Welcome to The Cybersecurity 202! I’ll be speaking with Senate Homeland Security Chairman Gary Peters (D-Mich.) and SolarWinds CEO Sudhakar Ramakrishna in a Washington Post Live event at 10:30 a.m. today. Check it out here.
Help wanted: more cybersecurity workers
The demand for cybersecurity workers is growing far faster than the supply, driven by an unrelenting barrage of cyberattacks hitting everything from the U.S. government to mom-and-pop businesses.
Here are some stunning numbers:
- The United States added more than 260,000 cyber workers to its ranks between 2020 and 2021, according to a report out this morning from the cybersecurity nonprofit (ISC)2.
- But the number of open cyber jobs still grew by about 17,000 during that time, the organization found.
For comparison, imagine a water glass that grows bigger as you try to fill it. You can pour and pour, but it still becomes less full.
Uh-oh
The consequences are evident up and down the line: There aren’t enough cyber pros to ensure technology is built securely, to implement security protections correctly or to respond when hacks happen.
“We can't do these jobs well because we don't have enough people in place,” (ISC)2 CEO Clar Rosso told me. “And those things that we're not able to do well are the cause of most data breaches and ransomware attacks.”
The cyber workforce shortage also makes the nation more vulnerable to a host of hacks that threaten the economy and national security. Those include Chinese government-linked hackers stealing companies’ intellectual property to make them less competitive and ransomware attacks that strangle production of critical goods.
The details
Right now, there are about 377,00 unfilled cyber jobs in the United States and 2.7 million globally, (ISC)2 found. (ISC)2 conducts cybersecurity certification and training programs and produces a series of reports on cyber workforce trends.
That’s basically in line with other estimates, though numbers vary quite a bit because different groups define cyber jobs differently. An interactive map built with U.S. Commerce Department grant money estimates there are about 464,000 U.S. cyber job openings.
Here’s the problem in a nutshell: Hacking threats have grown precipitously during the past quarter century as Internet technology has become indispensable to businesses and individuals. But the academic infrastructure to train cyber pros is comparatively in its infancy.
The demand for cyber pros has been growing even faster recently because companies that underestimated their need for cyber help have been shocked into action by the surge in damaging ransomware attacks.
“My 82-year-old mother knows what ransomware is now. I don't know anyone who can't slip ransomware into a conversation,” Rosso told me. “So, I think awareness of the risk is certainly driving demand.”
New pathways
One thing that would help a lot is if organizations shifted the requirements for incoming cyber workers. The goal would be to bring in more people who lack degrees in cybersecurity or information technology but are self-taught in the field or can learn on the job.
“We need to find pathways for people without IT or technology and cybersecurity backgrounds to enter the profession,” Rosso said. “You have to look at those English majors and poets.”
The Department of Homeland Security is preparing to roll out a new cyber hiring system that will do just that. The department also plans to raise salaries for cyber workers outside the traditional government range to compete with the private sector.
The program is highly ambitious, but it took about seven years to get it off the ground. The private sector has been even slower to reform in some cases.
It’s tough to estimate when the cyber workforce gap might decrease. There are too many complicating factors, Rosso said, such as how quickly people enter the field and how the hacking threat evolves.
“What we can say is that if we don’t start growing our pipeline more aggressively and bringing in new people, we’ll be talking about a workforce gap well beyond the next decade,” she said.
The keys
The State Department is launching a new cyber office
The cyber bureau will be led by a Senate-confirmed ambassador. The department will also create a special envoy position for critical and emerging technologies, the Wall Street Journal’s Dustin Volz reports. Secretary of State Antony Blinken is set to announce the changes this week.
The move essentially reinstitutes and elevates a State Department cyber coordinator position that was created under President Barack Obama and eliminated under President Donald Trump.
The Cyberspace Solarium Commission recommended creating a similar post and, in April, the House passed a bill with a similar goal.
Here’s the reaction from Chris Painter, who filled the top State Department cyber post under Obama:
A little over 10 yrs ago, the Obama Administration showed great foresight in establishing the first dedicated cyber diplomatic office in the world — now emulated by over 35 countries. It’s good to see these issues get the attention, resources & priority they deserve again.
— Chris Painter (@C_Painter) October 25, 2021
U.K. spy agencies will house classified data in Amazon’s cloud
Amazon won’t be able to access the platform’s data, which will be held in Britain, the Financial Times’s Helen Warrell and Nic Fildes report. Industry experts say the contract, whose details haven’t been publicly announced, could be worth as much as $1.38 billion.
“The new cloud service — designed to host top-secret information securely — will enable spies to share data more easily from field locations overseas and power specialist applications such as speech recognition which can ‘spot’ and translate particular voices from hours’ worth of intercept recordings,” Warrell and Fildes write. “It will also allow [signals intelligence agency] GCHQ, [domestic intelligence agency] MI5 and [foreign intelligence agency] MI6 to conduct faster searches on each other’s databases.”
GCHQ and Amazon declined to comment to the Financial Times. The contract comes after a prolonged fight between Amazon and Microsoft for a Pentagon contract to store data in the cloud worth $10 billion. That contract was tied up in U.S. courts for years and was scrapped in July. (Amazon founder Jeff Bezos owns The Washington Post.)
