with Aaron Schaffer

The United States is facing a critical shortage of cybersecurity professionals, one that government watchdogs and experts say is only expected to grow in the coming years. 

The shortage, which runs into hundreds of thousands of people, has spurred government officials to ramp up their efforts to address two of its driving factors: a lack of professional development opportunities and barriers surrounding diversity.

“Developing sound public policy requires diverse perspectives from communities that represent America. It requires the recruitment, development and retention of diverse talent,” Department of Homeland Security Secretary Alejandro Mayorkas said in a speech last month announcing the agency's plans to launch a diversity and workforce development initiative in the coming months. 

It requires equal access to professional development opportunities to fill the current half-million cyber vacancies across our country and to prevent future shortages that threaten our ability to compete.”

The significant task comes at a critical moment for U.S. cybersecurity as both the government and private sector are still reeling from a major Russian hacking campaign that infiltrated at least nine government agencies and a separate Microsoft breach that compromised thousands of local U.S. businesses and organizations.

Efforts from the public sector demonstrate there's one way to make a huge immediate impact on the workforce problem: highlighting and promoting existing talent in underrepresented communities. 

You cannot effectively change a pipeline without making it visible who's already there, says Camille Stewart, who co-founded the nonprofit campaign #ShareTheMicInCyber with Lauren Zabierek, executive director of The Cyber Project at Harvard Kennedy School's Belfer Center. 

They launched the online campaign in June as a way for prominent cybersecurity leaders to lend their platforms to Black professionals by allowing them to tweet from their accounts. The aim of the project was to amplify the voices of Black people who work in cybersecurity as well as connect them with professional opportunities.

“Our goal is really to show people that there are individual actions that they can take to elevate the fact that there are black practitioners already working in this space, says Stewart, a cybersecurity attorney and a Cyber Fellow at the Harvard Kennedy School’s Belfer Center. After the murders of George Floyd, Ahmaud Arbery among others, the cyber community, like many other communities, is really looking for ways to effect change and be part of something bigger. So this is a way to do that.”

Since the first campaign, #ShareTheMicInCyber has hosted two additional events and companies including Google and Twitter are helping by offering trainings and programming. As a result of the events, participants have connected with new business partnerships and even board seats, Stewart says. 

#ShareTheMicInCyber has also partnered with the nonprofit think tank R Street Institute for a project called “Making Space.” The initiative started as a pledge to get organizations to commit to including women and minorities on panels they hosted or sponsored. It now boasts more than 40 partners and has expanded to other work, including a new effort to launch an online database for organizations and companies to connect with Black professionals.

“What I didn't want to do is publish a pledge and get people signed on board without giving them the resources to make that pledge actionable,” said Tatyana Bolton, policy director for R Street's Cybersecurity & Emerging Threats team. “Part of the problem is that people always say, 'I love diversity and we absolutely want women and people of color on our panels and events. We want to hire them. But I don't know of any.' I wanted to take away that excuse.”

Tearing down barriers to entry such as excessive job requirements and unaffordable training could also help address diversity.

A key factor in the workforce shortage is a culture of hiring requirements that many experts agree don't reflect the what's needed for entry-level employees. Those excessive requirements can often deter qualified applicants from applying.

“We cannot close the workforce gap by continuing to hire the way we have been hiring for the past 20 years, said David Forscey, managing director for the Aspen Cybersecurity Group. We failed. And that's because we are cutting off a lot of the available talent through biased hiring.

The Aspen Cybersecurity Group has worked with more than 30 employers to get them to expand their candidate pipelines for cybersecurity jobs and rewrite job descriptions.

Training and certification, which can often run into the thousands of dollars, also pose barriers to low-income applicants. #ShareTheMicInCyber now also offers a scholarship in partnership with Women in Security and Privacy to help cover training, certification and other professional development expenses for Black cybersecurity professionals.

Issues of diversity don't stop at getting professionals in the door, experts note. Organizations have to be willing to invest in sustained change, including promoting diverse leadership and creating a safe work environment where Black professionals can actually thrive, Stewart and Bolton say.

