In October 2008 Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, reported that extortionists had threatened to disclose personal and medical information on millions of Americans if the company failed to meet payment demands.
For at least the past six years the US Department of Defense, nuclear laboratory sites and other sensitive US civilian government sites have been deeply penetrated, multiple times, by other nation-states. “China has downloaded 10 to 20 terabytes of data from the NIPRNet (the sensitive, but unclassified US military network).”
How did this happen? Where were the defenders in this crisis moment? Where was Batman?
In the paper “A Human Capital Crisis in Cybersecurity” (“A Report of the CSIS Commission on Cybersecurity for the 44th President”), authors Evans and Reeder report on the shortage of skilled security professionals needed to battle ever-increasing waves of cybercrime.
According to Jim Gosler, NSA Visiting Scientist and founding director of the CIA’s Clandestine Information Technology Office, there are only about 1,000 security specialists in the United States who have the specialized skills to operate effectively in cyberspace; however, the United States needs about 10,000 to 30,000 individuals.
According to the report, there is an even more desperate shortage of people who can design secure systems, write safe computer code and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.
So what to do?
The Commission reports that the current professional certification programs are ineffective and issue credentials which create a false sense of preparedness for both practitioners and their employers. Evans and Reeder go on to state that “in many ways cybersecurity is similar to 19th century medicine – a growing field dealing with real threats with lots of self-taught practitioners, only some of whom know what they are doing.”
The report ends with a call to develop “a culture of professionalism,” along with accreditation standards and professional certifications by specialty. In the end, nothing else can be tolerated if organizations and nations are to prevent, detect and respond to ever-increasing threats.