The Biden administration may name a GOP election official to DHS
Washington Secretary of State Kim Wyman (R) has been in talks with government officials about the post to lead election security at the Department of Homeland Security for weeks, CNN’s Sean Lyngaas reports. If appointed, Wyman would be one of the U.S. government’s highest-profile federal election security officials. As secretary of state, Wyman repeatedly pushed back against former president Donald Trump’s baseless claims that the election was stolen.
“Since Trump's defeat last November, election officials of both parties have faced a torrent of mis- and disinformation from Trump allies that election experts warn is a threat to U.S. democracy,” Lyngaas writes. “The FBI has in recent months stepped up its efforts to investigate the threats to state and local officials.”
CISA declined to comment to CNN. Wyman’s office did not respond to a request for comment from the outlet.
A major ransomware gang has shifted its business model
The Conti group has begun selling other criminals access to the company computer networks it has penetrated, Krebs on Security’s Brian Krebs writes. But it's not clear what Conti's goal is.
The tactical shift comes days after reports that the U.S. government targeted ransomware group REvil with an offensive operation. Conti published a diatribe one day after the REvil action, calling the federal government “the biggest ransomware group of all time.”
The new business model has prompted speculation that changes could be afoot with the gang. “I wonder if they are about to close down their operation and want to sell data or access from an in-progress breach before they do,” Fabian Wosar, the chief technology officer of cybersecurity firm Emsisoft, told Krebs.
Chat room
Facebook whistleblower Frances Haugen's criticisms of the company have sparked a tertiary conflict among cybersecurity pros who are anxious about her comments about encryption.
Haugen expressed concern that the company's shift to end-to-end encryption for its Messenger service could make it tougher to track espionage campaigns by China and other repressive nations. Most cybersecurity advocates support end-to-end encryption despite such concerns because it makes stealing people's information far more difficult.
Haugen told members of the U.K. parliament that her comments were misinterpreted and she's pro-encryption. Here are details from TechCrunch.
The Stanford Internet Observatory's Alex Stamos, a former chief security officer at Facebook:
These things can all be true:
— Alex Stamos (@alexstamos) October 24, 2021
1) FB needs a major cultural shift around safety
2) That probably requires Mark Z to leave
3) The issues involved here are complex
4) Haugen is wrong on encryption
5) It's wrong for leaked documents to be used to support one side of this debate https://t.co/y2r5FECOmb
The Stanford Internet Observatory's Riana Pfefferkorn:
The paper is on SSRN. Too bad Haugen didn't read it before she decided to make herself a useful idiot for govts that are anti-encryption (like the UK). Why does she think they oppose it?! It's *because they want surveilling their citizens to be easier.* https://t.co/n18BpSiiZO
— 🦇🎃 💀 Riana-Mator 🦇🎃💀 (@Riana_Crypto) October 24, 2021
Luta Security founder and CEO Katie Moussouris:
I’ve often advocated this exact point when journalists try to make me parrot their anti-exploit sale story angles - offensive exploit sales are *preferable* to government-mandated weakened or backdoored end to end encryption.
— Katie 👻 Moussouris (she/her) (@k8em0) October 25, 2021
Anti-encryption is pro-surveillance.
Period. https://t.co/fUEo85qJZC
Journalist Kim Zetter:
Haugen is arguing it’s better to not have encryption so Facebook can spot malware sent via its apps to infect victims and spy on them, than to arm the targets of that malware with a method that would protect their comms from being spied on by Facebook, their government and others
— Kim Zetter (@KimZetter) October 24, 2021
Civil liberties advocates applauded Haugen's clarification. The ACLU's Jennifer Granick:
Seems @FrancesHaugen 's comments on encryption we're misrepresented by the British press. Pleased to hear it. Help truth get its boots on and pass it around.
— Jennifer Granick (@granick) October 26, 2021
https://t.co/QMOZp5PfBD
Industry report
Global cyberspace
Cyber insecurity
Privacy patch
Daybook
- The Irish Defense Forces hosts an event on national and international cybersecurity coordination today at 7:30 a.m.
- The Cyber Threat Alliance hosts an event on the gap between theoretical and practical cybersecurity practices today at 10 a.m.
- Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and SolarWinds President and CEO Sudhakar Ramakrishna participate in a Washington Post Live event today at 10:30 a.m.
- National Cyber Director Chris Inglis and deputy national security adviser Anne Neuberger speak at a Center for Strategic and International Studies event today at 2 p.m.
- The House Homeland Security Committee’s cybersecurity subcommittee holds a hearing on cybersecurity in the transportation sector today at 2 p.m.
- The Senate Rules Committee holds a hearing on emerging threats to election administration today at 2:30 p.m.
- CISA Chief of Staff Kiersten Todt speaks at the CSA Fed Summit on Thursday.
- Deputy Treasury Secretary Wally Adeyemo, Deputy Assistant Treasury Secretary Rahul Prabhakar, Todt and cybersecurity experts participate in a Carnegie Endowment for International Peace event on the U.S. cybersecurity workforce on Thursday at 10 a.m.
- CISA Director Jen Easterly and Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, speak at a Center for Strategic and International Studies event on critical infrastructure cybersecurity on Friday at 1 p.m.
- Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, speaks at an event hosted by American University’s Tech, Law & Security Program on Friday at 3 p.m.
Secure log off
Watch the cat and turn the sound on.. 😅 pic.twitter.com/M4WvdKngpZ
— Buitengebieden (@buitengebieden_) October 25, 2021
Thanks for reading. See you tomorrow.