Lawmakers and policymakers are also working to address barriers to entry.

A policy report from Congress's bipartisan Cyberspace Solarium Commission last fall urged the federal workforce to ensure cyber development policies and programs "consistently and deliberately incorporate efforts to recruit and retain underrepresented populations including women, people of color, and the neurodiverse.

The report's recommendations align with those from nonprofits: lessening recruitment barriers, investing in workforce training programs and sustaining investment in retaining a diverse workforce.

“While a lack of diversity in the federal government is by no means unique to cybersecurity, the demand for more people, and more diverse perspectives, in cyber makes the need especially acute,” the report noted. “The federal government can and must help drive this change throughout the national cyber workforce.”

But those successful retention policies or even the exact diversity of the current cybersecurity workforce are hard to quantify, experts say.

“It's very unclear what the baseline is,” says Forscey. There's just not a lot of data on what's the picture of diversity today and what [practices] companies have adhered to that have actually generated success.”

Just nine percent of the U.S. cybersecurity workforce identifies as Black or African American, according to a 2018 study conducted in partnership with the nonprofit International Information System Security Certification Consortium and the International Consortium of Minority Cybersecurity Professionals.

Official government data on the U.S. workforce is virtually nonexistent, however.

“If we're going to make meaningful change on diversity, equity and inclusion in the federal government, we have to understand who already is in the workforce, says Laura Bate, a senior director on the Cyberspace Solarium Commission and cybersecurity policy fellow at New America. And we have to understand the dynamics that shape that. What causes people to stay? What causes people to leave?”

Experts say diversity is also a national security issue.

“We won't prevent the next SolarWinds or Microsoft Exchange hack if we keep doing the same things with the same people over and over and expecting different results,” Bolton says. “We have to recruit and elevate diverse and new voices in cybersecurity. It's critical to our national security.”

A diverse workforce is also key to dealing with foreign adversaries, who have weaponized systemic racism in the United States to sow discord, Stewart says. For instance, Russian actors exploited racial tensions in information operations in the 2016 election.

“It is a national security imperative for us to address systemic racism, and part of that is diversifying the workforce. Part of that is having uncomfortable conversations about how racism manifests itself in our institutions and creates bias in our technology,” says Stewart. “And so I tend to start my conversation there because we've seen that the argument that it is the right thing fails with some people.  I think an argument that works for everyone is the fact that it is essential to the mission and it is.

The keys

Federal investigators are looking into a cyberattack on Codecov, which makes software for testing computer code.

The company said a customer found that something was off with its software, leading the company to investigate the attack, Reuters’s Raphael Satter reports. Codecov said it discovered that hackers had begun tampering with the software on Jan. 31.

Codecov’s website says that the company has at least 29,000 customers, including Web-hosting company GoDaddy and software company Atlassian. GoDaddy did not respond to a request for comment, while Atlassian said it was investigating. “At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise,” Atlassian said.

The FBI and Cybersecurity and Infrastructure Security Agency did not respond to requests for comment.

Russia said it will expel 10 U.S. diplomats in response to the Biden administration’s SolarWinds sanctions.

The move comes after Washington announced the expulsion of 10 Russian diplomats and sanctions on 32 Russia-related individuals and companies, Robyn Dixon reports. U.S. officials say that most of the Russian diplomats on their list are secretly intelligence officers.

Russia also symbolically banned eight current and former U.S. officials, including FBI Director Christopher A. Wray and Director of National Intelligence Avril Haines, after U.S. sanctions on similar Russian officials.

The tit-for-tat comes just over four months after cybersecurity firm FireEye announced that it had spotted the attack on SolarWinds and other companies. The attack compromised at least nine federal agencies and 100 private companies.

A manager of hacking group FIN7 was sentenced to 10 years in prison.

Fedir Hladyr, a Ukrainian national, pleaded guilty to conspiring to commit wire fraud and hack into computers in 2019. He served as FIN7’s systems administrator and supervised hackers who attacked hundreds of U.S. companies, according to the Department of Justice.

