been hacked. In response to serious national security concerns, the United States established a Cyber Command in 2009. Still, experts worry that not enough is being done.

Quite simply, if a Cybersecurity Olympics were held today, the United States would not win the medal count. It wouldn't even be close.

One of the most popular events at international cyber competitions is "capture the flag," which involves teams defending their digital territory and seizing control of their opponents' information. This requires advanced skills in gaining access to electronic "flags" on other systems, while defending your own system from attacks. Teams from other countries routinely win.

With so much at stake, this is simply unacceptable.

We need to develop Olympic-caliber cybersecurity experts who undergo the same rigorous training and performance measurements as the athletes you see at the London Games. We need Cybersecurity Training Centers with admission based on performance in qualifying competitions, with no degree or age limitations.

Recently, Department of Homeland Security Secretary Janet Napolitano asked two heavyweights in the cyber world, Jeff Moss and Alan Paller, to co-chair a task force to assess ways DHS can increase the number of highly qualified cybersecurity professionals by assessing their individual skills. Their findings are expected soon.

DHS has been a strong supporter of cybersecurity training, including the Western Regional Collegiate Cyber Defense Competition, an event Cal Poly Pomona has hosted. Such training and competitions are good, but they yield aggregate team results, which makes it difficult to identify an individual's skills.

The United States should set a goal by 2020 of 1 million participants in organized cybersecurity training events and competitions that measure individual performance. From this group, we should identify 250,000 who participate often enough to produce meaningful data, and then we should select 50,000 to receive advanced training that prepares them to move into vital cybersecurity roles.

Schools, consortiums and companies need to work together to develop an elite group, an Olympic Cyber Team, if you will, along with a large number of practitioners who may never rise to that level but whose honed skills will nonetheless provide significant benefits.

The evolution of cyber into a sport is a critical step in developing future experts. By instilling competition, by identifying and rewarding those who excel, and by making cyber attractive to a diverse group of participants, we will close the gap with other nations.

The government's National Initiative for Cybersecurity Education sums up the task ahead:

"Today, there is little consistency in how cybersecurity work is defined and described throughout the nation. The lack of a common language to discuss and understand the work requirements of cybersecurity professionals hinders our nation's ability to: [assess] capabilities, identify skill gaps, develop cybersecurity talent in the workforce, prepare the pipeline of future talent.

Establishing and using a unified framework for cybersecurity work and workers is not merely practical but vital to the nation's cybersecurity. Much as other professions have defined their specialties, it is now time to forge a common set of definitions for the cybersecurity workforce."

From "T-ball" to Olympic-level competition, we can make a huge difference by developing and embedding performance measurement into cybersecurity training and competitions. Educators, businesspeople and government leaders must work together to ensure that cyber athletes are nurtured, not neglected.

We cannot afford to lose this medal count.

Dan Manson is a professor in the computer information systems department at Cal Poly Pomona and executive director of the university's Center for Information Assurance.