Arguing for a 10-year prison sentence, federal prosecutors said it would “send a strong message of public deterrence” to hackers, CyberScoop’s Sean Lyngaas reports. In a sentencing memorandum, prosecutors said a “conservative estimate” for losses caused by FIN7 is $3 billion to $5.7 billion.

“I was so stupid, careless and reckless and for this I sincerely apologize to the court and to the government,” Hladyr said before being sentenced.

Government scan

A former Republican operative resigned as the NSA’s top lawyer.

Michael Ellis was sidelined as the agency’s general counsel amid a probe by the Pentagon’s inspector general and a security inquiry into Ellis’s handling of classified information, Ellen Nakashima reports. His resignation came a day after NSA Director Gen. Paul Nakasone confirmed to Congress that the inspector general probe remained open.

“I have been on administrative leave for nearly three months without any explanation or updates, and there is no sign that NSA will attempt to resolve the issue,” Ellis said in a letter to Nakasone on Friday. “I therefore resign my position, effective immediately.”

His resignation was first reported by Fox News. Ellis declined to comment beyond the letter and the NSA declined to comment.

Chat room

Mark Fitzpatrick, a former acting deputy assistant secretary of state for nonproliferation:

Lt. Col. Yevgeny “Eugene” Vindman, the twin brother of Trump impeachment witness Alexander Vindman, said good riddance:

UC Davis law professor Brian Soucek:

Industry report

Law enforcement officials are racing to stop online sellers of fake vaccination cards.

Officials say that the online trade of the fake cards is illegal and could undermine people’s safety, Dan Diamond reports. It comes amid a national debate over digital “vaccine passports,” and whether the government should be involved in credentialing the passports.

“This is a concern that is national and bipartisan,” North Carolina Attorney General Josh Stein said, adding that the spread of fake vaccination cards “will extend the pandemic, resulting in more people sick and more people dead.”

Stein recently led an effort with 47 colleagues to demand that eBay and other e-commerce platforms crack down on the scams. But a Washington Post review showed that they continue to exist on eBay, where one account sold more than 100 blank vaccination cards in the past two weeks. The company removed those listings after The Post brought them to the company’s attention. “Our team has reviewed and taken appropriate action,” said eBay spokesperson Parmita Choudhury, who declined to disclose additional details about the account.

Global cyberspace

Russia is racing to catch up to China’s facial recognition capabilities.

Critics say the country is selectively using the technology to target protesters and critics while shielding Russia’s security services, Dixon reports. Corrupt officials also sell the data on burgeoning black markets, with the data being used by everyone from investigative journalists to criminals.

Daybook

  • Former Director of National Intelligence John Ratcliffe speaks at a Heritage Foundation event today at 11 a.m. 
  • CISA executive assistant director for cybersecurity Eric Goldstein speaks at the Industrial Control Systems Joint Working Group’s spring virtual meeting on Tuesday at 8:30 a.m.
  • Senate Majority Leader Charles E. Schumer (D-N.Y.); Rep. Michael McCaul (R-Texas); acting National Counterintelligence and Security Center director Mike Orlando; and Carl McCants, the technical director of NCSC’s supply chain and cyber directorate, speak at an Intelligence and National Security Alliance event on microelectronics supply chains on Tuesday at noon.
  • A House Energy and Commerce Committee panel holds a hearing on securing U.S. wireless network technology on Wednesday at 10:30 a.m.
  • The Senate Armed Services Committee holds two hearings on the military’s cyber workforce and technology on Wednesday at 2:30 p.m.
  • Former undersecretary of state Keith Krach and retired four-star Gen. Stanley McChrystal discuss how the United States and its allies can create a global cyber-trust network at a Washington Post Live event on Thursday at 11 a.m.
  • Former acting Defense Intelligence Agency director David Shedd and former Undersecretary of Defense for Intelligence Steve Cambone speak at a Heritage Foundation event on the intelligence community on Friday at noon.

Secure log off

Lulling us out of the weekend: